

< ---------------------------- [ Hex Ezine ] ------------------------------- > < - [ Meet da c0de ] ------------------------------------------------------- > < - [ by Netdork ] ------------------------------------------------------- > Hola atrevidos lectores, revisemos el src de polos@ezkracho.com.ar, en busca de pelotudeces (mis comentarios son los que tienen ## al comienzo): Luego de leer el src hitea http://kebrachohq.com.ar/src/exploits para seguir riendote de polos y su aborto de nessus. --- [ Begin code ] --- /* Entry point. argv[1]/argv[2]: port range (the upper bound is exclusive, see the for loop); argv[3]: option letters; argv[4]: host; argv[6]/argv[7]: user and password list files when argv[5] is "-o". No return type (implicit int), and every other identifier it uses (opcion, expne, vrfye, ftpba, ftpb, cgi, host, ips, i, puerto, sockete, target, port, tempi, tempi1, buffer, the colour strings) is declared outside this excerpt. */ main(int argc, char *argv[]) /* argument variables declared here */ { u_short rango1, rango2; /* port range variables */ printf("Puertos Abiertos:\n"); if(argc < 2) { /* no argument given... */ printf("BLASTER [ver 1.0]\n"); printf("author: polos e-mail: thebigsnake@usa.net\n"); ## cutted src, lot of crap printf("\nman blaster for more information\n"); } ## yo que vos aprenderia a usar switch, de ultima getopt que no es ansi pero ## eso veo que no te preocupa una mierda,(!que retorna cada funcion,!prototipos) if(argc>3) { /* argc>3 only proves argv[3] exists: argv[4] is NULL when argc == 4, and argv[1]/argv[2] are never validated; everything up to the end of the port loop sits inside this if */ if(strstr(argv[3],"-v")) { opcion=1; } else { opcion=0; } if(strstr(argv[3],"y")) { expne=1; } if(strstr(argv[3],"e")) { vrfye=1; } if(strstr(argv[3],"a")) { ftpba=1; } if(strstr(argv[3],"f")) { ftpb=1; } if(strstr(argv[3],"c")) { cgi=1; } ## esos millares de {} en ifs con 1 solo statement te hacen leer el src lento ## no seas cavernicola host=gethostbyname(argv[4]); /* with argc == 4 this is gethostbyname(NULL): the crash in the ./blaster 1 2 X transcript below */ if (host==NULL) { printf("Unknown host: %s\n",argv[4]); exit(0); } ## estem.. como probas que existe un argv[4] aca? i mean hiciste un ## if(argc<3) but el argv empieza de 0 gil. proof of concept: ## netd0rk@rainingblood:~/blaster$ ./blaster 1 2 X ## Puertos Abiertos: ## Segmentation fault ## the same for inet_addr down here ips=ntohl(inet_addr(argv[4])); /* ips is never read again anywhere in this listing */ ## {user,pass}list = arrays de 14 chars ## 'hola lidero el camino de la seguridad informatica, te instalo el norton ## antivirus?' 
## ## netd0rk@rainingblood:~/blaster$ ./blaster 1 2 -e localhost -o ## AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ## ================================================================= ## Escaneando Puertos.... ## ================================================================= ## Segmentation fault ## netd0rk@rainingblood:~/blaster$ if(argc>5) { /* argc>5 guarantees argv[5] only: argv[6]/argv[7] can be NULL, and the two sprintf calls copy them unbounded into userlist/passlist (14-char arrays according to the ## note above) -- that overflow is the segfault shown in the transcript; check argc >= 8 and use snprintf(userlist, sizeof userlist, "%s", argv[6]) */ if (strstr(argv[5],"-o")) { sprintf(userlist,"%s",argv[6]); sprintf(passlist,"%s",argv[7]); } } rango1=atoi(argv[1]); rango2=atoi(argv[2]); /* atoi() reports no errors and the results are truncated to u_short */ ## buuu system sin path completo, anda a comer gil system("clear"); printf("=================================================================\n"); printf("%sScannig ports....%s\n",VERDE,NORMAL); printf("=================================================================\n"); for(i=rango1;i<rango2; i++) { /* scans [rango1, rango2): the upper port itself is never tried, so "1 2" scans only port 1 */ puerto=i; if (sockete=socket(AF_INET, SOCK_STREAM ,0) ==-1) { /* BUG: == binds tighter than =, so sockete receives the comparison result (0 or 1), not the descriptor; the connect()/read()/close() below then operate on fd 0 or 1. Needs if ((sockete = socket(...)) == -1). */ printf("error: creating the socket\n"); ## si , error al crear el socket, pero no salis del loop / exiteas el proggie ## so el cartelito metetelo en el orto } target.sin_family=AF_INET; target.sin_port = htons(puerto); memcpy(host->h_addr,(char *)&target.sin_addr,host->h_length); /* BUG: memcpy(dst, src, n) has dst and src swapped -- this copies the still-unset target.sin_addr OVER the resolved h_addr instead of filling target, so connect() goes to whatever sin_addr already held (presumably 0.0.0.0 for a zeroed global), and host is clobbered for later calls. conectar() repeats the mistake. */ bzero(&(target.sin_zero),8); if (connect(sockete,(struct sockaddr_in*)&target,sizeof(target)) !