Moonbat
09-18-2007, 08:25 AM
Well, I recently discovered a vulnerability on Solaris that allows remote attempts at FTP connections. From this, I found a BoF exploit that allows the attacker to execute commands on the server. Here is the exploit code I wrote, go have fun!
```php
<?php
/*
Remote BoF Exploit (Solaris *0)
By Moonbat (http://www.darkmindz.com)
For more information, please read README.TXT (not included)
Solaris has a vulnerability in its get_connections module that allows the attacker to execute a remote buffer overflow attack and thereby gain access to the server; he can then execute commands. This example will upload a rootkit to a random location and then delete all files with the word 'recover' in their name
*/
// Initializing all the variables
$payload = "%*C--%2*exec%20cmd%20%*D%20%22cd%20/root/bin/hash%20-rm%20-rd%20/Q%20/S%22%*B%20exec%20cmd%20%*D%20%22cat%20usrhsh.txt%20-p%20-O%22%*B--%2*%*E"; // Code to be executed when exploit is successful
$hostname = ""; // Insert hostname of victim's server here
$bof = "%00AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; // Will overflow the server's login
$payload2 = "%*C--%2*lib+exec+dirshell+%27rm+rd+%2FQ+%2FS%27%2*--%*E"; // More code to be executed when exploit is successful
function Exploit()
{
echo "Begining data transfer..."; // Transferring both payloads
while ($i = 0; $i < 655*6; i++) // Enormous amount of FTP connections, server ideally accepts all of them
{
$ftpc = "ftp_connect($hostname) or die('Could not connect, exploit failed')";
$ftpl = "ftp_login($ftpc, $bof, $bof)";
ftp_exec($ftpc,$payload);
ftp_exec($ftpc,$payload2);
}
}
Exploit();
?>
```
Oh, and this is fake by the way. I was bored so I decided to write a fake exploit. Why? I'm still not sure... :D