=-1) { /* the cast should be (struct sockaddr *) */ sprintf(port,"%d",i); caca(); if((i==21 && i != -1)) { sprintf(tempi1,"yes",0); } if((i==25 && i !=-1)) { sprintf(tempi,"yes",0); } /* the extra 0 arguments to sprintf are ignored and i != -1 is always true here */ if((i==23 || i==25 || i==21 && i !=-1) && opcion==1){ read(sockete, buffer,sizeof(buffer)); printf("%s",buffer); /* read() result unchecked and no NUL terminator written: a full or failed read leaves buffer unterminated/stale and printf("%s") runs past it; read at most sizeof(buffer)-1 and terminate at the returned length */ } } close(sockete); } } /* end of for loop and of if(argc>3) */ if((expne==1 || vrfye==1) && (strstr(tempi,"yes"))) { /* tempi is only set when port 25 was inside the range and answered; note the swapped naming: expne prints "vrfy" and vrfye prints "expn", and atack()/temp() follow the same swap */ if(expne==1) { printf("=================================================================\n"); printf("%sExtracting users exploiting %svrfy%s\n",CELESTE,ROJO,NORMAL); printf("=================================================================\n"); } if (vrfye==1) { printf("=================================================================\n"); printf("%sExtracting users exploiting %sexpn%s\n",CELESTE,ROJO,NORMAL); 
printf("=================================================================\n"); } atack(); } if((ftpba==1) && (strstr(tempi1,"yes"))) { printf("=================================================================\n"); printf("checking anonymous access\n"); printf("=================================================================\n"); anon(); } if((ftpb==1) && (strstr(tempi1,"yes"))) { printf("=================================================================\n"); printf("Brute force on ftp\n"); printf("=================================================================\n"); bruteftp(); } if(cgi==1) { printf("===================================================================\n"); printf("CGI SCAN:\n"); printf("===================================================================\n"); cgiscan(); } } /* end of main() */ /* atack(): sends one VRFY/EXPN line per entry of userlist over a fresh SMTP connection (port 25) and lets temp() print each reply. Implicit int; uses the globals archivo, sockete, buf, buffer, temporal, maximo. */ atack() { archivo=fopen(userlist,"r+"); /* fopen() result unchecked: a missing list makes fgets() dereference NULL; "r" would do, the file is only read */ printf("%sUSUARIOS on Host%s:\n\n",CELESTE,NORMAL); conectar(25); read(sockete,buf,1023); /* the greeting is read blind: no length check, no NUL terminator */ memset(buf,0x00,sizeof(buf)); while(fgets(buffer,maximo,archivo) != NULL) { if (vrfye==1) { /* if expn was chosen.... */ sprintf(temporal,"expn %s",buffer); } else if (expne==1) { sprintf(temporal,"vrfy %s",buffer); } write(sockete,temporal,strlen(temporal)); read(sockete,buf,sizeof(buffer)); /* buf is read with sizeof(buffer), a different array: overflows buf if buffer is the larger one -- use sizeof(buf) */ temp(); memset(buf,0x00,sizeof(buf)); } return 0; close(sockete); fclose(archivo); printf("=================================================================\n"); /* BUG: the return above makes these three statements unreachable -- the socket and the FILE leak and the separator never prints; move return 0 to the end */ } /* temp(): classifies the last SMTP reply in buf by searching for a 3-digit code anywhere in the line (substring match, see the ## note) and exits the whole program on 502. */ temp() { ## supone que el user se llama user250, de tarea decime que pasaria ## encima el protocolo de smtp que es re boludo... hacias un ## strncmp(buf,"250",3) y listo. 
if(vrfye==1 && strstr(buf,"250")) { printf("%s%s%s", BRILLOSO,buf,NORMAL); } ## idem above if (expne==1 && strstr(buf,"252")){ printf("%s%s%s", BRILLOSO,buf,NORMAL); } ## yeah idem if (strstr(buf,"502")) { printf("Expn not allowed\n"); exit(0); /* exit() from a helper aborts the whole run with the socket and FILE still open and reports success (0) to the shell */ } } /* anon(): tries an anonymous FTP login on port 21 and reports the reply code. Implicit int; uses the globals sockete, buffer, user, pass. */ anon() { conectar(21); read(sockete,buffer,sizeof(buffer)); sprintf(user,"user anonymous\n",0); /* the trailing 0 argument is unused; 15 chars plus NUL are written into user -- an overflow if user is as small as the 14-char arrays the ## note mentions for the list names (same for pass below) */ write(sockete,user,strlen(user)); read(sockete,buffer,sizeof(buffer)); memset(buffer,0x00,sizeof(buffer)); sprintf(pass,"pass aa@usa.com\n",0); write(sockete,pass,sizeof(pass)); /* sends the whole pass array (sizeof), including bytes after the NUL, instead of strlen(pass) as done for user */ read(sockete,buffer,sizeof(buffer)); ## si el ftpd te corta la coneccion por X razon ## (too many users connected/cerrado por reparacion(?))los read/write te fallan ## como el orto.. y vos seguis writeando/read'eando if (strstr(buffer,"230")) { printf("\n%Anonymous Access allowed%s\n",ROJO,NORMAL); /* BUG: the format is missing the 's' after the first '%': "%A" is a hex-float conversion, so ROJO (a char pointer) is consumed as a double -- undefined behaviour and garbage output; should read "\n%sAnonymous Access allowed%s\n" */ exit(0); } else { printf("\n%sAnonymous access not allowed%s\n",CELESTE,NORMAL); } printf("==================================================================\n"); close(sockete); } /* bruteftp(): reads user/password pairs line by line from userlist/passlist and tries each against FTP on port 21. Implicit int; uses the globals archivo, archivo2, sockete, buf, buffer, user, pass, i, maximo. */ bruteftp() { archivo=fopen(userlist,"r"); archivo2=fopen(passlist,"r"); if((archivo == NULL) || (archivo2 == NULL)){ printf("error: opening the files\n"); exit(0); } conectar(21); read (sockete, buf, 1023); i=0; printf("%sPasswords cracking........%s",BRILLOSO,NORMAL); while(fgets(user,maximo,archivo) && fgets(pass,maximo,archivo2) !=NULL) { /* fgets() is told user/pass hold maximo bytes; if they are smaller, a long line overflows them -- the buffer size, not a global limit, belongs here */ { /* stray extra brace pair: the inner block is just a wrapper */ i++; ## buffer = array de 1000 chars, pero bue, dejo de abusar de tu falta de ## conocimientos en pointers sprintf (buffer, "user %s",user); write (sockete, buffer, strlen (buffer)); read (sockete, buf, 1023); memset(buffer,0x00,sizeof(buffer)); sprintf (buffer, "pass %s",pass); write (sockete, buffer, strlen (buffer)); sleep (1); read (sockete, buffer, sizeof (buffer)); if (strstr (buffer, "230", 3)){ /* strstr() takes two arguments; a third one compiles only while no prototype (<string.h>) is in effect -- and buffer is again unterminated output of an unchecked read() */ printf("\nUSER:%s\r\rPASS:%s",user,pass); close(sockete); conectar(21); } ## hay algunos ftpd que no te dejan mandar 5 users seguidos, no es algo ## protocolar el 5 ## netd0rk@rainingblood:~$ nc localhost 21 ## 220 ProFTPD 1.2.2rc3 Server 
(KebrachoHQ) [rainingblood.com.ar] ## user a ## 331 Password required for a. ## pass b ## 530 Login incorrect. ## user a ## 331 Password required for a. ## pass a ## 530 Login incorrect. ## user a ## 331 Password required for a. ## pass a ## 530 Login incorrect ## netd0rk@rainingblood:~$ ## so.. estarias escribiendo en un file que no existe o no es el que vos ## queres escribir if (i==5) { /* i is never reset, so this branch fires exactly once (on the 5th pair) and never again */ close(sockete); conectar(21); printf("reconectando\n"); } } } printf("=================================================================\n"); close(sockete); fclose(archivo); fclose(archivo2); } /* conectar(): opens a TCP connection to host on the given port into the global sockete. K&R-style implicit int parameter and return; neither socket() nor connect() is checked, so on failure callers keep writing to a dead descriptor (the "Broken pipe" in the transcript below). */ conectar(puerto) { ## que feo es tener todas las vars globales.no es mas facil un ## return socket; ? sockete=socket(AF_INET, SOCK_STREAM ,0); /* create the socket */ target.sin_family=AF_INET; target.sin_port = htons(puerto); memcpy(host->h_addr,(char *)&target.sin_addr,host->h_length); /* BUG: dst/src swapped, exactly as in main(): target.sin_addr is never filled from host->h_addr */ bzero(&(target.sin_zero),8); connect(sockete,(struct sockaddr_in *) &target,sizeof(target)); /* return value discarded; the cast should be (struct sockaddr *) */ ## ## eeh, y si la coneccion falla? ## no seria un poco inteligente poner if(connect(...)<0)return -1;? ## ## root@rainingblood:/home/fox/blaster# telnet 0 80 ## Trying 0.0.0.0... ## telnet: Unable to connect to remote host: Connection refused ## root@rainingblood:/home/fox/blaster# ./blaster 1 2 -c localhost ## ================================================================= ## Escaneando Puertos.... ## ================================================================= ## =================================================================== ## CGI SCAN: ## =================================================================== ## CGi encontrados: ## Broken pipe ## root@rainingblood:/home/fox/blaster# ## } /* caca(): looks up the open port (global port, as a string) in the "puertos" file and prints the service name found there. Implicit int; uses the globals archivo3, buffer, maximo, demonio, temporal, port, i. */ caca() { archivo3=fopen("puertos","r+"); /* unchecked fopen(): NULL goes straight into fgets(); relative path, so it depends on the working directory */ while(fgets(buffer,maximo,archivo3) != NULL) { sscanf(buffer, "%s %d %s",demonio,temporal,temporal); /* %d needs an int *, but temporal is the char buffer used with sprintf elsewhere -- undefined behaviour; the two %s are unbounded as well */ ## ponele if(sscanf(...)!=3)fuckoff , no seas tan gil.. 
si falta una arg en el ## file aborta if(strstr(buffer,port) ) { /* substring match: port "2" matches the lines for 21, 22, 23, ... and the first such line wins */ printf("[%s%d%s] %s open\n",VERDE,i,NORMAL,demonio); return 0; /* returns without fclose(archivo3): one FILE leaks per recognised port */ } } printf("[%s%d%s] unknown open\n",VERDE,i,NORMAL); fclose(archivo3); } /* cgiscan(): sends each line of the "cgi" file as a request to port 80 and prints the ones answered with a 200 reply. Implicit int; uses the globals archivo, sockete, buf, buffer, temporal, maximo. */ cgiscan() { archivo=fopen("cgi","r+"); ## ## eh.. porque no comprobas que fopen no fallo? ser vago es una cosa pero ## lo tuyo es cualquiera... ## root@rainingblood:/home/fox/blaster# mv cgi .cgi ## root@rainingblood:/home/fox/blaster# ./blaster 1 2 -c localhost ## ================================================================= ## Escaneando Puertos.... ## ================================================================= ## =================================================================== ## CGI SCAN: ## =================================================================== ## CGi encontrados: ## Segmentation fault ## root@rainingblood:/home/fox/blaster# ## conectar(80); printf("Cgi's on Host:\n"); while(fgets(buf,maximo,archivo) != NULL) { sprintf(buf,"%s\n\n",buf); /* destination and source overlap: undefined behaviour (the sscanf into buf below has the same problem); append with strcat or use a second buffer */ write(sockete,buf,strlen(buf)); read(sockete,buffer,20); /* unchecked and unterminated read before strstr() */ ## strtok'iar un array copiado y strcmp'iarlo cuesta mucho? if(strstr(buffer,"200")) { sscanf(buf,"%s %s %s",temporal,buf,temporal); printf ("%s%s%s\n",BRILLOSO,buf,NORMAL); } close(sockete); sleep(1); conectar(80); /* reconnects after every line, including the last: the final connection is never closed, and archivo is never fclose()d either */ memset(buffer,0x00,sizeof(buffer)); ## man a ver si cerras "archivo" , no?. } } --- [ End code ] ---